Data Processing Agreement (DPA)
Last updated: 23 June 2026 · Version: 1.2
This Data Processing Agreement forms part of, and is incorporated into, the Tenavo Terms of Service. It addresses the requirements of Article 28(3) UK GDPR.
1. Parties and status
This Data Processing Agreement ("DPA") applies between:
- the Customer (the "Controller"); and
- Sleepingmongoose.app Ltd, registered in Scotland (company no. SC893221, registered office 34 Hunter Grove, Bathgate, EH48 1NW), trading as Tenavo (the "Processor", "we", "us").
It applies where we process Personal Data on the Controller's behalf in connection with the Service. Where the Controller and Processor are the same legal person (for example, where you use Tenavo for your own organisation), this DPA applies to the extent relevant.
2. Definitions
"UK GDPR", "controller", "processor", "personal data", "special category data", "process/processing", "personal data breach" and "data subject" have the meanings given in the UK GDPR and the Data Protection Act 2018 ("Data Protection Laws"). "Customer Personal Data" means personal data we process on the Controller's behalf under the Agreement, as described in Annex 1.
3. Roles and scope
3.1 The Controller is the controller and we are the processor in respect of Customer Personal Data.
3.2 The Controller is responsible for ensuring it has a lawful basis for the processing, for the lawfulness of its instructions, and for providing any required privacy information to data subjects.
3.3 The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.
4. Our obligations as Processor
We shall:
(a) Documented instructions. Process Customer Personal Data only on the Controller's documented instructions (including as to international transfers), unless required to do otherwise by law, in which case we will inform the Controller (unless legally prohibited). Using the features of the Service constitutes the Controller's instructions. We will inform the Controller if, in our opinion, an instruction infringes Data Protection Laws.
(b) Confidentiality. Ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.
(c) Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR. Our current measures are described in Annex 2.
(d) Sub-processors. Only engage sub-processors in accordance with clause 5.
(e) Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights.
(f) Assistance. Assist the Controller in ensuring compliance with its obligations relating to security, personal data breach notification, data protection impact assessments and prior consultation (Articles 32–36 UK GDPR), taking into account the nature of the processing and the information available to us.
(g) Deletion or return. At the Controller's choice, delete or return all Customer Personal Data at the end of the provision of the Service, and delete existing copies unless storage is required by law. The Agreement provides a 60-day post-termination window during which the Controller may export its data, after which it is deleted from active systems (and purged from backups as they cycle out of retention). We will confirm deletion on request.
(h) Audits. Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality, and the limits in clause 8.
5. Sub-processors
5.1 The Controller gives general written authorisation for us to engage the sub-processors listed in Annex 3 to assist in providing the Service.
5.2 We will impose on each sub-processor, by contract, data-protection obligations that are equivalent to those in this DPA (in particular regarding appropriate technical and organisational measures). We remain fully liable to the Controller for the performance of each sub-processor's obligations.
5.3 We will give the Controller at least 14 days' advance notice, by email or in-app notice, of any intended addition or replacement of a sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds.
6. International transfers
6.1 We will not transfer Customer Personal Data outside the United Kingdom except as necessary to provide the Service and as described in Annex 3, and only where an appropriate transfer mechanism is in place (for example, UK adequacy regulations, or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses).
6.2 Where our sub-processors are established outside the UK, or process data outside the UK, we will ensure an appropriate transfer mechanism applies.
7. Personal data breach
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide the Controller with information reasonably available to us to assist it in meeting its own notification obligations.
8. Audit limits
Audits under clause 4(h) will take place on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not compromise the security or confidentiality of other customers' data.
9. Liability
The liability of the parties under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
10. Term
This DPA takes effect when the Agreement does and continues for as long as we process Customer Personal Data on the Controller's behalf.
Annex 1 — Details of the processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Tenavo employee-records and compliance Service. |
| Duration | For the term of the Agreement, plus any post-termination data-export and deletion period. |
| Nature and purpose | Storage, organisation, retrieval and management of employee records and related documents; generation of employment documents; compliance reminders and status tracking. |
| Types of personal data | Identity and contact details (name, address, contact details, emergency-contact details); National Insurance number; employment details (role, dates, pay, working pattern); right-to-work and immigration-related information and documents (e.g. nationality, share codes, visa/CoS details, document images); sponsorship details; health data (sickness records, fit-note information); conduct and disciplinary records; holiday records. |
| Special category data | Yes — health data (sickness records and fit notes). |
| Categories of data subjects | The Controller's employees, workers, job applicants, and their nominated emergency contacts. |
Annex 2 — Technical and organisational security measures
The Processor implements measures including:
- Tenant isolation. Multi-tenant architecture with row-level security (RLS) enforcing per-organisation data scoping at the database layer, so each customer can access only its own data.
- Encryption. Data encrypted in transit (TLS) and at rest.
- Document storage. Uploaded documents stored in a private, organisation-scoped store and served only via short-lived signed URLs; no public access.
- Access control. Authenticated access only; least-privilege principles for administrative and infrastructure access; privileged keys restricted.
- Authentication. Email/password authentication with session management; a minimum password length of 12 characters; and optional two-factor authentication (TOTP) available to all users.
- Hosting. Application and data hosted with the reputable infrastructure providers listed in Annex 3, with data hosted in the United Kingdom and the European Union (Ireland).
- Backups and resilience. Automated backups provided by the underlying database platform.
- Breach response. Procedures to detect, report and respond to personal data breaches.
Annex 3 — Authorised sub-processors
| Sub-processor | Purpose | Location / hosting region |
|---|---|---|
| Supabase | Database (Postgres), authentication, and file storage | European Union (Ireland) |
| Vercel | Application hosting / serverless compute | London (lhr1) |
| Stripe | Payment processing and subscription billing | EU / US (with appropriate transfer safeguards) |
| Hostinger | Outbound transactional email (account, billing and support notifications) | European Union (Lithuania) |
For each sub-processor we maintain data processing terms and, where data is processed outside the UK, an appropriate international transfer mechanism.
Sleepingmongoose.app Ltd · Registered in Scotland, company no. SC893221 · Registered office: 34 Hunter Grove, Bathgate, EH48 1NW · Trading as Tenavo.