Data Processing Agreement

Last updated: 19 June 2026

This Data Processing Agreement (the "DPA") is entered into between you, the customer organisation that has agreed to the WagePilot Terms of Service (the "Customer"), and [Whealbit Ltd OR sole trader - confirm legal entity & status] [company registration number if a company] of [registered office / trading address], trading as WagePilot ("WagePilot", "we", "us"). It forms part of, and is incorporated into, the Terms of Service. In relation to Customer Personal Data (defined below), the Customer acts as the controller and WagePilot acts as the processor. This DPA records the parties' agreement under Article 28 of the UK GDPR and the Data Protection Act 2018 with respect to WagePilot's processing of personal data on the Customer's behalf. Where there is any conflict between this DPA and the rest of the Terms of Service on a data-protection matter, this DPA prevails. This DPA is intended to apply where the Customer contracts as a business; where the Customer contracts as a consumer, see clause 13.

1. Definitions and interpretation

In this DPA, the following terms have the meanings given below. Capitalised terms not defined here have the meaning given in the Terms of Service.

  • "Data Protection Law" means all laws relating to data protection and privacy applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018 ("DPA 2018"), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), in each case as amended or replaced from time to time (including by the Data (Use and Access) Act 2025).
  • "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the DPA 2018.
  • "controller", "processor", "data subject", "personal data", "special category data", "processing", "personal data breach" and "supervisory authority" have the meanings given in the UK GDPR.
  • "Customer Personal Data" means the personal data described in Annex 1 that WagePilot processes on behalf of the Customer in connection with the WagePilot service.
  • "Data Subject Request" means a request from a data subject to exercise rights under Articles 12 to 23 of the UK GDPR.
  • "ICO" means the Information Commissioner's Office, the UK supervisory authority.
  • "normal business hours" means 9am to 5pm UK time on a business day (excluding weekends and English public holidays).
  • "Restricted Transfer" means a transfer of Customer Personal Data to, or access from, a country outside the United Kingdom that is not subject to UK adequacy regulations.
  • "Sub-processor" means any third party engaged by WagePilot to process Customer Personal Data on the Customer's behalf.
  • "Standard Transfer Mechanism" means the International Data Transfer Agreement ("IDTA") issued by the ICO, or the EU Standard Contractual Clauses as supplemented by the ICO's International Data Transfer Addendum (the "UK Addendum"), or any successor mechanism approved under Data Protection Law.
  • "Transfer Risk Assessment" means a documented assessment of the risks of a Restricted Transfer of the kind expected by the ICO to accompany a Standard Transfer Mechanism.
  • "TOMs" means technical and organisational security measures of the kind required by Article 32 of the UK GDPR, as described in Annex 2 and on our security page.

References to "the Customer's documented instructions" mean the instructions set out in this DPA and in the Terms of Service, together with the configuration choices the Customer actively makes within the WagePilot service from time to time. Any further or different instruction must be given to WagePilot in writing.

2. Scope, roles and subject-matter of processing

This DPA applies only to WagePilot's processing of Customer Personal Data as a processor acting on the Customer's behalf. The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.

The Customer is the controller of Customer Personal Data (primarily the personal data of the Customer's staff, workers and other individuals whose data the Customer enters into or generates through the service). WagePilot is the processor of that data.

This DPA does not apply to personal data for which WagePilot is itself a controller, including account-holder and billing data and data about visitors to our marketing website. WagePilot's processing of that data as a controller is governed by our Privacy Policy, not by this DPA.

The Customer acknowledges that, for payment card data, Stripe acts as an independent controller and not as a Sub-processor of WagePilot. WagePilot does not store payment card numbers.

The Customer is solely responsible for determining that its use of the service, and the instructions it gives, comply with Data Protection Law in respect of the Customer Personal Data.

3. Processing only on documented instructions

WagePilot shall process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers of Customer Personal Data to a third country, unless WagePilot is required to process by law to which it is subject, in which case WagePilot shall, to the extent permitted by that law, inform the Customer of that legal requirement before processing.

WagePilot shall inform the Customer if, in WagePilot's opinion, an instruction infringes Data Protection Law. WagePilot is not obliged to provide legal advice and the giving (or not giving) of such notice does not relieve the Customer of its responsibilities as controller.

If, acting reasonably, WagePilot considers that it cannot process in accordance with an instruction without breaching Data Protection Law, or considers an instruction to be unlawful, it may suspend the affected processing or decline the instruction. In that event WagePilot's obligation is to notify the Customer promptly, and WagePilot will not be liable for the consequences of declining or suspending in respect of an instruction that, acting reasonably and in good faith, it considers unlawful. Nothing in this clause excludes or limits any liability that cannot lawfully be excluded or limited.

4. Customer warranties and indemnity

The Customer warrants and undertakes, on a continuing basis, that:

  • it has a valid lawful basis under Article 6 of the UK GDPR for each purpose for which it instructs WagePilot to process Customer Personal Data;
  • where Customer Personal Data includes, or could become, special category data (for example, health data revealed by leave or absence reasons, or biometric data if the Customer processes kiosk photos for the purpose of uniquely identifying an individual), it has identified and can rely on a valid condition under Article 9 of the UK GDPR and Schedule 1 to the DPA 2018, and has in place and maintains any Appropriate Policy Document required by Schedule 1 Part 1 to the DPA 2018;
  • it has provided to its staff and other relevant data subjects all privacy information required by Articles 13 and 14 of the UK GDPR, and has obtained any consents and given any notices required by Data Protection Law for the collection and processing of the Customer Personal Data through the service (including in relation to location captured at clock-in/out and any kiosk clock-event photo);
  • it has carried out, where required, any data protection impact assessment in respect of its processing;
  • its instructions to WagePilot, and WagePilot's processing on those instructions, comply with Data Protection Law; and
  • it is entitled to disclose the Customer Personal Data to WagePilot and to authorise the processing described in this DPA.

The Customer shall indemnify WagePilot against losses, claims, damages, liabilities, costs and expenses (including reasonable legal costs) to the extent directly caused by any breach by the Customer of the warranties in this clause 4 or of its obligations as controller under Data Protection Law. This indemnity does not extend to any regulatory penalty or fine imposed on WagePilot to the extent it arises from WagePilot's own act, omission or breach, and the recovery of any regulatory penalty under this indemnity applies only to the extent recovery is lawful. The amount recoverable under this indemnity shall be reduced proportionately to the extent that WagePilot's own breach of this DPA, negligence, or failure to comply with Data Protection Law caused or contributed to the loss. The indemnity excludes indirect or consequential loss.

As a condition of the indemnity, WagePilot shall: give the Customer prompt written notice of any relevant claim; make no admission of liability without the Customer's prior written consent (not to be unreasonably withheld); allow the Customer to control the defence and settlement of the claim (provided no settlement adversely affects WagePilot without its consent); and take reasonable steps to mitigate its loss.

For the avoidance of doubt, WagePilot is the Customer's processor and does not discharge the Customer's transparency or other controller obligations to its staff. WagePilot may make available optional template wording or guidance to assist the Customer, but the Customer remains solely responsible for its own compliance.

5. Confidentiality of personnel

WagePilot shall ensure that persons authorised to process Customer Personal Data are subject to an appropriate duty of confidentiality, whether a contractual obligation or a statutory duty, and are made aware of the confidential nature of the data. WagePilot shall limit access to Customer Personal Data to those personnel who need access to perform WagePilot's obligations under the Terms of Service.

6. Security (Article 32)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, WagePilot shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2 and on our security page.

WagePilot may update its TOMs from time to time provided that such updates do not materially reduce the overall level of security of the service.

The Customer is responsible for its own use and configuration of the service, including managing user access, roles and permissions within its organisation, keeping credentials secure, and configuring features (for example, free-text fields, kiosk photo capture and retention settings) in a way that minimises the personal data it collects.

7. Sub-processors

The Customer gives WagePilot general written authorisation to engage Sub-processors to process Customer Personal Data. The Sub-processors authorised as at the date of this DPA are listed at /legal/sub-processors and summarised in Annex 3.

WagePilot shall:

  • impose on each Sub-processor, by a written contract, data-protection obligations that are equivalent in substance to those set out in this DPA (in particular the relevant obligations under Article 28(3) of the UK GDPR), so far as applicable to the services the Sub-processor provides;
  • remain fully liable to the Customer for the performance of each Sub-processor's data-protection obligations to the same extent as if WagePilot performed those obligations itself; and
  • give the Customer at least thirty (30) days' notice [confirm objection window: 30 days] before authorising any new or replacement Sub-processor to begin processing Customer Personal Data, by a guaranteed channel (namely email to the account owner and/or an in-product notice), and by updating the sub-processor page.

The Customer may object to a proposed new Sub-processor on reasonable data-protection grounds by giving written notice to [data protection / privacy contact email] within that notice period. The parties shall work in good faith to resolve the objection. If the objection cannot be resolved, the Customer may terminate the affected service by written notice and receive a pro-rata refund of any fees pre-paid for the unused period after termination; this does not affect the Customer's statutory rights or any claim the Customer may have in respect of WagePilot's own breach. If the Customer does not object within the notice period, the Customer is deemed to have approved the Sub-processor.

8. Assistance to the Customer

Taking into account the nature of the processing, WagePilot shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to Data Subject Requests relating to Customer Personal Data. Where WagePilot receives a Data Subject Request directly, it shall, unless legally prohibited, promptly notify the Customer and not respond to the request itself except on the Customer's documented instructions or as required by law. The Customer is responsible for responding to Data Subject Requests; the self-service export, rectification and deletion features of the service are provided free of charge as the primary means of enabling the Customer to do so.

WagePilot shall, taking into account the nature of processing and the information available to it, provide reasonable assistance to the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the UK GDPR, namely security of processing, personal data breach notification, communication of a breach to data subjects, data protection impact assessments, and prior consultation with the ICO.

WagePilot will provide assistance with personal data breach notification (clause 9 and Article 28(3)(f)) at no charge as part of the service, and will not charge for Data Subject Request assistance that can be met by the standard self-service features. WagePilot may charge a reasonable fee only for genuinely exceptional or bespoke manual assistance with Data Subject Requests or with data protection impact assessments and prior consultation, save that no charge will be made where the assistance is required because of a failure or error attributable to WagePilot. WagePilot will provide an advance estimate and obtain the Customer's approval before incurring any such charge.

9. Personal data breach notification

WagePilot shall notify the Customer without undue delay, and where reasonably practicable within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data. Notification shall be made to the Customer's account owner and/or such contact as the Customer designates in the service. The notification shall, to the extent then known and available to WagePilot, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Where WagePilot cannot provide all the information at once, it may provide it in phases without undue further delay.

The Customer acknowledges that, as controller, it is responsible for assessing whether the breach is notifiable to the ICO and/or to affected data subjects and, where required, for making such notifications (including any notification to the ICO within 72 hours of the Customer becoming aware of the breach). WagePilot's notification to the Customer is not, and shall not be construed as, an admission of fault or liability by WagePilot.

10. Deletion or return of personal data

On termination or expiry of the Terms of Service, WagePilot shall, at the Customer's choice (notified in writing), delete or return all Customer Personal Data and delete existing copies, unless storage is required by law to which WagePilot is subject.

The Customer is responsible for exporting its data before its account is closed, using the export features provided. Following termination, WagePilot will retain Customer Personal Data for a grace period of [data deletion grace period: e.g. 30 days] to allow the Customer to export it, after which WagePilot will delete Customer Personal Data from active systems and arrange for its deletion from routine backups in the ordinary course of WagePilot's backup cycle.

Where WagePilot is required by law to retain certain Customer Personal Data (for example, records WagePilot must keep for its own statutory or accounting purposes), or where the Customer instructs WagePilot to retain data so that the Customer can meet statutory record-keeping obligations (such as PAYE, National Minimum Wage, Working Time Regulations or right-to-work retention periods), WagePilot may retain such data for no longer than the applicable retention period, shall keep it secured and (where feasible) pseudonymised, shall not otherwise process it, and shall delete it at the end of that period.

WagePilot shall, on the Customer's written request, provide written certification of deletion.

11. Audit and information rights

WagePilot shall make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the UK GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

To protect the security and confidentiality of WagePilot's systems and of other customers' data, audits and inspections are subject to the following reasonable conditions:

  • the Customer shall first accept WagePilot's then-current security documentation, certifications, and any third-party audit reports where these reasonably address the Customer's queries;
  • any on-site or hands-on audit is limited to once in any twelve (12) month period [confirm audit frequency: 12 months] (save where required by the ICO or following a personal data breach affecting the Customer), requires at least thirty (30) days' prior written notice [confirm audit notice: 30 days], must take place during normal business hours, and must not unreasonably disrupt WagePilot's business;
  • the auditor must not be a direct competitor of WagePilot; an independent professional third-party auditor is acceptable even if that auditor also serves competitors, provided the auditor gives reasonable confidentiality undertakings;
  • the scope must not require WagePilot to disclose data of other customers, or information that would compromise security or breach confidentiality or legal obligations; and
  • each party bears its own costs of a standard audit conducted under this clause; WagePilot may recover its reasonable costs only for excessive or repeat audits, and where an audit is required by the Customer following a finding of material breach attributable to WagePilot, the costs are borne by WagePilot.

12. International transfers

WagePilot shall not carry out a Restricted Transfer of Customer Personal Data except where a Standard Transfer Mechanism, supported by a documented Transfer Risk Assessment, is in place, or another lawful basis for the transfer under Articles 44 to 49 of the UK GDPR applies. The Customer authorises WagePilot to enter into a Standard Transfer Mechanism with a Sub-processor on the Customer's behalf, or to rely on a Standard Transfer Mechanism entered into directly between the Customer and the recipient, in each case for the purpose of any Restricted Transfer necessary to provide the service.

WagePilot configures its primary data storage (database, authentication and file storage) to remain within the United Kingdom or the European Economic Area [confirm Supabase and other provider processing, support and backup regions]. The processing regions and transfer positions of each Sub-processor are described at /legal/sub-processors. The parties acknowledge that transfers from the United Kingdom to the EEA currently rely on the United Kingdom's adequacy regulations for the EEA, and that should those regulations lapse the parties shall in good faith put a Standard Transfer Mechanism in place for any continued EEA processing. The parties acknowledge that international transfer and adequacy rules are subject to ongoing reform and shall act in good faith to put in place any updated mechanism required by Data Protection Law.

13. Liability

Each party's liability for damage caused by processing is governed by Article 82 of the UK GDPR. Nothing in this DPA limits or excludes either party's direct statutory liability to a data subject under Article 82, or limits a data subject's statutory rights or remedies, or limits any liability that cannot lawfully be limited or excluded.

Subject to the preceding paragraph, the limitations and exclusions of liability set out in the Terms of Service apply to each party's liability arising under or in connection with this DPA. The Terms of Service and this DPA together are treated as one agreement so that any aggregate liability cap in the Terms of Service applies to the combined liability of a party under the Terms of Service and this DPA, is shared across both, and is not duplicated. The same aggregate cap applies mutually to each party, including to the Customer's indemnity obligations under clause 4 (see the exclusion below). For data-protection liability under or in connection with this DPA, the cap shall be the greater of (a) the cap stated in the Terms of Service and (b) [fixed monetary floor for data-protection liability, e.g. GBP X], so that the cap is not nil or derisory on free or low-fee plans.

The aggregate cap applies to claims between the parties (controller and processor) under or in connection with this DPA. It does not and cannot limit either party's direct statutory liability to data subjects under Article 82, nor does it apply to: (a) a party's obligation to indemnify the other for sums that party has had to pay a data subject or the ICO as a result of that party's breach; or (b) the Customer's indemnification obligations under clause 4, which are excluded from the cap.

WagePilot is not liable for any loss or claim to the extent it arises from the Customer's own failure to comply with Data Protection Law, from the Customer's instructions, or from any breach by the Customer of the warranties in clause 4.

Nothing in this DPA excludes or limits either party's liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot lawfully be excluded or limited under the law of England and Wales. Where the Customer contracts as a consumer, nothing in this DPA affects the Customer's non-excludable statutory rights, and the indemnity, deemed-consent and unilateral-change provisions of this DPA apply to a consumer only to the extent they are fair and binding under the Consumer Rights Act 2015.

14. Employment-law and guidance disclaimer

The Customer acknowledges and agrees that WagePilot's National Minimum Wage and National Living Wage checks, holiday and leave accrual, overtime calculations and Working Time Regulations break tracking are informational and guidance tools only, and that WagePilot is not a payroll provider and does not calculate tax, National Insurance or net pay or move money. WagePilot does not warrant that the service ensures compliance with the National Minimum Wage Act 1998, the Working Time Regulations 1998, holiday-pay law or any other employment or payroll legislation. The Customer remains solely responsible for paying its staff lawfully and for its own legal compliance. To the extent permitted by law (and subject to the non-excludable carve-outs in clause 13), WagePilot has no liability for any fine, penalty, back-pay award or claim arising from the Customer's reliance on the service to meet a legal obligation. This clause is to be read together with the corresponding provisions of the Terms of Service.

15. Term and order of precedence

This DPA takes effect on the date the Customer agrees to the Terms of Service and continues for as long as WagePilot processes Customer Personal Data, after which the surviving provisions (including clauses 10, 11, 13 and 14) continue to apply.

In the event of any conflict, the following order of precedence applies to data-protection matters: (1) any Standard Transfer Mechanism entered into under clause 12, to the extent it governs a Restricted Transfer; (2) this DPA; (3) the rest of the Terms of Service.

16. Changes to this DPA

WagePilot may update this DPA where the change is (a) required by law or by a supervisory authority, or (b) does not materially reduce the Customer's rights or the level of data protection afforded to Customer Personal Data, in which case the update takes effect on notice given in accordance with the Terms of Service. For any other material change to this DPA, WagePilot will give the Customer advance notice and, if the Customer does not agree, the Customer may terminate the affected service before the change takes effect and receive a pro-rata refund of any fees pre-paid for the unused period. WagePilot will not rely on continued use alone as acceptance of a material change to this DPA by a Customer who contracts as a consumer.

17. General

This DPA is governed by the law of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, consistent with the Terms of Service. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' intent.

Annex 1 - Details of processing

Subject-matter of the processing: WagePilot's processing of Customer Personal Data as necessary to provide the WagePilot staff time and attendance service to the Customer under the Terms of Service.

Duration of the processing: for the duration of the Terms of Service, plus any period during which data is retained under clause 10.

Nature and purpose of the processing: collection, recording, organisation, structuring, storage, retrieval, use, hosting, display, transmission, export, pseudonymisation, restriction, erasure and deletion of Customer Personal Data, for the purpose of providing rota scheduling, geofenced GPS clock-in/out, QR clock-in, kiosk mode (including optional PIN and an optional photo captured at the clock event), holiday and leave tracking and accrual, audited timesheets, live labour-cost reporting, National Minimum/Living Wage guidance checks, Working Time Regulations break tracking, CSV/payroll data export, and in-app staff messaging. WagePilot is not a payroll provider: it does not calculate tax, National Insurance or net pay and does not move money. National Minimum/Living Wage checks are guidance only (see clause 14).

Types of personal data:

  • identification and contact details of staff (for example, names, email addresses, phone numbers);
  • employment and pay information (pay rates, roles, shifts and rota assignments, timesheets and recorded hours, breaks, overtime);
  • holiday and leave records, including leave/absence reasons, which may include special category data (health data) where the Customer or its staff enter such detail;
  • location data captured only at the moment of clock-in and clock-out (never continuous tracking);
  • an optional kiosk photo captured at the clock event, retained as an audit image of attendance. WagePilot does not process kiosk photos for biometric unique identification. If the Customer enables or undertakes any facial-matching or identification use of kiosk photos, the Customer is the controller of that Article 9 biometric processing and must satisfy an Article 9 condition and any Appropriate Policy Document required by the DPA 2018;
  • in-app messaging content; and
  • device and usage logs.

Categories of data subjects: the Customer's staff, workers and employees (including, where applicable, casual, agency or contract staff) whose data the Customer enters into or generates through the service, and any other individuals whose personal data the Customer chooses to process using the service.

Annex 2 - Technical and organisational security measures

WagePilot maintains the following measures, as further described on our security page (which may be updated in line with clause 6):

  • Encryption: encryption of Customer Personal Data in transit (TLS) and at rest.
  • Access control and least privilege: role-based access controls, authentication for all user access, and restriction of WagePilot personnel access to those who need it.
  • Tenant isolation: logical separation of each organisation's data in the multi-tenant database, including row-level security to prevent cross-organisation access.
  • Pseudonymisation and minimisation: pseudonymisation where feasible and product controls enabling the Customer to minimise the personal data collected (including configurable kiosk photo capture and retention).
  • Logging and monitoring: logging of access and significant events, and monitoring to detect and respond to security incidents.
  • Backup and restore: regular backups with tested restoration procedures.
  • Personnel: confidentiality undertakings and security awareness for personnel with access to Customer Personal Data.
  • Breach response: a documented and tested personal data breach response process supporting the notification obligations in clause 9.
  • Sub-processor assurance: due diligence on Sub-processors and contractual flow-down of equivalent data-protection obligations.

Annex 3 - Sub-processors

The current list of authorised Sub-processors, with their role and processing region, is maintained at /legal/sub-processors. As at the date of this DPA the authorised Sub-processors are:

Sub-processor | Role | Region
Supabase | Database (Postgres), authentication and file storage | [confirm Supabase processing, support and backup region; UK/EU asserted but unverified]
Vercel | Application hosting and serverless functions | [confirm processing/support region and any Standard Transfer Mechanism]
Resend | Transactional email delivery | [confirm processing/support region and any Standard Transfer Mechanism]

Stripe processes payment data as an independent controller (PCI-DSS Level 1) and is therefore not a Sub-processor under this DPA; see clause 2 and our Privacy Policy. WagePilot has in place a written data processing agreement or equivalent processor terms with each Sub-processor listed above.