Data processing agreement
Last updated: 30 April 2026
This Data Processing Agreement (“DPA”) forms part of the Foreman Terms of Service between Luke Pledger, a sole trader trading as “Foreman” from the United Kingdom (“Processor”, “we”, “us”) and the tradesperson who has signed up to use the service (“Controller”, “you”). It applies whenever Foreman processes personal data of your end customers on your behalf and is entered into automatically when you accept the Terms of Service at signup.
This DPA is written to satisfy Article 28 of the UK GDPR (and, where relevant, the EU GDPR) and applies in addition to any obligations imposed on us directly by data-protection law.
1. Definitions
Capitalised terms not defined here have the meaning given in UK GDPR Article 4. “Customer Personal Data” means any personal data relating to your end customers that Foreman processes on your behalf under the Terms of Service — including names, phone numbers, email addresses, service addresses, message content, and call recordings and transcripts. “Sub-processor” means any third party engaged by us to process Customer Personal Data on your behalf. “Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and (where relevant) the EU GDPR.
2. Roles and scope
- You are the Controller of Customer Personal Data. You determine the purposes and means of processing.
- We are the Processor in respect of Customer Personal Data. We process it only to provide the Foreman service to you under the Terms of Service.
- We are a separate Controller in respect of your own account data (your name, email, billing details, technical logs of your use of Foreman). That processing is governed by our Privacy Policy, not by this DPA.
3. Subject matter and details of processing
- Subject matter: the provision of Foreman’s messaging, scheduling, voice answering, and back-office services.
- Duration: for the term of your Foreman subscription, plus the retention periods set out in our Privacy Policy.
- Nature and purpose: receiving and sending messages, answering and recording calls, generating transcripts, scheduling jobs, sending transactional emails, and operating the Foreman dashboard.
- Categories of data subject: your end customers (the homeowners and businesses who book or enquire with you).
- Categories of personal data: name, phone number, email address, service address, message content, call audio and transcripts, call metadata, job and booking details.
- Special category data: Foreman is not designed to process special category personal data. You agree not to use Foreman to deliberately collect or store such data.
4. Processing on documented instructions
We process Customer Personal Data only on your documented instructions, including with regard to transfers outside the United Kingdom. The Terms of Service, this DPA, your use of the Foreman product (the actions you take in the dashboard, the settings you configure, and the messages you authorise), and any written instructions you give us by email constitute your documented instructions.
If we believe an instruction infringes Applicable Data Protection Law, we will inform you without undue delay and may suspend execution of that instruction.
We will not process Customer Personal Data for our own purposes, sell it, or use it to train artificial-intelligence models.
5. Confidentiality
We ensure that any person we authorise to process Customer Personal Data is bound by an obligation of confidentiality, whether contractual or statutory. Access is restricted to personnel who need it to provide or operate the service.
6. Security
We implement appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing. Current measures include:
- Encryption in transit (HTTPS / TLS) for all traffic
- Encryption at rest for sensitive credentials (WhatsApp tokens, OAuth tokens, API keys)
- Bcrypt hashing of tradesperson passwords
- Tenant isolation enforced at both the application layer and the database row level
- Verification of webhook signatures before any state change
- Rate-limiting of authentication endpoints
- Reputable infrastructure providers in the UK and EEA
- Restricted, audited administrative access
We review these measures regularly and may update them without materially weakening them.
7. Sub-processors
You give us general written authorisation to engage the sub-processors listed in our Privacy Policy (under “Who we share data with”) to provide the service. We will:
- Impose contractual obligations on each sub-processor that are materially equivalent to those set out in this DPA, including security, confidentiality, and processing-on-instruction requirements;
- Remain fully liable to you for the performance of any sub-processor we engage;
- Notify you in advance — by email to your registered address or an in-product banner — of any intended addition or replacement of a sub-processor that processes Customer Personal Data. You may object on reasonable data-protection grounds by emailing hello@foremanai.trade within 14 days of our notice. If no objection is received within that period, you are deemed to have approved the new sub-processor;
- Work with you in good faith to find a workaround if you object on reasonable data-protection grounds within the 14-day window. If no workaround is available, you may terminate the affected service on written notice as your sole remedy.
8. International transfers
Where we (or our sub-processors) transfer Customer Personal Data outside the United Kingdom or the European Economic Area, we rely on one of the following safeguards under UK GDPR Chapter V:
- An adequacy regulation (e.g. the UK-US Data Bridge);
- The European Commission’s Standard Contractual Clauses read together with the UK Information Commissioner’s International Data Transfer Addendum;
- The UK International Data Transfer Agreement (IDTA), where applicable.
We assess each restricted transfer and apply additional safeguards (such as transfer-risk assessments) where required by Applicable Data Protection Law.
9. Assistance with data subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to fulfil your obligation to respond to requests from data subjects exercising their rights under UK GDPR (Articles 12–22). In practice this means:
- You can access, export, correct, or delete an end customer’s records directly from the Foreman dashboard;
- For requests you cannot fulfil from the dashboard alone, email hello@foremanai.trade and we will assist within a reasonable timeframe;
- An end customer who contacts us directly will normally be referred to you as the controller. We may also act on the request directly where you confirm the instruction or where law requires us to.
10. Personal data breach
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, where possible, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We will provide reasonable assistance to help you meet your own breach-notification obligations to the ICO and to affected data subjects.
11. Data protection impact assessments and prior consultation
We will provide reasonable assistance to help you carry out a data protection impact assessment (DPIA) and any prior consultation with the ICO under UK GDPR Articles 35 and 36, where required, taking into account the nature of the processing and the information available to us.
12. Audits and information rights
We will make available to you all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR. This normally takes the form of:
- The information published in our Privacy Policy and on this page;
- Written responses to your reasonable security or data-processing questionnaires;
- Where we hold them, copies of relevant third-party certifications or audit reports of our sub-processors.
You may, on at least 30 days’ written notice and no more than once in any 12-month period (except where required by a supervisory authority or following a personal data breach), request a remote audit limited to the scope of this DPA. Audits must be conducted during normal business hours, must not unreasonably interfere with our operations or compromise the security or confidentiality of other customers’ data, and (unless the audit reveals a material breach by us) are at your cost.
13. Return or deletion of data
On termination of your Foreman subscription, our default is deletion of all Customer Personal Data, save where UK or EU law requires storage for a longer period. If you want your data returned (exported) instead, email hello@foremanai.trade within 14 days of the termination notice and we will provide an export in JSON and CSV format. After that 14-day window, deletion proceeds automatically. Account data is immediately deactivated and made inaccessible at deletion. All tenant data (jobs, customers, messages, etc.) is then permanently deleted within 30 days, after which database backups will have rotated. See the account deletion instructions for the full timeline and what is retained.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in clauses 13.1–13.4 of the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law (such as administrative fines imposed directly on a party by a supervisory authority).
15. Order of precedence
In the event of any conflict between this DPA and the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails. In the event of any conflict between this DPA and the Standard Contractual Clauses or UK Addendum, the Clauses and Addendum prevail.
16. Governing law and changes
This DPA is governed by the laws of England and Wales. We may update this DPA from time to time; material changes will be notified to your registered email address at least 30 days before they take effect.
17. Contact
Data-protection queries: hello@foremanai.trade.