Data Processing Agreement (DPA)

Last updated: February 18, 2026

This Data Processing Agreement (“DPA”) forms part of the contract or subscription agreement between Time Prof (“Processor”) and the customer organisation (“Controller”) that uses the Time Prof workforce and rota management platform (the “Service”).

1. Definitions

For the purposes of this DPA:

“Controller” means the customer organisation that determines the purposes and means of processing.
“Processor” means Time Prof, which processes personal data on behalf of the Controller.
“Data Subject” means an identified or identifiable natural person (e.g. staff, managers, contractors).
“Personal Data” means any information relating to a Data Subject.
“UK GDPR” means the retained EU law version of the General Data Protection Regulation as applied in the UK.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Subject Matter & Duration

The Processor will process Personal Data on behalf of the Controller in order to provide rota, scheduling, workforce and related services as described in the main service agreement. Processing will continue for the duration of the subscription or contract, unless otherwise required by law.

3. Nature and Purpose of Processing

The Processor will process Personal Data for purposes including:

Managing user accounts and authentication (including multi-factor authentication and recovery codes).
Generating rotas, allocating shifts and capturing responses.
Recording availability, leave, sickness and training.
Running workforce analytics, AI-assisted risk scoring and skill gap analysis.
Time & attendance recording, including geolocation where enabled by the Controller.
Providing support, troubleshooting and continuous service improvement.

4. Categories of Data Subjects

Employees, agency workers and contractors of the Controller.
Administrators and managers who use the platform.
Other users whose data is entered into the system by the Controller.

5. Types of Personal Data

Identity data (name, staff identifiers, job role, profile photo).
Contact details (email, phone, address).
Employment and rota-related data (skills, sites, shift history, leave).
Time & attendance records, clock-in/out data and geolocation (if enabled).
Login and security data (hashed passwords, tokens, 2FA configuration).
System usage logs, audit logs and communications (messages, alerts).

6. Obligations of the Processor

The Processor shall:

Process Personal Data only on documented instructions from the Controller.
Ensure authorised persons are subject to confidentiality obligations.
Implement appropriate technical and organisational security measures.
Assist the Controller with Data Subject rights requests where reasonably required.
Assist with Data Protection Impact Assessments (DPIAs) where processing involves high risk.
Notify the Controller without undue delay after becoming aware of a Personal Data breach.
Maintain records of processing activities in accordance with UK GDPR.

7. Sub-processing

The Controller authorises the Processor to engage Sub-processors for hosting, storage, email delivery, analytics and related services.
The Processor shall ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA.
The Processor will notify the Controller of material changes to Sub-processors where appropriate.

8. International Transfers

Where Personal Data is transferred outside the UK, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent lawful transfer mechanisms.

9. Security Measures

The Processor will implement measures including (where appropriate):

Encryption in transit and at rest.
Role-based access control and multi-factor authentication.
Regular backups and recovery testing.
System logging and monitoring.
Staff training in data protection and security.

10. Data Subject Requests

If the Processor receives a request directly from a Data Subject, the Processor shall notify the Controller and not respond directly unless instructed to do so by the Controller.

11. Personal Data Breaches

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and provide sufficient information to support regulatory and Data Subject notifications where required.

12. Audits & Inspections

The Controller may request information regarding the Processor’s data protection controls or conduct audits subject to reasonable notice and confidentiality requirements.

13. Return or Deletion of Data

Upon termination of the service, the Processor shall, at the Controller’s option:

Return Personal Data to the Controller; and/or
Securely delete or anonymise Personal Data unless retention is required by law.

14. Liability

The liability provisions of the main service agreement apply to this DPA. Nothing in this DPA limits liability where prohibited by law.

15. Precedence

In the event of conflict between this DPA and the main service agreement, this DPA shall prevail regarding data protection obligations.

For any questions regarding this DPA, please contact us at: privacy@timeprof.com.