Data Processing Addendum

Last updated 22 June 2026

Draft for review — working version; have a solicitor check it before launch.

This Addendum forms part of the agreement between the customer ("Controller") and Mately Limited ("Processor") and applies where Mately processes personal data on the Controller's behalf (i.e. the staff data a business manages in Mately). It reflects UK GDPR Article 28.

1. Roles

The Controller determines the purposes and means of processing its team's personal data. Mately processes that data only as a Processor, on the Controller's documented instructions (which include using the features of the app).

2. Subject matter and duration

Processing lasts for the term of the agreement plus the retention period in clause 8. The subject matter is the provision of the Mately service.

3. Nature and purpose

Scheduling, time and attendance, leave, payroll preparation, internal communication and document handling for the Controller's workforce.

4. Types of data and data subjects

Data subjects: the Controller's staff (owners, managers, employees).
Personal data: names, contact details, role, pay rate and contracted hours, worked time and leave, messages, signed documents, and limited device/technical data.

5. Mately's obligations

Process personal data only on the Controller's instructions.
Ensure people authorised to process it are under a duty of confidentiality.
Apply appropriate technical and organisational security measures (clause 7).
Assist the Controller in responding to data-subject requests, and with security, breach and DPIA obligations.
Notify the Controller without undue delay on becoming aware of a personal-data breach.
Delete or return personal data at the end of the service (clause 8).
Make available information needed to demonstrate compliance.

6. Sub-processors

The Controller authorises Mately to use the sub-processors listed in our Privacy Policy (Render, Stripe, Resend, Google Firebase, Cloudflare). We impose equivalent data-protection terms on each, and will give reasonable notice of changes so the Controller can object.

7. Security measures

Encryption in transit; hashed passwords (Argon2id); two-factor authentication; per-business data isolation enforced in the application; least-privilege access; audit logging of sensitive actions; rate limiting; and regular backups of the database.

8. Return and deletion

On termination the Controller can export its data and choose immediate deletion or a 30-day retention window, after which the data (and uploaded files) are permanently deleted from production systems, subject to any legal retention requirement.

9. International transfers

Data is hosted in the EU. Any transfer outside the UK/EEA relies on an appropriate safeguard (UK IDTA or Standard Contractual Clauses).

10. Audit

Mately will respond to reasonable audit requests by providing relevant documentation; on-site audits may be arranged where required by law, on reasonable notice.

11. Contact

Data protection queries: support@mately.co.uk.