top of page

Data Processing Addendum

Last updated 7 October 2025

​

This Data Processing Addendum (“DPA”) forms part of the agreement between JobTek Ltd (“Processor” or “JobTek”) and the customer identified in the Order or account (“Controller” or “Customer”) regarding the provision and use of the JobTek Services (as defined in the Terms & Conditions). This DPA reflects the parties’ obligations under the UK GDPR and Data Protection Act 2018.

​

By using the JobTek Services, the Customer agrees to this DPA, which is automatically incorporated into and forms part of the JobTek Terms & Conditions. No separate signature is required for this DPA to be binding.

Capitalised terms not defined in this DPA have the meaning given in the Agreement (Terms & Conditions) or the UK GDPR. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding data protection.

​

1. Subject Matter and Duration

This DPA governs JobTek’s processing of Personal Data on behalf of the Customer in connection with the JobTek Services. Processing will continue for the term of the Agreement and any period thereafter required for data return or deletion in accordance with Section 10.
 

2. Roles and Instructions

  1. Roles. Customer is the Controller; JobTek is the Processor.

  2. Instructions. JobTek will only process Personal Data on documented instructions from Customer (including via the Agreement, this DPA, and Customer’s configuration and use of the Services). JobTek will promptly inform Customer if an instruction infringes the UK GDPR.
     

3. Confidentiality

JobTek ensures that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
 

4. Security

Taking into account the state of the art, costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects, JobTek implements appropriate technical and organisational measures described in Annex C (Security Measures).
 

5. Sub-processors

  1. Authorised Sub-processors. Customer authorises JobTek to engage the sub‑processors listed in Annex B, and others as reasonably necessary to provide the Services.

  2. Sub-processor obligations. JobTek will impose on all sub‑processors data protection obligations no less protective than those in this DPA and remains liable for their performance.

  3. Changes. JobTek may update sub‑processors and will provide notice (e.g., website page or email). Customer may object on reasonable grounds related to data protection by notifying JobTek within 10 days of notice. If the parties cannot resolve the objection in good faith, Customer may suspend the affected Services without penalty.
     

6. Assistance to Customer

Taking into account the nature of processing and the information available to JobTek, JobTek will assist Customer by appropriate technical and organisational measures to fulfil Customer’s obligations to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability, objection) and to comply with Articles 32–36 UK GDPR (security, breach notifications, DPIA, and prior consultation).
 

7. Personal Data Breach

JobTek will notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Data. Such notice will include details known to JobTek at the time, including the nature of the breach, likely consequences, and measures taken or proposed to address it.
 

8. Audits and Information

  1. Upon reasonable request, JobTek will make available information necessary to demonstrate compliance with this DPA.

  2. Customer (or an independent third-party auditor mandated by Customer) may conduct an audit, limited to once per 12‑month period and upon 30 days’ notice, during normal business hours, without disrupting JobTek’s operations, and subject to confidentiality. Where possible, JobTek will satisfy audit requests by providing independent third‑party audit reports or certifications covering the relevant controls.
     

9. International Transfers

Where processing involves a transfer of Personal Data outside the UK/EEA to a country without an adequacy decision, the parties agree that appropriate safeguards will apply (such as the UK International Data Transfer Addendum (“IDTA”) and/or EU Standard Contractual Clauses (“SCCs”) with the UK Addendum), as described in Annex D.
 

10. Return and Deletion

Upon termination or expiry of the Agreement, Customer may export or request return of Personal Data. Thereafter, JobTek will delete remaining Personal Data within a commercially reasonable period, unless retention is required by law. Where deletion is not feasible, JobTek will continue to protect the Personal Data in accordance with this DPA and limit further processing to the purposes that prevent deletion.
 

11. Liability

Liability under this DPA is governed by the limitations and exclusions of liability in the Agreement. Nothing limits liability where not permitted by law.

​

12. Governing Law and Jurisdiction

This DPA and any disputes arising from it are governed by the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction.

​

13. Order of Precedence

In case of conflict: (i) applicable transfer mechanism (IDTA/SCCs) prevails; (ii) this DPA; then (iii) the Agreement.

​

Annex A – Details of Processing

​

​

​​

​

​

​

​

​

​

​

​

​

​

​​​

​

Annex B – Sub‑processors​​​

​

​​​​​​​​​​The following sub‑processors support the JobTek Services (current list):

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​​​

Annex C – Security Measures

  • Governance & Access Control: role‑based access; least privilege; MFA for administrative access; onboarding/offboarding procedures; confidentiality obligations.

  • Physical & Infrastructure Security: secure hosting with Microsoft Azure; network segmentation; DDoS protections; firewalls and security groups.

  • Data Protection: TLS encryption in transit; encryption at rest where applicable; key management by reputable cloud KMS.

  • Application Security: secure SDLC; code review; dependency scanning; vulnerability management; change control; logging and monitoring.

  • Business Continuity & Backups: regular backups; high availability architecture appropriate to plan; tested restoration procedures.

  • Incident Response: documented incident management; breach assessment; customer notification within the timelines in Section 7.

  • Vendor Management: written contracts with sub‑processors; periodic review of their security measures and certifications where available.

  • Personnel Security & Training: background checks where lawful and appropriate; ongoing security and privacy training.
     

Annex D – International Transfer Mechanisms

Where JobTek transfers Personal Data outside the UK/EEA to a country without adequacy, one or more of the following mechanisms will apply:

  • UK International Data Transfer Addendum (IDTA) to the EU SCCs;

  • EU Standard Contractual Clauses (SCCs) (2021) with UK Addendum where relevant;

  • Other suitable safeguard permitted by UK GDPR.

To the extent the SCCs/IDTA require the parties to complete annexes, the information in Annex AAnnex B and Annex C applies.

​

This Data Processing Addendum forms part of the standard JobTek Terms & Conditions and does not require a separate physical signature.

​

Contact

Email: info@jobtek.com
Post: JobTek Ltd, 61 Bridge Street, Kington, Herefordshire, HR5 3DJ

For related information, see JobTek’s Privacy Policy and Acceptable Use Policy.

Annexe 1
Annexe 2
bottom of page