Data processing agreement
Last updated: 5 July 2026 · This DPA forms part of the terms of service for every customer, per Article 28 UK GDPR.
1. Roles and scope
The customer is the controller of personal data entered into SponsorFort (worker records, documents, checks, events). SponsorFort is the processor, processing only on the customer's documented instructions — namely operating the features of the service.
2. Details of processing
- Subject matter & duration: provision of the service for the subscription term plus the 90-day export window.
- Nature & purpose: storage, organisation, deadline computation, document handling and reporting support for sponsor-licence compliance.
- Data subjects: the customer's employees, workers and candidates.
- Categories: identity and contact details, employment terms, immigration document references (passport, visa, CoS, share codes), absence records, uploaded documents. Immigration documentation may reveal nationality — the customer is responsible for its lawful basis for processing it.
3. Processor obligations
- Process only on documented instructions, including for international transfers.
- Ensure personnel are bound by confidentiality.
- Apply appropriate technical and organisational measures: UK data residency (London), encryption in transit and at rest, row-level tenant isolation, role-based access, time-limited signed URLs for documents, append-only audit logging.
- Assist the controller with data-subject requests, security and (where required) DPIAs.
- Notify the controller without undue delay after becoming aware of a personal-data breach.
- Delete or return personal data at the end of the service (90-day export window, then deletion).
- Make available information necessary to demonstrate compliance, and allow audits on reasonable notice.
4. Subprocessors
The controller authorises the subprocessors listed in the privacy policy (Vercel, Supabase, Stripe, Resend, PostHog, Sentry, and Anthropic where AI drafting is enabled). We'll give 30 days' notice of additions or replacements; the controller may object on reasonable grounds. Equivalent data-protection obligations are imposed on every subprocessor.
5. International transfers
Application data is stored in the UK. Where a subprocessor processes data outside the UK, transfers rely on the UK IDTA / Addendum or an adequacy decision.