PrepShield

Data Processing Agreement (DPA)

Last updated: 8 July 2026 · Version: 1.0

This Data Processing Agreement forms part of, and is incorporated into, the PrepShield Terms of Service. It addresses the requirements of Article 28(3) UK GDPR.


1. Parties and status

This Data Processing Agreement ("DPA") applies between:

  • the Customer (the "Controller"); and
  • Sleepingmongoose.app Ltd, registered in Scotland (company no. SC893221, registered office 34 Hunter Grove, Bathgate, EH48 1NW), trading as PrepShield (the "Processor", "we", "us").

It applies where we process Personal Data on the Controller's behalf in connection with the Service. Where the Controller and Processor are the same legal person (for example, where a sole trader uses PrepShield to manage their own business), this DPA applies to the extent relevant.

2. Definitions

"UK GDPR", "controller", "processor", "personal data", "special category data", "process/processing", "personal data breach" and "data subject" have the meanings given in the UK GDPR and the Data Protection Act 2018 ("Data Protection Laws"). "Customer Personal Data" means personal data we process on the Controller's behalf under the Agreement, as described in Annex 1.

3. Roles and scope

3.1 The Controller is the controller and we are the processor in respect of Customer Personal Data.

3.2 The Controller is responsible for ensuring it has a lawful basis for the processing, for the lawfulness of its instructions, and for providing any required privacy information to data subjects (for example, its staff).

3.3 The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.

4. Our obligations as Processor

We shall:

(a) Documented instructions. Process Customer Personal Data only on the Controller's documented instructions (including as to international transfers), unless required to do otherwise by law, in which case we will inform the Controller (unless legally prohibited). Using the features of the Service constitutes the Controller's instructions. We will inform the Controller if, in our opinion, an instruction infringes Data Protection Laws.

(b) Confidentiality. Ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.

(c) Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR. Our current measures are described in Annex 2.

(d) Sub-processors. Only engage sub-processors in accordance with clause 5.

(e) Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights.

(f) Assistance. Assist the Controller in ensuring compliance with its obligations relating to security, personal data breach notification, data protection impact assessments and prior consultation (Articles 32–36 UK GDPR), taking into account the nature of the processing and the information available to us.

(g) Deletion or return. At the Controller's choice, delete or return all Customer Personal Data at the end of the provision of the Service, and delete existing copies unless storage is required by law. The Agreement provides a 60-day post-termination window during which the Controller may export its data, after which it is deleted from active systems (and purged from backups as they cycle out of retention). We will confirm deletion on request.

(h) Audits. Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality, and the limits in clause 8.

5. Sub-processors

5.1 The Controller gives general written authorisation for us to engage the sub-processors listed in Annex 3 to assist in providing the Service.

5.2 We will impose on each sub-processor, by contract, data-protection obligations that are equivalent to those in this DPA (in particular regarding appropriate technical and organisational measures). We remain fully liable to the Controller for the performance of each sub-processor's obligations.

5.3 We will give the Controller at least 14 days' advance notice, by email or in-app notice, of any intended addition or replacement of a sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds.

6. International transfers

6.1 We will not transfer Customer Personal Data outside the United Kingdom except as necessary to provide the Service and as described in Annex 3, and only where an appropriate transfer mechanism is in place (for example, UK adequacy regulations, or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses).

6.2 Where our sub-processors are established outside the UK, or process data outside the UK, we will ensure an appropriate transfer mechanism applies.

7. Personal data breach

We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide the Controller with information reasonably available to us to assist it in meeting its own notification obligations.

8. Audit limits

Audits under clause 4(h) will take place on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not compromise the security or confidentiality of other customers' data.

9. Liability

The liability of the parties under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

10. Term

This DPA takes effect when the Agreement does and continues for as long as we process Customer Personal Data on the Controller's behalf.


Annex 1 — Details of the processing

ItemDetail
Subject matterProvision of the PrepShield digital food-safety and HACCP compliance Service.
DurationFor the term of the Agreement, plus any post-termination data-export and deletion period.
Nature and purposeStorage, organisation, retrieval and management of food-safety compliance records and related staff records; recording of temperature, delivery, cleaning and check activity (including which user carried out a check); staff training and sickness records; and the raising and tracking of corrective actions.
Types of personal dataIdentity and contact details of the Controller's staff (name, work contact details, role); records of activity performed in the Service (for example, the user who logged a temperature check, cleaning task or corrective action); training and certification records and expiry dates; sickness and absence records and return-to-work information.
Special category dataYes — health data (staff sickness records and related absence/return-to-work information).
Categories of data subjectsThe Controller's employees, workers and other staff who use the Service or whose records are kept within it.

Annex 2 — Technical and organisational security measures

The Processor implements measures including:

  • Tenant isolation. Multi-tenant architecture with row-level security (RLS) enforcing per-organisation data scoping at the database layer, so each customer can access only its own data. Privileged administrative tables are restricted to service-role access only.
  • Encryption. Data encrypted in transit (TLS) and at rest.
  • Access control. Authenticated access only; role-based access within each organisation (owner / manager / staff); least-privilege principles for administrative and infrastructure access; privileged service keys restricted to server-side use.
  • Authentication. Email/password authentication with secure session management.
  • Hosting. Application and data hosted with the reputable infrastructure providers listed in Annex 3, with primary application data hosted in the United Kingdom; outbound transactional email is delivered via a US sub-processor (see Annex 3) under an appropriate international transfer mechanism.
  • Backups and resilience. Automated backups provided by the underlying database platform.
  • Breach response. Procedures to detect, report and respond to personal data breaches.

Annex 3 — Authorised sub-processors

Sub-processorPurposeLocation / hosting region
SupabaseDatabase (Postgres), authentication and file storageUnited Kingdom (London)
VercelApplication hosting / serverless computeUnited Kingdom
StripePayment processing and subscription billingEU / US (with appropriate transfer safeguards)
MXrouteTransactional email delivery (SMTP) — support, notification and alert emailsUnited States (with UK IDTA / SCCs safeguards)
CloudflareDNSGlobal (DNS resolution)

For each sub-processor we maintain data processing terms and, where data is processed outside the UK, an appropriate international transfer mechanism.


Sleepingmongoose.app Ltd · Registered in Scotland, company no. SC893221 · Registered office: 34 Hunter Grove, Bathgate, EH48 1NW · Trading as PrepShield · ICO registration ZC185426.

© PrepShieldTermsPrivacyData Processing Agreement