Data processing agreement
Standard terms when AdaptScot processes personal data on behalf of a council, NHS board or partner organisation.
This summary is provided for transparency. The signed agreement between AdaptScot and a referring organisation takes precedence.
1. Roles
The referring organisation is the controller. AdaptScot acts as processor for personal data shared under the referral and as joint controller only for engagement-specific data we are required to retain (CDM, building control, HMRC).
2. Subject matter and duration
Processing is limited to delivering the named adaptation. It ends when the engagement closes, subject to statutory retention periods.
3. Types of data
- Identifiers — name, address, contact details, NHS or council reference.
- Special category — relevant health, disability and functional-need information.
- Property data — survey photos, drawings, structural notes.
4. Security measures
- Encryption at rest and in transit; role-based access; MFA enforced on staff accounts.
- UK-hosted Supabase Postgres with Row Level Security and audit logging.
- Annual access review and penetration test.
5. Sub-processors
We use only the sub-processors listed in our Privacy notice. We will give 30 days' notice before adding a new sub-processor; the controller may object.
6. International transfers
All personal data remains in the UK or EEA. Any transfer outside these regions is governed by a UK IDTA or recognised adequacy decision.
7. Breach notification
We will notify the controller without undue delay, and in any event within 24 hours of becoming aware of a personal data breach.
8. Audit rights
Controllers may audit AdaptScot's compliance on 30 days' notice, once per year, or immediately following a breach.
9. Return or deletion
On termination, we return or delete personal data on the controller's instruction, except where retention is required by law.
Email dpo@adaptscot.co.uk to request the signed agreement.