Version: 1.0
Last updated: 03/06/26
Provider: Stow Quill Ltd trading as House Desk
Company number: 15671718
Registered office: 47 Jerounds, Harlow, Essex, CM19 4HE
Email: support@bopple.co.uk
This Data Processing Agreement applies where House Desk processes personal data on behalf of your business as processor under UK GDPR Article 28.
House Desk Data Processing Agreement
This Data Processing Agreement forms part of the agreement between House Desk and the Customer.
It applies where House Desk processes personal data on behalf of the Customer in connection with the House Desk platform and services.
1. Parties
This Data Processing Agreement is between:
Processor: Stow Quill Ltd trading as House Desk Company number: 15671718 Registered office: 47 Jerounds, Harlow, Essex, CM19 4HE Email: privacy@bopple.co.uk
and
Controller: The business, company, pub, venue, organisation or other customer that creates or uses a House Desk account.
The Controller may also be referred to as the Customer, you or your.
House Desk may also be referred to as we, us or our.
2. Purpose of this DPA
This DPA explains how House Desk will process personal data on behalf of the Customer.
It is intended to meet the requirements of Article 28 of the UK GDPR.
This DPA applies where the Customer uses House Desk to process personal data relating to staff, workers, contractors, managers, administrators, users or other individuals.
3. Relationship between the parties
For most workplace data processed through House Desk:
- the Customer is the controller;
- House Desk is the processor;
- and House Desk processes personal data only on behalf of the Customer and in accordance with the Customer's documented instructions.
The Customer is responsible for deciding:
- what personal data is collected;
- why it is collected;
- how it is used;
- which users can access it;
- how long it is retained;
- what lawful basis applies;
- what privacy information is provided to individuals;
- and how to respond to data subject rights requests.
House Desk is responsible for processing the personal data in accordance with this DPA, the Customer Terms, the Customer's documented instructions and applicable data protection law.
4. Definitions
In this DPA:
Applicable Data Protection Laws means all applicable data protection and privacy laws, including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations where applicable.
Controller, processor, personal data, personal data breach, processing, data subject and special category data have the meanings given to them in Applicable Data Protection Laws.
Customer Data means personal data processed by House Desk on behalf of the Customer through the House Desk platform.
Services means the House Desk platform, app, website, dashboard, hosting, support, maintenance and related services provided to the Customer.
Subprocessor means another processor engaged by House Desk to help provide the Services.
5. Scope of processing
The processing covered by this DPA is described in Schedule 1: Processing Details.
In summary, House Desk may process personal data to provide workplace management software, including:
- rota planning;
- shift management;
- clock-in and clock-out;
- timesheets;
- holiday and availability management;
- shift swaps;
- staff records;
- training records;
- staff documents;
- policy acknowledgements;
- messages and updates;
- task management;
- opening and closing checks;
- temperature logs;
- incident and accident records;
- payroll exports;
- reporting;
- audit logs;
- support;
- security;
- and platform administration.
6. Customer instructions
The Customer instructs House Desk to process Customer Data as necessary to:
- provide the Services;
- host and store Customer Data;
- allow authorised users to access and use the platform;
- provide support;
- maintain, secure and improve the Services;
- perform backups and disaster recovery;
- manage integrations enabled by the Customer;
- investigate errors, security issues and misuse;
- comply with the Customer Terms;
- and comply with applicable law.
House Desk must not process Customer Data for any other purpose unless:
- the Customer gives further documented instructions;
- the processing is required by law;
- or the processing is otherwise permitted under this DPA.
If House Desk believes an instruction breaches Applicable Data Protection Laws, House Desk will inform the Customer unless prohibited by law.
7. Customer responsibilities
The Customer confirms that it is responsible for:
- complying with Applicable Data Protection Laws;
- having a lawful basis for processing Customer Data;
- providing privacy information to staff and other individuals;
- ensuring Customer Data is accurate, relevant and not excessive;
- deciding and applying retention periods;
- setting appropriate user permissions;
- removing access when users leave or no longer need access;
- responding to data subject rights requests;
- ensuring its use of clock-in, attendance, location, monitoring, messaging, incident and document features is lawful and proportionate;
- ensuring special category data is processed only where lawful;
- and ensuring that its instructions to House Desk are lawful.
The Customer must not use House Desk to process personal data in a way that would breach Applicable Data Protection Laws.
8. House Desk responsibilities
House Desk will:
- process Customer Data only on documented instructions from the Customer;
- ensure that people authorised to process Customer Data are subject to confidentiality obligations;
- use appropriate technical and organisational measures to protect Customer Data;
- assist the Customer with data subject rights requests where reasonably possible;
- assist the Customer with security, breach and data protection impact assessment obligations where reasonably possible;
- use subprocessors only in accordance with this DPA;
- delete or return Customer Data at the end of the Services in accordance with this DPA;
- make available information reasonably necessary to demonstrate compliance with this DPA;
- and notify the Customer if House Desk becomes aware of a personal data breach affecting Customer Data.
9. Confidentiality
House Desk will ensure that anyone it authorises to process Customer Data is subject to a duty of confidentiality.
This may include employees, contractors, support staff, developers, administrators and subprocessors.
House Desk will restrict access to Customer Data to those who need access to provide, support, secure or maintain the Services.
10. Security measures
House Desk will implement appropriate technical and organisational measures designed to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The measures may include, where appropriate:
- access controls;
- user authentication;
- role-based permissions;
- encryption in transit;
- encryption at rest where supported;
- secure hosting;
- firewalls and network protections;
- backups;
- audit logs;
- monitoring;
- secure development practices;
- staff confidentiality obligations;
- least-privilege access;
- incident response procedures;
- and regular review of security controls.
The Customer acknowledges that no system can be completely secure and that the Customer is also responsible for appropriate use of the platform, including user permissions, device security, password security and account administration.
11. Subprocessors
The Customer gives House Desk general written authorisation to appoint subprocessors to help provide the Services.
Subprocessors may include providers of:
- cloud hosting;
- database hosting;
- file storage;
- email delivery;
- SMS or push notifications;
- payment processing;
- analytics;
- error monitoring;
- customer support;
- security tools;
- backups;
- and other technical or operational services.
House Desk will ensure that subprocessors are subject to written terms that impose data protection obligations no less protective than those in this DPA, as required by Applicable Data Protection Laws.
House Desk remains responsible to the Customer for the performance of its subprocessors' data protection obligations.
The current list of key subprocessors is published at: https://housedesk.co.uk/privacy/subprocessors
House Desk may update the subprocessor list from time to time. Where required, House Desk will give the Customer notice of new subprocessors and a reasonable opportunity to object on legitimate data protection grounds.
If the Customer reasonably objects to a new subprocessor, the parties will work together in good faith to resolve the objection. If the objection cannot be resolved, the Customer may stop using the affected Services or terminate the relevant subscription in accordance with the Customer Terms.
12. International transfers
House Desk will not transfer Customer Data outside the United Kingdom unless appropriate safeguards are in place where required by Applicable Data Protection Laws.
Such safeguards may include:
- UK adequacy regulations;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses;
- standard contractual clauses;
- or another lawful transfer mechanism.
Where Customer Data is transferred internationally by a subprocessor, House Desk will ensure appropriate transfer safeguards are used where required.
13. Data subject rights requests
If House Desk receives a request directly from a data subject relating to Customer Data, House Desk will not respond substantively unless authorised by the Customer or required by law.
Instead, House Desk will, where reasonably possible:
- log the request;
- notify or refer the request to the Customer;
- tell the requester that the Customer is usually responsible for workplace data;
- and assist the Customer in responding to the request.
The Customer is responsible for responding to data subject rights requests relating to Customer Data.
House Desk will provide reasonable technical assistance to the Customer, where possible, to help the Customer respond to requests for:
- access;
- rectification;
- erasure;
- restriction;
- objection;
- data portability;
- and information about automated decision-making.
House Desk may charge reasonable fees for assistance where the request is complex, excessive, repetitive or outside normal support.
14. Personal data breaches
House Desk will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.
The notification will include, where available:
- a description of the breach;
- the categories and approximate number of data subjects affected;
- the categories and approximate number of records affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach;
- and any steps recommended to reduce risk.
House Desk may provide information in stages if full details are not immediately available.
The Customer is responsible for deciding whether to notify the ICO, data subjects or any other person, unless Applicable Data Protection Laws require House Desk to do so.
House Desk will provide reasonable assistance to the Customer in relation to breach investigation and notification obligations.
15. Data protection impact assessments and consultations
Where reasonably requested by the Customer, House Desk will provide reasonable assistance with data protection impact assessments and consultations with supervisory authorities, where the request relates to processing carried out by House Desk as processor.
This assistance may include providing information about:
- the platform;
- security measures;
- subprocessors;
- processing activities;
- data locations;
- and available technical controls.
House Desk is not responsible for carrying out the Customer's data protection impact assessments or legal assessments.
16. Audits and compliance information
House Desk will make available information reasonably necessary to demonstrate compliance with this DPA.
This may include:
- security summaries;
- subprocessor information;
- data processing descriptions;
- technical and organisational measures;
- policy summaries;
- certification information where available;
- and responses to reasonable security or compliance questionnaires.
The Customer may request an audit where required under Applicable Data Protection Laws.
Any audit must be:
- limited to processing under this DPA;
- reasonable in scope;
- subject to confidentiality;
- carried out during normal business hours;
- conducted with reasonable notice;
- designed to avoid disruption to House Desk's business and other customers;
- and conducted no more than once per year unless there has been a personal data breach or a regulator requires it.
House Desk may refuse access to systems, information or premises where this would compromise security, confidentiality, other customers' data, trade secrets or legal obligations.
House Desk may charge reasonable fees for audit assistance where permitted by law.
17. Deletion or return of Customer Data
At the end of the Services, House Desk will delete or return Customer Data in accordance with the Customer's instructions, the Customer Terms and Applicable Data Protection Laws.
Unless otherwise agreed:
- the Customer is responsible for exporting Customer Data before closing its account;
- House Desk may delete Customer Data from active systems after account closure or termination;
- Customer Data may remain in backups until overwritten or deleted in accordance with normal backup cycles;
- and House Desk may retain limited data where required for legal, accounting, security, fraud prevention, dispute resolution or regulatory purposes.
If the Customer requests deletion of Customer Data during the Subscription Term, House Desk will provide reasonable technical assistance where possible.
House Desk is not required to delete data that it is legally required or permitted to retain.
Our Data Retention Policy (https://housedesk.co.uk/data-retention) describes typical retention periods for Customer Data in active accounts, after deletion, after account closure, and in backups.
18. Special category data
House Desk is not designed to routinely process special category data.
However, the Customer may choose to enter special category data into House Desk, for example in absence records, incident reports, accident reports, health and safety records, messages, documents or notes.
The Customer is responsible for ensuring that any special category data entered into House Desk is processed lawfully and that an appropriate Article 9 condition and any additional legal requirements are satisfied.
The Customer should avoid entering unnecessary special category data into House Desk.
House Desk will apply the same general security and processing obligations to special category data processed through the platform.
19. Criminal offence data
House Desk is not designed to routinely process criminal offence data.
The Customer must not enter criminal offence data into House Desk unless it has a lawful basis and appropriate legal authority to do so.
Where the Customer enters criminal offence data, the Customer remains responsible for ensuring that the processing complies with Applicable Data Protection Laws.
20. Customer admin access and permissions
The Customer is responsible for configuring and managing user access within House Desk.
This includes:
- inviting users;
- assigning roles;
- setting permissions;
- limiting manager/admin access;
- removing former staff;
- reviewing access regularly;
- and ensuring users only access data they are authorised to view.
House Desk is not responsible for unauthorised access caused by the Customer's failure to manage users, passwords, permissions or devices properly.
21. Support access
House Desk staff may access Customer Data where necessary to:
- provide support;
- investigate issues;
- fix bugs;
- maintain the platform;
- protect security;
- respond to incidents;
- or comply with the Customer's instructions.
Support access will be limited to authorised personnel and should be used only where required for legitimate support, security or operational purposes.
22. Aggregated and anonymised data
House Desk may use aggregated or anonymised information for analytics, service improvement, benchmarking, reporting and product development.
House Desk will not use Customer Data for these purposes in a way that identifies individual staff users or the Customer unless permitted by the Customer or allowed by law.
Anonymised data is not personal data where individuals are no longer identifiable.
23. Liability
The parties' liability under this DPA is subject to the liability terms in the Customer Terms or other agreement between House Desk and the Customer.
Nothing in this DPA excludes or limits liability where it cannot lawfully be excluded or limited.
24. Conflict
If there is a conflict between this DPA and the Customer Terms, this DPA will take priority in relation to the processing of Customer Data.
The Customer Terms will continue to apply to all other matters.
25. Changes to this DPA
House Desk may update this DPA from time to time.
Where changes are material, House Desk will take reasonable steps to notify the Customer.
Continued use of the Services after the updated DPA takes effect will be treated as acceptance of the updated DPA.
If the Customer does not agree to an updated DPA, the Customer may stop using the Services and terminate the subscription in accordance with the Customer Terms.
26. Governing law
This DPA is governed by the laws of England and Wales.
The courts of England and Wales will have exclusive jurisdiction, unless Applicable Data Protection Laws require otherwise.
Schedule 1: Processing Details
1. Subject matter of processing
The subject matter of the processing is the provision of House Desk, a workplace management platform used to manage staff and operational information.
This includes processing personal data for rota management, clock-in and clock-out, timesheets, holidays, availability, documents, training, tasks, workplace communications, incident records, payroll exports, reporting, support, security and account administration.
2. Duration of processing
House Desk will process Customer Data for the duration of the Customer's subscription or use of the Services.
After the Services end, House Desk will process Customer Data only as needed to:
- allow export or deletion;
- comply with legal obligations;
- maintain backups until overwritten;
- resolve disputes;
- protect security;
- or comply with this DPA and the Customer Terms.
See our Data Retention Policy (https://housedesk.co.uk/data-retention) for typical timeframes.
3. Nature and purpose of processing
The nature of processing may include:
- collection;
- recording;
- organisation;
- structuring;
- storage;
- hosting;
- retrieval;
- consultation;
- use;
- transmission;
- disclosure to authorised users;
- restriction;
- export;
- backup;
- deletion;
- and destruction.
The purpose of processing is to provide House Desk and related services to the Customer.
4. Categories of data subjects
Data subjects may include:
- employees;
- workers;
- contractors;
- casual staff;
- agency staff;
- managers;
- supervisors;
- customer account owners;
- customer administrators;
- venue users;
- former staff users;
- job applicants where entered by the Customer;
- and other individuals whose data is entered into House Desk by the Customer.
5. Categories of personal data
Personal data may include:
- name;
- email address;
- phone number;
- user ID;
- profile photo;
- role or job title;
- workplace or venue;
- employment status;
- rota records;
- shift records;
- clock-in and clock-out records;
- timesheets;
- break records;
- holiday requests;
- availability records;
- shift swap records;
- training records;
- document acknowledgements;
- uploaded documents;
- messages and comments;
- task records;
- opening and closing checklist records;
- temperature logs;
- incident and accident records;
- manager notes;
- payroll export information;
- audit logs;
- IP addresses;
- device information;
- login records;
- location data where enabled;
- photo verification data where enabled;
- support messages;
- and technical logs.
6. Special category data
Special category data is not routinely required by House Desk.
However, the Customer may enter special category data into the platform, including information relating to:
- health;
- sickness;
- accidents;
- incidents;
- reasonable adjustments;
- disability;
- pregnancy or maternity;
- religion or belief where relevant to availability or scheduling;
- trade union information where entered by the Customer;
- or other sensitive information included in documents, messages or reports.
The Customer is responsible for ensuring such processing is lawful.
7. Criminal offence data
Criminal offence data is not routinely required by House Desk.
The Customer may only enter criminal offence data where it has a lawful basis and appropriate legal authority.
8. Processing operations
Processing operations may include:
- creating user accounts;
- assigning roles and permissions;
- displaying rota and shift information;
- recording attendance;
- recording time and date stamps;
- calculating timesheet totals;
- exporting payroll-related data;
- recording holiday and availability requests;
- storing documents;
- recording acknowledgements;
- sending notifications;
- recording messages and comments;
- storing task and checklist responses;
- generating reports;
- logging user activity;
- providing support;
- troubleshooting errors;
- backing up data;
- securing the platform;
- and deleting or exporting data.
Schedule 2: Technical and Organisational Measures
House Desk will maintain appropriate technical and organisational measures, which may include:
1. Access control
- unique user accounts;
- role-based permissions;
- admin and manager permission controls;
- least-privilege access for House Desk staff where practical;
- access removal processes;
- and authentication controls.
2. Data security
- encryption in transit;
- encryption at rest where supported;
- secure hosting environments;
- firewalls or equivalent protections;
- secure configuration management;
- and protection against unauthorised access.
3. Logging and monitoring
- login logs;
- audit logs where available;
- security monitoring;
- error monitoring;
- and investigation of suspicious activity.
4. Backup and recovery
- regular backups;
- backup access controls;
- disaster recovery processes;
- and restoration testing where appropriate.
5. Staff controls
- confidentiality obligations;
- limited access to customer data;
- staff awareness of data protection responsibilities;
- and internal escalation procedures.
6. Development and maintenance
- secure development practices;
- testing before deployment where appropriate;
- bug fixing;
- change control;
- and vulnerability review.
7. Incident response
- internal breach escalation process;
- investigation of suspected incidents;
- customer notification where required;
- and records of incidents and response actions.
8. Subprocessor management
- review of key subprocessors;
- written agreements with subprocessors;
- subprocessor access limited to what is required;
- and maintenance of a subprocessor list.
Schedule 3: Customer Instructions
The Customer instructs House Desk to process Customer Data for the following purposes:
- to create and manage the Customer's House Desk account;
- to create and manage user accounts;
- to provide rota, scheduling and shift management features;
- to provide clock-in and clock-out features;
- to provide timesheet and payroll export features;
- to provide holiday, availability and shift swap features;
- to provide staff document, training and acknowledgement features;
- to provide messaging, updates and notification features;
- to provide task, checklist and operational record features;
- to provide incident and accident record features where enabled;
- to provide reporting and audit features;
- to provide support and troubleshooting;
- to maintain and secure the platform;
- to create backups;
- to use subprocessors as permitted by this DPA;
- to delete or return data at the end of the Services;
- and to comply with applicable law.
Any additional instructions must be agreed in writing or configured by the Customer through the platform.