1. Parties
This Data Processing Addendum (“DPA”) is between Codebased Ltd (processor) and the customer organisation (controller). It forms part of the Terms of Service and applies to customer content processed within Timelint.
2. Definitions
Terms such as “personal data”, “processing”, “controller”, and “processor” have the meanings given in the UK GDPR.
3. Subject matter, duration, nature, and purpose
- Subject matter: providing the Timelint service (tickets, service desk, client portal, time tracking, planning).
- Duration: for the term of the customer’s subscription/trial and any limited retention period after deletion for backups/restoration.
- Nature: hosting, storing, organising, transmitting, and displaying customer content; providing notifications; access control and audit.
- Purpose: to provide, secure, and support the service in accordance with the customer’s instructions.
4. Types of personal data and categories of data subjects
- Data subjects: customer users, client/portal contacts, and other individuals referenced within customer content.
- Personal data: names, emails, phone (optional), job titles (optional), ticket content, messages/comments, and file attachments.
5. Controller instructions
Codebased Ltd will process personal data only on documented instructions from the controller, including as needed to provide the service. If Codebased Ltd believes an instruction infringes the UK GDPR, it will inform the controller (unless prohibited by law).
6. Confidentiality
Codebased Ltd will ensure persons authorised to process personal data are bound by confidentiality obligations.
7. Security measures
Codebased Ltd implements appropriate technical and organisational measures to protect personal data. These measures include (among others, depending on deployment):
- account-scoped access controls and role-based permissions
- private attachments served through authenticated routes
- audit trails for key ticket actions
- encryption of certain secrets (for example, external connection tokens) at the application level
- secure development and operational practices (access controls, change management)
8. Subprocessors
The controller authorises Codebased Ltd to appoint subprocessors to assist in providing the service (for example: hosting, email delivery, storage). Codebased Ltd will remain responsible for subprocessors’ performance of their obligations.
Where reasonably practicable, Codebased Ltd will provide notice of material changes to subprocessors. If you require a list of subprocessors for due diligence, contact privacy@codebased.co.uk.
9. International transfers
If personal data is transferred outside the UK, Codebased Ltd will ensure appropriate safeguards are in place (for example, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses), and will take steps to ensure an essentially equivalent level of protection.
10. Assistance
Taking into account the nature of processing, Codebased Ltd will assist the controller as reasonably necessary to:
- respond to data subject requests
- carry out data protection impact assessments (DPIAs) where required
- consult with the ICO where required
11. Personal data breaches
Codebased Ltd will notify the controller without undue delay after becoming aware of a personal data breach affecting customer content, and will provide information reasonably needed to support the controller’s compliance obligations.
12. Deletion and return
On termination of the service, Codebased Ltd will delete or return customer content within a reasonable period, except to the extent retention is required by law or for limited backup/restoration purposes.
13. Audits
On reasonable request, Codebased Ltd will provide information necessary to demonstrate compliance with this DPA. Audits, if required, must be reasonable in scope and timing and must not compromise other customers’ confidentiality or service security.
14. Order of precedence
If there is a conflict between this DPA and the Terms of Service, this DPA will apply for data processing matters.