SponsorSafe HR - Data Processing Agreement (DPA)

Version: 1.0
Effective date: 2026-01-26

This Data Processing Agreement ("DPA") is incorporated into the SponsorSafe HR Terms of Service and applies to the processing of Personal Data by SponsorSafe HR ("Processor") on behalf of the customer organisation ("Controller").

1. Scope & Roles
- Controller determines the purposes and means of processing.
- Processor processes Personal Data only on documented instructions from Controller.

2. Processing Details
- Purpose: Deliver HR compliance record-keeping services, audit exports, and sponsor licence compliance tracking.
- Data Subjects: Controller employees, candidates, and authorised users.
- Data Types: Identity data, employment details, RTW evidence, visa documents, audit logs, and related compliance records.
- Duration: For the term of the service agreement and any retention period chosen by Controller or required by law.

3. Security Measures
- Encryption at rest and in transit.
- Signed URL access for files with short-lived expiry.
- Immutable audit logs and document versioning with hashes.
- Role-based access controls and least-privilege permissions.

4. Subprocessors
- Processor may use approved subprocessors for infrastructure and storage.
- A current list of subprocessors is available upon request.

5. Data Subject Rights
- Processor supports Controller in responding to DSARs and deletion requests.
- Controller remains responsible for legal response obligations.

6. Breach Notification
- Processor will notify Controller without undue delay after becoming aware of a personal data breach.

7. International Transfers
- Data is stored in UK-based data centers unless otherwise agreed.

8. Audit & Compliance
- Processor maintains audit logs and security controls suitable for sponsor compliance evidence requirements.

9. Return or Deletion
- Upon termination, Controller may export data. Processor deletes data after the retention period unless legally required to retain it.

10. Liability
- Liability is governed by the Terms of Service unless otherwise agreed.

If you need a signed copy or a custom DPA addendum, contact legal@sponsorsafehr.com.