Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between ScopeKit and the Customer for the provision of services and sets out the terms required by Article 28 of the UK GDPR (as amended by the Data Use and Access Act 2025).
Template Document Notice
This Data Processing Agreement is a template that forms part of your service agreement with ScopeKit. For a fully executed copy specific to your organisation, please contact us at dpo@scopekit.co.uk. This DPA should be signed separately as part of your service contract.
1. Parties and Definitions
1.1 Parties
This DPA is entered into between:
Data Controller (“Customer”)
The organisation that has agreed to the ScopeKit Terms of Service and uses the Service to process personal data. The Customer determines the purposes and means of processing personal data.
Data Processor (“ScopeKit”)
ScopeKit, a UK-based company providing construction quote management and project management software services. ScopeKit processes personal data on behalf of the Customer in accordance with the Customer's documented instructions.
1.2 Definitions
- “UK GDPR”
- The General Data Protection Regulation as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
- “Personal Data”
- Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
- “Processing”
- Any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- “Data Subject”
- An identified or identifiable natural person whose personal data is processed.
- “Sub-processor”
- Any third party engaged by the Processor to process personal data on behalf of the Controller.
- “Personal Data Breach”
- A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- “Services”
- The construction quote management, project management, and workforce management services provided by ScopeKit to the Customer.
2. Subject Matter and Duration
2.1 Subject Matter
This DPA governs the processing of personal data by ScopeKit on behalf of the Customer in connection with the provision of the ScopeKit construction quote management and project management platform services.
2.2 Duration
This DPA shall remain in effect for the duration of the Customer's use of the Services under the main service agreement, and shall automatically terminate upon termination or expiry of that agreement, subject to any obligations that survive termination (including data return or deletion obligations).
3. Nature and Purpose of Processing
ScopeKit processes personal data for the following purposes in connection with providing the Services:
3.1 Construction Quote Management
- Processing customer and site information for quote generation
- Storing and processing site photos and project descriptions
- Managing quote approvals, revisions, and communications
- AI-assisted quote analysis and pricing recommendations
3.2 Project Management
- Scheduling and assignment of projects to employees
- Tracking project progress and milestones
- Document management and compliance record-keeping
- Site location and address management
3.3 Workforce Management
- Employee record management and HR administration
- Timesheet processing and payroll preparation
- Skills and certification tracking
- Location tracking for site attendance (where enabled)
- Scheduling and capacity planning
3.4 Customer Relationship Management
- Storing customer and client contact information
- Managing communications and correspondence
- Processing invoices and payment records
4. Types of Personal Data
The following categories of personal data may be processed under this DPA:
| Category | Data Elements | Processing Purpose |
|---|---|---|
| Employee Data | Full name, email address, phone number, National Insurance number, home address, date of birth, emergency contacts, employment details, bank account details (for payroll) | Workforce management, payroll processing, legal compliance, scheduling |
| Customer/Client Data | Company name, trading name, registered address, contact person names, email addresses, phone numbers, VAT registration number, payment details | Service delivery, invoicing, customer relationship management, contract fulfilment |
| Project Data | Location addresses, location photos, project descriptions, measurements, GPS coordinates, access instructions, property details | Quote generation, project planning and management, service delivery |
| Documents & Certifications | Uploaded documents, certificates (CSCS, qualifications), insurance documents, compliance records, signed contracts | Document management, compliance verification, regulatory requirements, CDM 2015 compliance |
| Timesheet & Location Data | Work hours, check-in/check-out times, GPS coordinates (when enabled), break times, project assignments | Time tracking, payroll calculation, workforce management, site attendance verification |
| Communication Data | Chat messages, email content, notifications, quote discussions, internal notes, support tickets | Customer communication, project collaboration, support provision, audit trail |
Special Category Data
The Services may process special category data (UK GDPR Article 9) where it appears in uploaded certifications, for example health-related information in medical fitness or occupational health certificates. National Insurance numbers are not special category data under Article 9, but because they are identifiers that carry a high risk of misuse they are handled with the same safeguards. The Customer warrants that, for any special category data uploaded to the Service, it has identified both a lawful basis under Article 6 and an applicable Article 9 condition (such as the data subject's explicit consent) before processing.
5. Categories of Data Subjects
Personal data processed under this DPA may relate to the following categories of data subjects:
Employees
Individuals employed by the Customer, including full-time, part-time, and temporary workers whose data is managed through the workforce management features.
Customers/Clients
Individuals who are contacts at businesses that are customers or clients of the Customer, including those who receive quotes or are involved in project delivery.
Subcontractors
Self-employed individuals or contacts at subcontracting businesses engaged by the Customer for project work.
Site Contacts
Individuals at project sites who may be photographed or whose contact details are recorded for access and coordination purposes.
Suppliers
Individuals who are contacts at supplier businesses whose details are stored for procurement and invoicing purposes.
6. Processor Obligations
In accordance with UK GDPR Article 28, ScopeKit undertakes to:
6.1 Processing Instructions
Process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by UK law. ScopeKit shall promptly inform the Customer if it believes an instruction infringes UK GDPR or other UK data protection provisions.
6.2 Confidentiality
Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All ScopeKit employees with access to Customer personal data are bound by confidentiality agreements and receive regular data protection training.
6.3 Security Measures
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by UK GDPR Article 32. These measures are detailed in Annex A (Section 13) of this DPA. ScopeKit regularly reviews and updates these measures to address evolving security threats.
6.4 Assistance with Data Subject Rights
Assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising data subject rights under UK GDPR Chapter III, including: Right of access (Article 15), Right to rectification (Article 16), Right to erasure (Article 17), Right to restriction of processing (Article 18), Right to data portability (Article 20), and Right to object (Article 21). The Service includes self-service data export and deletion features to facilitate these requests. ScopeKit will respond to reasonable assistance requests within 10 business days.
6.5 Compliance Assistance
Assist the Customer in ensuring compliance with their obligations under UK GDPR Articles 32 to 36, taking into account the nature of processing and the information available to ScopeKit. This includes assistance with: Security of processing (Article 32), Notification of personal data breaches (Article 33), Communication of breaches to data subjects (Article 34), Data protection impact assessments (Article 35), and Prior consultation with the ICO (Article 36).
7. Sub-processors
The Customer provides general authorisation for ScopeKit to engage sub-processors to process personal data on behalf of the Customer. A summary of key sub-processors is set out below. For the complete and up-to-date register, please refer to our Sub-Processor Register.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute services, authentication (Cognito) | EU (Ireland/Frankfurt) | UK adequacy regulations for the EEA; IDTA / UK Addendum to the Standard Contractual Clauses for any processing outside the UK/EEA; ISO 27001; SOC 2 |
| Stripe, Inc. | Payment processing, subscription management, billing | EU/US | UK Extension to the EU-US Data Privacy Framework (UK-US data bridge) for transfers to certified US entities; IDTA / UK Addendum otherwise; PCI DSS Level 1 |
| Elastic N.V. | Search functionality, data indexing, analytics | EU (Netherlands/Belgium) | UK adequacy regulations for the EEA; IDTA / UK Addendum to the Standard Contractual Clauses for any processing outside the UK/EEA; ISO 27001; SOC 2 |
7.1 Sub-processor Changes
ScopeKit shall:
- Provide at least 30 days' prior notice before adding or replacing sub-processors
- Maintain an up-to-date list of sub-processors on our website
- Allow the Customer to object to new sub-processors on reasonable grounds
- Impose data protection obligations on sub-processors equivalent to those in this DPA
7.2 Sub-processor Liability
ScopeKit remains fully liable to the Customer for the performance of any sub-processor's obligations under this DPA.
8. International Transfers
ScopeKit processes personal data primarily within the United Kingdom and European Economic Area (EEA). Where transfers to third countries are necessary, the following safeguards apply:
UK Adequacy Decisions
Transfers to the EEA (EU member states plus Iceland, Liechtenstein and Norway) are covered by the UK adequacy regulations for the EEA. Transfers to other countries covered by UK adequacy regulations are permitted without additional safeguards.
International Data Transfer Agreement (IDTA)
For transfers to countries not covered by UK adequacy regulations, ScopeKit uses the UK International Data Transfer Agreement (IDTA), the ICO-issued replacement for the EU Standard Contractual Clauses, or the ICO's UK Addendum to the EU Standard Contractual Clauses.
Transfer Impact Assessments
Where required, ScopeKit conducts transfer impact assessments to evaluate the laws and practices of destination countries and implements supplementary measures as necessary.
EU-US Data Privacy Framework
For transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework (the UK-US data bridge, such as Stripe), UK adequacy regulations recognise the framework as providing adequate protection, so no further transfer mechanism is required. Where a US recipient is not certified under the UK Extension, the IDTA or UK Addendum applies instead.
Current Transfer Locations
Primary data processing occurs in AWS EU regions (Ireland/Frankfurt). Limited data may be processed in the US by Stripe for payment processing, subject to the safeguards described above. The Customer may request information about specific transfer locations at any time.
9. Data Breach Notification
48-Hour Notification Requirement
ScopeKit shall notify the Customer (as controller) without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting the Customer's data, so that the Customer can meet its own obligation under UK GDPR Article 33(1) to notify the ICO within 72 hours where required. Notification shall not be delayed pending full confirmation of the breach; information not yet known may be provided in phases.
9.1 Notification Content
The notification shall include, to the extent known:
- The nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned
- The personal data affected by the breach and the extent of any compromise
- The measures taken or proposed to be taken to address the breach, including measures to contain and remediate the incident
- Recommended actions for the Customer to take to mitigate any possible adverse effects on data subjects
- The name and contact details of the DPO or other contact point for further information
9.2 Cooperation
ScopeKit shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any personal data breach. This includes preserving evidence, providing logs and records, and assisting with notifications to the ICO and affected data subjects where required.
10. Audit Rights
ScopeKit shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in UK GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
10.1 Audit Procedures
Written Notice
The Customer shall provide at least 30 days' written notice of any audit request, unless a shorter period is required due to a regulatory investigation.
Scope and Confidentiality
Audits shall be limited to matters relevant to this DPA. Auditors must sign confidentiality agreements and comply with ScopeKit's security policies.
Frequency
The Customer may conduct one audit per calendar year, unless additional audits are required by regulatory authorities.
Costs
Each party shall bear its own costs in connection with audits, except that the Customer shall reimburse ScopeKit's reasonable costs for audits beyond one per year.
10.2 Alternative Assurance
In lieu of an on-site audit, ScopeKit may provide the Customer with copies of relevant third-party audit reports (such as SOC 2 Type II), certifications, and compliance documentation, which the Customer agrees to accept as demonstrating compliance with security requirements.
11. Return or Deletion of Data
Upon termination of the Services or upon the Customer's written request, ScopeKit shall, at the Customer's choice:
- Return all personal data to the Customer in a structured, commonly used, machine-readable format (JSON or CSV) within 30 days of termination; and/or
- Securely delete all personal data within 90 days of termination, unless retention is required by applicable law.
In either case, ScopeKit shall provide written confirmation of deletion to the Customer upon request.
Data Retention Exceptions
ScopeKit may retain personal data to the extent required by UK law, including for tax, accounting, and legal compliance purposes. Such retained data will remain subject to the confidentiality and security provisions of this DPA. ScopeKit will inform the Customer of any legal retention requirements that apply.
11.1 Data Export Period
Following termination, the Customer will have 30 days to export their data in JSON or CSV format using the self-service data export tools. After this export period ends, ScopeKit will securely delete all Customer personal data so that deletion is complete within 90 days of termination, except where legally required to retain it. Upon request, ScopeKit shall provide written confirmation that deletion has been completed.
12. Term and Termination
12.1 Term
This DPA shall come into effect on the date the Customer agrees to the ScopeKit Terms of Service and shall remain in effect for the duration of the Customer's use of the Services.
12.2 Termination
This DPA shall automatically terminate upon termination or expiry of the main service agreement between the parties. The Customer may also terminate this DPA by providing written notice if ScopeKit materially breaches this DPA and fails to remedy such breach within 30 days of receiving notice.
12.3 Survival
Clauses that by their nature should survive termination shall continue to apply, including provisions relating to confidentiality, data return/deletion, and liability.
13. Technical and Organisational Measures (Annex A)
In accordance with UK GDPR Article 32, ScopeKit implements the following technical and organisational measures to ensure a level of security appropriate to the risk:
13.1 Technical Measures
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- Encrypted backups with separate key management
- End-to-end encryption for sensitive documents
Access Control
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) available
- Unique user credentials required
- Automatic session timeout
- Principle of least privilege enforced
Network Security
- Web Application Firewall (WAF)
- DDoS protection
- Intrusion detection and prevention systems
- Regular penetration testing
- Network segmentation
Data Integrity
- Automated backup systems with geo-redundancy
- Point-in-time recovery capability
- Data validation and integrity checks
- Version control for documents
Monitoring & Logging
- Comprehensive audit logging
- Real-time security monitoring
- Anomaly detection systems
- Log retention for 7 years
Physical Security
- AWS data centres with ISO 27001 certification
- Biometric access controls at data centres
- 24/7 security monitoring
- Environmental controls (fire, flood, power)
13.2 Organisational Measures
- Data Protection Officer appointed
- Regular staff training on data protection
- Background checks for employees with data access
- Confidentiality agreements with all staff
- Documented security policies and procedures
- Regular security awareness programmes
- Incident response team and procedures
- Business continuity and disaster recovery plans
- Vendor security assessments
- Annual security audits by independent third parties
Continuous Improvement
ScopeKit regularly reviews and updates these technical and organisational measures to address evolving security threats and to maintain compliance with industry best practices. Changes that materially reduce the level of protection will be notified to Customers in advance.
Contact Information
For questions about this Data Processing Agreement or to request a signed copy:
Data Protection Officer: dpo@scopekit.co.uk
Company: ScopeKit
Address: 14th Floor, The Plaza, Old Hall St, Liverpool, L3 9QJ, United Kingdom
This DPA should be read in conjunction with our Privacy Policy and Terms of Service. In the event of any conflict between this DPA and other agreements, this DPA shall prevail with respect to data protection matters.