Data Processing Agreement
Last updated: 3 July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between DBIM Limited (company number 16771428, 295 Ainsworth House, Bury, BL8 2LS; “the Processor”) and the customer organisation (“the Controller”). It applies to all personal data the Controller's users enter into DBIM Elostir, and is made under Article 28(3) UK GDPR.
1. Processing details
- Subject matter & duration: provision of the DBIM Elostir QHSE platform for the term of the agreement.
- Nature & purpose: hosting, storage, display, transmission and backup of QHSE management records to deliver the service.
- Categories of data subjects: the Controller's employees, workers, contractors, visitors and other individuals named in QHSE records.
- Categories of personal data: names, job details, contact details, training and competency records, incident and investigation details, and other content the Controller's users enter.
- Special-category data: the people module can hold occupational-health information (health surveillance, return-to-work, DSE). The Controller is responsible for having an Article 9 condition for it — typically Art 9(2)(b) with the employment condition in Schedule 1, Part 1 of the Data Protection Act 2018 and an appropriate policy document.
2. Processor obligations
The Processor shall:
- process personal data only on the Controller's documented instructions, including with regard to transfers of personal data outside the UK, unless UK law requires otherwise, in which case the Processor will inform the Controller before processing unless the law prohibits it (using the service is an instruction to process as its features require; this DPA, including the section 3 sub-processor list, is the Controller's documented instruction for the transfers it describes);
- ensure everyone authorised to process the data is bound by confidentiality;
- implement the technical and organisational measures in section 5 (Article 32);
- assist the Controller, by appropriate technical and organisational measures, with data-subject requests (access, rectification, erasure and the rest of Chapter III);
- assist the Controller with its Articles 32–36 obligations (security, breach notification, DPIAs), taking account of the information available to the Processor;
- notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with enough detail to meet the Controller's own 72-hour obligation;
- at the end of the service, delete or return the personal data at the Controller's choice (see section 6), unless UK law requires storage;
- make available all information necessary to demonstrate compliance with Article 28, and allow and contribute to audits conducted by the Controller or its mandated auditor, on reasonable notice and no more than once in any 12-month period unless a breach or regulator requires otherwise;
- immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes UK GDPR or other UK data protection law, in which case the Processor may suspend the affected processing until the Controller confirms or amends the instruction.
3. Sub-processors
The Controller gives general written authorisation for the sub-processors below. The Processor will give at least 30 days' notice of intended changes (by updating this page and emailing workspace admins), during which the Controller may object on reasonable data protection grounds; the Processor remains fully liable for its sub-processors' performance. Each engagement carries data-protection terms equivalent to this DPA. If an objection cannot be resolved, the Controller may cancel the subscription with effect from the end of the current billing period and export its data under section 6.
- Supabase — database, auth, file storage — London, UK. No transfer.
- Vercel (US) — application hosting — UK Extension to the EU–US Data Privacy Framework, or IDTA/UK Addendum.
- Resend (US) — transactional email — IDTA/UK Addendum.
- Sentry (US) — error monitoring — UK Extension to the EU–US Data Privacy Framework, or IDTA/UK Addendum.
- Anthropic (US) — AI analysis and text generation (record and document content) — IDTA/UK Addendum; inputs are not used to train models per its commercial terms.
Stripe (US) handles payment and billing data as an independent controller, not as a sub-processor under this DPA; it never receives the Controller's QHSE records. Stripe holds a current UK Extension to the EU–US Data Privacy Framework certification. Billing data is account data for which DBIM Limited is controller (see the Privacy Policy).
4. International transfers
Primary storage is in the UK. Where a sub-processor processes personal data outside the UK, the transfer relies on the safeguard listed above, supported by a transfer risk assessment. The Processor will not make any other transfer of the Controller's personal data outside the UK except on the Controller's documented instructions, and then only with an Article 46 safeguard in place.
5. Security measures (Article 32)
- Tenant isolation enforced at the database layer (row-level security on every table).
- Encryption in transit (TLS) and at rest.
- Role-based access within each workspace, set by the Controller.
- Support access to a workspace only via an audited, banner-visible session recorded in the Controller's own audit log.
- Daily backups on a short rolling window; UK region.
- Secrets management and least-privilege service credentials; no service keys in client code.
6. Return and deletion
For 30 days after termination the Controller may export its data (CSV and PDF exports are built in; a full export is available on request). After that window the Processor deletes the workspace data, with backup copies overwritten by the rolling backup cycle within a further 7 days. Statutory-retention records the Controller must keep (for example 40-year health-surveillance records) are the Controller's responsibility to export before deletion.
7. Controller obligations and rights
The Controller instructs the Processor to carry out the processing described in section 1; using the service and its features is a documented instruction. The Controller warrants that it has a lawful basis under Article 6 UK GDPR for the personal data its users enter and, for special-category data, an Article 9 condition as described in section 1, and that its instructions to the Processor will comply with UK GDPR. The Controller is responsible for the accuracy of the data its users enter, for setting workspace roles (section 5), and for exporting statutory-retention records before deletion (section 6). The Controller may exercise the rights in this DPA, including issuing instructions, objecting to sub-processor changes (section 3), auditing under section 2, and choosing return or deletion under section 6.
8. Liability and order of precedence
This DPA is subject to the liability provisions of the Terms of Service. If this DPA and the Terms conflict on data protection matters, this DPA prevails.