How RotaPulse processes personal data on your behalf.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between RotaPulse ("Processor") and the Customer ("Controller"). It applies where RotaPulse processes personal data on the Controller’s behalf in providing the Service. Each party will comply with applicable data protection law (including UK GDPR and the Data Protection Act 2018).
RotaPulse processes personal data to provide the Service for the duration of the Controller’s subscription and for any limited period afterwards needed to return or delete data.
Processing includes collecting, storing, organising, retrieving, using, transmitting and deleting personal data to deliver scheduling, attendance, vetting records, payroll preparation, invoicing, reporting and related features, on the Controller’s documented instructions (including via configuration of the Service).
Depending on the Controller’s use: employees’ and operatives’ names, contact details, job and pay information, attendance and location-at-clock-in data, vetting and licensing information (e.g. SIA, BS 7858, right-to-work, references), and limited client contact details. The Controller must not submit special-category data except where the Service is intended to capture it and a lawful basis exists.
The Controller’s employees, operatives, applicants and client contacts.
RotaPulse will: (a) process personal data only on the Controller’s documented instructions; (b) ensure persons authorised to process are under confidentiality obligations; (c) implement appropriate technical and organisational security measures (Annex A); (d) assist the Controller, taking into account the nature of processing, with data subject requests and with security, breach and impact-assessment obligations; (e) notify the Controller without undue delay on becoming aware of a personal data breach; and (f) at the Controller’s choice, delete or return personal data at the end of the services, subject to legal retention obligations.
The Controller authorises RotaPulse to engage sub-processors to provide the Service (e.g. cloud hosting, managed database, object storage, email delivery, mapping, AI providers, and payment processing). RotaPulse will impose data-protection obligations on sub-processors no less protective than this DPA, remain responsible for their performance, and give the Controller a way to be informed of changes with a reasonable opportunity to object.
Where personal data is transferred outside the UK/EEA, RotaPulse will ensure an appropriate transfer mechanism is in place (e.g. UK IDTA / Standard Contractual Clauses or an adequacy decision).
Taking into account the nature of processing, RotaPulse will assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability and objection).
RotaPulse will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and security conditions.
Liability under this DPA is subject to the limitations in the Terms of Service.
To be completed with your actual providers, e.g.: cloud hosting & managed PostgreSQL, object storage (S3-compatible), transactional email, mapping/geocoding, AI content/assistant provider, and payment processing. List name, purpose and location for each.
Last updated: June 2026. Related: Terms, Privacy Policy, Cookie Policy.
Start free, set up in minutes, and bring your whole operation into one platform.