Last updated: June 2025
When your organisation uses Alphanomic to manage workforce data, you are usually the data controller and Alphanomic acts as the data processor for personal data you submit to the platform.
This page summarises our standard Data Processing Agreement (DPA) commitments under UK GDPR Article 28. A signed DPA is available on request for paying and enterprise customers.
1. Scope
The DPA applies to personal data processed in the Alphanomic platform on your documented instructions, including workforce records such as:
- employee and worker profile details
- schedules, attendance, leave, and operational records
- documents, training records, and related notes you choose to store
It does not replace our Privacy Policy, which covers data Alphanomic controls directly (for example website enquiries and billing contacts).
2. Processor commitments
Alphanomic will:
- process personal data only on your documented instructions, unless required by law
- ensure personnel with access are bound by confidentiality obligations
- implement appropriate technical and organisational security measures
- assist with data subject requests where feasible, taking into account the nature of processing
- assist with security, breach notification, and impact assessment obligations where applicable
- delete or return personal data at the end of the service term, subject to legal retention requirements
- make available information reasonably necessary to demonstrate compliance with Article 28
3. Your responsibilities as controller
Your organisation is responsible for:
- having a lawful basis to collect and upload personal data
- providing appropriate privacy notices to employees and workers
- configuring roles, permissions, and retention within the platform
- the accuracy and quality of Customer Data you submit
4. Sub-processors
We use sub-processors to deliver hosting, billing, email, security, and related services. A current list is published on our Sub-processors page.
We require sub-processors to protect personal data under written terms consistent with UK GDPR. Where your signed agreement requires prior notice of sub-processor changes, we will follow those terms.
5. Security
We maintain administrative, technical, and organisational measures designed to protect personal data, including access controls, encryption in transit, monitoring, and incident response procedures appropriate to the Services.
6. International transfers
Personal data may be accessed by authorised personnel or sub-processors outside the country where your organisation is located. Where required, we use appropriate transfer safeguards such as the UK IDTA or Standard Contractual Clauses, as described in our Privacy Policy.
7. Personal data breaches
If we become aware of a personal data breach affecting Customer Data, we will notify you without undue delay after becoming aware of the breach, and provide information reasonably available to help you meet your obligations.
8. Audits and information
On reasonable notice, we will provide information necessary to demonstrate compliance with Article 28 and allow for audits or inspections agreed in writing, subject to confidentiality and security constraints.
9. Term and deletion
When your subscription ends, we will delete or return Customer Data according to your agreement and our standard export and retention procedures, except where retention is required by law or legitimate dispute resolution.
10. Request a signed DPA
To receive our standard DPA for review or signature:
Email: hello@alphanomic.co.uk
Include "DPA request" in the subject line, your organisation name, and the email domain to be covered.
Related policies: Privacy Policy · Terms & Conditions · Sub-processors