Data Processing Agreement

1. Incorporation

This Data Processing Agreement forms part of the Terms of Service or applicable Order between the customer and the provider. It applies where GDPR or similar privacy laws require processor terms for personal data processed on behalf of the customer.

2. Roles

The customer is controller of Customer Data processed in its tenant. The provider is processor. The provider may act as controller for account, billing, security, analytics and business contact data as described in the Privacy Policy.

3. Processing instructions

The provider will process Customer Personal Data only to provide, secure, maintain, support and improve the Platform, to comply with documented customer instructions, to comply with law, or as otherwise permitted by this DPA. The customer instructs the provider to process Customer Personal Data for these purposes.

4. Subject matter and categories

Processing concerns cloud-based welding compliance, inspection, evidence and reporting workflows. Data may include user names, email addresses, roles, project contacts, welders, inspectors, coordinators, audit logs, photos, documents, signatures, inspection records and project metadata. Data subjects may include customer employees, contractors, inspectors, welders, coordinators, client contacts and supplier contacts.

5. Customer obligations

The customer must ensure that it has a lawful basis and all required notices, consents, contracts and authorisations to submit Customer Personal Data to the Platform. The customer is responsible for data accuracy, minimisation, retention choices and responding to data subject requests as controller.

6. Confidentiality

The provider will ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.

7. Security measures

The provider will maintain appropriate technical and organisational measures designed to protect Customer Personal Data, taking into account the nature of processing and risk. Measures may include access control, authentication, tenant separation, encrypted transport, backup, monitoring, logging, administrative controls and vulnerability management.

8. Sub-processors

The customer authorises the provider to use sub-processors for hosting, infrastructure, database, email, payment, monitoring, analytics, storage, support and security. The provider will impose data protection obligations on sub-processors that are substantially similar to this DPA. The provider remains responsible for sub-processor performance to the extent required by applicable law.

9. International transfers

Where Customer Personal Data is transferred outside the EEA, UK or Switzerland and applicable law requires safeguards, the provider will use an appropriate lawful transfer mechanism such as adequacy decisions, Standard Contractual Clauses or equivalent safeguards.

10. Data subject requests

The provider will reasonably assist the customer with data subject requests relating to Customer Personal Data, taking into account the nature of processing and information available to the provider. The provider may redirect requests from individuals to the customer where the customer is controller.

11. Personal data breach

The provider will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to assist the customer with its legal obligations.

12. Assistance and audits

The provider will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be reasonable, proportionate, protect confidentiality and security, and may be satisfied through documentation, certifications, summaries or third-party reports where available.

13. Deletion and return

Upon termination, the provider will delete or return Customer Personal Data according to the Terms, the customer's export options, legal requirements and technical backup cycles. Backup data may be retained for a limited period and deleted according to normal cycles.

14. Liability

Liability under this DPA is subject to the limitations and exclusions in the Terms of Service unless mandatory law states otherwise.

15. Order of precedence

If this DPA conflicts with the Terms on privacy processor obligations, this DPA controls for that specific conflict. The Terms control all other matters.