1. Parties and purpose
This Data Processing Agreement forms part of the TapTick contract between Fit2Trade Ltd and the customer organisation using TapTick. It applies where TapTick processes personal data on behalf of that customer.
2. Roles of the parties
For customer data processed through TapTick, the customer organisation acts as the controller and Fit2Trade Ltd acts as the processor, except where Fit2Trade Ltd separately acts as a controller for its own business administration, security, billing, or legal compliance purposes.
3. Subject matter, duration and nature of processing
The subject matter of the processing is the provision of the TapTick SaaS platform. The duration of processing lasts for the period during which TapTick processes customer personal data to provide the service and any agreed post-termination retention period.
Processing activities may include collection, storage, organisation, retrieval, consultation, transmission, backup, deletion, and other operations required to provide the service.
4. Categories of data and data subjects
Data subjects
- customer employees, managers, contractors, and authorised users;
- individuals who may appear in uploaded operational images or comments.
Types of personal data
- names, email addresses, user roles, initials, identifiers, timestamps, and activity records;
- comments, uploaded images, and other operational content entered by customer users.
5. Processor obligations
Fit2Trade Ltd will:
- process personal data only on documented instructions from the customer, unless required by law to do otherwise;
- ensure persons authorised to process personal data are subject to confidentiality obligations;
- implement appropriate technical and organisational measures;
- assist the customer, taking into account the nature of the processing, with appropriate requests relating to data subjects, security, breach response, impact assessments, and supervisory authority engagement;
- delete or return personal data at the end of the provision of services, unless law requires retention.
6. Customer obligations
The customer is responsible for determining the lawful basis for processing, providing notices to individuals where required, setting retention requirements, and ensuring that use of TapTick complies with applicable data protection law.
7. Security measures
Measures may include encrypted transport, authentication controls, role-based permissions, logging, and use of reputable managed infrastructure providers. Security measures may evolve over time provided they do not materially reduce overall protection for customer data.
8. Subprocessors
The customer authorises Fit2Trade Ltd to use subprocessors to deliver the service. Current subprocessors are listed on the Subprocessor List. Fit2Trade Ltd will remain responsible for the performance of its subprocessor obligations to the extent required by law and contract.
9. International transfers
Where personal data is transferred outside the EEA or UK, Fit2Trade Ltd will seek to ensure an appropriate transfer mechanism is in place, such as Standard Contractual Clauses or another recognised safeguard.
10. Personal data breaches
Fit2Trade Ltd will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data and will provide reasonable cooperation to support the customer's own assessment and reporting obligations.
11. Audit and information rights
On reasonable written request, Fit2Trade Ltd will make available information reasonably necessary to demonstrate compliance with this DPA. Any audit rights must be exercised in a proportionate way that avoids undue disruption, protects other customers, and respects confidentiality and security obligations.
12. Return and deletion
On termination, customer data may be exported by the customer during any available access window. After that, Fit2Trade Ltd may delete the data after a reasonable retention period unless law requires otherwise.
13. Liability and order of precedence
Unless expressly stated otherwise in this DPA, liability is governed by the main TapTick contract. If this DPA conflicts with the main TapTick terms on data protection matters, this DPA will take precedence for those matters.
14. Governing law
This DPA is governed by the laws of Ireland.