This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Dayspring Software Limited (“Dayspring”, “we”, “us”) and the Customer (“you”) and governs the processing of personal data by Dayspring on behalf of the Customer in connection with the Platform. Capitalised terms not defined here have the meanings given in the Terms of Service.
“Controller” means the Customer, who determines the purposes and means of processing personal data.
“Data Protection Law” means the UK GDPR, the Data Protection Act 2018, and any successor legislation, as amended from time to time.
“Personal Data” has the meaning given in Data Protection Law.
“Processor” means Dayspring, who processes personal data on behalf of the Customer.
“Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation, as defined in Article 9 UK GDPR.
“Sub-processor” means any third party engaged by Dayspring to process personal data in connection with the Platform.
The Customer is the Controller and Dayspring is the Processor in respect of any personal data processed through the Platform. Each party will comply with its respective obligations under Data Protection Law.
The Customer acknowledges that it is solely responsible for the lawfulness of any personal data uploaded to the Platform, including any Special Category Data that may be contained within documents or files uploaded by Authorised Users. Dayspring processes such data solely on the Customer’s instructions and does not determine the nature or content of uploaded materials.
Categories of Data Subjects: The Customer’s Authorised Users and any individuals whose personal data is contained within the files and documents uploaded to the Platform. This may include individuals referenced in policy documents, HR materials, or other files uploaded by Authorised Users.
Duration: For the Term of the Customer’s subscription, plus any applicable retention period set out in Clause 7 of this DPA.
Nature of Processing: Hosting, storage, retrieval,and transmission of personal data as part of the Platform, together with AI-assisted processing including but not limited to summarisation, content analysis, gap identification, recommendations, and responses to natural language queries, in each case applied to materials uploaded by the Customer.
Purpose: Providing the Platform to the Customer in accordance with the Terms of Service.
Types of Personal Data: Account credentials (name, email address, authentication data), billing information, support correspondence, and any personal data – including Special Category Data – contained within documents uploaded by Authorised Users.
Dayspring will:
The Customer will:
The Customer provides general authorisation for Dayspring to engage sub-processors. Dayspring’s current sub-processors are:
Dayspring will ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.
Dayspring will notify the Customer of any intended changes to sub-processors by updating this DPA and providing at least 30 days’ notice. If the Customer reasonably objects to a new sub-processor on data protection grounds, it must notify Dayspring in writing within that 30-day period at compliance@dayspringsoftware.com. If the parties cannot resolve the objection, either party may terminate the Agreement on written notice without penalty.
Dayspring will carry out appropriate due diligence on any new sub-processor before engaging them, and will be fully liable to the acts and omissions of its sub-processors to the same extent as if Dayspring had performed the processing itself, subject to the limitations set out in Clause 13 of the Terms of Service.
Account & Billing Records: Personal data relating to the Customer’s account, billing history, and support correspondence will be retained for 7 years from the end of the subscription, in accordance with the Limitation Act 1980, after which it will be securely deleted or anonymised.
Platform Data: All Customer Data within the Platform will be permanently deleted within 30 days of cancellation of the Customer’ssubscription, in accordance with Clause 5 of the Terms of Service.
Upon expiry of the applicable retention period, Dayspring will securely delete or anonymise all personal data, unless retention is required by applicable law. Upon written request, Dayspring will provide the Customer with written confirmation that deletion or anonymisation has been completed.
Dayspring processes Customer personal data within the UK and EU only (AWS eu-west-1 and eu-west-2). With the exception of Stripe, Inc., which processes billing information in the US subject to appropriate safeguards including the UK Addendum to the EU Standard Contractual Clauses, all sub-processors process Customer personal data within the UK or EU. No other transfers of Customer personal data are made to third countries outside the UK or EU, except where required by applicable law.
Where Dayspring receives a request directly from a data subject in relation to personal data processed on behalf of the Customer, Dayspring will promptly forward that request to the Customer and will not respond to the data subject unless instructed to do so by the Customer or required by law.
All data protection queries, notices, and complaints should be directed to Dayspring’s compliance team: compliance@dayspringsoftware.com.
This DPA is governed by the laws of England and Wales and forms part of the Terms of Service.