chillcheck Beta
Legal

Data Processing Agreement

How ChillCheck processes personal data on behalf of customers as a data processor under UK GDPR.

Effective: 27 May 2026 Last updated: 27 May 2026

1. Introduction and scope

This Data Processing Agreement ("DPA") is entered into between Shaylor Consulting, operating the ChillCheck service ("Processor"), and the customer organisation that has subscribed to ChillCheck ("Controller").

This DPA is incorporated into and forms part of the ChillCheck Terms of Service. By subscribing to ChillCheck, the Controller accepts the terms of this DPA. This DPA applies wherever ChillCheck processes personal data on behalf of the Controller in connection with providing the Service.

Need a signed copy? If your compliance process requires a countersigned DPA, contact us at hello@chillcheck.online and we will arrange a signed PDF version.

2. Definitions

Controller
The customer organisation that determines the purposes and means of processing personal data using the ChillCheck service.
Processor
Shaylor Consulting, which processes personal data on the Controller's behalf in order to provide the ChillCheck service.
Data Subject
An identified or identifiable natural person whose personal data is processed — in this context, typically the Controller's employees, managers, and nominated alert contacts.
Personal Data
Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
Processing
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Sub-processor
A third party engaged by the Processor to carry out processing of personal data on the Controller's behalf.
UK GDPR
The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
DPA 2018
The Data Protection Act 2018.

3. Roles of the parties

The Controller decides which individuals' data to enter into the ChillCheck platform — for example, which staff to invite as users, which phone numbers and email addresses to configure as alert contacts, and what names to assign to sites and cabinets.

The Processor processes this data only as necessary to provide and operate the Service as described in the Terms of Service and as further detailed in this DPA. The Processor does not determine the purposes of processing and acts only on the Controller's instructions.

4. Processing details

The details of the processing carried out under this DPA are as follows:

Item Description
Nature Collection, storage, retrieval, use, and deletion of personal data to operate the temperature monitoring and alert service
Purpose Delivering temperature alerts; maintaining the compliance audit trail; enabling dashboard access and account management
Duration For the term of the subscription agreement, plus 90 days post-termination to allow data export
Data types Names, email addresses, and phone numbers of the Controller's staff and nominated alert contacts; account credentials (passwords are hashed and not accessible to the Processor)
Data subjects The Controller's employees, managers, and other individuals added by the Controller as users or alert contacts

5. Processor obligations

The Processor shall:

  • Process personal data only on the Controller's documented instructions, as set out in the Terms of Service and as configured in the platform
  • Ensure that all persons authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures (see Section 8)
  • Not engage any sub-processor without prior general or specific authorisation from the Controller, and ensure sub-processors are bound by obligations no less protective than those in this DPA
  • Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests, to the extent possible given the nature of the processing
  • Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting the Controller's data (see Section 9)
  • At the Controller's written request, assist with data protection impact assessments and prior consultations with the ICO where required
  • At the end of the agreement, delete or return all personal data as set out in Section 10
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA
  • Not transfer personal data outside the UK or EEA without adequate safeguards (see sub-processors table in Section 6)

6. Sub-processors

The Controller grants general authorisation for the Processor to engage the sub-processors listed below. The Processor will ensure each sub-processor is bound by a written data processing agreement providing protections at least equivalent to those in this DPA.

Sub-processor Purpose Location Transfer mechanism
Supabase, Inc. Database storage and user authentication United States Standard Contractual Clauses (UK Addendum / IDTA)
Vonage (Ericsson) SMS and voice call delivery United Kingdom / EU UK GDPR adequate / SCCs as applicable
Resend, Inc. Transactional email delivery United States Standard Contractual Clauses (UK Addendum / IDTA)
Stripe, Inc. Payment processing (billing data only) United States Standard Contractual Clauses (UK Addendum / IDTA)
Vercel, Inc. Dashboard application hosting United States (with EU edge nodes) Standard Contractual Clauses (UK Addendum / IDTA)

The Processor will notify the Controller of any intended addition or replacement of sub-processors by updating this page with at least 30 days' prior notice. The notification date is the "last updated" date shown at the top of this DPA. If the Controller reasonably objects to a new sub-processor on data protection grounds, the parties will discuss the objection in good faith; if no resolution is reached, the Controller may terminate the agreement without penalty.

7. Data subject rights

If the Processor receives a request from a Data Subject exercising rights under UK GDPR (access, rectification, erasure, restriction, portability, or objection) that relates to the Controller's data, the Processor will:

  • Promptly forward the request to the Controller
  • Not respond to the Data Subject directly unless the Controller authorises it
  • Provide the Controller with reasonable assistance to fulfil the request, using the technical capabilities of the platform

The Controller is responsible for responding to Data Subject requests within the statutory timeframes under UK GDPR (one month, extendable by two months for complex requests).

8. Security measures

The Processor implements the following technical and organisational measures to protect personal data:

  • Encryption in transit: all data transmitted between the Pi hub, Vercel, and Supabase uses TLS 1.2 or higher
  • Encryption at rest: database storage is encrypted at rest via Supabase infrastructure (AES-256)
  • Access isolation: Row-Level Security (RLS) policies in the database ensure that each organisation's data is accessible only to users authenticated to that organisation
  • Authentication: user accounts are secured by Supabase's authentication system; passwords are hashed and not accessible to ChillCheck staff
  • Tamper-evident audit log: database-level triggers prevent modification or deletion of audit log entries, even by platform administrators
  • Staff access controls: ChillCheck staff access to customer data is restricted to what is necessary for support and incident response; access requires authentication and is logged
  • Dependency management: regular review of third-party dependencies for known vulnerabilities
  • Incident response: defined process for identifying, containing, and notifying data breaches within the 72-hour statutory window

9. Personal data breach notification

In the event of a personal data breach affecting the Controller's data, the Processor will notify the Controller within 72 hours of becoming aware of the breach. The notification will include, to the extent known at the time:

  • A description of the nature of the breach
  • The approximate number and categories of data subjects and personal data records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

Where information is not available at the time of initial notification, it will be provided in a follow-up communication as soon as reasonably practicable.

The Controller remains responsible for assessing whether to notify the ICO (within 72 hours of becoming aware) and, where required, the affected Data Subjects.

10. Data return and deletion

On termination or expiry of the subscription agreement, the Processor will:

  • Retain the Controller's data for 90 days from the termination date, during which the Controller may log in and export data in CSV format
  • After 90 days, permanently delete all personal data from live systems
  • Retain billing records (name, email, billing address, invoice amounts) for 7 years from the date of transaction as required by HMRC rules — this is a legal obligation and cannot be waived
  • On written request, provide written confirmation of deletion within 30 days of completion

Data held by sub-processors will be deleted in accordance with those sub-processors' data processing agreements and deletion timelines.

11. Audits and inspections

The Controller may request audit information to verify the Processor's compliance with this DPA. The Processor will provide:

  • Written responses to reasonable compliance questionnaires within 30 days
  • Access to relevant security and compliance documentation upon request

On-site audits may be arranged by mutual agreement and at the Controller's cost. Any third-party auditor engaged by the Controller must sign a confidentiality agreement acceptable to the Processor before access is granted. Audits may not unreasonably disrupt the Processor's operations or compromise the security of other customers' data.

12. Term

This DPA remains in force for the duration of the subscription agreement and continues for as long as the Processor retains any of the Controller's personal data, including during the 90-day post-termination retention period.

13. Governing law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA are subject to the exclusive jurisdiction of the courts of England and Wales.

14. Signed copy

This DPA is accepted automatically when the Controller subscribes to ChillCheck, as confirmed by acceptance of the Terms of Service. For organisations that require a countersigned PDF copy for their own records or procurement process, contact us at hello@chillcheck.online with the subject line "DPA signed copy request".

See also: Privacy Policy · Terms of Service