Skip to main content

This is Duty Room for the United Kingdom. We have a version for your country.

United States
United Kingdom United States Canada
Continue →

Data Processing Agreement

Last updated on April 18, 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Jon Simpson, trading as Duty Room (the "Processor"). It applies where Duty Room processes personal data on your behalf in the course of providing the Services.

Definitions

"UK GDPR" means the UK General Data Protection Regulation (as retained under the Data Protection Act 2018). "Personal Data", "processing", "Controller", "Processor", and "Data Subject" have the meanings given in UK GDPR.

Scope of Processing

We process Personal Data only as necessary to provide the Services. Specifically:

  • Subject matter: Provision of a compliance operations platform.
  • Duration: For as long as you have an active account, plus the post-cancellation retention period described in the Terms.
  • Nature and purpose: Storage, retrieval, organisation, and display of operational records you create in the Services.
  • Types of Personal Data: Names, email addresses, job titles, and other contact information of your staff. Operational records may contain personal data at your discretion. You should not store special category data or criminal offence data in the Services.
  • Data Subjects: Your employees, contractors, and other individuals whose data you choose to store in the Services.

Processor Obligations

Duty Room will:

  1. Process Personal Data only on your documented instructions, unless required by law.
  2. Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
  3. Implement appropriate technical and organisational measures to protect Personal Data, including encryption in transit and at rest.
  4. Not engage another processor without first notifying you and giving you the opportunity to object, as described in the Sub-processors section below.
  5. Assist you, taking into account the nature of the processing, in responding to Data Subject requests to exercise their rights under UK GDPR.
  6. Assist you in meeting your obligations under Articles 32 to 36 of UK GDPR (security, breach notification, impact assessments, and prior consultation), taking into account the nature of processing and information available to us.
  7. At your choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless required by law to retain them. The timelines for deletion are set out in the Terms.
  8. Make available to you information necessary to demonstrate compliance with these obligations.

Data Breach Notification

If we become aware of a Personal Data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address it.

International Transfers

Customer data for UK accounts is stored in AWS data centres in London, United Kingdom. Duty Room is based in Alberta, Canada. Access to Personal Data from Canada for the purposes of providing support and maintaining the Services constitutes a restricted transfer under UK GDPR.

Canada has partial adequacy status under UK data protection law (limited to transfers covered by PIPEDA). Where the transfer falls within the scope of that adequacy finding, no additional safeguards are required.

Certain operational sub-processors listed below are based in the United States. Transfers to those sub-processors are covered by the UK Extension to the EU-US Data Privacy Framework, to which each relevant sub-processor is self-certified. If you have questions about the scope of these transfers, contact us.

Sub-processors

The following sub-processors are engaged as of the date of this DPA:

Sub-processor Purpose Location
Amazon Web Services (AWS) Infrastructure and hosting London, UK
Postmark (AC PM LLC) Transactional email delivery United States
Sentry (Functional Software, Inc.) Application error monitoring United States

We will notify you by email at least 30 days before adding or replacing a sub-processor. If you object, you may terminate your account in accordance with the Terms.

Contact

For questions about this DPA, contact us at privacy@dutyroom.com.