This Data Processing Addendum ("DPA") forms part of the agreement between Inspect360 Suite ("Processor", "we") and the customer organisation ("Controller", "you") for use of the Inspect360 Suite platform (the "Service"). It governs the processing of personal data on your behalf in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, and the Saudi Arabia Personal Data Protection Law ("PDPL") where applicable.
The Controller determines the purposes and means of Processing; the Processor acts on the Controller's documented instructions as set out in the Service Agreement and this DPA. The Processor shall not process Personal Data for any other purpose unless required by applicable law, in which case the Processor shall notify the Controller of that legal requirement before Processing (unless that law prohibits such notification on important grounds of public interest).
See Annex I below.
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law.
The Processor ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk — see Annex II.
The Controller authorises the Processor to engage the sub-processors listed in Annex III and at /subprocessors.html. The Processor will give the Controller at least 30 days' prior notice by email of any intended addition or replacement of a sub-processor. The Controller may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection in good faith, the Controller may terminate the affected portion of the Service without penalty. The Processor imposes data-protection obligations on every sub-processor that are no less protective than those set out in this DPA.
Taking into account the nature of the Processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data-subject rights. Self-service tooling is available in-product: data export (Art. 15 & 20), account deletion (Art. 17, 14-day grace), profile edit (Art. 16), AI disable (Art. 21 / 22).
The Processor assists the Controller in ensuring compliance with GDPR Art. 32 to 36 taking into account the nature of Processing and the information available to the Processor.
The Processor notifies the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
On termination of the Service, the Processor will, at the Controller's choice: (a) return all Personal Data; or (b) delete all Personal Data and certify deletion — subject to the retention periods and legal holds described in our Privacy Policy.
The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality, security, and scheduling requirements. In practice, the Processor satisfies this via SOC-2-style controls documentation, the sub-processor register, and written responses to customer security questionnaires; on-site audits are available for Enterprise customers under NDA.
Default customer Personal Data hosting is Singapore (AWS ap-southeast-1) via Supabase. Singapore does not benefit from a UK or EU adequacy decision. Enterprise customers may elect a dedicated tenant in an alternative region — including Saudi Arabia (GCP me-central2, Dammam) for PDPL residency, London (eu-west-2), or Frankfurt (eu-central-1) — documented in the order form. All transfers of UK and EEA Personal Data into the Service, and onward transfers to AI inference providers, transactional email, and payment processing, are governed by:
Docking clause (SCC Clause 7): additional controllers may accede by signing Annex I.A.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement. If and to the extent of any conflict between this DPA, the SCCs, and the Service Agreement, the order of precedence is: (1) the SCCs, (2) this DPA, (3) the Service Agreement.
This DPA takes effect on the earlier of (a) the date it is countersigned by the Controller and (b) the date on which the Controller begins using the Service, and continues until the termination of the Service Agreement and the completion of any post-termination data return or deletion.
| Item | Description |
|---|---|
| Controller | The customer organisation that has subscribed to or accessed the Service. |
| Processor | Inspect360 Suite, including its affiliates. |
| Subject matter | Provision of an AI-assisted inspection and compliance platform. |
| Duration | Term of the Service Agreement, plus retention/deletion periods set out in the Privacy Policy (inspection records: 7 years; account data: until deletion request). |
| Nature & purpose | Hosting, storage, backup, transmission, display, AI-assisted analysis (advisory only), reporting, audit logging, authentication, email delivery. |
| Categories of data subjects | Controller's personnel (admins, inspectors, reviewers), invited collaborators, facility contacts named in inspections, occasional third-party subjects depicted in inspection photographs (e.g. bystanders in a site photo). |
| Categories of personal data | Contact data (name, email, phone); account/auth data; role and organisation metadata; inspection content (photos, findings, checklists, narrative text); audit logs (IP, user-agent, action); billing metadata (Enterprise only, handled by Stripe). |
| Special-category data | None processed intentionally. The Controller must not upload health, biometric, or other special-category data under GDPR Art. 9 without a separate written agreement. |
| Frequency & type of transfer | Continuous, as directed by the Controller through normal use of the Service. |
| Competent supervisory authority | For the Processor: the UK Information Commissioner's Office (ICO). For the Controller: the authority of the Controller's EU establishment, the ICO for UK Controllers, SDAIA for KSA Controllers, or (if none) the authority that the SCCs designate. |
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all user-facing and service-to-service traffic. HSTS on marketing domains. |
| Encryption at rest | AES-256 at the database and object-storage layer (Supabase/GCP managed keys). |
| Access control | Row-Level Security on every tenant table. Principle of least privilege. Opt-in TOTP multi-factor authentication. Service role keys scoped and rotated. |
| Authentication | Supabase Auth (email + password, Google OAuth). Passwords hashed with bcrypt. |
| Audit logging | Every mutating action recorded (user, org, action, timestamp, IP, user-agent). Retention 12 months, with customer-exportable log view for Enterprise. |
| Backup & recovery | Daily encrypted backups retained 14 days; point-in-time recovery window. Disaster-recovery runbook documented. |
| Resilience | Managed Postgres HA primary in me-central2. Object storage replicated. SLA-backed uptime on Enterprise plans. |
| Personnel | Confidentiality obligations, security-awareness training, background verification for staff with production access. |
| Network security | Edge DDoS protection (Cloudflare), WAF rules, rate limiting on auth endpoints, CSP headers, XSS hardening. |
| Vulnerability management | Automated dependency scanning on each commit, periodic manual review, responsible-disclosure channel at security@inspect360suite.com. |
| Change management | Peer-reviewed code, CI-run migration dry-runs against an ephemeral Postgres, staged rollout. |
| Incident response | Documented IRP with 72-hour breach-notification timeline aligned to GDPR Art. 33 and PDPL equivalents. |
| Sub-processor oversight | Public register, DPA flow-down, 30-day change notice. See /subprocessors.html. |
| AI governance | Customer data is not used to train models. Zero-retention API mode where the provider supports it. Admin-controllable AI disable switch. |
The current list of sub-processors is maintained at /subprocessors.html. At execution of this DPA, the sub-processors named in that register are deemed authorised. Changes follow the 30-day notice process in §4.4.
| | For the Processor | For the Controller |
|---|---|---|
| Organisation | Inspect360 Suite | ________________________________ |
| Name | (on file) | ______________________ |
| Title | Data Protection Officer | ______________________ |
| Email | dpo@inspect360suite.com | ______________________ |
| Date | 2026-04-21 | ______________________ |