Data Processing Agreement

Last updated: January 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Pocket Keyworker ("Processor") and the subscribing organisation ("Controller") for the provision of our services.

2. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the UK GDPR.

3. Scope and Purpose

The Processor shall process Personal Data only on documented instructions from the Controller for the purpose of providing the Pocket Keyworker platform services.

4. Categories of Data

The following categories of Personal Data may be processed:

  • Names and contact details of staff members
  • Young person identification and demographic data
  • Support plans, assessments, and progress records
  • Communication and session records
  • Special category data where relevant to support (e.g., health information)

5. Data Security

The Processor shall implement appropriate technical and organisational measures including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security testing and audits
  • Incident response procedures
  • Staff training on data protection

6. Sub-processors

The Processor may engage sub-processors to assist in providing the services. A list of current sub-processors is available on request. The Controller will be notified of any changes to sub-processors.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under data protection law.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.

9. Data Retention and Deletion

Upon termination of services, the Processor shall delete or return all Personal Data to the Controller within 90 days, unless required by law to retain it.

10. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits with reasonable notice.

11. International Transfers

Personal Data shall be processed within the UK/EEA. Any transfers outside these areas shall only occur with appropriate safeguards in place.

12. Contact

For questions about this DPA, please contact: info@pocketkeyworker.co.uk