Data Processing Agreement
1. Introduction and Parties
This Data Processing Agreement ("DPA") forms part of the agreement between SWYFTHQ LTD ("Processor", "we", "us") and the Customer identified in the Warser account ("Controller", "you") and applies to all processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Warser platform ("Service").
This DPA is incorporated into and forms part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence in respect of data protection matters.
This DPA is intended to satisfy the requirements of Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
2. Definitions
In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given to them in UK GDPR.
"Applicable Data Protection Law" means the UK General Data Protection Regulation, the Data Protection Act 2018, and any subordinate legislation or regulation made under them, as amended or replaced from time to time.
"Controller" means the Customer, who determines the purposes and means of processing Personal Data submitted to the Service.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed in connection with the Service, including employees, contractors, and other individuals whose details are managed within the Service.
"Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service, including but not limited to names, email addresses, job titles, access request content, approval decisions, and provisioning records.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, storage, retrieval, use, disclosure, and deletion.
"Processor" means SWYFTHQ LTD, which processes Personal Data on behalf of the Controller.
"Restricted Transfer" means a transfer of Personal Data to a country outside the United Kingdom or European Economic Area that is not subject to an adequacy decision.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for international data transfers approved by the UK ICO under the International Data Transfer Agreement ("IDTA") framework, or such equivalent mechanism as may be approved from time to time.
"Subprocessor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
3. Scope and Nature of Processing
The Processor shall process Personal Data only to the extent necessary to provide the Service and only in accordance with the documented instructions of the Controller, which are set out in this DPA and the Terms of Service.
The details of the processing are as follows:
| Field | Detail |
|---|---|
| Subject matter | Access request management and IT governance workflows |
| Nature of processing | Collection, storage, retrieval, use, disclosure, erasure, and destruction |
| Purpose of processing | Providing the Warser platform as described in the Terms of Service, including access request routing, approval workflows, JML automation, audit logging, provisioning automation, and directory synchronisation |
| Duration | For the term of the subscription and for 30 days following termination, after which data is deleted unless retention is required by law |
| Types of Personal Data | Names, email addresses, job titles, department information, access request descriptions, approval decisions, provisioning actions, audit log entries, IP addresses, and session data |
| Categories of Data Subjects | Employees, contractors, and other individuals whose access to systems is managed through the Service |
4. Controller Obligations and Instructions
The Controller warrants and represents that:
- It has a lawful basis under Applicable Data Protection Law for processing the Personal Data it submits to the Service, and that such processing is consistent with the purposes for which the Personal Data was collected
- It has provided all necessary notices and obtained all necessary consents from Data Subjects as required by Applicable Data Protection Law, including informing them that their data may be processed by Warser as a data processor
- It has the authority to enter into this DPA and to instruct the Processor as described herein
- The Personal Data submitted to the Service is accurate and up to date to the best of the Controller's knowledge
The Controller may issue further documented instructions to the Processor from time to time. The Processor shall follow such instructions unless doing so would require it to act in breach of Applicable Data Protection Law, in which case the Processor shall promptly notify the Controller.
5. Processor Obligations
The Processor agrees to:
5.1 Compliance with instructions
Process Personal Data only on documented instructions from the Controller, except where required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.
5.2 Confidentiality
Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and are informed of the confidential nature of the data they handle. Access to Personal Data is restricted on a need-to-know basis.
5.3 Security measures
Implement and maintain the technical and organisational security measures described in Schedule 2 of this DPA, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
5.4 Subprocessing
Not engage any new Subprocessor without first notifying the Controller in accordance with Section 7 of this DPA.
5.5 Assistance with Data Subject rights
Assist the Controller, by appropriate technical and organisational measures and to the extent reasonably possible, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. Where the Processor receives a request directly from a Data Subject, it will promptly forward the request to the Controller.
5.6 Assistance with compliance obligations
Assist the Controller in ensuring compliance with its obligations under Applicable Data Protection Law, including in relation to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
5.7 Deletion or return of data
On termination of the Service, at the Controller's election and subject to Section 6 below, delete or return all Personal Data to the Controller, and delete existing copies, unless retention is required by applicable law.
5.8 Audit cooperation
Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and, subject to the terms of Section 9, allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
5.9 Notification of unlawful instructions
Promptly inform the Controller if, in the Processor's reasonable opinion, an instruction from the Controller infringes Applicable Data Protection Law.
6. Data Retention and Deletion
The Processor applies the following retention periods to Personal Data processed in connection with the Service:
| Data type | Retention period | Basis |
|---|---|---|
| Access requests (structured records: who requested, who approved, outcome, timestamp) | 6 years from date of creation | Audit evidence and potential legal claims |
| Audit log entries | 6 years from date of creation | Regulatory compliance and legal evidence |
| JML events (joiner, mover, leaver records) | 6 years from date of creation | Employment law and regulatory compliance |
| Free-text request content (natural language descriptions entered by users) | 1 year from date of submission | Data minimisation — contains personal data not required for long-term audit purposes |
| Email notification logs | 90 days | Operational purposes only |
| Session and authentication data | 30 days | Security monitoring |
| Deleted organisation data | 30 days grace period, then permanent deletion | To allow recovery from accidental deletion |
Following termination of the Service, the Processor will retain all data for 30 days to allow the Controller to request an export. After this period, all Personal Data will be permanently deleted from the Processor's systems, including backups, unless the Processor is required by applicable law to retain it for a longer period. Where retention is required by law, the Processor will notify the Controller and will restrict processing to the minimum extent necessary for that purpose.
7. Subprocessors
7.1 General authorisation
The Controller provides general authorisation for the Processor to engage the Subprocessors listed in Schedule 1 of this DPA. The Processor shall enter into written agreements with each Subprocessor imposing data protection obligations that are no less protective than those set out in this DPA.
7.2 Notification of changes
The Processor shall notify the Controller of any intended addition or replacement of Subprocessors at least 14 days before the change takes effect, by updating the subprocessor list at warser.ai/dpa and/or by email notification. The notification will include the name, location, and role of the new Subprocessor.
7.3 Objection
The Controller may object to a new Subprocessor on reasonable data protection grounds by notifying the Processor in writing within 14 days of receiving notice. The parties will work in good faith to resolve the objection. If the parties cannot agree, either party may terminate the affected Services on reasonable written notice.
7.4 Liability for Subprocessors
The Processor shall remain fully liable to the Controller for the acts and omissions of its Subprocessors to the same extent as if the Processor had performed the processing directly.
8. International Data Transfers
Some Subprocessors are based in, or process data from, countries outside the United Kingdom or the European Economic Area that are not subject to an adequacy decision under Applicable Data Protection Law. In such cases, the Processor ensures that appropriate safeguards are in place for Restricted Transfers, including:
- Where data is transferred to the United States or other third countries, the Processor relies on Standard Contractual Clauses as approved by the UK ICO under the International Data Transfer Agreement (IDTA) framework, or equivalent SCCs approved by the European Commission where EU GDPR applies
- Where a Subprocessor has its own approved transfer mechanisms (such as Microsoft's EU Standard Contractual Clauses or Atlassian's Data Processing Addendum), the Processor relies on those mechanisms
- The Processor maintains records of all international transfers and the safeguards applied
A summary of the international transfers and applicable transfer mechanisms is set out in Schedule 1.
9. Audits and Inspections
The Controller may, on reasonable written notice of not less than 30 days and no more than once per calendar year, request an audit of the Processor's data processing activities to verify compliance with this DPA. Audits must be carried out during normal business hours and in a manner that minimises disruption to the Processor's operations.
The Processor may, at its discretion, satisfy an audit request by providing:
- Copies of relevant certifications (such as ISO 27001 or SOC 2 reports)
- Responses to a written questionnaire
- Third-party audit reports prepared within the preceding 12 months
Where the Controller requires an on-site audit beyond what the Processor can satisfy through the above means, the costs of such an audit shall be borne by the Controller unless the audit reveals a material breach of this DPA, in which case costs shall be borne by the Processor.
10. Personal Data Breach Notification
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to enable it to comply with its obligations under Applicable Data Protection Law, including its obligation to notify the relevant supervisory authority and, where required, affected Data Subjects
The notification shall include, to the extent available at the time:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take such steps as the Controller reasonably requests to assist in the investigation, mitigation, and remediation of the breach. The Processor shall keep the Controller informed of any developments relating to the breach.
The Controller is solely responsible for any notifications to supervisory authorities or Data Subjects required by Applicable Data Protection Law.
11. Data Protection Impact Assessments
Where required by Applicable Data Protection Law, the Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments ("DPIAs") in relation to the processing carried out under this DPA. Such assistance shall include providing information about the processing activities carried out by the Processor and the security measures in place.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law that cannot be excluded or limited by law.
Where both parties are responsible for damage caused by processing in breach of Applicable Data Protection Law, each party shall be liable for the part of the damage caused by its own breach.
13. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Duration
This DPA shall remain in force for the duration of the Terms of Service and shall automatically terminate upon termination of the Terms of Service, subject to any obligations that survive termination as described in Section 6.
Schedule 1 — Subprocessor List
The following Subprocessors are engaged by SWYFTHQ LTD in connection with the Warser platform:
| Subprocessor | Entity | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|---|
| Supabase | Supabase Inc | Database hosting, authentication, and row-level security | All Personal Data stored in the Service | United States (EU region used where available) | IDTA / SCCs |
| Vercel | Vercel Inc | Application hosting, content delivery, and deployment | IP addresses, session tokens, request logs | United States (EU edge nodes used where available) | IDTA / SCCs |
| OpenAI | OpenAI Inc | AI interpretation of plain-English access requests submitted by users | Free-text access request content entered by users | United States | IDTA / SCCs + OpenAI Data Processing Addendum |
| Resend | Resend Inc | Transactional email delivery (access request notifications, approval decisions, provisioning updates) | Email addresses, names, notification content | United States | IDTA / SCCs |
| Slack | Slack Technologies LLC | In-app notification delivery and approval workflow (where Customer enables Slack integration) | Email addresses, names, access request summaries | United States | IDTA / SCCs |
| Microsoft | Microsoft Corporation | Entra ID directory synchronisation (where Customer enables Entra integration) | Names, email addresses, job titles, group memberships | United States / European Union | Microsoft Online Services DPA and EU SCCs |
| GitHub | GitHub Inc (subsidiary of Microsoft) | Provisioning automation — adding users to GitHub organisations and repositories (where Customer enables GitHub integration) | Email addresses, GitHub usernames | United States | IDTA / SCCs |
| Atlassian | Atlassian Pty Ltd | Jira ticket creation for access request tracking (where Customer enables Jira integration) | Names, email addresses, access request content | United States / European Union | Atlassian Data Processing Addendum |
The Processor will maintain this list and notify the Controller of any changes in accordance with Section 7 of this DPA. The current version of this list is always available at warser.ai/dpa.
Schedule 2 — Technical and Organisational Security Measures
The Processor implements and maintains the following technical and organisational security measures:
Access Control
- Role-based access control is enforced across the Service, with users assigned the minimum level of access required to perform their role (principle of least privilege)
- Row-level security is implemented at the database level, ensuring that each organisation's data is logically isolated and cannot be accessed by users from other organisations
- Multi-factor authentication (TOTP) is available for all users and is encouraged as a condition of use
- Administrative access to infrastructure is restricted to named individuals and requires multi-factor authentication
- Access rights are reviewed periodically and revoked promptly when no longer required
Encryption
- All data transmitted between users and the Service is encrypted in transit using TLS 1.2 or higher
- All data stored in the Service database is encrypted at rest using AES-256 encryption
- Encryption keys are managed by the infrastructure provider (Supabase) using industry-standard key management practices
Infrastructure Security
- The Service is hosted on Vercel (application layer) and Supabase (data layer), both of which maintain their own security certifications and controls
- The database is not directly accessible from the public internet; all access is mediated through the application layer with authentication required
- Automated backups are taken regularly; backup data is subject to the same encryption and access controls as live data
- Dependencies are reviewed and security patches are applied promptly following disclosure of vulnerabilities
Audit Logging
- All access requests, approval decisions, administrative actions, and provisioning events are logged with a timestamp, the identity of the actor, and the outcome
- Audit logs are append-only; they cannot be modified or deleted by any application user, including administrators
- Audit log data is retained for six years in accordance with Section 6 of this DPA
Incident Response
- The Processor maintains an internal incident response process for detecting, investigating, and responding to security incidents and Personal Data Breaches
- Security incidents are escalated to the designated data protection contact within 24 hours of detection
- The Controller will be notified of any Personal Data Breach within 72 hours of the Processor becoming aware, in accordance with Section 10 of this DPA
Personnel and Confidentiality
- All personnel with access to Personal Data are subject to binding confidentiality obligations
- Access to Personal Data is granted only to those who need it to perform their role
- Personnel are made aware of their data protection obligations as part of onboarding
Vulnerability Management
- Software dependencies are monitored for known vulnerabilities using automated tooling
- Security patches and updates are applied promptly following disclosure
- The Processor conducts periodic reviews of its security posture
Business Continuity
- The Processor maintains backup and recovery procedures to minimise the impact of system failures on the availability of the Service
- Recovery time and recovery point objectives are documented internally and reviewed periodically