1. Roles
- Controller: the Haulier subscribing to the service.
- Processor: Lee Bliss t/a WTNDigital.com of 3 Pulla Hill Drive, Storrington, West Sussex, RH20 3LS, United Kingdom.
2. Subject matter & duration
The Processor processes personal data on behalf of the Controller strictly to deliver the SaaS described in the Terms of Service, for the duration of the subscription plus the statutory retention period required by the Waste (England & Wales) Regulations 2011 (minimum 2 years).
3. Nature & purpose
Creating, storing, signing, generating PDFs of, and emailing Waste Transfer Notes; submitting them to DEFRA Digital Waste Tracking; enabling drivers to capture signatures and GPS; running an authenticated customer portal.
4. Categories of data subject
- Controller’s employees (admins, drivers)
- Controller’s customers / waste-producer contacts
- Site operators signing at the transfer point
5. Categories of personal data
- Contact: name, email, phone
- Authentication: hashed password
- Operational: vehicle registration, driver name, signatures, GPS
- Commercial: company address, carrier number, DWT API keys
6. Processor obligations
The Processor will:
- Only process personal data on the Controller’s documented instructions (configuring the account = instruction).
- Keep personal data confidential and ensure staff are under equivalent obligations.
- Apply the technical and organisational security measures listed in Annex A.
- Only engage sub-processors listed in Annex B, with equivalent obligations.
- Help the Controller respond to data-subject rights requests and to the ICO where required.
- Notify the Controller without undue delay (target: within 72 hours) of a personal-data breach.
- On termination, return or delete all personal data except where retention is required by law (see Privacy Policy § 4).
- Make available all information necessary to demonstrate compliance with Art. 28, and allow audits on reasonable notice.
7. International transfers
Where sub-processors are outside the UK/EEA, transfers are covered by the UK International Data Transfer Agreement (IDTA) or EU SCCs + UK Addendum.
8. Liability
Liability under this DPA is subject to the cap in the Terms of Service. Nothing in this DPA limits a data subject’s rights under UK GDPR.
Annex A — Security measures
- TLS 1.2+ on all traffic
- bcrypt password hashing (cost factor 12)
- JWT session tokens (12 h expiry) + httpOnly cookies
- Database-level tenant isolation (every record keyed by tenant_id)
- Stripe webhook signature verification
- Encrypted backups retained for 30 days
- Role-based admin access; principle of least privilege
- Annual review of access permissions
Annex B — Sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe Payments Europe | Payment processing | Ireland / US | SCCs + UK Addendum |
| Resend | Transactional email delivery | US | SCCs + UK Addendum |
| Google Analytics 4 | Anonymised marketing-site analytics | EU / US | SCCs + UK Addendum, IP-anonymised |
| MongoDB Atlas | Primary database | eu-west-1 (Ireland) | UK adequacy |
| Emergent hosting | Application hosting | EU/UK region | UK adequacy |
How to sign this DPA
By accepting the Terms of Service, you also accept this DPA as a counter-signed document. If your internal policies require a wet-signed copy, email support@wtndigital.com and we’ll send you a PDF.