(GDPR – Controller / Processor)
This Data Processing Agreement (“Agreement”) forms part of the contract between Boxcore (“Processor”) and the customer (“Controller”) for the provision of Boxcore’s construction safety and workforce management software (“Services”).
This Agreement is intended to ensure compliance with the UK GDPR and EU GDPR, as applicable.
1. Definitions
- Data Protection Laws means the UK GDPR, the EU GDPR, the Data Protection Act 2018, and any applicable data protection or privacy legislation.
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing has the meaning given in the GDPR.
- Sub-processor means any third party engaged by Boxcore to process Personal Data on behalf of the Controller.
2. Roles of the Parties
2.1 The Controller is the data controller for Personal Data processed under this Agreement.
2.2 Boxcore acts as a data processor and processes Personal Data only on documented instructions from the Controller, unless required to do otherwise by law.
3. Scope of Processing
3.1 Boxcore shall process Personal Data solely for the purpose of providing the Services.
3.2 The processing activities may include:
- Collecting, storing, organising, viewing, and deleting Personal Data
- Making Personal Data available to authorised users
- Generating reports and compliance records
3.3 Categories of data subjects may include:
- Employees
- Subcontractors
- Site operatives
- Supervisors and managers
3.4 Types of Personal Data may include:
- Name and contact details
- Employment or company affiliation
- Training and competency records
- Identification data used for site access or attendance
- Audit and compliance records
Special category data is not intentionally processed unless required for compliance or safety purposes and instructed by the Controller.
4. Processor Obligations
Boxcore shall:
4.1 Process Personal Data only on documented instructions from the Controller.
4.2 Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
4.3 Implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, loss, destruction, or damage.
4.4 Assist the Controller, where reasonably possible, with:
- Responding to data subject requests
- Data protection impact assessments
- Regulatory enquiries
4.5 Notify the Controller without undue delay after becoming aware of a Personal Data breach.
4.6 Delete or return Personal Data at the end of the Services, unless retention is required by law.
5. Controller Obligations
The Controller shall:
5.1 Ensure that Personal Data is collected and processed lawfully.
5.2 Provide lawful instructions to Boxcore for processing.
5.3 Ensure appropriate notices are provided to data subjects.
5.4 Remain responsible for determining retention periods and lawful bases for processing.
6. Sub-processors
6.1 The Controller authorises Boxcore to engage Sub-processors for the provision of the Services.
6.2 Boxcore shall:
- Carry out due diligence on Sub-processors
- Enter into written agreements imposing equivalent data protection obligations
6.3 A list of Sub-processors shall be made available upon request.
7. International Transfers
7.1 Where Personal Data is transferred outside the UK or EEA, Boxcore shall ensure appropriate safeguards are in place, including:
- UK Addendum to Standard Contractual Clauses, or
- EU Standard Contractual Clauses, where applicable.
8. Security Measures
8.1 Boxcore shall maintain appropriate security measures, including:
- Access controls
- Encryption where appropriate
- Secure hosting environments
- Regular security monitoring
8.2 Further details of security controls may be provided separately upon request.
9. Audits and Compliance
9.1 The Controller may request reasonable information to demonstrate compliance with this Agreement.
9.2 Audits shall be limited in scope, subject to reasonable notice, and must not disrupt Boxcore’s operations or compromise the security of other customers’ data.
10. Liability
10.1 Each party shall be liable for breaches of Data Protection Laws caused by its own acts or omissions.
11. Term and Termination
11.1 This Agreement remains in force for the duration of the Services.
11.2 Termination of the main services agreement automatically terminates this Agreement.
12. Governing Law
This Agreement shall be governed by the laws of Ireland, and the courts of that jurisdiction shall have exclusive jurisdiction.
Schedule 1 – Processing Details (Summary)
Subject matter:
Provision of construction safety and workforce management software.
Duration:
For the term of the Services.
Nature of processing:
Hosting, storage, access, reporting, and management of workforce and safety data.
Categories of data subjects:
Construction workers, subcontractors, managers, and administrative staff.