Data Processing Agreement
Version 1.0.0 · Effective 1 July 2026
This DPA supplements the agreement between UniAsset and your organisation. Owners can review and accept it on record from Settings → Legal & Compliance. See our Subprocessor Register for the third parties referenced below.
1. Parties and Roles
This Data Processing Agreement ("DPA") forms part of the agreement between UniAsset ("Processor") and the customer organisation that accepts it ("Controller") for the provision of the UniAsset asset operations platform (the "Service").
For the personal data that the Controller and its authorised users enter into or generate within the Service ("Customer Personal Data"), the Controller acts as the data controller and UniAsset acts as the data processor. UniAsset separately acts as a controller for limited account, billing and security data as described in its Privacy Policy.
This DPA is governed by and incorporates the requirements of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
2. Definitions
"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and all applicable laws relating to the processing of personal data and privacy. Terms such as "personal data", "processing", "data subject", "controller", "processor" and "personal data breach" have the meanings given in the UK GDPR.
"Subprocessor" means any third party engaged by UniAsset to process Customer Personal Data. "Sub-processing" is described in Section 7 and the live Subprocessor Register.
3. Details of Processing
Subject matter and duration
The subject matter is the provision of the Service. Processing continues for the duration of the agreement and until deletion or return of Customer Personal Data in accordance with Section 11.
Nature and purpose
UniAsset processes Customer Personal Data to host, operate, secure and support the Service — including asset management, work orders, preventive maintenance, document management, notifications and reporting — strictly on the Controller's documented instructions.
Categories of data subjects
- The Controller's staff, administrators and authorised users
- Individuals recorded as asset assignees, contacts or persons
- Individuals referenced in uploaded documents, images or work-order records
Categories of personal data
- Identity and contact data (name, email, phone, role, department)
- Authentication and account data
- Usage, audit-log and technical data (including IP address and device information)
- Any personal data contained in customer-uploaded files and free-text fields
The Controller must not upload special category data unless strictly necessary and lawful, and remains responsible for the lawfulness of the data it processes through the Service.
4. Processor Obligations
UniAsset shall:
- Process Customer Personal Data only on the Controller's documented instructions, including as set out in the agreement and this DPA, unless required by law (in which case UniAsset will inform the Controller, unless legally prohibited);
- Ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
- Implement and maintain the technical and organisational measures set out in Section 6;
- Respect the conditions in Section 7 for engaging subprocessors;
- Taking into account the nature of processing, assist the Controller with data subject requests (Section 8) and with its obligations under Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments and prior consultation);
- Delete or return Customer Personal Data as described in Section 11; and
- Make available information necessary to demonstrate compliance and allow for audits (Section 12).
5. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis and all necessary notices/consents for the Customer Personal Data it processes through the Service;
- Issue only lawful processing instructions;
- Be responsible for the accuracy, quality and legality of Customer Personal Data and the means by which it was acquired;
- Configure roles, permissions and access appropriately and manage its users; and
- Comply with its own obligations as a controller under Data Protection Laws.
6. Security — Technical and Organisational Measures
Taking into account the state of the art and the risks to data subjects, UniAsset implements appropriate technical and organisational measures (Article 32 UK GDPR), including:
- Encryption in transit (TLS) and encryption at rest for the database and file storage;
- Logical multi-tenant isolation so each organisation can access only its own data;
- Role-based access control and the principle of least privilege;
- Secure credential handling (industry-standard password hashing) and support for SSO/MFA via identity providers;
- Sensitive integration secrets encrypted using authenticated encryption (AES-256-GCM);
- Audit logging of security-relevant actions and login events;
- Regular, encrypted backups and defined restoration procedures;
- Secure software development practices, dependency management and access reviews.
UniAsset may update these measures provided the level of protection is not materially reduced. A current summary is available in UniAsset's security documentation.
7. Subprocessors
The Controller provides general authorisation for UniAsset to engage subprocessors to process Customer Personal Data. Current subprocessors are listed in the Subprocessor Register at /subprocessors.
UniAsset imposes data protection obligations on each subprocessor that are no less protective than those in this DPA, and remains liable for its subprocessors' performance. UniAsset will provide a mechanism to notify the Controller of intended changes to subprocessors, giving the Controller the opportunity to object on reasonable data protection grounds.
8. Data Subject Rights
Taking into account the nature of the processing, UniAsset shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection.
Where UniAsset receives a request directly from a data subject relating to Customer Personal Data, it will, unless legally required to act, refer the data subject to the Controller and promptly notify the Controller.
9. Personal Data Breach Notification
UniAsset shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event in time to allow the Controller to meet its own regulatory obligations (including notification to the Information Commissioner's Office within 72 hours where required).
Such notification shall, to the extent available, describe:
- The nature of the breach and the categories and approximate number of data subjects and records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to address and mitigate the breach; and
- A contact point for further information.
10. International Data Transfers
Where processing of Customer Personal Data involves a transfer outside the United Kingdom, UniAsset shall ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or transfers to a jurisdiction covered by UK adequacy regulations.
The transfer safeguards applicable to each subprocessor are indicated in the Subprocessor Register.
11. Retention, Return and Deletion
UniAsset retains Customer Personal Data for the duration of the agreement. On termination, or on the Controller's request, UniAsset will delete Customer Personal Data within the periods described in its Privacy Policy, save where retention is required by law.
Permanent deletion of an organisation removes its database records and all associated files held in blob storage (documents, images and work-order photos), so that no customer files remain. Backups are purged in line with the defined backup retention schedule.
12. Audit Rights
UniAsset shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and Article 28 UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted on reasonable prior notice, no more than once per year (unless required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not disrupt the Service or compromise other customers' data. UniAsset may satisfy audit requests by providing relevant certifications, reports or completed security questionnaires where available.
13. Liability and General
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the agreement. In the event of a conflict between this DPA and the agreement on data protection matters, this DPA prevails.
This DPA takes effect when accepted by an authorised representative of the Controller and remains in force for the duration of the agreement. Acceptance is recorded with the accepting user, timestamp and DPA version.