Data Processing Agreement
Incorporated into the MyQTAG Terms of Service.
This Data Processing Agreement (DPA) forms part of the agreement between MyQTAG and the Subscriber and governs the processing of personal data by MyQTAG on behalf of the Subscriber in connection with the MyQTAG platform. It is intended to satisfy the requirements of Article 28 of UK GDPR.
1. Definitions
In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the Terms of Service.
- “Controller” means the Subscriber, who determines the purposes and means of processing personal data.
- “Processor” means MyQTAG, which processes personal data on behalf of the Controller.
- “Data Subject” means the individual to whom personal data relates.
- “Personal Data” has the meaning given in the UK GDPR: any information relating to an identified or identifiable natural person.
- “Processing” has the meaning given in UK GDPR and includes any operation performed on Personal Data.
- “Sub-processor” means any third party engaged by MyQTAG to process Personal Data on behalf of the Controller.
- “UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved under applicable data protection law for the transfer of personal data to third countries.
- “Security Incident” means any confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles of the Parties
The Subscriber is the Controller of any Personal Data submitted to or processed via the MyQTAG platform in connection with its use of the Service. MyQTAG acts as a Processor, processing Personal Data solely on the Controller’s behalf and in accordance with the Controller’s documented instructions, except where required to do so by applicable law.
MyQTAG processes Personal Data only to the extent necessary to provide the Service and as described in Schedule 1 (Details of Processing).
3. Controller Obligations
The Controller is responsible for:
- ensuring it has a valid lawful basis for processing Personal Data and for providing MyQTAG with that Personal Data;
- ensuring Data Subjects have been provided with appropriate privacy notices in accordance with UK GDPR;
- ensuring that any instructions given to MyQTAG comply with applicable data protection law;
- responding to requests from Data Subjects exercising their rights, with assistance from MyQTAG as described in Section 8.
4. Processor Obligations
4.1 Instructions
MyQTAG shall process Personal Data only on documented instructions from the Controller, including those set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law. MyQTAG will promptly notify the Controller if, in its opinion, any instruction infringes applicable data protection law.
4.2 Confidentiality
MyQTAG shall ensure that all personnel authorised to process Personal Data are subject to appropriate obligations of confidentiality.
4.3 No Further Use
MyQTAG shall not process Personal Data for any purpose other than providing the Service, unless required to do so by applicable law. In particular, MyQTAG shall not use Personal Data for advertising, profiling, or the training of AI or machine learning models.
4.4 UK GDPR Compliance
MyQTAG shall comply with all obligations applicable to it as a Processor under UK GDPR, including maintaining records of processing activities as required by Article 30(2).
5. Sub-processors
5.1 Authorisation
The Controller provides general authorisation for MyQTAG to engage Sub-processors. MyQTAG shall maintain and make available to the Controller an up-to-date list of Sub-processors at myqtag.co.uk/sub-processors.
5.2 Notice of Changes
MyQTAG shall give the Controller at least 14 days’ prior written notice of any intended addition or replacement of Sub-processors. If the Controller objects to the proposed change on legitimate data protection grounds, it shall notify MyQTAG in writing within 14 days of the notice. The parties shall attempt to resolve the objection in good faith. If no resolution is reached, the Controller may terminate the Agreement on 30 days’ written notice without penalty.
5.3 Sub-processor Obligations
MyQTAG shall impose data protection obligations on each Sub-processor equivalent to those set out in this DPA. MyQTAG remains liable to the Controller for the acts and omissions of its Sub-processors to the same extent as if MyQTAG had performed the processing directly.
6. Security of Processing
6.1 Technical and Organisational Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects, MyQTAG shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
Details of MyQTAG’s current security measures are set out in Schedule 2 (Technical and Organisational Measures).
6.2 Security Incidents
In the event of a Security Incident affecting Personal Data, MyQTAG shall:
- notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident;
- provide the Controller with sufficient information to enable it to meet its own notification obligations to the ICO and affected Data Subjects;
- co-operate with the Controller and take reasonable steps to mitigate or remediate the incident.
MyQTAG’s notification obligation applies to confirmed Security Incidents. An initial notification may be provided before full information is available, to be supplemented as further details emerge.
7. International Data Transfers
MyQTAG shall not transfer Personal Data outside the UK or European Economic Area (EEA) except:
- to a country that the UK Government has assessed as providing an adequate level of protection;
- subject to appropriate safeguards in accordance with UK GDPR, including the use of UK International Data Transfer Agreements (IDTAs) or equivalent mechanisms; or
- with the prior written consent of the Controller.
Details of any international transfers and the applicable safeguards are set out in Schedule 1.
8. Data Subject Rights
MyQTAG shall provide reasonable assistance to the Controller to enable it to respond to requests from Data Subjects exercising rights under UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
MyQTAG shall promptly notify the Controller if it receives a request from a Data Subject in relation to Personal Data processed on the Controller’s behalf, and shall not respond to such requests directly unless expressly authorised by the Controller or required to do so by law.
9. Privacy by Design & Impact Assessments
MyQTAG shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with the ICO or other supervisory authorities where required under UK GDPR, taking into account the nature of the processing and the information available to MyQTAG.
10. Audits & Inspections
MyQTAG shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
Audits must be conducted on at least 30 days’ prior written notice, during normal business hours, and in a manner that does not unreasonably disrupt MyQTAG’s operations. The costs of any audit shall be borne by the Controller unless the audit reveals material non-compliance, in which case MyQTAG shall bear its own reasonable costs.
MyQTAG may satisfy its audit obligations by providing up-to-date third-party certifications or audit reports (such as ISO 27001 or SOC 2) in lieu of direct audit access, subject to agreement between the parties.
11. Deletion & Return of Data
On termination of the Agreement, or upon the Controller’s written request, MyQTAG shall, at the Controller’s election, either:
- return all Personal Data to the Controller in a commonly used, machine-readable format; or
- securely delete all Personal Data.
MyQTAG shall complete such deletion or return within 90 days of the termination date or written request, and shall provide written confirmation to the Controller upon completion. MyQTAG may retain Personal Data where required by applicable law, in which case it shall inform the Controller of the legal basis and limit processing to what is strictly necessary for that purpose.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except that nothing in this DPA shall limit either party’s liability:
- for death or personal injury caused by negligence;
- for fraud or fraudulent misrepresentation;
- to the extent that such limitation is not permitted under applicable data protection law.
13. Term & Termination
This DPA is effective from the date the Subscriber first accepts the Terms of Service and continues in force for so long as MyQTAG processes Personal Data on behalf of the Controller. Termination of the Terms of Service shall automatically terminate this DPA, subject to any post-termination obligations.
14. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1 — Details of Processing
Subject Matter
The subject matter of the processing is the provision of the MyQTAG platform, including form management, data collection, submission review, and team management services.
Duration
Personal Data is processed for the duration of the Subscriber’s active Subscription, plus the 90-day post-termination retention period described in Section 11.
Nature and Purpose of Processing
MyQTAG processes Personal Data to:
- enable Users to log in and access the platform;
- store and display form submissions made by Users or field operatives;
- provide collaboration, review, and approval workflows;
- send transactional email notifications related to account activity;
- provide customer support;
- comply with applicable legal obligations.
Categories of Personal Data
MyQTAG may process the following categories of Personal Data:
- identity data: names, usernames;
- contact data: email addresses, phone numbers;
- account data: role, team membership, login timestamps;
- operational data: form responses, inspection records, file attachments, and other data submitted by the Subscriber or its Users;
- usage data: IP addresses, device type, browser, activity logs.
Categories of Data Subjects
The Personal Data relates to:
- Subscribers and their authorised Users;
- individuals whose information is included in form submissions or inspection records (for example, site contacts, operatives, or third parties named in inspection data).
International Transfers
MyQTAG’s primary data processing infrastructure is located within the UK and/or EEA. Where any Sub-processor processes Personal Data outside the UK or EEA, MyQTAG shall ensure appropriate safeguards are in place as described in Section 7. Current Sub-processor locations are listed at myqtag.co.uk/sub-processors.
Schedule 2 — Technical and Organisational Measures
MyQTAG implements and maintains the following technical and organisational security measures:
Access Control
- Role-based access controls limiting access to Personal Data to authorised personnel only;
- Multi-factor authentication available for all platform accounts;
- Regular access reviews and prompt revocation of access for leavers.
Encryption
- All data transmitted between users and the platform is encrypted in transit using TLS 1.2 or higher;
- Personal Data stored in the platform database is encrypted at rest.
Availability & Resilience
- Regular automated backups with tested restoration procedures;
- Infrastructure hosted on reputable cloud providers with high availability configurations;
- Incident response and business continuity plans maintained and reviewed annually.
Monitoring & Testing
- Security monitoring and alerting for anomalous access patterns;
- Regular vulnerability scanning and patching processes;
- Periodic security assessments and penetration testing.
Personnel
- All staff with access to Personal Data are subject to confidentiality obligations;
- Data protection and security training provided to relevant personnel;
- Background checks conducted for personnel with access to production systems where permissible by law.
Physical Security
- Physical access to infrastructure is controlled by MyQTAG’s cloud hosting providers in accordance with their security certifications (such as ISO 27001).
This DPA was last updated on 1 July 2025. MyQTAG may update this DPA from time to time in accordance with changes in applicable law or MyQTAG’s processing activities, with notice provided to Subscribers.