SiteBot

Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SiteBot Ltd ("Processor") and the subscribing organisation ("Controller") and governs the processing of personal data by SiteBot on behalf of the Controller.

This DPA is entered into in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definitions

Terms used in this DPA have the same meaning as in the UK GDPR. Additionally:

  • "Personal Data" means any data relating to an identified or identifiable natural person processed through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • "Sub-processor" means any third party engaged by SiteBot to process Personal Data.

3. Scope of Processing

Subject Matter

Processing of Worker and User personal data through the SiteBot platform for construction site management purposes.

Categories of Data Subjects

  • Workers (employees and subcontractors of the Controller)
  • Users (site managers and administrators of the Controller)

Types of Personal Data

  • Names, employer details, role/trade
  • RFID/NFC card identifiers
  • Attendance records (timestamps)
  • Photographs (where camera hardware is deployed)
  • Induction completion records
  • Certificate and qualification data

Purpose of Processing

  • Site attendance tracking and CDM 2015 compliance
  • Digital induction management
  • Access control enforcement
  • Daily reporting and analytics
  • Certificate and qualification tracking

Duration

For the duration of the subscription agreement, plus any retention period specified in the Privacy Policy.

4. Obligations of the Processor

SiteBot shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage Sub-processors without prior written consent of the Controller
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all Personal Data at the end of the service, at the Controller's choice
  • Make available information necessary to demonstrate compliance with this DPA
  • Notify the Controller without undue delay (and within 72 hours) of any personal data breach

5. Sub-processors

SiteBot currently uses the following Sub-processors:

| Sub-processor | Purpose | Location | |---------------|---------|----------| | DigitalOcean | Cloud infrastructure | United Kingdom | | Cloudflare | CDN and DDoS protection | Global (edge), data stored in EU/UK |

The Controller consents to the use of these Sub-processors. SiteBot will notify the Controller of any changes to Sub-processors and provide 30 days to object.

6. International Transfers

SiteBot stores all Personal Data in the United Kingdom. We do not transfer Personal Data outside the UK unless:

  • The Controller specifically requests it, and
  • Appropriate safeguards are in place (e.g., UK Standard Contractual Clauses)

7. Security Measures

SiteBot implements the following security measures:

  • Encryption at rest and in transit (TLS 1.2+)
  • PostgreSQL Row-Level Security for tenant data isolation
  • Role-based access control
  • Regular security patching and monitoring
  • Secure credential storage (bcrypt password hashing)
  • API key authentication with scoped permissions
  • Automated audit logging

8. Data Breach Notification

In the event of a personal data breach, SiteBot will:

  1. Notify the Controller without undue delay and within 72 hours of becoming aware
  2. Provide details of the nature of the breach, categories and approximate number of data subjects affected
  3. Describe the likely consequences and measures taken to mitigate
  4. Cooperate with the Controller in notifying the ICO and affected data subjects where required

9. Data Subject Rights

SiteBot will assist the Controller in fulfilling data subject requests including:

  • Access requests (subject access requests)
  • Rectification of inaccurate data
  • Erasure (right to be forgotten)
  • Data portability (export in structured format)
  • Restriction of processing
  • Objection to processing

10. Audit

The Controller has the right to audit SiteBot's compliance with this DPA, subject to reasonable notice and confidentiality obligations. SiteBot will cooperate with reasonable audit requests.

11. Termination

On termination of the service:

  • SiteBot will make all Personal Data available for export for 30 days
  • After the 30-day period, all Personal Data will be permanently deleted
  • SiteBot will provide written confirmation of deletion upon request

This DPA is provided as a framework and should be reviewed by a qualified legal professional before use. Last updated: March 2026.