This Data Processing Agreement (DPA) forms part of the agreement between the Customer and Joshua Roberts trading as HomeOrbit for the provision of the HomeOrbit services.
1. Parties
1.1 Processor
Joshua Roberts trading as HomeOrbit
Apartment 414, 35 Greenland Street, Liverpool, L1 0AD, United Kingdom
support@homeorbit.co.uk
1.2 Controller
The Customer organisation using the HomeOrbit platform and determining the purposes and means of the processing of Customer Personal Data.
2. Interpretation
In this DPA:
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, Special Category Data, and Supervisory Authority have the meanings given in applicable Data Protection Law.
- Customer Personal Data means Personal Data processed by HomeOrbit on behalf of the Customer in connection with the Services.
- Data Protection Law means all laws applicable to the processing of Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, PECR where relevant, and any legislation replacing or amending them.
3. Roles of the parties
The parties acknowledge and agree that:
- the Customer is the Controller of Customer Personal Data; and
- HomeOrbit is the Processor of Customer Personal Data,
except to the extent that HomeOrbit acts as an independent controller for its own business administration, security, legal compliance, billing, support records, or website/enquiry data.
4. Customer instructions
HomeOrbit will process Customer Personal Data:
- only on the Customer's documented instructions;
- as necessary to provide the Services under the agreement;
- as necessary to comply with applicable law; or
- as otherwise agreed in writing.
The agreement, platform configuration, authorised user actions, and this DPA together form the Customer's documented instructions unless and until varied in writing.
If HomeOrbit believes an instruction infringes Data Protection Law, HomeOrbit may inform the Customer and may suspend the affected processing until the issue is resolved.
5. Confidentiality
HomeOrbit will ensure that persons authorised to process Customer Personal Data are subject to an appropriate duty of confidentiality.
6. Security of processing
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to individuals, HomeOrbit will implement appropriate technical and organisational measures to protect Customer Personal Data.
Those measures are described at a high level in the Security Schedule to this legal pack and may be updated from time to time provided that the overall level of protection is not materially reduced.
7. Subprocessors
The Customer grants HomeOrbit general authorisation to engage subprocessors in connection with the Services.
HomeOrbit will:
- maintain information about its current material subprocessors;
- impose data protection obligations on subprocessors that are substantially similar to those imposed on HomeOrbit under this DPA, to the extent applicable to the services they perform; and
- remain responsible for the performance of its subprocessors' data protection obligations to the extent required by law.
A current subprocessor schedule is included in this legal pack.
8. International transfers
HomeOrbit will not transfer Customer Personal Data internationally except as permitted by Data Protection Law and only where an appropriate safeguard or lawful transfer mechanism is in place where required.
9. Assistance to the Customer
Taking into account the nature of the processing and the information available to HomeOrbit, HomeOrbit will provide reasonable assistance to the Customer with:
- data subject rights requests;
- security obligations;
- personal data breach notifications;
- data protection impact assessments; and
- consultations with supervisory authorities,
to the extent required by Data Protection Law and reasonably within HomeOrbit's control.
Where the request results from the Customer's own configuration, conduct, or legal obligations, HomeOrbit may charge reasonable costs if the agreement allows this or if agreed in writing in advance.
10. Personal data breaches
If HomeOrbit becomes aware of a confirmed Personal Data Breach affecting Customer Personal Data, HomeOrbit will notify the Customer without undue delay after becoming aware of it.
That notification will, where reasonably possible, include:
- the nature of the breach;
- the categories of data concerned;
- the likely consequences;
- measures taken or proposed; and
- a contact point for further information.
HomeOrbit may provide information in phases if full details are not available immediately.
11. Return or deletion of data
On termination or expiry of the Services, HomeOrbit will, at the Customer's choice and subject to the agreement, either return or delete Customer Personal Data after the applicable export period, unless applicable law requires storage.
The Customer acknowledges that deletion from backups and disaster recovery systems may not be instantaneous and residual copies may remain until overwritten in the ordinary backup cycle, provided they remain protected and inaccessible in the ordinary course.
12. Information and audits
HomeOrbit will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.
Where reasonably required and proportionate, the Customer may request an audit or inspection relating to HomeOrbit's processing of Customer Personal Data, subject to:
- reasonable prior written notice;
- confidentiality obligations;
- reasonable scope and frequency limits;
- protection of other customers' information and platform security;
- avoidance of disruption; and
- use of independent auditors where requested by HomeOrbit.
HomeOrbit may satisfy audit requests through documentation, certifications, summaries, completed questionnaires, or virtual review before any on-site or intrusive audit is considered.
13. Customer obligations
The Customer warrants and undertakes that it:
- has complied and will comply with Data Protection Law in relation to Customer Personal Data and its use of the Services;
- has all necessary lawful bases, notices, permissions, policies, and internal authority for the processing it instructs HomeOrbit to carry out;
- will not instruct HomeOrbit to process Personal Data unlawfully;
- is responsible for the accuracy, quality, and lawfulness of Customer Personal Data and the means by which it acquired it; and
- will respond to data subject requests and regulatory correspondence as controller unless otherwise agreed.
14. Liability
Liability under this DPA is subject to the liability provisions in the main agreement unless Data Protection Law requires otherwise.
15. Order of precedence
If there is a conflict between this DPA and the main agreement in relation to data protection matters, this DPA will prevail to the extent of the conflict.
16. Governing law
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, unless mandatory law requires otherwise.
---
# Schedule 1 - Subject matter, duration, nature and purpose
A. Subject matter
The processing of Customer Personal Data through the HomeOrbit platform and related support, maintenance, hosting, storage, security, and communications services.
B. Duration
For the duration of the Customer's use of the Services, plus any limited post-termination period required for export, deletion, legal compliance, security, dispute resolution, or backup integrity.
C. Nature of processing
Collection, recording, organisation, structuring, storage, hosting, viewing, retrieval, consultation, use, disclosure by transmission where instructed, restriction, erasure, and destruction.
D. Purpose
To provide, secure, host, maintain, support, and improve the Services for the Customer, and to process Customer Personal Data strictly on the Customer's behalf in connection with the Customer's use of the platform.
# Schedule 2 - Categories of data subjects
Depending on the Customer's use of the Services, data subjects may include:
- employees and workers;
- agency, bank, or relief staff;
- contractors and consultants;
- managers and administrators;
- applicants where records are uploaded;
- young people or service users;
- family contacts or related individuals where the Customer uploads such information;
- payroll contacts;
- training providers or external professionals named in records; and
- other individuals whose data the Customer chooses to upload lawfully.
# Schedule 3 - Categories of personal data
Depending on the modules and workflows used, Customer Personal Data may include:
- name, role, job title, identifiers, and contact details;
- rota, attendance, working time, and shift records;
- training records, qualifications, certificates, and reminders;
- policies, acknowledgements, forms, notes, and workflow entries;
- payroll-related and payslip information;
- HR and personnel records;
- right to work information;
- DBS-related records and other criminal offence data uploaded by the Customer;
- signatures;
- young person records;
- medication-related information;
- receipts, budgets, and supporting documents;
- uploaded files, images, PDFs, and attachments;
- account assignment and permission data; and
- audit trail information.
# Schedule 4 - Special category and criminal offence data
The Customer may choose to upload special category data and criminal offence data, including health-related information, medication-related information, safeguarding information, and DBS-related records. The Customer is responsible for ensuring an appropriate lawful basis and condition applies to such processing.
# Schedule 5 - Technical and organisational measures summary
HomeOrbit applies measures designed to include, where relevant and appropriate:
- role-based access control and scoped permissions;
- authenticated access controls;
- encryption in transit;
- managed cloud hosting and managed database/storage services;
- activity logging and audit features in relevant parts of the platform;
- secret and credential management through managed deployment tooling;
- issue and error monitoring;
- patching and code updates through a controlled source management and deployment process;
- signed URLs or scoped file access for private stored content where implemented;
- reasonable restriction of administrative access; and
- incident investigation and remediation processes.
This schedule describes measures at a summary level and does not require disclosure of information that would weaken security.
