DRAFT — Subject to solicitor review before publication

Data Processing Agreement

Last updated: 1 April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer and Licet, and governs the processing of personal data by Licet on behalf of the Customer.

1. Parties

  • “Controller” means the Customer — the Organisation that subscribes to the Licet Service and determines the purposes and means of processing personal data within the platform.
  • “Processor” means Licet (pending Ltd formation), founded by Josh O’Keeffe, Wirral, Merseyside. Registered address to be confirmed.

2. Subject Matter and Duration

2.1. Subject matter: The processing of personal data relating to construction compliance management through the Licet platform, including the hosting, storage, organisation, retrieval, display, and securing of compliance data.

2.2. Duration: This DPA shall remain in effect for the duration of the Customer’s active subscription to the Service, and shall continue to apply to any personal data retained after termination in accordance with legal retention obligations.

3. Nature and Purpose of Processing

Licet processes personal data for the following purposes:

  • Hosting and storing compliance records, certificates, and inspection reports on behalf of the Customer.
  • Processing and displaying competency data, training records, and expiry information.
  • Securing compliance data through encryption, access controls, and audit logging.
  • Maintaining an immutable, hash-chain-secured audit trail of all compliance activities.
  • Generating automated notifications (email and SMS) for certificate expiry, inspection due dates, and compliance alerts.
  • Providing reporting and analytics dashboards to the Customer.

4. Types of Personal Data

The following categories of personal data may be processed under this DPA:

  • Identity data: Full name, job title, employee/worker reference number.
  • Contact data: Email address, telephone number.
  • Competency records: Qualifications, certifications, CSCS card numbers, training completion records, and expiry dates.
  • Medical fitness status: Fit/unfit status for specific site roles (note: no detailed medical records are stored — only the binary fitness-for-role status).
  • Digital signatures: Electronic signatures captured for compliance sign-offs and acknowledgements.
  • GPS location data: Coordinates captured at the point of clock-in/clock-out for site presence verification.
  • Photographs: Site photographs attached to inspection reports, progress records, or compliance evidence.

5. Categories of Data Subjects

Personal data may relate to the following categories of individuals:

  • Construction workers: Operatives, tradespeople, and labourers working on the Customer’s sites.
  • Supervisors: Site supervisors, foremen, and team leaders.
  • Managers: Project managers, site managers, health and safety managers, and compliance officers.
  • Visitors: Individuals attending site for inductions, inspections, or other temporary purposes.

6. Obligations of the Processor

Licet shall:

6.1 General Obligations

  • Process personal data only on documented instructions from the Controller, unless required to do so by UK law.
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality.
  • Implement and maintain appropriate technical and organisational measures as described in Section 9 of this DPA.
  • Assist the Controller in ensuring compliance with the Controller’s obligations under Articles 32 to 36 of the UK GDPR.

6.2 Sub-processor Management

  • Not engage another processor without prior written authorisation from the Controller. A general written authorisation is granted for the sub-processors listed in Section 8 of this DPA.
  • Notify the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
  • Ensure that sub-processor agreements impose equivalent data protection obligations.

6.3 Data Breach Notification

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach.
  • The notification shall include: (a) the nature of the breach, (b) the categories and approximate number of data subjects affected, (c) the likely consequences, and (d) the measures taken or proposed to mitigate the breach.
  • Cooperate fully with the Controller in investigating and remediating any data breach.

6.4 Deletion and Return of Data

  • Upon termination of the subscription, make all Customer data available for export for 30 days in standard formats (CSV, PDF).
  • After the 30-day export period, delete all personal data from active systems, unless retention is required by UK law (in which case the data will be securely archived and isolated from active processing).

7. Obligations of the Controller

The Customer shall:

  • Ensure that it has a lawful basis for processing the personal data it uploads to the Service.
  • Ensure that data subjects have been provided with appropriate privacy notices.
  • Provide documented processing instructions to Licet and notify Licet if any instruction infringes UK data protection law.
  • Maintain appropriate access controls within its Organisation’s account, including role-based permissions and MFA enforcement.

8. Sub-processors

The Controller provides general written authorisation for Licet to engage the following sub-processors:

Sub-processor   Purpose                                Location   Safeguards
Supabase        Database hosting and authentication    EU / US    SCCs, UK IDTA
Vercel          Application hosting and CDN            US         SCCs, UK IDTA
Stripe          Payment processing                     US         SCCs, UK IDTA, PCI DSS
Resend          Transactional email delivery           US         SCCs, UK IDTA
Twilio          SMS delivery (MFA and alerts)          US         SCCs, UK IDTA
Sentry          Error monitoring and performance       US         SCCs, UK IDTA
Anthropic       AI-assisted compliance features        US         SCCs, UK IDTA

9. Technical and Organisational Measures

Licet implements the following measures to protect personal data:

9.1 Encryption

  • At rest: All data is encrypted at rest using AES-256 encryption via Supabase’s managed PostgreSQL infrastructure.
  • In transit: All data in transit is encrypted using TLS 1.2 or higher. HTTPS is enforced for all connections.

9.2 Access Controls

  • Row Level Security (RLS): Supabase RLS policies ensure that each Organisation can only access its own data. No cross-tenant data access is possible at the database level.
  • Multi-Factor Authentication (MFA): Required for all user accounts without exception.
  • Role-Based Access Control (RBAC): Granular permissions (Owner, Admin, Manager, User, Viewer) control access to features and data within each Organisation.

9.3 Audit Logging

  • All data access, modifications, and compliance actions are logged in an immutable audit trail.
  • Audit records are secured using a cryptographic hash chain, providing tamper-evidence for all compliance activities.

9.4 Infrastructure Security

  • Application hosted on Vercel’s enterprise-grade infrastructure with automatic DDoS protection.
  • Database hosted on Supabase’s managed PostgreSQL with automated backups, point-in-time recovery, and network isolation.
  • Regular security updates and dependency vulnerability scanning.

9.5 Personnel

  • All personnel with access to personal data are bound by confidentiality obligations.
  • Access to production systems is limited to essential personnel only and requires MFA.

10. Audits and Inspections

10.1. Licet shall make available to the Controller all information necessary to demonstrate compliance with this DPA and the UK GDPR.

10.2. The Controller may conduct audits, including inspections, either itself or through an appointed third-party auditor, subject to reasonable notice and during normal business hours.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales, and is subject to the exclusive jurisdiction of the courts of England and Wales.

12. Contact

For any questions regarding this DPA, please contact:

  • Email: dpa@licet.co.uk
  • Post: Licet (pending Ltd formation), Wirral, Merseyside. Registered address to be confirmed.