OnboardingHub OnboardingHub

Data Processing Agreement

Last updated: 2 February 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between WLS Labs Ltd (“Processor”, “we”, “us”) and the customer agreeing to the Terms of Service (“Controller”, “you”) for the provision of the OnboardingHub platform and related services (“Services”).

This DPA reflects the parties’ commitment to comply with UK data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Definitions

1.1 “Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

1.2 “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Personal Data Breach” shall have the meanings given to them in the UK GDPR.

1.3 “Customer Data” means Personal Data that the Controller uploads, stores, or processes through the Services.

1.4 “Sub-processor” means any third party engaged by the Processor to process Customer Data on behalf of the Controller.

2. Roles and Scope

2.1 The Controller is the data controller and the Processor is the data processor in respect of Customer Data processed under this DPA.

2.2 This DPA applies to all Processing of Customer Data carried out by the Processor on behalf of the Controller in connection with the Services.

2.3 The details of the Processing, including its subject matter, duration, nature and purpose, the types of Personal Data and the categories of Data Subjects, are set out in Schedule 1.

3. Controller Obligations

3.1 The Controller warrants and represents that:

(a) it has obtained all necessary consents and established all necessary legal bases for the Processing of Customer Data as required by Data Protection Laws;

(b) it has provided all required privacy notices to Data Subjects whose Personal Data is included in the Customer Data;

(c) its instructions to the Processor for the Processing of Customer Data comply with all applicable Data Protection Laws; and

(d) it is responsible for the accuracy, quality, and legality of Customer Data and the means by which it was obtained.

4. Processor Obligations

4.1 The Processor shall:

(a) process Customer Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by law);

(b) ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) implement and maintain appropriate technical and organisational security measures in accordance with Schedule 2;

(d) not engage any Sub-processor without the prior authorisation of the Controller in accordance with Clause 6;

(e) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights;

(f) assist the Controller in ensuring compliance with its obligations relating to security of Processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities;

(g) at the choice of the Controller, delete or return all Customer Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data; and

(h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

5. Security Measures

5.1 The Processor shall implement and maintain appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction, damage, theft, alteration, or disclosure, and to the nature of the Customer Data to be protected. The specific measures are detailed in Schedule 2.

6. Sub-processors

6.1 The Controller provides a general authorisation to the Processor to engage Sub-processors for the Processing of Customer Data, subject to the requirements of this Clause 6.

6.2 The Processor shall maintain an up-to-date list of Sub-processors at onboarding-hub.com/legal/sub-processors.

6.3 The Processor shall notify the Controller of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object to such changes. The Controller shall have 14 days from the date of notification to object to the appointment of a new Sub-processor. If the Controller objects on reasonable grounds relating to data protection, the Processor shall use reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable change to the Controller’s use of the Services to avoid Processing of Customer Data by the objected-to Sub-processor.

7. Personal Data Breach

7.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data Breach affecting Customer Data. Such notification shall include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to address the breach.

8. Data Subject Requests

8.1 The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under Data Protection Laws in respect of Customer Data. The Processor shall not respond to such a request except on the documented instructions of the Controller or as required by applicable law.

9. International Transfers

9.1 The Processor shall not transfer Customer Data outside the United Kingdom without ensuring that appropriate safeguards are in place in accordance with Data Protection Laws. Where such transfers are necessary for the provision of Services, the Processor shall ensure that they are subject to appropriate transfer mechanisms as recognised under UK GDPR.

10. Audits

10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable prior notice and during normal business hours.

11. Term and Termination

11.1 This DPA shall remain in effect for the duration of the Processing of Customer Data by the Processor on behalf of the Controller. Upon termination of the Agreement, the Processor shall comply with its obligations under Clause 4.1(g) regarding deletion or return of Customer Data.

12. Liability

12.1 Each party’s liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Terms of Service.

13. General

13.1 This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

13.2 In the event of any conflict between this DPA and the Agreement, this DPA shall prevail in respect of the Processing of Customer Data.

13.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Schedule 1: Details of Processing

Subject Matter and Purpose

The provision of the OnboardingHub platform for client onboarding management, including task management, workflow automation, communications, and team collaboration.

Duration of Processing

For the term of the Controller’s subscription to the Services, plus any period necessary to delete or return Customer Data in accordance with this DPA.

Types of Personal Data

  • Contact information (names, email addresses, telephone numbers, postal addresses)
  • Professional information (job titles, company names, business details)
  • Communication records (messages, notes, correspondence)
  • Task and workflow data (assignments, progress, completion records)

Categories of Data Subjects

  • Controller’s clients and prospective clients
  • Controller’s employees and contractors

Schedule 2: Technical and Organisational Security Measures

1. Access Control

  • Role-based access control to limit access to Customer Data on a need-to-know basis
  • Multi-factor authentication (MFA) for all administrative access
  • Automatic session timeouts after periods of inactivity
  • Comprehensive access logging and monitoring

2. Encryption

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption for all data at rest

3. Infrastructure Security

  • Hosting with reputable cloud infrastructure providers
  • Network firewalls and intrusion detection systems
  • DDoS protection and mitigation

4. Operational Security

  • Regular vulnerability scanning and penetration testing
  • Documented incident response procedures
  • Employee security awareness training

5. Business Continuity

  • Regular automated backups of all Customer Data
  • Documented disaster recovery procedures
  • Infrastructure redundancy to minimise service disruption

6. Physical Security

  • Data centre physical access controls
  • Environmental controls (fire suppression, climate control)
  • 24/7 monitoring and surveillance

WLS Labs Ltd
Company Number: 15609221
Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Email: [email protected]