Data Processing Agreement

Last updated: 14 May 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between 360 Compliance Ltd (“Processor”) and the Client Organisation (“Controller”) and governs the processing of personal data by 360 Compliance on behalf of the Controller. This DPA is required by Article 28 of the UK General Data Protection Regulation (UK GDPR).

1. Parties

Data Controller

The Client Organisation named in the service agreement with 360 Compliance.

Data Processor

360 Compliance Ltd, a company registered in England and Wales.

Contact: info@360compliance.co.uk

2. Subject matter and nature of processing

360 Compliance processes personal data on behalf of the Controller for the purpose of providing the 360 Compliance compliance management platform, including:

  • Hosting and managing staff HR compliance records
  • Storing and serving policy, procedure, and protocol documents
  • Recording policy acknowledgements and audit trails
  • Processing form submissions and log entries
  • Managing staff appraisals and development records
  • Delivering transactional email notifications

3. Categories of personal data and data subjects

Data subjects

Staff members, managers, and other employees of the Controller organisation.

Categories of personal data

  • Identity data: name, email address, phone number
  • Employment data: job title, employment position, appraisal records
  • Authentication data: encrypted session tokens, IP addresses

Special categories of personal data (Article 9 UK GDPR)

The following special category data is processed under this DPA:

  • Criminal records data (Article 10): DBS certificate numbers, types, and dates
  • Biometric data (Article 9(1)): Passport scans, biometric residence permits, visa documents
  • Health data (Article 9(1)): Immunisation records, vaccination history

4. Processor obligations

360 Compliance shall, in its capacity as Processor:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures in accordance with Article 32 UK GDPR, including encryption, access controls, and audit logging
  • Not engage sub-processors without prior written authorisation from the Controller, except as set out in Schedule 1 of this DPA
  • Assist the Controller in responding to data subject rights requests, taking into account the nature of the processing
  • Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR (security, breach notification, DPIAs)
  • Delete or return all personal data to the Controller at the end of the service relationship, and delete existing copies unless retention is required by law
  • Make available all information necessary to demonstrate compliance with Article 28 UK GDPR and allow for audits

5. Sub-processors (Schedule 1)

The Controller provides general authorisation for 360 Compliance to engage the following sub-processors. 360 Compliance will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

Sub-processor     Purpose                                         Location                         Safeguard
Neon Inc.         PostgreSQL database hosting                     UK (eu-west-2, London)           UK adequacy / DPA
Cloudflare Inc.   File storage (R2) — EU jurisdiction-locked      EU                               EU adequacy / DPA
Vercel Inc.       Application hosting and serverless functions    UK (lhr1, London)                UK adequacy / DPA
Resend Inc.       Transactional email delivery                    EU (EU data residency enabled)   EU adequacy / DPA

No personal data is transferred to countries outside the UK or EU. All sub-processors are bound by Data Processing Agreements that impose equivalent obligations to those in this DPA.

6. Technical and organisational security measures

360 Compliance implements the following measures in accordance with Article 32 UK GDPR:

  • Encryption in transit: All data transmitted over TLS 1.2 or higher
  • Encryption at rest: Database and file storage encrypted at rest by infrastructure providers
  • Session security: Sessions encrypted with AES-256-GCM, expire after 8 hours, and are invalidated on logout
  • Access controls: Role-based access control (RBAC) with five permission levels; tenant isolation enforced on every database query
  • File access: Sensitive documents served only via short-lived presigned URLs (60-second expiry); never exposed directly
  • Audit logging: All data mutations logged with actor, timestamp, IP address, and user agent; 7-year retention
  • Rate limiting: Authentication endpoints rate-limited to prevent brute-force attacks
  • Invite-only access: No self-registration; all accounts created by authorised administrators

7. Personal data breach notification

360 Compliance will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. Notification will include, to the extent available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

8. Retention and deletion

On termination of the service agreement, 360 Compliance will, at the Controller's election, either return or securely delete all personal data within 30 days, except where retention is required by applicable law (including CQC Regulation 17 audit log retention requirements).

The Controller may request erasure of individual data subjects' personal data at any time, subject to legal retention obligations. 360 Compliance provides an erasure workflow that anonymises personal data and deletes associated files from storage.

9. Contact and execution

This DPA is incorporated by reference into the service agreement between 360 Compliance and the Controller. By using the 360 Compliance platform, the Controller agrees to the terms of this DPA.

For data protection queries, breach notifications, or to request a signed copy of this DPA, contact:

360 Compliance Ltd

Email: info@360compliance.co.uk

Phone: +44 7999 367999