Data Processing Agreement

Last updated: 15 March 2026  ·  Effective: 15 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and WhealBit ("Processor"). It sets out the terms on which we process personal data on your behalf when you use QWTN - Waste Tools & Compliance. This DPA is subject to, and incorporated by reference into, our Terms of Service.

Contents

  01  Definitions & Interpretation
  02  Scope & Application
  03  Roles of the Parties
  04  Controller Obligations
  05  Processing Instructions
  06  Purpose & Lawful Basis
  07  Categories of Data Subjects & Personal Data
  08  Sub-Processors
  09  International Transfers
  10  Security Measures
  11  Personal Data Breach
  12  Data Protection Impact Assessments
  13  Data Subject Rights
  14  Audit Rights
  15  Data Retention & Deletion
  16  Confidentiality
  17  Limitation of Liability
  18  Indemnification
  19  Term & Termination
  20  Governing Law & Dispute Resolution
  21  General Provisions
  22  Contact

01

Definitions & Interpretation

In this DPA, the following definitions apply in addition to those set out in the Terms of Service:

"Applicable Data Protection Law"
means the UK General Data Protection Regulation (UK GDPR) as retained by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and any successor legislation, as amended from time to time.
"Controller"
means the party that determines the purposes and means of Processing of Personal Data — in the context of this DPA, the Customer.
"Processor"
means the party that Processes Personal Data on behalf of the Controller — in the context of this DPA, WhealBit.
"Sub-Processor"
means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
"Personal Data"
means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller through the Service.
"Processing"
means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Personal Data Breach"
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
"Data Subject"
means an identified or identifiable natural person to whom Personal Data relates.
"DPIA"
means a Data Protection Impact Assessment as required under Article 35 of the UK GDPR.
"Supervisory Authority"
means the Information Commissioner's Office (ICO) or any successor regulatory authority with competence over data protection in the United Kingdom.
"Standard Contractual Clauses" or "SCCs"
means the standard contractual clauses approved by the European Commission or UK Government, as applicable, for the transfer of Personal Data to countries that do not benefit from an adequacy decision.

Terms not defined in this DPA shall have the meanings given to them in the Terms of Service or, where applicable, Applicable Data Protection Law.


02

Scope & Application

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Controller's use of QWTN - Waste Tools & Compliance.

This DPA does not apply to:

  • Personal Data that the Processor Processes as a Controller in its own right (for example, account registration data, billing data, and usage analytics), which is governed by our Privacy Policy;
  • Anonymous or aggregated data from which no individual can be identified;
  • Data Processed by third-party services that you integrate with the Service independently;
  • Data Processed prior to the effective date of this DPA.
This DPA is supplementary to, and does not replace, the Terms of Service or Privacy Policy. In the event of any conflict between this DPA and the Terms of Service, the terms most protective of the Processor shall prevail.

03

Roles of the Parties

The parties acknowledge and agree that:

  • The Controller (you) determines the purposes and means of Processing Personal Data through the Service. You are solely responsible for ensuring that your Processing activities comply with Applicable Data Protection Law;
  • The Processor (WhealBit) Processes Personal Data solely on behalf of and under the documented instructions of the Controller, as described in this DPA;
  • Nothing in this DPA shall be construed as making the Processor a joint controller with the Controller.
You are solely responsible for all data protection compliance. The Processor provides the Service as a tool. The Processor does not provide legal, regulatory, or compliance advice and accepts no liability for the Controller's failure to comply with Applicable Data Protection Law, including but not limited to the Controller's obligations regarding lawful basis, Data Subject rights, data protection impact assessments, and notifications to Supervisory Authorities.

04

Controller Obligations

The Controller warrants, represents, and undertakes that:

  • It has a lawful basis under Applicable Data Protection Law for all Personal Data it submits to or Processes through the Service;
  • It has provided all required notices to, and obtained all necessary consents from, Data Subjects prior to submitting their Personal Data to the Service;
  • All Personal Data submitted to the Service is accurate, complete, and lawfully obtained;
  • It shall comply with all obligations incumbent on a Controller under Applicable Data Protection Law;
  • It has conducted and documented any required DPIA before Processing high-risk Personal Data through the Service;
  • It shall not submit special category data (Article 9 UK GDPR) or criminal conviction data (Article 10 UK GDPR) to the Service unless it has established a lawful basis and appropriate safeguards, and has notified the Processor in writing;
  • Its instructions to the Processor shall at all times comply with Applicable Data Protection Law;
  • It shall promptly inform the Processor of any changes to applicable legislation or regulatory guidance that may affect the Processor's Processing activities under this DPA.
The Processor relies entirely on the Controller's warranties above. The Processor accepts no responsibility or liability for any claim, loss, fine, penalty, or damage arising from the Controller's breach of these obligations.

05

Processing Instructions

The Processor shall Process Personal Data only on the documented instructions of the Controller, unless required to do so by Applicable Law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited from doing so by law).

The Controller's documented instructions are as follows:

  • Processing Personal Data as necessary to provide, maintain, and improve the Service;
  • Processing Personal Data as described in the Privacy Policy;
  • Processing Personal Data as further documented in any written instructions provided by the Controller and accepted by the Processor;
  • Processing Personal Data to comply with applicable law, regulation, or lawful government request.

The Controller's use of the Service constitutes its complete and final documented instructions for Processing. Any additional or modified instructions must be agreed in writing and may be subject to additional fees.

If the Processor reasonably believes that an instruction from the Controller infringes Applicable Data Protection Law, it shall promptly notify the Controller. The Processor may suspend Processing of the affected Personal Data until the Controller issues a compliant instruction. The Processor shall not be liable for any delay or failure to perform caused by such suspension.


06

Purpose & Lawful Basis

The Processor shall Process Personal Data solely for the following purposes:

  • Providing and operating the waste transfer note management features of the Service;
  • Generating, storing, and transmitting waste transfer notes, season tickets, and related compliance documents;
  • Managing client, site, and contact records as directed by the Controller;
  • Facilitating electronic signatures, document sharing, and client portal access;
  • Providing fleet management, health and safety, and scheduling features;
  • Generating invoices and financial records;
  • Sending transactional communications (e.g. signature requests, collection reminders, invoice notifications) as directed by the Controller;
  • Providing support and resolving technical issues;
  • Generating aggregated analytics and reports for the Controller;
  • Complying with applicable law and regulatory requirements.

The lawful basis for Processing is the performance of the contract between the Controller and the Processor (Article 6(1)(b) UK GDPR) and the legitimate interests of the Controller in managing waste compliance operations (Article 6(1)(f) UK GDPR). The Controller is solely responsible for determining and documenting the appropriate lawful basis for Processing in respect of each category of Data Subject.


07

Categories of Data Subjects & Personal Data

The following categories of Data Subjects and Personal Data may be Processed under this DPA:

Data Subject Category            | Types of Personal Data
Controller's employees & staff   | Name, email, phone number, job title, driver/operator licence details, signatures, walkaround records, accident/near-miss reports
Controller's clients & contacts  | Name, email, phone number, business name, site addresses, carrier/broker licence details, portal login credentials
Site contacts & representatives  | Name, email, phone number, job title, site address, signatures on waste transfer notes
Signatories                      | Name, email, electronic signature, IP address at time of signing, timestamp

The Controller acknowledges that it is solely responsible for ensuring that only necessary and proportionate Personal Data is submitted to the Service (data minimisation principle). The Processor has no obligation to review, validate, or filter Personal Data submitted by the Controller.


08

Sub-Processors

The Controller provides general written authorisation to the Processor to engage Sub-Processors for the Processing of Personal Data, subject to the conditions below.

The Processor currently uses the following Sub-Processors:

Sub-Processor        | Purpose                                         | Location
Supabase (via AWS)   | Database hosting, authentication, and storage   | EU (Frankfurt)
Netlify              | Application hosting and edge delivery           | Global (edge), US (origin)
Twilio SendGrid      | Transactional email delivery                    | US
Stripe               | Payment processing                              | US / Ireland

Changes to Sub-Processors. The Processor shall maintain an up-to-date list of Sub-Processors on this page. When the Processor intends to add or replace a Sub-Processor, it shall notify the Controller by updating this page and, where practicable, by email. The Controller shall have 14 days from the date of notification to object in writing to privacy@qwtn.co.uk.

If the Controller objects, the Processor shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, the Controller's sole remedy is to terminate the affected Service and this DPA by providing written notice. The Controller shall have no claim for damages, refund, or compensation arising from such termination.

The Processor shall impose contractual obligations on each Sub-Processor that are no less protective than those contained in this DPA. The Processor shall remain liable for the acts and omissions of its Sub-Processors to the extent set out in the limitation of liability provisions of this DPA — not to any greater extent.


09

International Transfers

The Controller acknowledges that certain Sub-Processors are located outside the United Kingdom and the European Economic Area. The Processor shall ensure that any international transfer of Personal Data is conducted in compliance with Applicable Data Protection Law, using one or more of the following safeguards:

  • Transfer to a country or territory that has been recognised as providing an adequate level of data protection by the UK Secretary of State;
  • Standard Contractual Clauses (as adopted and supplemented by the UK International Data Transfer Addendum);
  • Binding Corporate Rules approved by a competent Supervisory Authority;
  • Any other lawful transfer mechanism under Applicable Data Protection Law.

The Controller acknowledges that transfer mechanisms are subject to legal and regulatory change. The Processor shall use commercially reasonable efforts to maintain appropriate safeguards, but shall not be liable for any transfer that was compliant at the time it was made and is subsequently invalidated by a court or regulatory decision.

By using the Service, the Controller acknowledges and consents to the transfer of Personal Data to Sub-Processors located in the jurisdictions identified in Section 8. The Controller warrants that it has the authority to consent to such transfers on behalf of all relevant Data Subjects, or that another valid transfer mechanism applies.

10

Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. These measures include:

  • Encryption: All Personal Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
  • Access controls: Role-based access controls, multi-factor authentication for staff access to production systems, and principle of least privilege;
  • Monitoring: Automated monitoring and alerting for unusual access patterns and security events;
  • Infrastructure: Hosted on Supabase and Netlify, operating within SOC 2 Type II and ISO 27001 certified cloud environments;
  • Backup: Automated daily backups with point-in-time recovery capability;
  • Personnel: All personnel with access to Personal Data are bound by contractual confidentiality obligations;
  • Vulnerability management: Regular dependency updates and security patching.
No system is completely secure. While the Processor takes commercially reasonable steps to protect Personal Data, the Processor cannot and does not guarantee absolute security. The Processor expressly disclaims all liability for any unauthorised access to, loss of, or disclosure of Personal Data, to the fullest extent permitted by Applicable Law, except where directly caused by the Processor's gross negligence or wilful misconduct.

The Controller is responsible for implementing appropriate security measures within its own systems, including but not limited to strong passwords, access management for team members, and timely revocation of access for departing personnel.


11

Personal Data Breach

In the event of a Personal Data Breach, the Processor shall:

  • Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, providing such information as is reasonably available at the time;
  • Provide the Controller with sufficient information to enable the Controller to fulfil its own notification obligations to the Supervisory Authority and affected Data Subjects under Articles 33 and 34 of the UK GDPR;
  • Take reasonable steps to contain and mitigate the effects of the breach;
  • Cooperate with the Controller in investigating the breach, provided the Controller bears any costs of external forensic investigation or specialist support.

The Processor's notification to the Controller shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach;
  • The contact details of the Processor's point of contact for further information.
The Controller is solely responsible for determining whether a Personal Data Breach requires notification to the Supervisory Authority (ICO) or affected Data Subjects, and for making any such notifications within the required timeframes. The Processor shall not be liable for any failure by the Controller to make timely or adequate notifications.

12

Data Protection Impact Assessments

Where a DPIA is required under Article 35 of the UK GDPR, the Controller is solely responsible for conducting and documenting the assessment.

The Processor shall, upon reasonable written request and subject to confidentiality obligations, provide the Controller with such information about the Processing as is reasonably necessary to assist the Controller in conducting a DPIA, provided that:

  • The request is made in writing to privacy@qwtn.co.uk;
  • The Controller provides reasonable advance notice (not less than 30 days);
  • The scope of information requested does not extend to the Processor's proprietary systems, algorithms, security architecture, or business-sensitive information;
  • The Controller bears all costs associated with the Processor's assistance, including but not limited to staff time at our standard professional rates.

The Processor shall also provide reasonable assistance if the Controller is required to consult with the Supervisory Authority under Article 36 of the UK GDPR, subject to the same conditions above.


13

Data Subject Rights

The Controller is solely responsible for responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

The Processor shall:

  • Promptly forward to the Controller any Data Subject request received directly by the Processor, and shall not respond to the Data Subject directly unless instructed by the Controller or required by law;
  • Provide the Controller with commercially reasonable technical assistance to fulfil Data Subject requests, insofar as the Controller cannot fulfil such requests independently through the Service's standard functionality;
  • Make available self-service tools within the Service (such as data export and deletion features) to enable the Controller to respond to common Data Subject requests.

The Controller shall bear all costs associated with the Processor's assistance in responding to Data Subject requests that cannot be fulfilled through standard Service functionality. Assistance shall be billed at the Processor's standard professional rates.

The Service provides standard data export and deletion tools. The Processor is not obligated to develop custom features, reports, or processes to fulfil individual Data Subject requests. If the Controller requires bespoke assistance, this shall be treated as a professional services engagement and charged accordingly.

14

Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

  • The Controller shall provide at least 30 days' prior written notice of any proposed audit;
  • Audits shall be conducted no more than once per 12-month period, unless required by a Supervisory Authority or following a confirmed Personal Data Breach;
  • Audits shall be conducted during Business Hours and shall not interfere with the Processor's normal business operations;
  • The Controller shall bear all costs associated with the audit, including but not limited to the Processor's staff time, third-party auditor fees, and any expenses incurred;
  • Where an independent third-party auditor is engaged, the auditor must be agreed by both parties and shall execute a confidentiality agreement acceptable to the Processor before commencing any audit;
  • The scope of any audit shall not extend to the Processor's proprietary source code, security architecture details, other customers' data, or commercially sensitive information;
  • The Processor may satisfy audit requests by providing relevant certifications (e.g. SOC 2, ISO 27001), audit reports, or compliance documentation from its infrastructure providers, in lieu of permitting on-site access.

The Processor shall cooperate with reasonable audit requests and provide access to relevant documentation, records, and personnel. However, the Processor reserves the right to redact information that pertains to other customers or that would compromise the Processor's security posture.


15

Data Retention & Deletion

The Processor shall retain Personal Data for the duration of the Controller's use of the Service, unless earlier deletion is requested by the Controller through the Service's standard functionality.

Upon termination of the Controller's account:

  • The Controller shall have 30 days from the date of termination to export any Personal Data through the Service's standard export features;
  • After the 30-day export period, the Processor shall delete all Personal Data within a further 90 days, unless retention is required by Applicable Law or for the establishment, exercise, or defence of legal claims;
  • Deletion shall include the removal of Personal Data from active systems. Personal Data may persist in encrypted backups for a further period consistent with the backup retention schedule (up to 90 days), after which it shall be overwritten in the ordinary course of backup rotation;
  • The Processor shall provide written confirmation of deletion upon reasonable written request from the Controller.
The Processor retains the right to keep anonymised, aggregated data derived from the Controller's use of the Service indefinitely. Such data shall not constitute Personal Data and shall not be subject to this DPA. The Processor also retains the right to keep any data required for compliance with legal obligations, regulatory requirements, or the defence of legal claims, without time limitation.

16

Confidentiality

The Processor shall ensure that all personnel authorised to Process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

The Processor shall not disclose Personal Data to any third party except:

  • To authorised Sub-Processors as described in Section 8;
  • Where required by Applicable Law, regulation, court order, or Supervisory Authority direction (in which case the Processor shall, where legally permitted, notify the Controller prior to disclosure);
  • Where expressly authorised by the Controller in writing;
  • To the Processor's professional advisers (legal, accounting, insurance) on a need-to-know basis and subject to confidentiality obligations.

17

Limitation of Liability

IMPORTANT — PLEASE READ CAREFULLY. This section limits the Processor's liability under this DPA to the maximum extent permitted by Applicable Law.

To the maximum extent permitted by Applicable Law:

  • The Processor's total aggregate liability under or in connection with this DPA (whether in contract, tort, negligence, breach of statutory duty, or otherwise) shall not exceed the lesser of (a) the total fees actually paid by the Controller to the Processor in the 12-month period immediately preceding the event giving rise to the claim, or (b) one thousand pounds sterling (£1,000);
  • The Processor shall not be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including but not limited to loss of profits, revenue, business, data, goodwill, anticipated savings, or opportunity, regardless of whether the Processor was advised of the possibility of such damages;
  • The Processor shall not be liable for any regulatory fines, penalties, enforcement actions, or compensation orders imposed on the Controller or any third party by a Supervisory Authority or court;
  • The Processor shall not be liable for any loss arising from the Controller's failure to comply with its obligations under this DPA, Applicable Data Protection Law, or the Terms of Service;
  • The Processor shall not be liable for any Personal Data Breach caused by the Controller's own acts or omissions, including but not limited to weak passwords, failure to revoke access, or sharing login credentials;
  • The Processor shall not be liable for any loss arising from the acts or omissions of Sub-Processors, except where the Processor has failed to impose contractual obligations on the Sub-Processor materially equivalent to those in this DPA;
  • The Processor shall not be liable for any claim brought more than 12 months after the event giving rise to the claim.

Nothing in this DPA excludes or limits liability for (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, or (c) any other liability that cannot be excluded or limited under Applicable Law.

The parties acknowledge that the limitations in this section reflect the allocation of risk between the parties and form an essential basis of the bargain. The fees charged by the Processor reflect this allocation of risk.


18

Indemnification

The Controller agrees to indemnify, defend, and hold harmless the Processor, its directors, officers, employees, agents, contractors, and affiliates from and against any and all claims, demands, liabilities, losses, damages, costs, fines, penalties, and expenses (including reasonable legal fees and regulatory costs) arising out of or in connection with:

  • The Controller's breach of this DPA or Applicable Data Protection Law;
  • The Controller's Processing of Personal Data through the Service, including any claims from Data Subjects or third parties;
  • Any complaint, investigation, enforcement action, or penalty by a Supervisory Authority in connection with the Controller's Processing activities;
  • The Controller's failure to obtain necessary consents, provide required notices, or establish a lawful basis for Processing;
  • Any instructions given by the Controller to the Processor that infringe Applicable Data Protection Law;
  • Any special category or criminal conviction data submitted by the Controller without proper safeguards;
  • Any dispute between the Controller and a Data Subject arising from the Controller's use of the Service;
  • The Controller's failure to respond to Data Subject requests in a timely manner;
  • Any international transfer of Personal Data directed or authorised by the Controller.

This indemnification obligation survives the termination of the Controller's account and this DPA without time limitation.


19

Term & Termination

This DPA commences on the date the Controller first uses the Service and continues for the duration of the Controller's use of the Service.

This DPA terminates automatically upon:

  • Deletion of the Controller's account;
  • Expiry or termination of the Terms of Service;
  • Mutual written agreement of the parties.

Upon termination:

  • The Processor shall cease Processing Personal Data on behalf of the Controller, except as necessary for data deletion and as permitted under Section 15;
  • Sections 15 (Data Retention & Deletion), 16 (Confidentiality), 17 (Limitation of Liability), 18 (Indemnification), 20 (Governing Law), and 21 (General Provisions) survive termination;
  • The Controller shall have no claim for refund, compensation, or damages arising from the termination of this DPA.

20

Governing Law & Dispute Resolution

This DPA, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it, are governed by and construed in accordance with the laws of England and Wales.

You irrevocably submit to the exclusive jurisdiction of the courts of England and Wales for the resolution of any dispute arising under or in connection with this DPA.

Mandatory Pre-Litigation Resolution. Before initiating any legal proceedings relating to this DPA, the Controller must:

  • Notify the Processor in writing at legal@qwtn.co.uk with full details of the dispute;
  • Allow a minimum of 60 days for informal resolution;
  • Participate in good faith in any mediation or alternative dispute resolution process proposed by the Processor.

Legal proceedings commenced without following this procedure may be stayed by the court pending compliance.


21

General Provisions

Entire Agreement. This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous communications, representations, or agreements, whether written or oral.

Amendments. The Processor may amend this DPA at any time by publishing the updated version on this page. Material changes shall be notified to the Controller by email or in-app notification. Continued use of the Service after the effective date of any amendment constitutes acceptance. The Controller's sole remedy if it disagrees with an amendment is to terminate its account.

Severability. If any provision of this DPA is found to be invalid or unenforceable, it shall be severed and the remaining provisions shall continue in full force. The invalid provision shall be replaced by a valid provision that most closely achieves the intended commercial effect.

No Waiver. No failure or delay by the Processor in exercising any right shall constitute a waiver of that right. A waiver of any term shall not be deemed a continuing waiver.

Assignment. The Processor may assign or transfer this DPA (including by way of merger, acquisition, or sale of substantially all assets) without the Controller's consent. The Controller may not assign this DPA without the Processor's prior written consent.

Third-Party Rights. This DPA does not confer any rights on any person or party other than the parties to it (and their permitted successors and assigns). Nothing in this DPA is intended to create any rights in favour of Data Subjects.

Precedence. In the event of conflict between this DPA and the Terms of Service, the terms most protective of the Processor shall prevail. Headings are for convenience only and do not affect interpretation. References to "including" mean "including without limitation".


22

Contact

For questions about this Data Processing Agreement or to exercise any rights under it, please contact us:

WhealBit

Legal: legal@qwtn.co.uk

Data Protection: privacy@qwtn.co.uk

Registered in: England and Wales