Legal

GDPR Compliance

OnboardSwift is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018. This page explains how we fulfil our obligations and how you can exercise your rights.

UK GDPR Compliant
EU GDPR Compliant
Data Protection Act 2018
Standard Contractual Clauses

Our Role Under GDPR

OnboardSwift operates in two distinct capacities depending on the data involved:

Data Controller

We are the data controller for personal data you provide when creating and managing your account (e.g. your name, email, billing details). We determine the purposes and means of processing this data.

Data Processor

We are the data processor for personal data belonging to your employees and candidates that you manage through the Platform. You (the Customer) are the data controller for this data.

Lawful Basis for Processing

All processing activities at OnboardSwift have a documented lawful basis under Article 6 UK/EU GDPR:

Processing activity | Lawful basis
Account creation & management | Contract performance (Art. 6(1)(b))
Billing & payment processing | Contract performance (Art. 6(1)(b))
Employee onboarding data | Contract performance (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f))
Platform security & fraud prevention | Legitimate interests (Art. 6(1)(f))
Product analytics (anonymised) | Legitimate interests (Art. 6(1)(f))
Marketing to existing customers | Legitimate interests (Art. 6(1)(f))
Marketing to prospects (email/ads) | Consent (Art. 6(1)(a))
Legal compliance & audits | Legal obligation (Art. 6(1)(c))
Analytics cookies | Consent (Art. 6(1)(a))

Your Rights Under GDPR

Data subjects (individuals whose personal data we process) have the following rights under Chapter III of UK/EU GDPR. To exercise any of these rights, email privacy@onboardswift.com. We will respond without undue delay and in any event within one month of receiving the request; for complex or numerous requests this may be extended by up to two further months, in which case we will tell you within the first month and explain the reason for the delay.

Right of Access (Art. 15)

You may request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification (Art. 16)

You may request that we correct inaccurate or incomplete personal data without undue delay.

Right to Erasure (Art. 17)

You may request deletion of your personal data where there is no compelling reason to continue processing it.

Right to Restriction (Art. 18)

You may request that we restrict processing of your data in certain circumstances, e.g. while accuracy is contested.

Right to Portability (Art. 20)

You may receive your personal data in a structured, machine-readable format and transmit it elsewhere.

Right to Object (Art. 21)

You may object to processing based on legitimate interests or for direct marketing purposes.

Note for employees: If you are an employee whose data is held by your employer via OnboardSwift, please contact your employer (the data controller) in the first instance. We will assist your employer in fulfilling data subject requests.

International Data Transfers

Our primary infrastructure is hosted within the EEA via Supabase (EU region). Where data is transferred outside the UK/EEA to sub-processors (e.g. certain analytics or support tools), we ensure appropriate safeguards are in place:

  • UK International Data Transfer Agreements (IDTA) for transfers from the UK
  • EU Standard Contractual Clauses (SCCs, 2021) for transfers from the EEA
  • Adequacy decisions where applicable (e.g. the EU adequacy decision covering the UK, and the UK's adequacy regulations covering the EEA)
  • Transfer Impact Assessments conducted for high-risk transfers

A full list of sub-processors and their data processing locations is available on request at privacy@onboardswift.com.

Data Processing Agreement (DPA)

Every OnboardSwift customer who is a data controller under UK/EU GDPR has a Data Processing Agreement in place with OnboardSwift. Our DPA is publicly available at onboardswift.com/dpa and is accepted by all customers upon signup. It covers:

  • Subject matter, duration, nature, and purpose of processing.
  • Processing only on documented instructions from the Controller.
  • Technical and organisational security measures (TOMs).
  • Sub-processor authorisations and equivalent protections.
  • Data subject rights, breach notification, and deletion obligations.
  • International transfer safeguards (SCCs / UK IDTA).

To request a countersigned PDF copy for your own compliance records, email legal@onboardswift.com.

Technical & Organisational Security Measures

We implement comprehensive technical and organisational measures (TOMs) to protect personal data in accordance with Article 32 UK/EU GDPR:

AES-256 encryption at rest for all Customer Data
TLS 1.2+ encryption in transit (HTTPS everywhere)
Role-based access control — staff only access data they need
Multi-factor authentication for all administrative accounts
Regular vulnerability scanning and penetration testing
Audit logs for all data access and mutations
Sub-processor agreements with all third-party vendors
Data minimisation — we only collect what is necessary
Annual staff GDPR training
72-hour breach notification to supervisory authority where required

Data Retention

We retain personal data for no longer than necessary for its stated purpose:

Data type | Retention period
Account & billing data | Duration of subscription + 2 years
Employee/candidate onboarding data | Duration of subscription; deleted within 90 days of cancellation
Audit logs | 2 years
Support communications | 3 years
Marketing contact data | Until withdrawal of consent or unsubscribe
Analytics data (aggregated) | Indefinitely (anonymised; contains no personal data)
Cookie consent records | 1 year from consent

Breach Notification

In the event of a personal data breach, OnboardSwift will:

  • Notify affected Customers without undue delay and where feasible within 72 hours of becoming aware.
  • Provide details of the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.
  • Where required, notify the relevant supervisory authority (ICO in the UK, lead DPA in the EU) within 72 hours.
  • Maintain a register of all data breaches regardless of whether notification is required.

Supervisory Authority

Our supervisory authority in the UK is the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

You have the right to lodge a complaint with the ICO if you believe your data has been handled unlawfully. We ask that you contact us first so we can resolve the matter promptly.

Data Protection Contact

For all GDPR-related enquiries, data subject requests, or to obtain a copy of our DPA:

Innovate Prime Limited — Data Protection
Email: privacy@onboardswift.com
Legal: legal@onboardswift.com
Website: onboardswift.com