Data Processing Agreement.

The UK GDPR contract between Workhand (processor) and you (controller). This is stub content awaiting solicitor review; the binding version goes live before the first paying customer.

Effective 1 May 2026

Draft · awaiting solicitor review before binding use

Roles

For your customer data (the data your customers generate when interacting with Workhand on your behalf), you are the controller and Workhand Ltd is the processor.

For our records about you (Workhand customer) — name, email, billing — Workhand Ltd is the controller.

Subject matter + duration

Workhand processes your customer data for as long as you have an active Workhand subscription, plus a 30-day grace period post-cancellation, plus regulatory retention windows (audit/payment: 7 years; call recordings: 90 days).

Categories of data + data subjects

Categories: contact details, communication content (call audio, email/SMS body, review text), interaction metadata, booking details, payment receipts, knowledge-base content. Data subjects: your end customers (people who interact with you via Workhand) and your operator users.

Sub-processors

Workhand uses the named sub-processors at /legal/sub-processors. You authorise the current list on signup. We notify you 30 days before any addition; you can object and we'll find an alternative or, if not possible, support transition.

Security measures

Encryption at rest (AES-256-GCM for credentials per ADR-007; Postgres-level encryption for everything else); encryption in transit (TLS 1.3); row-level security (RLS) on every customer-scoped table, enforced via CI lint; audit log with hash-chain integrity verification per ADR-017; nightly backup with a documented restore drill; principle-of-least-privilege role gating; full audit trail of every state change.

Breach notification

Workhand notifies you within 24 hours of becoming aware of a personal-data breach, with the information UK GDPR Art. 33 requires (nature, categories, approximate numbers, consequences, remedial action). You are responsible for notifying the ICO + affected data subjects where required.

International transfers

Where sub-processors are outside the UK / EEA (Anthropic, OpenAI, Stripe in the US; Vercel in the US), transfers run on Standard Contractual Clauses with appropriate supplementary measures (UK Addendum where required).

On termination

On termination Workhand returns your data via export (formats documented at /legal/sub-processors) within 30 days, then deletes from production within 30 days, except records we're legally required to retain (audit log, payment records).


Questions on this page? Email felix@workhand.co.uk — Felix reads everything. For DSAR submissions specifically, use the in-app DSAR form so the request lands in the audit log directly.