Data Processing Agreement

Definitions

• →Personal data — Has the meaning given in UK GDPR Article 4.
• →Processing — Any operation performed on personal data, as defined in UK GDPR Article 4.
• →Controller — Your organisation, which determines the purposes and means of processing member data.
• →Processor — Softfox Ltd, which processes personal data on behalf of the Controller.

Subject matter and duration

The Processor provides a safeguarding management platform. Processing under this DPA begins when you first use the service and continues until the termination of your contract with the Processor.

Nature and purpose of processing

The Processor will process personal data solely to provide the Safeguard platform as described in the Terms of Service, and for no other purpose without the Controller's documented instruction.

Types of personal data

Member data may include names, dates of birth, contact details, medical information, parental consent records, DBS check records, attendance records, and safeguarding case notes.

Categories of data subjects

Members of the Controller's organisation, which may include minors (under 18), their parents or guardians, and organisation staff and volunteers.

Processor obligations

The Processor shall:

• →Process personal data only on documented instructions from the Controller.
• →Ensure persons authorised to process personal data have committed to confidentiality.
• →Implement appropriate technical and organisational security measures (see our Security page).
• →Assist the Controller in fulfilling data subject rights requests.
• →Delete or return all personal data on termination, as instructed by the Controller.
• →Make available all information necessary to demonstrate compliance with this DPA.
• →Notify the Controller without undue delay (and within 72 hours where feasible) of any personal data breach.

Sub-processors

The Controller hereby provides general authorisation for the Processor to engage sub-processors, subject to the Processor maintaining a current list at /legal/sub-processors and notifying the Controller of any changes with 7 days' notice. The Processor remains liable for sub-processors' compliance with this DPA.

International transfers

Your members' records — including all safeguarding data — are processed within the European Union by our hosting, authentication, and file-storage sub-processors (see our sub-processors list).

A limited category of personal data — the email addresses and message content used to deliver account, invitation, and notification emails — is processed in the United States by our email sub-processor, Resend. Where personal data is transferred outside the UK or EEA, the Processor ensures the transfer is governed by an appropriate safeguard under UK GDPR Article 46 — namely the European Commission's Standard Contractual Clauses together with the UK International Data Transfer Addendum (or a successor mechanism approved under UK or EU law).

By design, emails never contain member personal data. They carry only the recipient's email address and operational content such as the organisation name and action links. Exports, reports, and similar files are delivered as a one-time, short-lived signed link to storage hosted in the EU (Cloudflare R2); the underlying member data is downloaded from EU-hosted storage and is never sent by email or transferred outside the UK or EEA.

The Processor will not introduce any new transfer of personal data outside the UK or EEA without updating its sub-processor list and giving the notice set out above.

Audit rights

The Controller may request an audit of the Processor's compliance with this DPA no more than once per year, with 30 days' notice, at the Controller's cost. The Processor may satisfy audit requests by providing relevant certifications or third-party audit reports in the first instance.

Contact

Data protection queries: hello@softfox.com