Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Arj.Global Ltd, a company registered in England and Wales ("Processor", "we"), and the Employer customer using the Shiftzy app ("Controller", "you"). It governs the processing of personal data carried out by Arj.Global Ltd on your behalf in connection with Shiftzy and is intended to comply with Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

1. Definitions

Capitalised terms have the meaning given in the UK GDPR. "Customer Personal Data" means any personal data processed by us on your behalf via Shiftzy. "Sub-processor" means any third party engaged by us to process Customer Personal Data.

2. Roles and scope

You are the Controller of Customer Personal Data. We act as Processor and process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do so by UK or EU law.

3. Subject matter, nature and purpose

• Subject matter: provision of the Shiftzy platform.
• Duration: the term of your subscription, plus any retention required by law.
• Nature and purpose: hosting, processing and managing temporary worker data to fulfil shifts.
• Categories of data subjects: Workers, Employer staff, candidates, end users.
• Categories of data: identity, contact, Right to Work, financial, availability, shift history, device data.

4. Confidentiality

We ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.

5. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, role-based access controls, regular backups and security testing.

6. Sub-processors

You provide general written authorisation for us to engage Sub-processors to process Customer Personal Data, subject to a written contract that imposes data protection obligations no less protective than those in this DPA. Our current list of Sub-processors is published at /subprocessors. We will give reasonable prior notice of any intended changes, and you may object on reasonable data protection grounds.

7. Data subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to fulfil your obligation to respond to data subject rights requests under the UK GDPR.

8. Personal data breaches

We will notify you without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, providing the information required under Article 33(3) UK GDPR.

9. International transfers

Where Customer Personal Data is transferred outside the UK, we rely on UK adequacy regulations or appropriate safeguards such as the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses.

10. Audits

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted on reasonable prior notice and subject to confidentiality.

11. Return or deletion

On termination, at your choice, we will delete or return all Customer Personal Data and delete existing copies, unless UK or EU law requires storage.

12. Liability and governing law

The liability provisions and governing law set out in our Terms of Service apply to this DPA.

13. Contact

Arj.Global Ltd · United Kingdom · talenthire@arjglobal.co.uk