Data Processing Agreement

UK GDPR Article 28 Processor Terms

The terms on which Curcle processes personal data on our customers’ behalf when providing the Service.

Version 1.1

Last updated: 28 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Curcle Ltd (company number 17260381), a company registered in England & Wales and a wholly-owned subsidiary of Herridge Ventures (the “Processor”, “Curcle”, “we”), and the customer that subscribes to the Curcle platform (the “Controller”, “Customer”, “you”). It sets out the terms on which Curcle processes personal data on the Customer’s behalf in providing the Curcle field-service management platform (the “Service”), in accordance with Article 28 of the UK GDPR.

1. Roles of the parties

In respect of personal data contained within the Customer’s business records processed through the Service (“Customer Personal Data”), the Customer is the controller and Curcle is the processor. Each party shall comply with its respective obligations under UK Data Protection Law, meaning the UK GDPR and the Data Protection Act 2018, and any successor legislation.

2. Subject-matter, duration, nature and purpose

  • Subject-matter: the provision of the Curcle field-service management platform.
  • Duration: for the term of the Customer’s subscription and any agreed post-termination data-retrieval period.
  • Nature and purpose: hosting, storage, organisation, retrieval, transmission and deletion of Customer Personal Data as necessary to provide the Service.

3. Types of personal data and categories of data subjects

  • Categories of data subjects: the Customer’s employees, engineers, approved sub-contractors, customer-portal users, and the Customer’s own clients and site contacts.
  • Types of personal data: names, contact details, employment role, job and scheduling records, site addresses, test results and certificates, timesheets and pay data, signatures, photographs, notes, GPS check-in/out coordinates, and device/session information.

4. Processor obligations

Curcle shall:

  • process Customer Personal Data only on the Customer’s documented instructions, including as set out in this DPA and the main Terms, unless required to do otherwise by law (in which case it will inform the Customer where lawful to do so);
  • ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • implement appropriate technical and organisational measures as described in Annex II;
  • respect the conditions for engaging sub-processors set out in clause 5;
  • assist the Customer, taking into account the nature of processing, in responding to data subject requests and in meeting its obligations regarding security, breach notification and data protection impact assessments;
  • at the Customer’s choice, delete or return Customer Personal Data at the end of the provision of the Service, save where storage is required by law.

5. Sub-processors

The Customer provides general authorisation for Curcle to engage the sub-processors listed in Annex I to support delivery of the Service. Curcle imposes data-protection obligations on each sub-processor that are substantially equivalent to those in this DPA, and remains liable to the Customer for the performance of each sub-processor’s obligations. Curcle will inform the Customer of any intended changes to its sub-processors and give the Customer the opportunity to object on reasonable data-protection grounds.

6. AI-assisted processing

Where the Customer enables AI-assisted features, Curcle may engage AI service providers as sub-processors to provide those features. Any such processing is carried out only on the Customer’s documented instructions and only to the extent necessary to provide the enabled feature. Curcle does not use Customer Personal Data to train third-party foundation models unless expressly agreed with the Customer. As at the date of this DPA, no AI sub-processor is engaged for production processing of Customer Personal Data; any such sub-processor will be added to Annex I and the Customer notified in accordance with clause 5 before processing begins.

7. International transfers

Some sub-processors are located outside the United Kingdom. Where Customer Personal Data is transferred outside the UK, Curcle ensures that an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.

8. Security

Curcle implements and maintains the technical and organisational measures set out in Annex II, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to data subjects.

9. Personal data breaches

Curcle shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and shall provide the Customer with sufficient information to allow it to meet any obligations to report the breach to the ICO or to data subjects.

10. Audit

Curcle shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, on reasonable prior notice and subject to confidentiality.

11. Return and deletion

On termination of the Service, Curcle will, at the Customer’s choice, make Customer Personal Data available for export for a reasonable period and will then delete it, except to the extent that retention is required by law.

12. Liability and governing law

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the main Terms. This DPA is governed by the laws of England & Wales.

Annex I — Sub-processors

  • Replit, Inc. (USA) — application hosting and managed database.
  • Google Cloud (via Replit) — encrypted object/file storage.
  • Stripe — subscription payment processing.
  • Resend — outbound transactional email delivery.
  • Google Maps — optional in-app mapping.
  • AI service provider(s) — used only where the Customer enables AI-assisted features. The current AI sub-processor list will be confirmed and updated before any production AI processing involving Customer Personal Data.

Annex II — Technical and organisational measures

  • Encryption of data in transit using TLS.
  • Passwords hashed using the bcrypt algorithm; no plaintext password storage.
  • Role-based access controls restricting access to data on a need-to-know basis.
  • Per-tenant data isolation between subscribing organisations.
  • Session management with a 30-minute inactivity timeout and secure session cookies.
  • Audit logging of security-relevant actions, with configurable retention.
  • Rate limiting, restricted CORS, security headers and CSRF protection.
  • Regular database backups to support recovery.

Contact

Curcle Ltd, Crown Chambers, 7 Market Place, Melksham, SN12 6ES, United Kingdom. Email: support@curcle.co.uk. Telephone: +44 7860 503886.