Data Processing Addendum

Last updated: July 2026

This Data Processing Addendum ("DPA") forms part of the ConductPath Terms of Service and applies where ConductPath UK Limited ("Processor") processes personal data on behalf of a Customer ("Controller") in the course of providing the Service. It is drafted to satisfy Article 28 UK GDPR and the Data Protection Act 2018.

1. Definitions

Terms used in this DPA have the meaning given in the UK GDPR unless otherwise defined. "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK data-protection legislation as amended from time to time.

2. Scope and roles

For the Personal Data described in Annex A, the Customer is the Controller and ConductPath is the Processor. ConductPath processes Personal Data only on the Controller's documented instructions, which include (a) the standard functions of the Service, (b) any additional written instructions given via the workspace configuration, and (c) instructions required to comply with UK law (which we will notify the Controller of, unless prohibited).

3. Subject matter and duration

Subject matter: provision of the ConductPath workplace-investigations Service, including AI inference, case documentation, procedural scoring, evidence storage, and audit trail.
Duration: for the term of the subscription and any post-termination export window specified in the Terms.
Nature and purpose: collection, storage, structuring, analysis, retrieval, disclosure to authorised users, and deletion, for the purpose of running workplace investigations aligned with the ACAS Code of Practice.

4. Categories of data subjects and Personal Data (Annex A)

Data subjects may include:

  • Complainants, respondents, witnesses in workplace investigations;
  • HR practitioners, investigators, reviewers, managers, and administrators;
  • External accompanying persons (e.g. trade-union representatives, colleagues acting under s.10 Employment Relations Act 1999);
  • Whistleblowers making protected disclosures under PIDA 1998.

Personal Data categories:

  • Identification and contact data (name, employee ID, work email, phone);
  • Employment data (job title, department, employment history, disciplinary record);
  • Case narrative (allegations, statements, evidence, findings, decisions);
  • Correspondence (interview notes, letters, emails included as evidence);
  • Technical/usage data (IP address, sign-in history for the platform).

Special-category data (Article 9 UK GDPR) may include:

  • Health data (occupational-health reports, reasonable-adjustment requests);
  • Racial or ethnic origin, religion or belief, sexual orientation, sex life (in discrimination or harassment cases);
  • Trade-union membership.

Criminal-offence data may be processed where the case involves alleged criminal misconduct.

5. Processor obligations (Article 28(3))

ConductPath will:

  • process Personal Data only on documented instructions from the Controller, including for transfers, unless required by UK law (in which case we will notify the Controller, unless the law prohibits it);
  • ensure that persons authorised to process Personal Data are under an appropriate obligation of confidentiality;
  • implement the security measures required by Article 32 UK GDPR (see Section 7);
  • engage sub-processors only in accordance with Section 8;
  • assist the Controller in fulfilling requests from data subjects exercising their rights under Chapter III UK GDPR;
  • assist the Controller with data-protection impact assessments (DPIAs) and prior consultations with the ICO where required;
  • at the Controller's choice, delete or return all Personal Data at the end of the Service (see Section 11);
  • make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits (Section 12).

6. Controller obligations

The Controller warrants that it will:

  • have and maintain a lawful basis for processing under Article 6 UK GDPR, and where applicable an Article 9 exception under Schedule 1 DPA 2018;
  • maintain the "appropriate policy document" required by paragraphs 39–41 of Schedule 1 DPA 2018 for special-category processing;
  • provide fair-processing information to data subjects (Articles 13/14);
  • use the Service in compliance with Data Protection Laws, the ACAS Code, and the Customer's own policies;
  • not upload data that the Controller is not lawfully entitled to process.

7. Security measures (Annex B)

  • Hosting: UK region only (AWS London, eu-west-2), including backups.
  • Encryption: AES-256 at rest, TLS 1.2+ in transit.
  • Tenant isolation: Row-Level Security enforced in the database.
  • Access control: role-based, least-privilege; MFA enforced for privileged and Enterprise users; SSO/SAML supported.
  • Audit logging: immutable, append-only log of practitioner actions, engine outputs, evidence uploads, and approvals.
  • Vulnerability management: automated dependency scanning, third-party penetration test annually.
  • Business continuity: daily encrypted backups in-region; RPO ≤ 24h, RTO ≤ 8h.
  • Personnel: background checks (BS 7858 aligned), confidentiality obligations, security training on induction and annually.
  • Certifications on roadmap: Cyber Essentials Plus, ISO/IEC 27001, SOC 2 Type II.

8. Sub-processors (Annex C)

The Controller consents to the current list of sub-processors, which includes hosting (Amazon Web Services EMEA SARL, UK region), AI inference (Anthropic Ireland Ltd, OpenAI Ireland Ltd, or equivalent UK/EU entities under zero-retention terms), transactional email (Mailgun via the delegated notify subdomain), and error monitoring. A current list is maintained and available on request from privacy@conductpath.co.uk.

We give the Controller at least 30 days' notice of any proposed new or replacement sub-processor. The Controller may object in writing on reasonable data-protection grounds; if the parties cannot agree, the Controller may terminate the affected part of the Service without penalty for the unexpired term.

We impose obligations on each sub-processor no less protective than those in this DPA and remain fully liable to the Controller for the acts and omissions of each sub-processor.

9. International transfers

Customer Content is stored in the UK. Where a sub-processor processes Personal Data outside the UK, EEA or a country with UK adequacy, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, together with a documented Transfer Risk Assessment (TRA). Copies of executed transfer mechanisms are available on request.

10. Data subject requests and breach

Data subject requests. We will forward any request received directly from a data subject to the Controller without undue delay and will assist the Controller (using appropriate technical and organisational measures) to respond within statutory timescales.

Personal data breach. We will notify the Controller without undue delay (target: within 24 hours of becoming aware) of any personal data breach affecting Customer Personal Data, providing the information required by Article 33(3) as soon as it is available. We will assist the Controller in meeting its notification obligations to the ICO (Article 33) and affected data subjects (Article 34).

11. Return and deletion

On termination or expiry of the Service, the Controller may export all Customer Content for 30 days. Thereafter, ConductPath will delete Customer Content from active systems within 60 days, and from backups on the next scheduled backup-rotation cycle (not to exceed 180 days), subject to any legal retention obligation (which will be documented and limited to what is strictly required).

12. Audit rights

We will make available to the Controller, on request and no more than once per year (or more often following a breach), our most recent security audit reports, penetration-test summaries, and completed security questionnaire. Where the Controller reasonably requires an on-site audit, the parties will agree scope, notice, cost, and confidentiality; audits must be conducted so as not to disrupt the Service or compromise the confidentiality of other customers.

13. Order of precedence

In the event of conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails. In the event of conflict between this DPA and any transfer-mechanism annex incorporating the UK IDTA, the transfer mechanism prevails to the extent required.

14. Governing law

This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales, mirroring the Terms of Service.