Data Processing Agreement

Between: SurveyorSuite Ltd. (the Processor)
And: The customer named in the associated Terms of Service (the Controller)

Last updated: 2026-05-07

This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service between the Controller and SurveyorSuite Ltd. ("SurveyorSuite", "we", "us"). It governs the processing of personal data by SurveyorSuite on behalf of the Controller in connection with the SurveyorSuite platform and services.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of data protection matters.


1. Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the UK GDPR or, where applicable, the EU GDPR.

"Applicable Data Protection Law" means, as applicable to the processing of personal data under this DPA:

  • the UK General Data Protection Regulation (UK GDPR) as defined in section 3 of the Data Protection Act 2018;
  • the Data Protection Act 2018 (DPA 2018);
  • the EU General Data Protection Regulation (EU) 2016/679 (EU GDPR), to the extent the Controller or any processing activity falls within its scope;
  • any subordinate legislation, regulations, or guidance issued under any of the above; and
  • any successor or replacement legislation to any of the above.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this DPA, the Controller is the customer (whether a surveying firm or an individual surveyor) who has accepted the Terms of Service.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by the Processor on behalf of the Controller.

"Data Subject" means an identified or identifiable natural person to whom personal data relates.

"DSAR" means a Data Subject Access Request made pursuant to Article 15 UK GDPR (or equivalent provision under Applicable Data Protection Law).

"EEA" means the European Economic Area.

"EU SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission under EU GDPR, currently set out in Commission Implementing Decision (EU) 2021/914.

"IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law, that is processed by the Processor on behalf of the Controller under this DPA.

"Processing" (and "process", "processed") has the meaning given under Applicable Data Protection Law and, for the purposes of this DPA, includes the operations described in Schedule 1.

"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. For the purposes of this DPA, the Processor is SurveyorSuite Ltd., a company registered in England and Wales (company number 17103482), with its registered office at 4 Brading Road, London, SW2 2AN. ICO registration ZC111433. Contact: info@surveyorsuite.co.uk.

"Sub-Processor" means any third party engaged by the Processor to carry out processing activities in respect of personal data on behalf of the Controller.

"Services" means the SurveyorSuite software platform and associated services provided by the Processor to the Controller under the Terms of Service, including survey report creation, photo management, PDF and DOCX generation, cloud storage, and speech-to-text transcription.

"Terms of Service" means the agreement between the Processor and the Controller governing access to and use of the Services.

"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018.


2. Scope and Duration

2.1 Scope

This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the Services. The subject matter, nature, purpose, and duration of the processing, the types of personal data processed, and the categories of data subjects are set out in Schedule 1.

2.2 Relationship of the Parties

The Controller is the data controller in respect of all personal data processed under this DPA. The Processor processes that personal data solely on behalf of and on the documented instructions of the Controller, as set out in this DPA and the Terms of Service.

2.3 Duration

This DPA commences on the date the Controller accepts the Terms of Service and remains in force for the duration of the Controller's active subscription. Following termination or expiry of the subscription, the Processor will retain personal data for a maximum of 12 months (the "Retention Period") to allow the Controller to retrieve or export their data. At the end of the Retention Period, personal data will be permanently and irreversibly deleted in accordance with clause 12.


3. Processing Details

Full details of the processing activities covered by this DPA are set out in Schedule 1 at the end of this document.

In summary:

  • Subject matter: Hosting and processing of survey report data, photographs, and associated metadata created or uploaded by the Controller using the Services.
  • Nature of processing: Storage, retrieval, display, generation of PDF and DOCX reports, photo storage and processing (including resizing and thumbnail generation), speech-to-text transcription of dictated notes, automated backup, and soft-delete with recovery.
  • Purpose: Enabling the Controller to create, manage, store, and export professional survey reports in the course of their surveying practice.
  • Duration: As described in clause 2.3.

4. Processor Obligations

4.1 Processing on Instructions Only

The Processor shall process personal data only on the documented instructions of the Controller, unless required to do so by Applicable Data Protection Law. Where the Processor is required by law to process personal data other than in accordance with the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law. For the avoidance of doubt, the Controller's instructions are embodied in this DPA, the Terms of Service, and the Controller's configuration and use of the Services.

4.2 Confidentiality

The Processor shall ensure that persons authorised to process personal data on behalf of the Controller are subject to appropriate obligations of confidentiality, whether by contract or by operation of law, in respect of all personal data they access or handle.

4.3 Technical and Organisational Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The security measures currently implemented are described in Schedule 2.

4.4 Assistance with Controller Obligations

The Processor shall, taking into account the nature of the processing and the information available to the Processor, assist the Controller in fulfilling the Controller's obligations under Applicable Data Protection Law in relation to:

(a) the security of processing (Article 32 UK GDPR);

(b) notification of personal data breaches to the supervisory authority and to data subjects (Articles 33 and 34 UK GDPR);

(c) data protection impact assessments and prior consultation with the supervisory authority where required (Articles 35 and 36 UK GDPR); and

(d) data subject rights requests (as further described in clause 10).

4.5 Deletion or Return of Data

Upon termination or expiry of the Terms of Service, or on written request by the Controller, the Processor shall, at the Controller's election, either return or delete all personal data in accordance with clause 12.

4.6 Audit Assistance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or its authorised auditors in accordance with clause 11.

4.7 Notification of Unlawful Instructions

If, in the reasonable opinion of the Processor, any instruction from the Controller infringes Applicable Data Protection Law, the Processor shall promptly notify the Controller. The Processor shall not be required to follow any such instruction unless and until the Controller confirms the instruction in writing following the Processor's notification.


5. Controller Obligations

5.1 Lawful Basis and Compliance

The Controller is solely responsible for ensuring that:

(a) all personal data provided to or processed through the Services has been obtained lawfully and that an appropriate lawful basis for processing exists under Applicable Data Protection Law;

(b) all necessary notices have been given to and, where required, consents obtained from, data subjects in respect of the processing described in Schedule 1;

(c) the Controller has complied with all obligations applicable to it as a data controller under Applicable Data Protection Law, including (without limitation) maintaining a record of processing activities, conducting data protection impact assessments where required, and complying with data subject rights requests; and

(d) the personal data provided to the Processor is accurate, up to date, and limited to what is necessary for the purposes of the Services.

5.2 Authorised Instructions

The Controller shall ensure that its instructions to the Processor are lawful and shall not instruct the Processor to carry out any processing that would infringe Applicable Data Protection Law.

5.3 Security Responsibilities

The Controller is responsible for the security of access credentials (usernames, passwords, and any two-factor authentication tokens) used to access the Services. The Controller shall notify the Processor promptly if it suspects any unauthorised access to or use of the Services.

5.4 Special Category and Criminal Offence Data

The Controller shall not upload or submit to the Services any special category personal data (as defined in Article 9 UK GDPR) or criminal offence data (as defined in Article 10 UK GDPR) unless expressly agreed in writing with the Processor in advance.


6. Sub-Processors

6.1 General Authorisation

The Controller hereby grants the Processor general written authorisation to engage Sub-Processors to assist in the provision of the Services, subject to the conditions set out in this clause 6. The Sub-Processors currently engaged by the Processor are listed in Schedule 3.

6.2 Obligations on Sub-Processors

Before engaging a Sub-Processor, the Processor shall:

(a) conduct reasonable due diligence on the Sub-Processor's data protection practices; and

(b) enter into a written agreement with the Sub-Processor that imposes data protection obligations on the Sub-Processor that are no less protective than those imposed on the Processor under this DPA.

6.3 Notification of New Sub-Processors

The Processor shall notify the Controller of any intended changes to its Sub-Processor arrangements, including additions or replacements of Sub-Processors, by publishing an update to Schedule 3 on its website or by direct notification to the Controller's registered email address, with at least 30 days' notice before the change takes effect.

6.4 Right to Object

The Controller may object to the engagement of a new Sub-Processor by notifying the Processor in writing within 30 days of receiving notification under clause 6.3. The Controller's objection must be based on reasonable grounds relating to data protection. Where the Controller objects, the parties shall work in good faith to resolve the objection. If the parties are unable to resolve the objection within a further 30 days, either party may terminate the Terms of Service on reasonable notice, without penalty to the Controller. Where the Controller terminates under this clause, the Processor shall refund any prepaid Subscription fees on a pro-rata basis from the effective date of termination, as set out in Terms of Service §6.3.

6.5 Processor Liability for Sub-Processors

The Processor shall remain fully liable to the Controller for the acts and omissions of its Sub-Processors to the same extent as if the Processor had performed those acts or omissions itself.


7. International Transfers

7.1 Transfers Outside the UK

Where the Processor or a Sub-Processor transfers personal data to a country outside the United Kingdom that does not benefit from a UK adequacy regulation, the Processor shall ensure that such transfers are made subject to appropriate safeguards in accordance with Applicable Data Protection Law. Unless otherwise agreed, the Processor shall use the IDTA (or the EU SCCs with UK Addendum, where applicable) as the transfer mechanism for such transfers.

7.2 Transfers Outside the EEA

Where the Processor or a Sub-Processor transfers personal data to a country outside the European Economic Area that does not benefit from an EU adequacy decision (and where the EU GDPR applies to the Controller), the Processor shall ensure that such transfers are made subject to the EU SCCs or other appropriate safeguards approved under EU GDPR.

7.3 Sub-Processor Transfers

The Processor shall ensure that any transfer of personal data to a Sub-Processor located outside the UK or EEA is governed by appropriate transfer mechanisms as described in this clause 7. Details of the countries in which Sub-Processors are located are set out in Schedule 3.

7.4 Copies of Transfer Mechanisms

The Controller may request a copy of the applicable transfer mechanisms in place by contacting the Processor at info@surveyorsuite.co.uk.


8. Security Measures

8.1 Appropriate Technical and Organisational Measures

The Processor shall implement and maintain the technical and organisational security measures described in Schedule 2. These measures are designed to ensure a level of security appropriate to the risk posed by the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects.

8.2 Review and Update

The Processor shall keep its security measures under review and shall update them from time to time as appropriate to address evolving threats and vulnerabilities. The Processor shall notify the Controller of any material changes to the security measures that reduce the level of protection afforded to personal data.

8.3 Access Controls

The Processor shall implement and maintain appropriate access controls to ensure that personal data is accessible only to authorised personnel and systems on a need-to-know basis. Access to personal data held in the database is restricted by row-level security so that each Controller can only access its own data, and access to photographs held in cloud object storage is restricted to time-limited presigned URLs scoped to the authenticated user, as described in Schedule 2.


9. Data Breach Notification

9.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Data Breach affecting personal data processed on behalf of the Controller. Such notification shall be made by email to the Controller's registered email address.

9.2 Contents of Notification

The notification shall, to the extent then known, include:

(a) a description of the nature of the Data Breach, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;

(b) the name and contact details of the Processor's data protection contact from whom further information can be obtained;

(c) a description of the likely consequences of the Data Breach; and

(d) a description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Subsequent Information

Where full information is not available within the 48-hour notification period, the Processor shall provide information in phases as it becomes available, without undue delay.

9.4 Assistance with Regulatory Notification

The Processor shall cooperate with and assist the Controller in complying with the Controller's obligation to notify the relevant supervisory authority and affected data subjects in accordance with Applicable Data Protection Law.

9.5 No Admission of Liability

A notification under this clause 9 shall not be construed as an admission of liability by the Processor.


10. Data Subject Requests

10.1 Notification of Requests

Where the Processor receives a request from a data subject exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making), the Processor shall promptly forward the request to the Controller and shall not respond to it directly except on the Controller's written instructions or as required by law.

10.2 Assistance with Requests

The Processor shall, taking into account the nature of the processing, provide such reasonable assistance as the Controller may request to enable the Controller to respond to data subject requests. The Processor shall respond to requests for assistance within 10 business days of receipt of the Controller's written request for assistance.

10.3 Costs

The Processor reserves the right to charge the Controller a reasonable fee for assistance provided under clause 10.2 where the volume or complexity of requests places a disproportionate burden on the Processor, provided that the Processor notifies the Controller of any anticipated charge before commencing the relevant assistance.


11. Audit Rights

11.1 Information and Audit

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an independent auditor appointed by the Controller on the following terms:

(a) the Controller shall give the Processor at least 30 days' prior written notice of any intended audit or inspection;

(b) audits shall be conducted during normal business hours (Monday to Friday, 09:00–17:00 UK time) and in a manner that minimises disruption to the Processor's business operations;

(c) the Controller may conduct, or commission an independent third-party auditor to conduct, no more than one audit per calendar year, unless a Data Breach has occurred or there are reasonable grounds to suspect material non-compliance with this DPA, in which case additional audits may be conducted on reasonable notice;

(d) the Controller and any appointed auditor shall execute a confidentiality agreement in a form reasonably acceptable to the Processor prior to commencing any audit; and

(e) the Controller shall bear the costs of any audit, except where an audit reveals material non-compliance by the Processor, in which case the Processor shall bear its own reasonable costs of facilitating the audit.

11.2 Certification

Where the Processor holds relevant third-party certifications or audit reports (such as ISO 27001 certification or SOC 2 reports) relating to its information security practices, the Processor may provide copies of such certifications or reports to satisfy all or part of the Controller's audit rights under clause 11.1, to the extent they cover the processing activities under this DPA.


12. Data Return and Deletion

12.1 Return or Deletion on Termination

Upon termination or expiry of the Terms of Service (for any reason), the Processor shall:

(a) make the Controller's personal data available for export or download in a standard machine-readable format (JSON or CSV) for a period of 12 months following termination; and

(b) at the Controller's written request (which may be made at any time during the Retention Period), either return all personal data to the Controller or permanently delete it from all systems and storage, including any copies held by Sub-Processors.

12.2 Permanent Deletion at End of Retention Period

Where the Controller has not requested return or deletion of personal data during the 12-month Retention Period, the Processor shall permanently and irreversibly delete all personal data (including all copies, backups, and data held by Sub-Processors) at the end of the Retention Period. The Processor shall provide written confirmation to the Controller that deletion has been completed within 30 days of the deletion taking place.

12.3 Legal Retention Obligations

Notwithstanding the above, the Processor may retain personal data for longer than the Retention Period to the extent required by Applicable Data Protection Law or other applicable law, provided that the Processor notifies the Controller of the legal basis for such retention and continues to apply the protections set out in this DPA to the retained data.

12.4 Deletion of Anonymised and Aggregated Data

For the avoidance of doubt, this clause 12 does not apply to anonymised or aggregated data that does not constitute personal data under Applicable Data Protection Law.


13. Liability

13.1 General

Each party shall be liable to the other in accordance with the liability provisions set out in the Terms of Service, as supplemented by this clause 13.

13.2 Controller Liability

The Controller shall indemnify and hold harmless the Processor against any claims, losses, damages, fines, penalties, and regulatory sanctions suffered or incurred by the Processor arising from or in connection with:

(a) the Controller's failure to comply with its obligations under Applicable Data Protection Law;

(b) the Controller's failure to comply with its obligations under this DPA; or

(c) any instruction given by the Controller that causes the Processor to breach Applicable Data Protection Law.

13.3 Processor Liability

The Processor shall be liable to the Controller for any material damage or distress suffered by the Controller or any data subject as a result of the Processor's breach of this DPA or Applicable Data Protection Law, subject to the limitations of liability set out in the Terms of Service.

13.4 Regulatory Fines

Where both parties are responsible for a Data Breach or other infringement of Applicable Data Protection Law, liability for any regulatory fine or penalty imposed on either or both parties shall be apportioned between the parties according to their respective degree of responsibility for the infringement.

13.5 Limitation of Liability

Nothing in this DPA limits or excludes either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.


14. General

14.1 Precedence

In the event of any inconsistency or conflict between this DPA and the Terms of Service, this DPA shall take precedence in respect of data protection matters. In all other respects, the Terms of Service shall continue to apply.

14.2 Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales to settle any dispute arising out of or in connection with this DPA.

14.3 Amendments

The Processor may amend this DPA from time to time to reflect changes in Applicable Data Protection Law or changes to the Services, provided that:

(a) the Processor gives the Controller at least 30 days' prior written notice of any material amendment; and

(b) no amendment shall reduce the level of data protection afforded to personal data below the minimum required by Applicable Data Protection Law.

The Controller's continued use of the Services following the effective date of any amendment constitutes acceptance of the amended DPA.

14.4 Entire Agreement

This DPA, together with the Terms of Service and any schedules hereto, constitutes the entire agreement between the parties in relation to the processing of personal data under the Services and supersedes all prior agreements, representations, and understandings in relation to that subject matter.

14.5 Severability

If any provision of this DPA is held to be invalid or unenforceable under applicable law, that provision shall be modified to the minimum extent necessary to make it valid and enforceable, and the remaining provisions of this DPA shall continue in full force and effect.

14.6 Waiver

No failure or delay by either party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy. No waiver shall be effective unless made in writing.

14.7 Third Party Rights

This DPA does not create any rights enforceable by any third party under the Contracts (Rights of Third Parties) Act 1999, except that data subjects may benefit from any applicable rights under Applicable Data Protection Law.

14.8 Contact

For all data protection enquiries under this DPA, the Controller should contact:

SurveyorSuite Ltd.
4 Brading Road
London SW2 2AN
Email: info@surveyorsuite.co.uk


Schedule 1 — Details of Processing

This Schedule sets out the details of the processing carried out by the Processor on behalf of the Controller pursuant to clause 3 of this DPA.

Subject Matter of Processing

The Processor provides the Controller with a cloud-based platform for creating, managing, storing, and exporting professional building survey reports, including associated photographs and supporting data.

Duration of Processing

Processing commences on the date the Controller first accesses the Services and continues for the duration of the subscription, followed by the 12-month Retention Period described in clause 2.3.

Nature and Purpose of Processing

  • Storage: Storing survey report data, sections, ratings, notes, and metadata in a hosted database
  • Retrieval and display: Retrieving and displaying survey data to authenticated users of the Controller's account
  • PDF generation: Rendering survey data into formatted PDF reports via a third-party rendering service
  • DOCX generation: Rendering survey data into Word (.docx) format reports
  • Photo storage and processing: Storing uploaded photographs in cloud object storage; generating resized working copies (1920px) and thumbnail copies (400px)
  • Speech-to-text transcription: Converting dictated audio input to text; recognition is performed by the speech recognition built into the user's browser or device as described in Schedule 3, and the raw audio is not received or persistently stored by the Processor
  • Backup: Creating automated backups of database content to support disaster recovery
  • Soft-delete and recovery: Retaining deleted surveys and photographs in a soft-deleted state for up to 60 days to allow recovery before permanent deletion

Types of Personal Data Processed

  • Property owner and/or occupier names
  • Property addresses (including full postal address)
  • Surveyor names and RICS membership numbers
  • Client names and contact details (email address, telephone number, postal address)
  • Property photographs (which may incidentally capture identifiable features of persons or vehicles)
  • Inspection notes and commentary (which may contain references to identifiable individuals)
  • Account credentials and authentication data (email address, hashed password)

Categories of Data Subjects

  • Property owners and/or occupiers who are the subject of survey reports
  • Clients of the Controller who have commissioned surveys
  • The surveyor(s) themselves (employees, partners, or principals of the Controller)

Schedule 2 — Technical and Organisational Security Measures

The Processor currently implements the following technical and organisational measures to protect personal data processed under this DPA.

Encryption

  • Encryption in transit: All data transmitted between end-user devices and the Processor's platform is encrypted using TLS 1.2 or higher
  • Encryption at rest: All personal data stored in the database and in cloud object storage is encrypted at rest using AES-256 encryption

Access Controls

  • Row-level security (RLS): Row-level security policies are enforced on all database tables, ensuring that each Controller account can only access its own data and cannot access data belonging to other Controller accounts
  • Authentication: User access to the platform is controlled by Supabase Auth, requiring verified email address and password authentication
  • Time-limited access URLs: Photographs stored in cloud object storage are accessible only via time-limited presigned URLs scoped to the authenticated user; no public or permanent URLs are issued
  • Principle of least privilege: Staff and service accounts are granted only the minimum permissions necessary to perform their functions
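The row-level security measure above, and clause 8.3, rest on per-table policies that tie every row to the account that owns it. The following is an added illustration of what such a policy set looks like, together with a query an auditor can run under clause 11 to confirm RLS is actually enabled on every table. It is not SurveyorSuite's schema: the `surveys` table, the `account_id` column, the policy names and the `app` prefix are hypothetical, and it assumes a PostgreSQL database (Supabase is built on Postgres) with Supabase's `auth.uid()` helper and `authenticated` role available.

```sql
-- Added example: tenant isolation with PostgreSQL row-level security.
-- Hypothetical table; assumes Postgres with Supabase's auth.uid() and the
-- "authenticated" role. Not SurveyorSuite's own schema or policies.

create table if not exists surveys (
  id          uuid primary key default gen_random_uuid(),
  account_id  uuid not null,       -- Controller account that owns the row
  title       text not null,
  deleted_at  timestamptz          -- soft-delete marker (null = live row)
);

alter table surveys enable row level security;
-- Apply the policies to the table owner as well, not only to other roles.
alter table surveys force row level security;

-- Read: a user sees only rows belonging to their own account.
create policy surveys_select_own on surveys
  for select to authenticated
  using (account_id = auth.uid());

-- Insert: a user may only create rows under their own account.
create policy surveys_insert_own on surveys
  for insert to authenticated
  with check (account_id = auth.uid());

-- Update: the existing row AND the new values must both stay in the account,
-- so a row cannot be "moved" into another tenant by rewriting account_id.
create policy surveys_update_own on surveys
  for update to authenticated
  using (account_id = auth.uid())
  with check (account_id = auth.uid());

-- Delete: own rows only (the application sets deleted_at instead of deleting).
create policy surveys_delete_own on surveys
  for delete to authenticated
  using (account_id = auth.uid());

-- Audit check: every ordinary table in the public schema should show
-- rls_enabled = true and a non-zero policy_count. A table with RLS enabled
-- but no policies denies all access to non-owner roles; a table with RLS
-- disabled is readable by any role that has been granted SELECT.
select c.relname               as table_name,
       c.relrowsecurity        as rls_enabled,
       c.relforcerowsecurity   as rls_forced,
       count(p.polname)        as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
order by c.relname;
```

Two caveats a reviewer would raise against this pattern. First, `account_id = auth.uid()` assumes one user per account; Schedule 1 allows the Controller to be a surveying firm, so a multi-user firm needs a membership table and policies that check membership rather than equality with the user id. Second, RLS only constrains roles that are subject to it: in Supabase the `service_role` key bypasses RLS entirely, so any backend code using it is outside these policies, which is why the least-privilege measure in the same table matters as much as the policies themselves.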

Availability and Resilience

  • Automated backups: Database backups are performed automatically on a regular schedule to support data recovery in the event of data loss or corruption
  • Soft-delete architecture: Deleted surveys and photographs are retained in a soft-deleted state for up to 60 days before permanent deletion, allowing recovery in the event of accidental deletion
  • Disaster recovery: The Processor's infrastructure providers maintain high-availability and failover capabilities in accordance with their respective service commitments

Audit and Monitoring

  • Audit logging: Significant data access and modification events are recorded in an audit log, including record creation, update, deletion, and export events. Per-survey audit logs are available to users for RICS compliance and PI defence purposes
  • Breach monitoring: The Processor monitors its systems and those of its Sub-Processors for security incidents and data breaches
  • Dependency scanning: Automated vulnerability scanning of third-party dependencies is performed on every code deployment using industry-standard tools (e.g. Snyk, GitHub Dependabot). Known vulnerabilities are triaged and patched according to severity
  • Security headers: The application enforces HTTP security headers including Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, and Referrer-Policy

Vulnerability Management

  • Dependency updates: Third-party dependencies are monitored continuously for known vulnerabilities. Critical and high-severity vulnerabilities are patched within 7 days of disclosure; medium-severity within 30 days
  • Code review: All code changes are reviewed before deployment. Security-sensitive changes (authentication, authorisation, data access) receive additional scrutiny
  • Penetration testing: The Processor will conduct or commission periodic security assessments of the platform. Results are used to improve security measures on an ongoing basis
  • Responsible disclosure: The Processor maintains a security contact (info@surveyorsuite.co.uk) for reporting vulnerabilities. Reports are acknowledged within 2 business days and triaged within 5 business days

Incident Response

  • Incident classification: Security incidents are classified by severity: Critical (active data breach or exploitation), High (vulnerability with imminent risk of exploitation), Medium (vulnerability with limited exposure), Low (informational or best-practice improvement)
  • Response timeline: Critical incidents: immediate investigation, containment within 4 hours, Controller notification within 48 hours (per clause 9.1). High incidents: investigation within 24 hours. Medium/Low: addressed within standard vulnerability management timelines
  • Containment and remediation: On detection of a confirmed breach, the Processor will: (1) contain the incident to prevent further data exposure, (2) preserve evidence for investigation, (3) remediate the root cause, (4) notify affected Controllers per clause 9, and (5) conduct a post-incident review to prevent recurrence
  • Post-incident review: Following any Critical or High incident, the Processor conducts a documented post-incident review within 14 days, identifying root cause, impact, and preventive measures. A summary is made available to affected Controllers on request

Organisational Measures

  • Confidentiality obligations: All staff with access to personal data are subject to contractual confidentiality obligations
  • Security training: Staff with access to personal data receive appropriate data protection and security awareness training
  • Vendor management: Sub-Processors are subject to due diligence and contractual data protection obligations before being engaged
  • Security posture monitoring: The Processor uses security posture management tooling to continuously assess and improve the security configuration of its production infrastructure

Schedule 3 — Approved Sub-Processors

The Processor currently engages the Sub-Processors set out in the published sub-processor list at surveyorsuite.co.uk/legal/sub-processors, which is incorporated into this DPA by reference. The Controller's acceptance of this DPA constitutes general authorisation for the engagement of those Sub-Processors.

That published list identifies, for each Sub-Processor, the legal entity, the role, the country of processing, the categories of data processed, and a link to that Sub-Processor's data-protection terms. Where a Sub-Processor processes personal data outside the UK or EEA, the transfer mechanism is the UK International Data Transfer Agreement (IDTA) or the EU SCCs with the UK Addendum, except where an adequacy decision applies.

Voice dictation does not use a Sub-Processor. Voice dictation runs through the speech recognition built into the user's browser or device (the Web Speech API on the web; Capacitor on-device recognition on iOS and Android), and SurveyorSuite Ltd. does not see, store, or transmit the raw audio. Controllers should be aware that some browser implementations of the Web Speech API send audio to the browser vendor's own servers for recognition (Chrome does so); that transmission is made by the user's browser under the browser vendor's terms, not by the Processor's systems.

The Processor shall maintain an up-to-date list of Sub-Processors at the URL above and shall notify the Controller of any changes in accordance with clause 6.3 of this DPA.


This Data Processing Agreement is entered into by the parties on the date the Controller accepts the Terms of Service.