Data Processing Agreement
Last updated: 23 March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the subscribing organisation ("Controller", "you") and Vardeck ("Processor", "we", "us") for the provision of compliance management services.
1. Definitions
- UK GDPR means the General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- DPA 2018 means the Data Protection Act 2018.
- Personal Data, Data Subject, Processing, Controller, Processor, and Sub-processor have the meanings given in UK GDPR.
- Services means the Vardeck compliance management platform and related services.
2. Scope and Roles
When you use Vardeck to manage data about your staff, pupils, parents/guardians, and facility operations:
- You (the subscribing organisation) are the Data Controller — you determine the purposes and means of processing personal data
- Vardeck is the Data Processor — we process personal data on your behalf and according to your instructions
3. Categories of Data Processed
| Data Category | Data Subjects | Types of Personal Data |
|---|---|---|
| Staff records | Your employees and contractors | Name, email, phone, job title, DBS references, emergency contacts, medical notes, kiosk PINs |
| Parent/guardian records | Parents and guardians of pupils | Name, email, phone, address, emergency contacts, payment references |
| Pupil records | Children enrolled in swim lessons | Name, date of birth, medical notes, swimming aids, consent flags, attendance, skill progress |
| Operational data | Staff performing facility tasks | Pool test readings, incident reports, equipment checks, audit trails |
4. Processor Obligations
Vardeck shall:
- Process personal data only on your documented instructions, unless required by law
- Ensure that persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure security of processing (see Section 5)
- Not engage a sub-processor without your prior written authorisation (see Section 7)
- Assist you in responding to data subject rights requests
- Assist you in meeting obligations under Articles 32–36 UK GDPR (security, breach notification, impact assessments)
- At your choice, delete or return all personal data upon termination of services, and delete existing copies unless required by law
- Make available all information necessary to demonstrate compliance and allow for audits
5. Security Measures
Vardeck implements the following technical and organisational measures:
- Encryption at rest: All personal data fields encrypted using AES-256-CBC
- Encryption in transit: All connections secured with TLS 1.2 or higher
- Access control: Role-based access control with tenant-level data isolation
- Authentication: Passwords hashed with bcrypt (12 rounds); PINs hashed; API tokens with configurable expiration
- Session security: Encrypted, HTTP-only, secure cookies with SameSite protection
- Audit logging: All data modifications logged with user identification and timestamp
- Rate limiting: Login attempts rate-limited to prevent brute force attacks
- Input validation: Server-side validation on all user inputs; output encoding to prevent XSS
- CSRF protection: Token-based protection on all state-changing requests
- Hosting: UK-based data centres with physical security controls
6. Data Breach Notification
In the event of a personal data breach, Vardeck shall:
- Notify you without undue delay, and in any event within 24 hours of becoming aware of the breach
- Provide sufficient information to enable you to meet your obligation to notify the ICO within 72 hours (Article 33 UK GDPR)
- Provide the following details: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with you in investigating, mitigating, and remediating the breach
- Document all breaches including facts, effects, and remedial action taken
7. Sub-processors
You authorise Vardeck to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | UK / EU |
| Hosting provider | Infrastructure and hosting | United Kingdom |
We will inform you of any intended changes to sub-processors, giving you the opportunity to object. If you reasonably object, we will work with you to find an alternative solution or, where this is not possible, you may terminate the affected services.
8. International Transfers
All personal data is stored and processed within the United Kingdom. We do not transfer personal data outside the UK. If this changes, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision) and will notify you in advance.
9. Data Subject Rights
Vardeck will assist you in fulfilling data subject requests including:
- Access requests (Subject Access Requests)
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability (export in machine-readable format)
- Restriction of processing
- Objection to processing
If a data subject contacts Vardeck directly, we will promptly redirect them to you as the Controller.
10. Data Protection Impact Assessments
Where processing is likely to result in a high risk to data subjects' rights and freedoms, Vardeck will assist you in carrying out Data Protection Impact Assessments (DPIAs) as required by Article 35 UK GDPR, including providing relevant information about our processing operations and security measures.
11. Data Retention and Deletion
Upon termination of the agreement:
- You may export your data within 30 days of termination
- After 30 days, all personal data will be permanently deleted from active systems
- Backup copies will be purged within 90 days of termination
- We will provide written confirmation of deletion upon request
12. Audit Rights
You have the right to audit Vardeck's compliance with this DPA. Audits shall be conducted with reasonable notice (minimum 30 days), during normal business hours, and at your expense. Vardeck will cooperate fully and provide access to relevant documentation, systems, and personnel.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the main Terms of Service. This DPA does not limit either party's liability for breaches of data protection law where such limitation is not permitted.
14. Term and Termination
This DPA is effective for the duration of your subscription to Vardeck's Services. Data processing obligations survive termination until all personal data has been deleted or returned.
15. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.
16. Contact
For questions about this DPA or data processing practices, contact:
- Email: privacy@vardeck.app
- Post: Vardeck, Data Protection Enquiries