Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Customer”, the controller) and JN Technology Limited, trading as Encompass One (“Encompass One”, “we”, the processor), registered office Portland House, Belmont Business Park, Durham, DH1 1TW, registered in England & Wales. It governs our processing of personal data on the Customer’s behalf when the Customer uses the Encompass One service, and applies in addition to our Terms of Service and Privacy Policy.

Where the Customer is itself a processor for a third party, the Customer warrants it has authority to engage us as a sub-processor on these terms.

The details required by Article 28(3) UK GDPR are:

• Subject-matter — provision of the Encompass One safety-compliance and HR software.
• Duration — for the term of the Customer’s subscription, plus the deletion period in section 9.
• Nature and purpose — hosting, storage and processing of Customer data to deliver the service’s features (assessments, employees, leave, sickness, training, documents, reporting and related functions).
• Types of personal data — names and contact details; employment data; leave, sickness and return-to-work records (which may include health data, a special category); training and qualifications; documents and acknowledgements; account and usage data.
• Categories of data subjects — the Customer’s employees, workers, contractors and other personnel; the Customer’s account users.

We will:

• process personal data only on the Customer’s documented instructions (including those given through the service), unless required by law, in which case we will inform the Customer unless legally prohibited;
• ensure persons authorised to process the data are bound by confidentiality;
• implement appropriate technical and organisational measures (section 7 and Annex C);
• respect the conditions in section 5 for engaging sub-processors;
• assist the Customer, taking into account the nature of processing, in responding to data-subject requests (section 6);
• assist the Customer with security, breach notification, data protection impact assessments and prior consultation under Articles 32–36;
• at the Customer’s choice, delete or return the data at the end of the service (section 9); and
• make available information necessary to demonstrate compliance and allow for and contribute to audits (section 8).

The Customer is the controller and is responsible for establishing a lawful basis (and, for special-category data such as sickness records, an additional Article 9 condition) for the data it processes through the service, for the accuracy of that data, and for informing its own staff as required.

The Customer provides general authorisation for us to engage sub-processors to deliver the service. Our current sub-processors are:

• Supabase — database, authentication and file storage (hosted in the UK/EU).
• Vercel — application hosting and delivery.
• Resend — transactional email delivery.

We impose data-protection terms on each sub-processor no less protective than this DPA, and remain liable for their performance. We will give the Customer reasonable notice of any intended change of sub-processor, allowing the Customer to object on reasonable data-protection grounds.

Taking into account the nature of the processing, we will assist the Customer with appropriate technical and organisational measures, insofar as possible, to fulfil the Customer’s obligations to respond to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability and objection). The service also lets the Customer export, edit, anonymise and delete records directly.

We implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex C, in line with Article 32 UK GDPR.

We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates — on reasonable prior notice, no more than once per year (except following a personal-data breach or where required by a supervisory authority), and subject to confidentiality. Our security & architecture documentation is available to support such reviews.

On termination of the service, the Customer may export its data. We will delete or anonymise Customer personal data within 30 days of termination, except where we are required to retain it by law. Backups are deleted on our standard backup-rotation cycle.

We aim to keep personal data within the UK/EEA. Where a sub-processor processes data outside the UK/EEA, we rely on an appropriate transfer mechanism such as the UK International Data Transfer Agreement / Addendum or adequacy regulations.

We will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer data, and provide information reasonably available to help the Customer meet its own notification obligations.

This DPA is governed by the laws of England and Wales. In the event of conflict between this DPA and the Terms of Service in respect of data protection, this DPA prevails. To request a counter-signed copy, contact hello@jntechnology.co.uk.

As set out in section 2 (subject-matter, duration, nature and purpose, types of personal data and categories of data subjects).

As listed in section 5. An up-to-date list is available on request.

• Encryption — data encrypted in transit (TLS) and at rest.
• Access control — row-level security isolating each customer workspace; role-based permissions; least-privilege access for staff.
• Authentication — SSO (Google/Microsoft) and optional multi-factor authentication for accounts.
• Auditability — audit logging of significant actions.
• Resilience — managed, backed-up database hosting in the UK/EU region.
• Network — security headers (CSP, HSTS), rate limiting and standard hardening.