Data Processing Addendum

Customer data-processing summary.

This page summarises how VariationDesk handles customer workspace data and the core protections that apply when VariationDesk acts as a processor for customer-controlled data.

1. Parties and role

When a customer uses VariationDesk to store project, user, rate-card or variation evidence data for its own business purposes, the customer acts as controller and VariationDesk Ltd acts as processor for that customer workspace data.

VariationDesk may also act as controller for its own website, account-management, billing, security and support records.

2. Subject matter and duration

The processing covers customer workspace data, including user accounts, project metadata, rate cards, variation records, photos, signatures, PDFs and operational audit events.

Processing continues for the duration of the customer subscription and any agreed retention or deletion period.

3. Nature and purpose of processing

VariationDesk processes customer data to provide authenticated application access, secure storage, evidence generation, workflow support, product security, support and service administration.

Processing is limited to what is needed to operate the contracted service and related security or support obligations.

4. Security measures

VariationDesk applies technical and organisational measures appropriate to the service, including authenticated access controls, tenancy boundaries, operational logging, encrypted transport and private evidence storage controls where configured.

Customers remain responsible for correct user access, lawful instructions and contract language used within their own projects.

5. Sub-processors

VariationDesk uses selected infrastructure, storage, billing, communications and customer-enabled integration providers to operate the service.

The current service-provider summary is available on the sub-processors page and may be updated from time to time. Accounting providers only apply where a customer connects that accounting integration.

6. Data subject requests and incidents

VariationDesk will assist the customer with reasonable requests relating to data subject rights, deletion, export or security issues where those requests relate to customer workspace data.

Customers should contact support through the published support routes for incident or request coordination.

Core data-processing terms

VariationDesk's customer data-processing arrangements are built around the following operational commitments.

Documented instructions

Customer workspace data is processed under the customer's documented instructions, unless law requires otherwise.

Confidentiality and access control

People with access to customer data are limited by role-based access and confidentiality obligations.

Security measures

VariationDesk uses tenant isolation, private storage controls, encrypted transport, audit logs and provider security controls appropriate to the service.

Sub-processors

Approved service providers are required to support the delivery of the service and to apply appropriate protection to personal data they process.

International transfers

Where required, VariationDesk relies on recognised safeguards such as adequacy arrangements, UK IDTA, UK Addendum/SCCs or equivalent vendor terms.

Rights, breach and deletion help

VariationDesk assists with access, deletion/export requests, security incidents, DPIAs and end-of-service return or deletion where relevant to customer workspace data.