Data Processing Agreement

Last updated: 9 June 2026

⚠ For review: Structure follows the ICO's Article 28 checklist (the four descriptive items and eight mandatory clauses). A solicitor/DPO must finalise the wording, the annex detail, and everything marked pending before this is relied on.

When your business puts operational data into BlueWave, we process personal data on your behalf — you're the controller, we're the processor, and UK GDPR Article 28 requires a written agreement between us covering exactly that. This is it. It forms part of our platform terms, so it applies to every customer automatically from sign-up. Procurement team that needs a counter-signed copy? Email privacy@usebluewave.com [pending mailbox] and we'll provide one.

What this agreement covers

Subject matter & durationHosting and processing of the operational data your business puts into the BlueWave platform, for as long as you use it and through the exit period described below.
Nature & purposeStorage, structuring, retrieval, display, transmission and backup of your data — solely to provide the field-service platform and its support.
Personal data & data subjectsYour staff and engineers (names, work contact details, roles, job activity, field evidence such as photos, locations and signatures) and your clients' personnel (names and business contact details on sites, jobs and reports).
Your obligations & rightsYou're responsible for the lawfulness of the data you put in and the instructions you give; you hold the rights to instruct, audit and exit set out below.

1. We process only on your instructions

We process your data only on your documented instructions. Using the platform is the core instruction set — every feature you use is an instruction to process accordingly. Anything beyond that needs to be agreed in writing. If we believe an instruction breaks data protection law, we'll tell you before acting on it. The one exception: where the law itself requires us to process, we'll do so and inform you unless that same law forbids it.

2. Our people are bound to confidentiality

Everyone we authorise to touch customer data is under a contractual or statutory duty of confidentiality. No exceptions for contractors.

3. We secure it (Article 32)

We apply appropriate technical and organisational measures — encryption in transit, encrypted managed storage, business-scoped tenant isolation, role-based access and audit trails. The current measures are described on our security page, which serves as the working annex to this clause.

4. Sub-processors

You give us general authorisation to use sub-processors for hosting, email delivery, and similar infrastructure. In return: we maintain a public list of who they are and what they do (being finalised — it will be linked from here); we'll notify you before adding or replacing one, with a real chance to object; we flow down obligations equivalent to this agreement in writing; and we remain fully liable to you for their failures, as if they were ours.

⚠ For review: The named list is pending confirmation (open Q2 — candidates: cloud hosting, transactional email, geocoding, analytics). US-MKT-016 publishes it and links it here. The notification mechanism (email + list subscription) needs an owner before launch.

5. We help with data-subject requests

If someone exercises their UK GDPR rights against you — access, erasure, rectification and the rest — we'll help with appropriate measures: the platform's own export and edit tools first, and our direct assistance where those aren't enough. Requests that reach us about your data get passed to you without undue delay, as our privacy policy says.

6. We help with breaches, security and DPIAs

If we become aware of a personal data breach affecting your data, we'll notify you without undue delay, with enough detail to meet your own notification duties, and we'll cooperate on containment and remediation. We'll also give reasonable assistance with your security obligations, data protection impact assessments and regulator consultations (Articles 32–36).

⚠ For review: Statutory wording only for now. Solicitor to weigh a concrete hour-commitment (e.g. "and in any event within 72 hours") — customers carry a 72-hour ICO clock and procurement will push for a number. Decide it as an operational commitment, not copy.

7. When you leave, the data leaves with you

At the end of the contract you choose: we return your personal data (export in usable formats) or delete it — and then delete remaining copies, except what the law requires us to keep. Timelines align with our privacy policy and your instructions.

8. You can verify all of this

We'll make available the information reasonably necessary to demonstrate compliance with this agreement, and we'll allow and contribute to audits and inspections you conduct or mandate.

⚠ For review: Audit logistics (notice period, frequency, confidentiality, who bears cost) are deliberately unstated — solicitor to set the conventional conditions.

International transfers

We aim to keep personal data in the UK and EEA. If any processing involves a restricted transfer to a country without UK adequacy, it will rest on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses — bare EU SCCs are not valid under UK GDPR — and we'll complete a transfer risk assessment first, retained and available to the ICO.

⚠ For review: Whether any sub-processor actually makes a restricted transfer is unconfirmed (open Q2/Q10). The TRA must exist before this clause claims IDTA/Addendum reliance for any named provider.

Precedence and changes

This agreement forms part of the platform terms; where the two conflict on processing matters, this agreement wins. If your business has a signed master agreement with its own DPA, that one governs instead. Material changes to this page get notified to account holders by email, with the date at the top updated.