This Data Processing Agreement ("DPA") applies where DocRide Tech Ltd processes personal data on behalf of a customer organisation through the DocRide platform. It is incorporated into the User Agreement unless the parties sign a separate DPA.
1. Parties and roles
The customer organisation is the controller of Customer Personal Data. DocRide Tech Ltd is the processor. Where the customer processes data on behalf of another organisation, the customer warrants that it has authority to instruct DocRide.
2. Customer Personal Data
"Customer Personal Data" means personal data submitted to, stored in, generated through or otherwise processed by DocRide on behalf of the customer, including user records, employee records, contractor records, consultant records, OHS documents, incidents, investigations, training, competence, audit, inspection, corrective action, uploaded file and sign-off records.
3. Processing details
- Subject matter: provision of the DocRide OHS management SaaS platform.
- Duration: for the term of the customer subscription and any post-termination retention period.
- Nature and purpose: hosting, storage, retrieval, display, workflow management, AI-assisted processing, reporting, backup, support, security and deletion/export of Customer Personal Data.
- Data subjects: platform users, employees, contractors, consultants, auditors, assessors, clients, suppliers, visitors, witnesses, injured persons and other persons referenced in OHS records.
- Categories: contact details, employment details, role data, competence/training records, certificates, OHS records, incident details, uploaded files, usage logs and special category data where uploaded by the customer.
4. Customer obligations
The customer must:
- provide lawful, documented instructions to DocRide;
- ensure it has a lawful basis for processing all Customer Personal Data;
- provide privacy notices to affected individuals;
- ensure an Article 9 UK GDPR condition exists for health or other special category data;
- avoid uploading excessive, irrelevant or unlawful content;
- manage user permissions and access rights;
- ensure AI outputs and OHS records are reviewed by competent humans before use.
5. DocRide obligations
DocRide will:
- process Customer Personal Data only on documented customer instructions, unless required by law;
- ensure persons authorised to process Customer Personal Data are bound by confidentiality;
- implement appropriate technical and organisational security measures;
- assist the customer, insofar as reasonably possible, with data subject requests, security obligations, DPIAs and regulatory consultations;
- notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data;
- make available information reasonably necessary to demonstrate compliance with UK GDPR Article 28;
- delete or return Customer Personal Data at the end of the services, subject to legal, audit, backup, sign-off and evidential retention limits.
6. Subprocessors
The customer gives DocRide general authorisation to appoint subprocessors. Current categories include UK hosting/infrastructure, Amazon SES for email, Stripe for payments, Google Gemini for AI processing, Google Analytics for website analytics and security/monitoring providers.
DocRide will maintain a Subprocessor Policy and will impose data protection obligations on subprocessors that are materially equivalent to this DPA. Customers may object to a new subprocessor on reasonable data protection grounds.
7. International transfers
DocRide aims to host customer platform data in the United Kingdom. Where Customer Personal Data is transferred outside the UK or EEA, DocRide will use appropriate transfer safeguards, including adequacy regulations, the UK IDTA, the UK Addendum to EU SCCs, EU SCCs and transfer risk assessments where required.
8. Security measures
- role-based access controls and permissions;
- authentication and password hashing;
- encryption in transit;
- backup and recovery processes;
- audit logs and security monitoring;
- least-privilege access for support/admin functions;
- supplier due diligence and confidentiality commitments;
- incident response and breach escalation procedures.
9. Deletion, export and sign-off records
Customers may delete tenant data or request deletion/export, subject to the service functionality, contract terms and applicable law. Consultant, auditor, reviewer or competent professional sign-off records may be retained where necessary for legal, regulatory, contractual, professional accountability, audit, dispute resolution, safety management or evidential purposes.
10. Audit
DocRide will respond to reasonable written security and data protection questionnaires. Formal audits must be proportionate, subject to confidentiality, avoid disruption to the service, and may be satisfied by policies, summaries, certifications if later obtained, or independent reports where available.
11. Conflict
If this DPA conflicts with the User Agreement, this DPA prevails for processor obligations relating to Customer Personal Data.