1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The consultant or organisation using the BehaviouralSafety.org platform ("Controller", "you")
Data Processor: Hi Vis Safety Ltd, a company registered in England and Wales, operating BehaviouralSafety.org ("Processor", "we", "us")

2. Scope of Processing

We process personal data on your behalf solely to provide the BehaviouralSafety.org platform services:

Hosting and delivering behavioural safety surveys to your employees/clients
Collecting and storing survey responses
Generating AI-powered analysis and reports
Providing benchmarking against anonymised industry data
Managing your client portal and CRM

3. Types of Personal Data

Survey respondent data: Job role, department, experience, sex (demographic only), survey answers (Likert scale 1-5)
Consultant data: Name, email, company name, branding preferences, payment history
Client contact data: Name, email address (for portal access)

We do not collect or process special category data. Survey responses are anonymous by default — no names, email addresses, or employee IDs are collected from respondents.

4. Our Obligations

Process personal data only on your documented instructions
Ensure all personnel with access are bound by confidentiality obligations
Implement appropriate technical and organisational security measures (see Section 6)
Not engage sub-processors without your prior consent (current list at /privacy/sub-processors)
Assist you in responding to data subject access requests
Notify you without undue delay of any personal data breach
Delete or return all personal data upon termination of services
Make available all information necessary to demonstrate compliance

5. Your Obligations

Ensure you have a lawful basis for collecting survey data from respondents
Provide appropriate privacy notices to survey respondents
Not upload special category data to the platform
Comply with applicable data protection laws (UK GDPR, DPA 2018)

6. Security Measures

Encryption at rest: AES-256 (AWS RDS)
Encryption in transit: TLS 1.2+ on all connections
Password hashing: bcrypt with 12 salt rounds
Data hosting: AWS EU (Stockholm, eu-north-1)
Access control: Role-based, session-based authentication
Backups: Daily automated backups with 1-day retention, point-in-time restore
No tracking: No analytics cookies, no third-party trackers, no fingerprinting

7. Sub-processors

We use the following sub-processors to deliver our services. See the full list with details at /privacy/sub-processors.

Amazon Web Services (AWS) — Infrastructure hosting (EU region)
Stripe — Payment processing
Resend — Transactional email delivery
OpenAI — AI analysis (no training on your data)

8. Data Retention

Active accounts: Data retained while your account is active
Deactivated accounts: All personal data deleted 30 days after deactivation
Anonymised benchmarks: Aggregated, non-identifiable data retained indefinitely
Payment records: Retained for 7 years (UK tax/legal requirements)

9. International Transfers

All primary data is stored in the EU (AWS Stockholm). Where data is transferred outside the UK/EEA (e.g., OpenAI API calls for analysis), we rely on Standard Contractual Clauses (SCCs) and ensure the processor has adequate safeguards in place.

10. Term and Termination

This DPA is effective for the duration of your use of the platform. Upon termination, we will delete all personal data within 30 days unless legally required to retain it. You may request data export at any time via Settings > Download My Data.

11. Contact

For data protection enquiries, contact us at:

Hi Vis Safety Ltd
Submit via: /contact (Privacy / data request)