
Ergobot UK Data Processing Agreement (DPA)

Last updated: 15 February 2026
Version: v1.1

Supplier / Processor

Company

Happy Humans Consulting Limited

Address

47 Southgate Street, Winchester, SO23 9EH

Identifiers

Co No: [Pending] | VAT: [Pending]

Contact

privacy@ergobot.co

This DPA forms part of the contract between the Supplier and the Customer for the provision of the Ergobot Platform.

1 Definitions

  • Data Protection Laws: UK GDPR and the Data Protection Act 2018, plus applicable guidance and codes of practice issued by the UK ICO.
  • Other capitalised terms have the meanings given in the UK GDPR (e.g., Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach).

2 Roles and processing details

  • The Customer is the Controller of Customer Personal Data.
  • The Supplier acts as Processor when it processes Customer Personal Data on the Customer’s behalf under the Agreement.
  • Processing details are set out in Annex 1.

3 Processor obligations

The Supplier will:

  1. process Customer Personal Data only on documented instructions from the Customer (including as needed to provide the Services), unless required by law;
  2. ensure personnel who process Customer Personal Data are subject to appropriate confidentiality obligations;
  3. implement appropriate technical and organisational measures (“TOMs”) to protect Customer Personal Data (Annex 2);
  4. take reasonable steps to ensure ongoing confidentiality, integrity, availability and resilience of systems and services;
  5. notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data;
  6. assist the Customer (taking into account the nature of processing) with Data Subject requests, DPIAs, and consultations with the ICO, to the extent reasonably required and legally necessary; and
  7. at the Customer’s choice, return or delete Customer Personal Data at the end of the Services, unless retention is required by law.

4 International transfers

If Customer Personal Data is transferred outside the UK, the Supplier will ensure appropriate safeguards are in place (for example, the UK IDTA or the UK Addendum to the EU SCCs, as applicable).

5 Subprocessors

5.1 General authorisation

The Customer gives the Supplier a general authorisation to appoint subprocessors, provided the Supplier:

  • maintains a list of subprocessors (see Annex 3); and
  • ensures each subprocessor is bound by written terms providing at least the same level of protection as this DPA.

5.2 Changes to subprocessors

If the Supplier intends to add or replace a material subprocessor, it will give the Customer at least 30 days’ prior notice. If the Customer objects on reasonable data protection grounds within 15 days, the parties will work in good faith to resolve the concern. If unresolved, the Customer may terminate the affected part of the Services before the new subprocessor starts processing.

6 Audit

On reasonable request, the Supplier will provide information (and where appropriate third‑party assurances) demonstrating compliance with this DPA. Any audit will be subject to reasonable scope, confidentiality, and security requirements.

7 Liability

Liability relating to this DPA is dealt with in the parties’ main agreement, unless mandatory law requires otherwise.

Annex 1 – Processing details

Subject matter

Provision of the Ergobot Platform and related health & safety / DSE services.

Nature of processing

Collection, storage, analysis and reporting of workstation assessments and support communications.

Purpose

Enabling the Customer to meet its legal health and safety obligations by managing ergonomic risks and providing adjustments.

Data Subjects

Customer employees, contractors and authorised users.

Personal Data Types

Name, work email, job role; self‑assessment responses; comfort/discomfort information; notes from assessments.

Special Category Data

  1. Health and Safety Compliance: The Platform processes limited data concerning physical comfort and symptoms to assist the Customer (the Controller) in meeting its duty of care.
  2. Voluntary Disclosure: Where Data Subjects choose to provide more detailed medical history, the Supplier will process this as a Processor.
  3. Controller Responsibility: The Customer remains responsible for ensuring a lawful basis (e.g., UK GDPR Article 9(2)(b)).

Annex 2 – Technical and organisational measures (TOMs)

The Supplier maintains appropriate measures, including:

  • Role‑based access and least privilege
  • MFA for admin accounts
  • Encryption in transit (TLS)
  • Encryption at rest
  • Logging and monitoring
  • Vulnerability management
  • Backups and disaster recovery
  • Secure development practices
  • Incident response processes

Annex 3 – Approved subprocessors

See /legal/subprocessors for the live list. Snapshot below:

| Subprocessor | Service | Location |
|---|---|---|
| Vercel | App hosting | EU (primary) |
| Resend | Email delivery | EU / US |
| Google Workspace | Business email | Global |