Data Processing Agreement
SurveyMate Ltd · Company No. 17144402 · Last updated: 5 May 2025
1. Background and scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SurveyMate Ltd (“Processor”) and the Customer (“Controller”). It governs the processing of personal data by SurveyMate on behalf of the Customer in connection with the SurveyMate platform, as required by Article 28 of UK GDPR.
To the extent that SurveyMate processes personal data on behalf of the Customer (e.g. survey subject contact details, property occupant data entered by the Customer’s surveyors), SurveyMate acts as a data processor and the Customer acts as the data controller for that data.
2. Details of processing
| Item | Details |
|---|---|
| Subject matter | Provision of the SurveyMate damp and timber survey platform |
| Duration | For the term of the Customer’s active subscription |
| Nature | Storage, retrieval, display, export, and deletion of Customer Data |
| Purpose | Enabling surveyors to capture, manage, and report survey findings |
| Data types | Names, contact details, property addresses, survey findings, photos |
| Data subjects | Property occupants, clients, and third parties named in surveys |
3. Processor obligations
SurveyMate shall:
- Process personal data only on documented instructions from the Controller (i.e. the Customer’s use of the platform), except where required by applicable law.
- Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with clause 5 below.
- Engage sub-processors only in accordance with clause 4 below.
- Assist the Controller in responding to data subject rights requests as set out in clause 6.
- Assist the Controller in complying with obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs, prior consultation).
- At the Controller’s election, delete or return all personal data on termination of the agreement, and delete existing copies unless storage is required by law.
- Make available all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
4. Sub-processors
The Controller grants general authorisation for the engagement of the following sub-processors. SurveyMate will notify the Controller of any intended changes at least 14 days in advance, giving the Controller the opportunity to object.
| Sub-processor | Location | Service | Transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | USA | Database, auth, storage | IDTA / UK Addendum to SCCs |
| Stripe, Inc. | USA | Payment processing | IDTA / UK Addendum to SCCs |
| Vercel, Inc. | USA / EU | Application hosting | IDTA / UK Addendum to SCCs |
| Resend / SendGrid | USA | Transactional email | IDTA / UK Addendum to SCCs |
5. Security measures
SurveyMate maintains appropriate technical and organisational measures including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security policies enforcing tenant isolation at the database level.
- Role-based access controls restricting data access to authorised personnel.
- Regular automated backups with point-in-time recovery.
- Supabase-managed infrastructure security including DDoS mitigation and intrusion detection.
- Access logging and audit trails for administrative actions.
6. Data subject rights
Where SurveyMate receives a request directly from a data subject relating to Customer Data, SurveyMate will promptly notify the Controller and will not respond to the request without the Controller’s instructions. SurveyMate will provide reasonable technical assistance to enable the Controller to fulfil data subject rights obligations within the statutory timeframe.
7. Personal data breaches
SurveyMate shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer Data. Notifications will include: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed.
8. Anonymised data
Where SurveyMate generates anonymised, aggregated insights from Customer Data (as described in clause 6 of the Terms of Service), such outputs are not personal data and this DPA does not apply to them. The anonymisation process is irreversible and the outputs cannot be used to re-identify any individual or property.
9. Audits
SurveyMate will, upon reasonable written notice (minimum 14 days) and no more than once per calendar year, make available information and, where reasonably necessary, allow for audits by the Controller or an appointed third-party auditor, subject to the auditor executing a confidentiality agreement.
10. Governing law
This DPA is governed by the laws of England and Wales. It shall be interpreted consistently with the Terms of Service.
SurveyMate Ltd · Company No. 17144402 · Registered in England and Wales
DPA queries: privacy@damp-survey.com