Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Joshua Tyler Development Limited t/a WorkLane ("Processor") and the customer entity that has agreed to those Terms ("Controller"). It applies where the Controller uses the WorkLane platform to process personal data relating to the Controller's employees, clients or other individuals.
This DPA is entered into under Article 28 of UK GDPR and governs the processing of personal data by WorkLane on behalf of the Controller.
1. Definitions
Terms used in this DPA have the meanings given to them in UK GDPR and the Data Protection Act 2018. In summary:
- Controller — the customer, who determines the purposes and means of processing
- Processor — WorkLane (Joshua Tyler Development Limited), who processes data on behalf of the Controller
- Personal Data — any information relating to an identified or identifiable natural person
- Data Subjects — individuals whose personal data is processed (e.g. the Controller's staff, clients)
2. Subject Matter and Nature of Processing
WorkLane processes personal data on behalf of the Controller for the purpose of providing the job management platform described in the Terms of Service. Processing activities include:
- Storing and retrieving job records, timelines, photos and documents
- Managing staff profiles, assignments and schedules
- Managing client and property records
- Generating and sending invoices and quotes
- Sending transactional notifications (job assignments, status updates)
Categories of personal data processed
- Staff: names, email addresses, phone numbers, roles, profile photos, hourly rates
- Clients: names, company names, email addresses, phone numbers, addresses
- Property occupants: addresses and any personal details included in job notes or photos
Categories of data subjects
- The Controller's employees and contractors (field staff, office staff, managers)
- The Controller's clients and their representatives
- Individuals associated with properties where work is carried out
3. Processor Obligations
WorkLane shall:
- Process personal data only on documented instructions from the Controller (being the use of the platform as described) and not for any other purpose
- Ensure that persons authorised to process the data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Section 5
- Not engage sub-processors without the Controller's prior consent (general consent is given by accepting these Terms; see Section 4)
- Assist the Controller in responding to Data Subject rights requests, insofar as this is reasonably possible
- Assist the Controller in ensuring compliance with its security, breach notification and impact assessment obligations
- At the Controller's choice, delete or return all personal data on termination of the Service
- Make available all information necessary to demonstrate compliance with this DPA
4. Sub-Processors
The Controller provides general written consent to WorkLane engaging the following sub-processors. WorkLane will inform the Controller of any intended changes and give reasonable opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication and file storage | EU (Frankfurt) |
| Vercel Inc. | Web application hosting | EU / US (SCCs in place) |
| Stripe Inc. | Payment processing | EU / US (SCCs in place) |
| Postmark (ActiveCampaign) | Transactional email delivery | US (SCCs in place) |
| Upstash Inc. | Message queue and caching | EU (Frankfurt) |
| Anthropic PBC | AI processing (CSV column headers only — no row data) | US (SCCs in place) |
5. Security Measures
WorkLane implements the following technical and organisational measures:
- Encryption at rest — AES-256 encryption for all stored data
- Encryption in transit — TLS 1.2 or higher for all data transfers
- Access control — Row-level security (RLS) enforced at database level; each tenant's data is logically isolated
- Authentication — Multi-factor authentication available; passwords stored as bcrypt hashes
- Audit logging — All job updates, status changes and key actions are logged with timestamps
- Incident response — Documented process for identifying, containing and reporting data breaches
- Vulnerability management — Regular dependency updates and security reviews
- Personnel — Access to production data restricted to authorised personnel under confidentiality obligations
6. Data Breach Notification
WorkLane will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach likely to result in a risk to the rights and freedoms of individuals. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
7. Data Subject Rights
Where WorkLane receives a request directly from a data subject relating to the Controller's data, WorkLane will promptly notify the Controller and will assist the Controller in responding to such requests within the timescales required by UK GDPR.
8. International Transfers
Where personal data is transferred to countries outside the UK or EEA, WorkLane ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO or European Commission, as applicable.
9. Audit Rights
WorkLane will make available all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Controller or its auditors, provided that reasonable notice is given and any audit is conducted at the Controller's expense without disrupting WorkLane's operations.
10. Term and Termination
This DPA is in effect for the duration of the Terms of Service. On termination, WorkLane will, at the Controller's election, either delete or return all personal data processed on the Controller's behalf within 30 days, and delete existing copies, unless retention is required by law.
11. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Contact
For questions about data processing or to exercise rights under this DPA:
Joshua Tyler Development Limited t/a WorkLane
4 Colvreath Road, Newquay, TR7 2PY
Company Registration No. 14716963 · ICO Registration No. 00013953894
Email: hello@worklane.co.uk