Data Processing Addendum
This Data Processing Addendum ("DPA") governs the processing of personal data we carry out on your instructions when you use RTW Checker. It forms part of the contract between you and Instant Check Ltd.
If your organisation is in the UK or EEA and you handle worker personal data through RTW Checker, UK GDPR Article 28 requires a written processor agreement. This DPA is that agreement. By using the service you agree to it; for procurement or vendor-onboarding processes we can also provide a counter-signed PDF on request — email privacy@instantcheck.co.uk.
1. Definitions
Terms in this DPA have the meanings given in the UK GDPR and the Data Protection Act 2018. In particular:
- Customer means you, the data controller, contracting for the RTW Checker service.
- Processor means Instant Check Ltd, the data processor.
- Worker Data means the personal data you upload to the service for the purpose of checking right to work (worker name, date of birth, share code, gov.uk PDF, photograph, visa type and expiry).
- UK GDPR means the United Kingdom General Data Protection Regulation as it forms part of domestic law by virtue of the European Union (Withdrawal) Act 2018.
2. Scope and roles
You are the controller of Worker Data. We act as the processor of Worker Data, processing it only on your documented instructions for the purpose of performing the RTW Checker service as described in the contract.
3. Details of processing (Article 28(3))
| Item | Detail |
|---|---|
| Subject matter | Provision of the RTW Checker service |
| Duration | Term of your subscription plus any post-termination retention period agreed under the Privacy Policy |
| Nature and purpose | Performing Right to Work checks against gov.uk on your behalf, storing the evidence, and alerting you to expiries and changes |
| Categories of data subjects | Your workers, candidates and prospective hires whose right to work you are entitled to check |
| Categories of personal data | Name, date of birth, Right to Work share code, nationality, visa type and expiry date, photograph (from the gov.uk PDF), check result and PDF evidence |
| Special category data | None expected. The service is not designed to process Article 9 special category data. |
4. Our obligations as processor
We will:
- Process Worker Data only on your documented instructions, including with regard to transfers, except where required by UK law (in which case we will inform you of that requirement before processing unless prohibited from doing so)
- Ensure persons authorised to process Worker Data are bound by confidentiality
- Implement appropriate technical and organisational measures as set out in section 6 (Security)
- Engage sub-processors only as permitted by section 5
- Assist you by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests under Chapter III of the UK GDPR
- Assist you in ensuring compliance with your obligations under Articles 32-36 of the UK GDPR (security, breach notification, DPIA, prior consultation)
- Make available to you all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, as set out in section 8
- At the end of the contract, at your choice, delete or return all Worker Data and delete existing copies, except where law requires storage
5. Sub-processors
You authorise us to engage the sub-processors listed in our Privacy Policy at /privacy (section 8). The current list is:
- Fly.io — application and database hosting, UK (London) region
- GoDaddy / Microsoft 365 — email correspondence, EU
- Formspree — demo request form receipt, US (operating under EU-US Data Privacy Framework)
We will impose data protection obligations on our sub-processors that are at least equivalent to those in this DPA. We remain fully liable for the performance of our sub-processors.
We will provide at least 30 days' notice of any intended change to the sub-processor list. You may object to a new sub-processor for documented data protection reasons; if you do and we cannot accommodate your objection, you may terminate the contract for cause with a prorated refund.
6. Security measures (Article 32)
Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, we implement the following technical and organisational measures:
Technical measures
- Encryption in transit using TLS 1.2 or higher for all customer-facing endpoints
- Encryption at rest for all persistent storage volumes (AES-256)
- Hashed and salted user passwords
- Network isolation of customer data behind authenticated application endpoints
- Logical separation of customer tenant data (per-company storage isolation enforced at the application layer)
- Regular dependency scanning and patching
- Encrypted off-site backups retained for 30 days
Organisational measures
- Role-based access control with the principle of least privilege
- Multi-factor authentication on all administrative consoles
- Audit logging of administrative actions
- Confidentiality undertakings for all personnel with access to customer data
- Documented incident response process with named on-call
- Annual review of this DPA and the security measures herein
The full list and the current state of these controls are published at /security.
7. Personal data breach notification
We will notify you without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach affecting your Worker Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
For the avoidance of doubt: this 48-hour window is the period within which we will inform you. You as the controller remain responsible for assessing whether to notify the ICO and data subjects under Articles 33 and 34 of the UK GDPR.
8. Audit rights
On reasonable written notice (not less than 30 days, except in the case of an actual or suspected breach), we will make available to you all information necessary to demonstrate our compliance with Article 28 of the UK GDPR, and allow for and contribute to audits.
You may exercise audit rights by means of (a) reviewing security documentation we provide, (b) submitting a security questionnaire which we will complete within 30 days, or (c) appointing an independent third-party auditor at your cost, subject to a reasonable confidentiality agreement.
9. International transfers
Worker Data is stored and processed in the United Kingdom. Where a sub-processor is located outside the UK or EEA (see section 5), transfers are made under an adequacy decision, the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, as appropriate.
10. Return or deletion of Worker Data
On expiry or termination of the contract, you may export your Worker Data at any time during the 30-day window following termination. Thereafter we will delete Worker Data in line with our retention schedule unless storage is required by law. Backups will be overwritten in line with the 30-day backup cycle.
11. Liability
Liability under this DPA is subject to the liability provisions of the main contract (the Terms of Service at /terms), without prejudice to data subjects' rights under the UK GDPR.
12. Term and termination
This DPA takes effect on your acceptance of the Terms of Service and remains in force for the duration of the contract.
13. Governing law
This DPA is governed by the laws of England and Wales.
14. Contact for data protection matters
Email: privacy@instantcheck.co.uk
Post: Data Protection, Instant Check Ltd, Unit 2k1 Hastingwood Business Park, Wood Lane, Birmingham B24 9QR