Data Processing Agreement
1. Background and Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between DisruptionHub ("Processor") and the subscribing organisation ("Controller") for the use of the DisruptionHub platform.
This DPA is required where the Controller shares personal data with DisruptionHub in the course of using the platform, and sets out the terms of that processing under UK GDPR Article 28.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person within the meaning of UK GDPR.
"Processing" means any operation performed on Personal Data including collection, storage, use, and deletion.
"Sub-processor" means any third party engaged by DisruptionHub to process Personal Data on behalf of the Controller.
3. Nature and Purpose of Processing
DisruptionHub processes Personal Data on behalf of the Controller for the following purposes: providing AI-assisted logistics decision support; storing incident and operational records; generating analysis and recommendations.
Categories of data subjects: employees and contractors of the Controller (including drivers and operations staff); third parties whose details are entered operationally (carrier contacts, customer contacts).
Categories of personal data: names; job titles; contact telephone numbers; vehicle registration numbers (which may be linked to individuals); location data entered as part of disruption descriptions.
4. Controller Obligations
The Controller warrants that it has a lawful basis under UK GDPR for sharing Personal Data with DisruptionHub.
The Controller is responsible for ensuring data subjects have been informed about this processing in accordance with UK GDPR Articles 13 and 14.
The Controller should minimise personal data inputs — operational descriptions can typically be completed using reference numbers, vehicle registrations, and role titles rather than individual names.
5. Processor Obligations
DisruptionHub will process Personal Data only on documented instructions from the Controller.
DisruptionHub will implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure.
DisruptionHub will not engage a new sub-processor without informing the Controller and providing an opportunity to object.
DisruptionHub will assist the Controller in responding to data subject rights requests within 30 days.
DisruptionHub will notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach.
6. Sub-Processors
The Controller authorises DisruptionHub to engage the following sub-processors:
Our AI services provider (United States) — AI processing of operational inputs. Transfer to the US is covered by appropriate UK GDPR safeguards including Standard Contractual Clauses.
Our secure database provider (data hosted in the European Economic Area) — database storage and management.
Our hosting provider (United States) — application hosting and delivery. Transfer covered by Standard Contractual Clauses.
Our SMS and voice communications provider — message and call delivery for operational notifications.
DisruptionHub will maintain an up-to-date list of sub-processors and notify the Controller of any changes.
7. International Transfers
Processing by our AI services provider and our hosting provider involves transfer of data to the United States. DisruptionHub has satisfied itself that appropriate safeguards are in place under UK GDPR for these transfers, including Standard Contractual Clauses or equivalent mechanisms.
If you require copies of the relevant transfer safeguards, contact hello@disruptionhub.ai.
8. Deletion and Return
Upon termination of the subscription, DisruptionHub will delete or anonymise Personal Data within 90 days, except where retention is required by law.
The Controller may request a data export in JSON format before deletion by contacting hello@disruptionhub.ai.
9. Audit Rights
The Controller may request evidence of DisruptionHub's compliance with this DPA by written request to hello@disruptionhub.ai. DisruptionHub will respond within 30 days with relevant documentation or, where applicable, third-party audit certifications.
On-site audit rights may be exercised with 30 days notice, at the Controller's cost, no more than once per calendar year.
10. Term
This DPA remains in force for the duration of the subscription agreement and survives termination for as long as DisruptionHub processes Personal Data on behalf of the Controller.
11. Governing Law
This DPA is governed by the laws of England and Wales.
You are the Controller — you own your data and are responsible for having a lawful reason to share it with us. We are the Processor — we only use it to provide the service. We store it in the EEA. We pass it to our AI services provider (US-based) to generate responses. We delete it within 90 days of you leaving. You can audit us. Contact us for any data requests.