Data Processing Addendum
Customer data-processing summary.
This page summarises how VariationDesk handles customer workspace data and the core protections that apply when VariationDesk acts as a processor for customer-controlled data.
1. Parties and role
When a customer uses VariationDesk to store project, user, rate-card or variation evidence data for its own business purposes, the customer acts as controller and VariationDesk Ltd acts as processor for that customer workspace data.
VariationDesk may also act as controller for its own website, account-management, billing, security and support records.
2. Subject matter and duration
The processing covers customer workspace data, including user accounts, project metadata, rate cards, variation records, photos, signatures, PDFs and operational audit events.
Processing continues for the duration of the customer subscription and any agreed retention or deletion period.
3. Nature and purpose of processing
VariationDesk processes customer data to provide authenticated application access, secure storage, evidence generation, workflow support, product security, support and service administration.
Processing is limited to what is needed to operate the contracted service and related security or support obligations.
4. Security measures
VariationDesk applies technical and organisational measures appropriate to the service, including authenticated access controls, tenancy boundaries, operational logging, encrypted transport and private evidence storage controls where configured.
Customers remain responsible for correct user access, lawful instructions and contract language used within their own projects.
5. Sub-processors
VariationDesk uses selected infrastructure, storage, billing, communications and customer-enabled integration providers to operate the service.
The current service-provider summary is available on the sub-processors page and may be updated from time to time. Accounting providers only apply where a customer connects that accounting integration.
6. Data subject requests and incidents
VariationDesk will assist the customer with reasonable requests relating to data subject rights, deletion, export or security issues where those requests relate to customer workspace data.
Customers should contact support through the published support routes for incident or request coordination.
Core data-processing terms
VariationDesk's customer data-processing arrangements are built around the following operational commitments.
Documented instructions
Customer workspace data is processed under the customer's documented instructions, unless law requires otherwise.
Confidentiality and access control
People with access to customer data are limited by role-based access and confidentiality obligations.
Security measures
VariationDesk uses tenant isolation, private storage controls, encrypted transport, audit logs and provider security controls appropriate to the service.
Sub-processors
Approved service providers are required to support the delivery of the service and to apply appropriate protection to personal data they process.
International transfers
Where required, VariationDesk relies on recognised safeguards such as adequacy arrangements, UK IDTA, UK Addendum/SCCs or equivalent vendor terms.
Rights, breach and deletion help
VariationDesk assists with access, deletion/export requests, security incidents, DPIAs and end-of-service return or deletion where relevant to customer workspace data.