Data Processing Terms (Data Processing Agreement)

These terms form part of, and should be read together with, our Terms of Use. They apply whenever you use Staff Rota & Payroll to process personal data about your staff. This is a template provided to help you get started and should be reviewed by a qualified legal adviser before it is relied upon.

1. Who these terms are between

These terms are between Bridport Operator Ltd (company number 12565935), trading as "Staff Rota & Payroll" ("we", "us"), of 13 Nelson Avenue, Plymouth, Devon, PL1 5RL, United Kingdom, and you — the business that holds the account ("you", "the Customer").

2. Who is responsible for what

You are the data controller for your staff's personal data — you decide why and how it's used. We are your data processor — we handle that data on your behalf, only to provide the service. You're responsible for having a lawful basis to put your staff's data into the service and for telling your staff how their data is used.

3. What we process, and for whom

  • Why (purpose): to provide staff rota scheduling, timesheets, payroll estimates, leave, time & attendance and related features you switch on.
  • For how long (duration): for as long as your account is active, plus the short retention period set out in our Privacy Policy.
  • Whose data (data subjects): your staff and your admin users.
  • What data (categories): names and contact details, login details, roles, pay rates and hours, calculated pay, tax codes, National Insurance category and (if you enter it) NI number, pension and student-loan settings, leave and sickness records, and clock-in/attendance data. Some sickness-absence information may be processed in connection with sick pay.

4. Our promises to you

  • We will process your staff's data only on your documented instructions — using the service in the normal way counts as your instructions — unless the law requires otherwise (in which case we'll tell you, unless we're legally barred from doing so).
  • Anyone we allow to access the data is bound by a duty of confidentiality.
  • We apply appropriate security measures for payroll-grade data: encrypted connections, individual logins, role-based access (admin and staff), and organisational and technical safeguards suited to the sensitivity of the data. No system is ever perfectly secure, so you must keep account passwords strong and confidential.

5. Sub-processors (the suppliers we use)

We use a small number of trusted suppliers to run the service, who may process personal data on our behalf:

  • Railway — secure hosting of the application and database.
  • Resend — sending service emails and notifications (which may include names and shift details).
  • Stripe — handling card payments and billing for your subscription.

We have appropriate data-processing terms in place with these suppliers. If we plan to add or change a sub-processor, we'll give you reasonable notice (for example, by email or on this page) so you can object if you have a genuine concern.

6. Where your data is processed

We aim to keep your data within the UK or the European Economic Area. Where a supplier processes data outside the UK, we rely on an appropriate safeguard recognised under UK data protection law (such as the UK International Data Transfer Agreement or Standard Contractual Clauses).

7. Helping you meet your obligations

Taking into account the nature of the service, we'll give you reasonable help with:

  • Responding to your staff's data-protection requests (such as access, correction or deletion). In practice, much of this you can do yourself in the app — for example exporting or deleting data.
  • Keeping data secure, dealing with personal data breaches, and, where needed, your data protection impact assessments and consultations with the ICO.

8. Telling you about data breaches

If we become aware of a personal data breach affecting your data, we'll notify you without undue delay, and give you the information you reasonably need to meet your own reporting duties.

9. Your responsibilities

You're responsible for: only putting in data you're allowed to process; keeping your staff's records accurate; managing who has admin and staff access; and telling your staff how their data is used (your own privacy notice to them).

10. Returning or deleting your data

When your account ends, you can export your data first. After that, we'll delete or anonymise your personal data within a reasonable period, except where we're required by law to keep certain records (for example, payroll or accounting records).

11. Showing we comply

On reasonable written request, we'll make available the information reasonably needed to show we're meeting these terms, and allow for audits in a proportionate way (for example, by providing documentation), respecting the security and privacy of our other customers.

12. How these terms fit with our other terms

If there's any conflict between these Data Processing Terms and our Terms of Use on the handling of personal data, these terms take priority. Our liability under these terms is subject to the limits in our Terms of Use.

13. Changes

We may update these terms from time to time. Where changes are material, we'll take reasonable steps to make you aware of them.

Last updated: June 2026. This document is a template and should be reviewed and adapted with a qualified legal adviser before it is relied upon.