Legal Document · DPA v1.1

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between OnboardSwift ("Processor") and the organisation using the platform ("Controller"). It governs the processing of personal data by OnboardSwift on behalf of the Controller.

Nigeria & Africa

Processor entity: TechCohort Africa Limited (registered in Nigeria)

Governed by the Nigeria Data Protection Act 2023 (NDPA)

UK & Rest of World

Processor entity: Innovate Prime Limited (registered in England & Wales)

Governed by UK GDPR, EU GDPR, and the Data Protection Act 2018

Deemed acceptance: By creating an account and using the OnboardSwift platform, the Controller agrees to be bound by this DPA. No separate signature is required. This DPA is effective from the date the Controller first accesses the platform.

1. Definitions

1.1 "Controller" means the organisation that determines the purposes and means of processing personal data (the customer using OnboardSwift).

1.2 "Processor" means OnboardSwift, which processes personal data on behalf of the Controller.

1.3 "Personal Data" has the meaning given in UK GDPR Article 4(1) — any information relating to an identified or identifiable natural person.

1.4 "Processing" has the meaning given in UK GDPR Article 4(2) and includes any operation performed on personal data, including storage, retrieval, disclosure, and deletion.

1.5 "Data Subject" means an individual whose personal data is processed — in this context, primarily employees, candidates, and contractors managed through the platform.

1.6 "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

1.7 "Applicable Law" means UK GDPR, EU GDPR (where applicable), the Data Protection Act 2018, the Nigeria Data Protection Act 2023 (where applicable), and any successor legislation.

2. Subject Matter, Nature, and Purpose of Processing

2.1 The Processor provides an HR onboarding and offboarding platform. In doing so, the Processor processes personal data submitted by the Controller relating to the Controller's employees, contractors, and candidates.

2.2 The categories of personal data processed include: full name, email address, phone number, job title, department, employment start date, employment type, salary information (where provided), identification documents, right-to-work documents, training records, asset assignment records, task completion status, and any other personal data the Controller uploads to the platform.

2.3 The categories of data subjects are: employees, candidates, contractors, and HR/admin personnel of the Controller.

2.4 The purpose of processing is to provide the onboarding, offboarding, training, compliance, and HR workflow management services described in the Terms of Service.

2.5 The duration of processing is the period of the Controller's active subscription, plus any retention period required by Applicable Law, after which data will be deleted in accordance with Section 9.

3. Obligations of the Processor

The Processor shall:

3.1 Process personal data only on documented instructions from the Controller (being the use of the platform in accordance with the Terms of Service), unless required to do otherwise by Applicable Law — in which case the Processor shall inform the Controller before processing, unless prohibited from doing so by law.

3.2 Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.

3.3 Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Section 7 of this DPA.

3.4 Not engage a sub-processor without the prior general or specific written authorisation of the Controller. The Controller provides general authorisation for the sub-processors listed in Schedule 1, subject to the Processor notifying the Controller of any changes.

3.5 Assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligations to respond to requests from data subjects exercising their rights under Applicable Law, including the right of access (Article 15), rectification (Article 16), erasure (Article 17), and data portability (Article 20).

3.6 Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

3.7 At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Applicable Law requires storage of the personal data.

3.8 Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

4. Obligations of the Controller

The Controller shall:

4.1 Ensure that it has a lawful basis for processing the personal data it submits to the platform, including obtaining necessary consents from data subjects where required.

4.2 Ensure that data subjects have been provided with appropriate privacy notices explaining that their personal data may be processed by OnboardSwift as a processor.

4.3 Comply with all Applicable Law with respect to its activities as a data controller.

4.4 Promptly inform the Processor if any instructions provided would cause the Processor to breach Applicable Law.

5. Sub-processors

5.1 The Controller grants general written authorisation for the Processor to engage the sub-processors listed in Schedule 1 below.

5.2 The Processor shall impose equivalent data protection obligations on all sub-processors by way of contract, and shall remain fully liable to the Controller for the performance of those obligations.

5.3 The Processor will notify the Controller of any intended changes to sub-processors by updating Schedule 1 on this page with at least 14 days' notice. Continued use of the platform after that date constitutes acceptance. If the Controller objects, it may terminate the service in accordance with the Terms of Service.

6. International Transfers

6.1 The Processor shall not transfer personal data outside the Controller's home jurisdiction without ensuring that an appropriate transfer mechanism is in place.

6.2 For UK & EU Controllers: where personal data is transferred to the United States via sub-processors such as Supabase, Vercel, and Resend, transfers are protected by the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs).

6.3 For Nigerian & African Controllers: transfers outside Nigeria are made in accordance with NDPA 2023 Section 43, relying on Standard Contractual Clauses with all sub-processors as the applicable transfer safeguard.

7. Technical and Organisational Security Measures (TOMs)

In accordance with UK GDPR Article 32, the Processor maintains the following technical and organisational measures:

Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted at rest using AES-256.

Encryption in transit: All data transmitted between clients and servers is encrypted via TLS 1.2+.

Access controls: Role-based access control (RBAC) restricts data access to authorised personnel only.

Authentication: Multi-factor authentication is available; JWT-based session management with short-lived tokens.

Audit logging: Key administrative actions are logged with timestamps and user identifiers.

Data minimisation: Only data necessary for the stated purpose is collected and stored.

Backups: Automated database backups are maintained by Supabase with point-in-time recovery.

Incident response: A documented incident response plan is in place. Breaches are reported within 72 hours.

Penetration testing: Regular security reviews and vulnerability assessments are conducted.

Sub-processor due diligence: All sub-processors are assessed for security compliance before engagement.

8. Personal Data Breach Notification

8.1 In the event of a personal data breach affecting the Controller's data, the Processor shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach.

8.2 Notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.

8.3 The Controller is responsible for notifying the ICO (or relevant supervisory authority) within 72 hours where required under Applicable Law.

9. Data Retention and Deletion

9.1 Upon termination of the service for any reason, the Processor will retain personal data for a maximum of 30 days to allow the Controller to export its data, after which all data will be permanently deleted from production systems.

9.2 Backup copies may persist for up to 90 days following deletion from production systems, after which they are irreversibly purged.

9.3 The Controller may submit a formal data erasure request at any time via the platform's GDPR settings. The Processor will process such requests within 30 days.

9.4 The Processor may retain certain data beyond these periods where required by Applicable Law (e.g. financial records required by HMRC for 6 years), in which case the Processor will notify the Controller of the specific data retained and the legal basis for retention.

10. Data Subject Rights Assistance

10.1 The Processor shall provide technical tools to assist the Controller in responding to data subject rights requests, including: data export (Subject Access Requests), data deletion (Right to Erasure), and data portability.

10.2 The Controller remains solely responsible for handling data subject rights requests from its own employees and candidates. The Processor assists with the technical fulfilment of such requests upon the Controller's instruction.

11. Liability

11.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

11.2 The Controller shall indemnify the Processor against any claims brought by data subjects arising from the Controller's failure to comply with its obligations as data controller under Applicable Law.

12. Governing Law

12.1 For Controllers based in Nigeria or Africa: this DPA is governed by the laws of the Federal Republic of Nigeria. Disputes shall first be referred to the NDPC mediation process where applicable, failing which the parties submit to the Nigerian courts.

12.2 For Controllers based in the UK or rest of world: this DPA is governed by the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12.3 Where the Controller is based in the EU and subject to EU GDPR, the Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated by reference and apply to the extent of any conflict with this DPA.

13. Updates to this DPA

13.1 The Processor may update this DPA from time to time to reflect changes in Applicable Law, sub-processors, or processing activities. The current version will always be published at onboardswift.com/dpa with the effective date and version number shown at the top.

13.2 For material changes, the Controller will be notified by email at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance. If the Controller does not accept the updated DPA, it may terminate its subscription in accordance with the Terms of Service.

Schedule 1 — Authorised Sub-processors

Last updated: 18 April 2026. The Controller provides general authorisation for the following sub-processors.

Sub-processor    | Purpose                                   | Data location   | Transfer mechanism
Supabase         | Database, file storage, authentication    | EU (West) / US  | SCCs / UK IDTA
Stripe           | Payment processing, billing               | US / EU         | SCCs / UK IDTA
Resend           | Transactional email delivery              | US              | SCCs / UK IDTA
Vercel           | Application hosting and edge network      | Global CDN      | SCCs / UK IDTA
Google (Gemini)  | AI Copilot features (no training on data) | US / EU         | SCCs / UK IDTA

Questions or countersigned copy

If you require a countersigned PDF copy of this DPA for your own compliance records, or have any questions about our data processing practices, contact our Data Protection team at legal@onboardswift.com. We aim to respond within 5 business days.

OnboardSwift — TechCohort Africa Limited / Innovate Prime Limited

Data Processing Agreement · Version 1.1

Effective date: 18 April 2026