Last updated: June 2026
Xertilox HR Platform – Direct Customers
Xertilox Ltd · Company No. 14689245 · 48 Sutton Mill Road, Potton, Sandy, England, SG19 2QB
Version 1.0 | June 2026 | Confidential
This Data Processing Agreement ("DPA") governs the processing of personal data by Xertilox Ltd on behalf of the Customer in connection with the Xertilox HR Platform. It is incorporated into and forms part of the Xertilox HR Platform Terms and Conditions (the "Master Agreement") between the parties. In the event of conflict between this DPA and the Master Agreement in relation to the processing of personal data, this DPA prevails.
1.1 This DPA is between Xertilox Ltd ("Xertilox", the "Processor") and the business customer identified in the applicable Order Form (the "Customer", the "Controller").
1.2 For the purposes of UK Data Protection Laws, the Customer is the Controller and Xertilox is the Processor in respect of personal data processed by Xertilox on behalf of the Customer under the Master Agreement.
1.3 Nothing in this DPA relieves the Customer of its own responsibilities under UK Data Protection Laws, including establishing a lawful basis for processing and providing transparency information to Data Subjects.
2.1 In this DPA, the following terms apply. Terms not defined here have the meaning given in the Master Agreement or in UK Data Protection Laws.
| Term | Meaning |
|---|---|
| Controller | The party that determines the purposes and means of Processing Personal Data. For this DPA, the Customer is the Controller. |
| Processor | The party that Processes Personal Data on behalf of the Controller. For this DPA, Xertilox is the Processor. |
| Data Subject | An identified or identifiable natural person whose Personal Data is Processed under this DPA. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1). |
| Processing | Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure and destruction. |
| Security Measures | The technical and organisational measures set out in clause 6 and Annex 2 (Security Measures). |
| Sub-processor | Any third party engaged by Xertilox to carry out Processing on behalf of the Customer. |
| Sub-processor List | The current list of approved Sub-processors maintained by Xertilox at Annex 3, as updated from time to time in accordance with clause 7. |
| UK Data Protection Laws | The UK GDPR (Regulation (EU) 2016/679 as retained in UK law) and the Data Protection Act 2018, together with all applicable UK data protection legislation. |
| UK GDPR | The UK General Data Protection Regulation. |
3.1 This DPA governs all Processing of Personal Data carried out by Xertilox as Processor on behalf of the Customer in connection with the Xertilox HR Platform under the Master Agreement.
3.2 The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects are set out in Annex 1 (Processing Schedule).
3.3 This DPA covers the Xertilox HR Platform. Where the Customer elects to use Compliance Services, the processing of personal data in connection with those services is also governed by this DPA, subject to the Compliance Services Terms in the Master Agreement.
4.1 Xertilox shall Process Personal Data only on documented instructions from the Customer, unless required to do otherwise by applicable law. The Master Agreement, this DPA, and the Customer's use and configuration of the Platform constitute the Customer's documented instructions.
4.2 If Xertilox considers that an instruction infringes UK Data Protection Laws, it shall inform the Customer without undue delay and may suspend Processing of the relevant instruction until the Customer provides a clarified or amended instruction.
4.3 Where applicable law requires Xertilox to Process Personal Data beyond the Customer's instructions, Xertilox shall notify the Customer before Processing, unless prohibited by law on important grounds of public interest.
5.1 Xertilox shall ensure that all personnel authorised to Process Personal Data are subject to appropriate obligations of confidentiality, whether contractual or statutory, and receive appropriate data protection and information security training.
5.2 Xertilox shall restrict access to Personal Data to personnel who require it to perform the Services.
6.1 Xertilox shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by UK GDPR Article 32. The measures in place are set out in Annex 2 (Security Measures).
6.2 As a minimum, those measures include: (a) encryption of Personal Data in transit using HTTPS/TLS; (b) encryption of Personal Data at rest using AES-256; (c) role-based access control and multi-factor authentication; (d) segregation of production from non-production environments with isolated credentials; (e) structured audit logging of administrative actions; and (f) daily backups with point-in-time recovery capability.
6.3 Xertilox may update the Security Measures from time to time provided no update materially reduces the overall level of protection, and shall notify the Customer of any material reduction within 14 days.
7.1 The Customer provides general written authorisation for Xertilox to engage the Sub-processors set out in the Sub-processor List at Annex 3 as at the date of this DPA.
7.2 The Sub-processor List is maintained separately and may be updated by Xertilox from time to time. Xertilox shall give the Customer not less than 30 days' prior written notice (which may be by email or via the Platform) before adding or replacing a Sub-processor, or materially changing the role of an existing Sub-processor. The Customer is not required to re-execute this DPA when the Sub-processor List is updated.
7.3 Where the Customer objects to a proposed new or changed Sub-processor on reasonable data protection grounds, the Customer shall notify Xertilox in writing within 14 days of the notice. The parties shall negotiate in good faith to resolve the objection. If no resolution is reached within 30 days, the Customer may terminate the Master Agreement in respect of the affected Services on written notice.
7.4 Xertilox shall impose on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA, and remains liable to the Customer for the acts and omissions of its Sub-processors to the same extent as if Xertilox had performed the Processing itself.
Why this clause matters: the Sub-processor List lives in Annex 3 and is updated by notice. Neither party needs to re-sign this DPA when a sub-processor changes.
8.1 Xertilox shall assist the Customer in responding to requests from Data Subjects exercising their rights under UK Data Protection Laws. Where Xertilox receives a request directly from a Data Subject, it shall promptly forward it to the Customer and shall not respond directly unless instructed by the Customer or required by law.
8.2 Xertilox shall provide assistance within the following indicative timescales, measured from the Customer's written request:
| Right | How Xertilox assists | Timescale |
|---|---|---|
| Access (Art. 15) | Export of the Data Subject's Personal Data in a readable format. | Within 5 business days |
| Rectification (Art. 16) | Correction of inaccurate data as instructed. | Within 5 business days |
| Erasure (Art. 17) | Erasure via support process with audit trail; mobile users may self-delete in-app. Where a legal retention obligation applies, Xertilox notifies the Customer first. | Within 30 days |
| Restriction (Art. 18) | Restriction of processing without deletion. | Within 5 business days |
| Portability (Art. 20) | Export in a structured, machine-readable format (CSV or JSON). | Within 10 business days |
| Objection (Art. 21) | Suspension of processing pending resolution. | Within 5 business days |
8.3 Where a request results in substantial additional work outside normal service delivery, Xertilox may charge reasonable additional fees for that assistance.
9.1 Xertilox shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Personal Data Processed on behalf of the Customer.
9.2 The notification shall include, to the extent available: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the name and contact details of the Xertilox data protection contact; (c) the likely consequences; and (d) the measures taken or proposed to address it.
9.3 Where full information is not available within 72 hours, Xertilox shall provide it in phases without further undue delay, and shall provide reasonable assistance to the Customer in making any notification required to the ICO or affected Data Subjects under UK GDPR Articles 33 and 34.
9.4 Notification of a breach shall not be construed as an admission of fault or liability.
10.1 Taking into account the nature of Processing and the information available to it, Xertilox shall provide the Customer with reasonable assistance to carry out a Data Protection Impact Assessment and any prior consultation with the ICO required under UK GDPR Articles 35 and 36.
10.2 Where the Customer enables Compliance Services involving identity verification, Right to Work, or DBS data, the Customer acknowledges this may constitute high-risk processing of special category or criminal records data requiring a DPIA, and Xertilox shall provide the information necessary to support it.
11.1 On termination or expiry of the Master Agreement, or on written request from the Customer, Xertilox shall, at the Customer's option and within 30 days: (a) return all Personal Data in a structured, commonly used, machine-readable format (CSV or JSON); or (b) securely delete all Personal Data and copies from Xertilox's systems and those of its Sub-processors.
11.2 Xertilox shall provide written confirmation of deletion within 14 days of completing it.
11.3 Xertilox may retain Personal Data beyond 30 days only where required by applicable law, in which case it shall notify the Customer of the retention obligation, the data retained and the retention period, and shall delete it once the period expires.
12.1 Xertilox shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and UK GDPR Article 28, and shall allow for and contribute to audits by the Customer or a mandated auditor, provided that: (a) not less than 30 days' prior written notice is given (except following a breach or regulatory investigation, where reasonable notice applies); (b) audits take place during normal business hours; (c) they do not unreasonably disrupt Xertilox's business or compromise the security of other customers; and (d) the auditor is bound by confidentiality.
12.2 Xertilox may satisfy audit requests through third-party certifications (such as ISO 27001), independent audit reports, security summaries or questionnaire responses where reasonably sufficient for the Customer's purposes.
13.1 Xertilox shall not transfer Personal Data outside the United Kingdom or EEA unless a valid transfer mechanism is in place under UK GDPR Chapter V, such as adequacy regulations, the UK IDTA, or the UK Addendum to the EU Standard Contractual Clauses.
13.2 The data region of each processing activity and the applicable transfer mechanism are set out in Annex 3 (Sub-processor List). Core HR data (database, file storage and authentication) is hosted within the United Kingdom.
13.3 Xertilox shall notify the Customer before engaging any new Sub-processor that would involve an international transfer not covered by an existing mechanism.
14.1 Term: This DPA takes effect on the date of the Master Agreement and continues for as long as Xertilox Processes Personal Data on behalf of the Customer. Clauses 5, 6, 11 and 12 survive termination.
14.2 Liability: Liability under this DPA is subject to the limitations and caps set out in the Master Agreement. Nothing in this DPA excludes or limits liability that cannot lawfully be excluded.
14.3 Changes: Except for updates to the Sub-processor List under clause 7 and Security Measures under clause 6, no amendment to this DPA is effective unless agreed in writing by both parties.
14.4 Precedence: In the event of conflict between this DPA and the Master Agreement in relation to the processing of Personal Data, this DPA prevails.
14.5 Governing law: This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Where signed as a standalone document, the parties agree to be bound by this DPA. Where the Master Agreement is signed, this DPA is incorporated by reference and separate signature is not required.
| Party | Details |
|---|---|
| Signed for Xertilox Ltd (Processor) | Name: ___ Title: ___ Signature: ___ Date: ___ |
| Signed for the Customer (Controller) | Name: ___ Title: ___ Signature: ___ Date: ___ |
Annex 1 (Processing Schedule)

This schedule sets out the details of Processing as required by UK GDPR Article 28(3).

| Item | Description |
|---|---|
| Subject matter | Provision of the Xertilox HR Platform and associated support, hosting, workflow, reporting and optional compliance functionality. |
| Duration | For the term of the Master Agreement and any reasonable deletion or return period afterwards. |
| Nature of processing | Collection, storage, organisation, retrieval, consultation, use, transmission, restriction, deletion and other processing required to provide the Services. |
| Purpose | To enable the Customer to manage HR records, onboarding, workflows, compliance activity and related business operations. |
| Data subjects | Employees, workers, contractors, agency staff, applicants, former personnel, managers, administrators and Customer representatives. |
| Personal data | Identification and contact details; employment records; user account data; payroll-related data; holiday and absence data; document data; compliance and identity verification data; access logs; system usage data; support communications. |
| Special category data | May include health or absence-related data and, where Compliance Services are enabled, biometric or document-derived identity data and criminal records data (DBS). The Customer is responsible for the lawful basis under UK GDPR Articles 9 and 10. |
| Data category | Retention period | Basis |
|---|---|---|
| Employment records | 6 years from end of employment | HMRC and UK employment law |
| Payroll & compensation | 6 years | HMRC requirements |
| Health & safety records | 3 years minimum | Health & Safety at Work etc. Act 1974 |
| Audit logs | 12 months | Security and accountability |
| Terminated employee records | 6 years from termination | Employment law / claims period |
Annex 2 (Security Measures)

The technical and organisational measures in place to protect Personal Data, as referenced in clause 6.
| Area | Measure |
|---|---|
| Encryption in transit | All communication between browsers, the mobile app and servers uses HTTPS/TLS. Database connections enforce TLS. |
| Encryption at rest | AES-256 encryption for the database and file storage. MFA codes are stored hashed (HMAC-SHA256), never in plaintext. |
| Access control | Role-based access control; managers limited to their reports; database-level row security as defence-in-depth. |
| Authentication | Mandatory multi-factor authentication for all users; optional authenticator-app TOTP; device-local biometric unlock on mobile. |
| Environment separation | Separate development, test, demo and production environments with isolated credentials. |
| Audit logging | Structured audit trail of administrative actions, permission changes and email sends. |
| Backup & recovery | Daily backups with point-in-time recovery; 24-hour RTO and RPO targets. |
| Personnel | Staff bound by confidentiality; production access restricted to those who require it. |
Xertilox may update these Security Measures from time to time provided no update materially reduces the overall level of protection afforded to Personal Data.
Annex 3 (Sub-processor List)

This list is maintained separately from the body of the DPA and may be updated by Xertilox on not less than 30 days' notice in accordance with clause 7. Updating this list does not require re-execution of the DPA or the Master Agreement.
Current version: 1.0 · Last updated: June 2026
| Sub-processor | Purpose | Data region | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | London, UK (AWS eu-west-2) | None required (UK) |
| Vercel Inc. | Web application hosting, serverless functions | Dublin, IE + London, UK | None required (UK/EEA) |
| Resend (Plus Five Five, Inc.) | Transactional email | Ireland (EEA) | None required (EEA) |
| Apple Inc. | iOS push notifications, App Store distribution | USA | Apple standard developer terms |
| Google LLC | Android push notifications, Play Store distribution | USA | Google Cloud DPA / SCCs |
Changes to this Annex are notified to the Customer by email or via the Platform. The Customer may object to a new or changed Sub-processor on reasonable data protection grounds within 14 days of notice, as set out in clause 7.3.