Data Processing Agreement

Data Processing Agreement Last updated: July 2026 Draft notice: this is a standard template covering the clauses required by Article 28 UK GDPR. It...

Data Processing Agreement

Last updated: July 2026

Draft notice: this is a standard template covering the clauses required by Article 28 UK GDPR. It has not yet had a formal legal review, and is not itself a signed contract — if you need an executed, countersigned copy for your own compliance records, contact us and we will arrange one as part of your agreement.

1. Purpose & Scope

This Data Processing Agreement (“DPA”) applies wherever Crew Connect (“we”, “us”, “the Processor”) processes personal data on behalf of a company, recruiter, or crewing agency using the Platform (“you”, “the Controller”) — including, but not limited to: crew profile data you manage through your dashboard, and any documents you upload (e.g. your SMS or procedures) for us to draft a company-specific Knowledge Check pack from. It supplements our Privacy Policy and Terms of Service.

2. Processing Only On Your Instructions

We process personal data only on your documented instructions — the actions you take through the Platform (e.g. what you upload, who you invite, what you search for) — unless required to do otherwise by UK law. We will tell you if we believe an instruction breaches UK GDPR.

3. Confidentiality

Anyone we allow to access personal data or documents you upload (staff or contractors) is bound by a confidentiality obligation, whether contractual or statutory.

4. Security Measures

We use HTTPS encryption in transit, hashed passwords, role-based access controls (a company’s uploaded documents and draft Knowledge Check content are scoped only to that company’s own crew, never shared across companies), and restrict admin access to the underlying database. No system is completely secure and we continue to improve these measures over time.

5. Sub-processors

We use a small number of sub-processors to run the Platform: Stripe (payment processing), our email delivery provider (transactional emails only), and our hosting provider (application and database hosting). We will not add a new sub-processor with access to your data without telling you first and giving you the chance to object.

6. Supporting Your Crew/Employees’ Rights

Where a crew member or employee whose data you manage exercises a UK GDPR right (access, correction, deletion, etc.), we provide the tools to action this directly (see the GDPR export/delete tools in the crew portal) and will assist with any request that needs our help beyond that.

7. Assisting With Your Obligations

We will reasonably assist you in meeting your own obligations around data security, data protection impact assessments, and notifying the ICO or affected individuals of a personal data breach, taking into account the nature of processing and information available to us.

8. Personal Data Breach Notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay so you can meet your own breach-notification obligations.

9. End of Contract

When you close your account or our agreement ends, we will delete or return your data (at your choice) within a reasonable period, except where UK law requires us to retain it (e.g. financial records for 7 years).

10. Audits & Inspections

We will make available the information reasonably necessary to demonstrate compliance with this DPA, and allow for audits/inspections by you or an auditor you appoint, on reasonable notice.

11. Company Documents You Upload (SMS Knowledge Checks)

If you upload your own SMS document or procedures to request a company-specific Knowledge Check pack, we hold that file solely to draft the questions you asked for, share it with you for review before anything is published, and do not use it for any other purpose or share it with any other company. You may ask us to delete the uploaded file at any time once the pack has been delivered.

12. Contact

Questions about this DPA, or to request a signed copy for your own records: ashley.dadd2@gmail.com.