← Back to home

Data Processing Agreement

Last updated: March 19, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Reclaim Time Ltd ("Processor") and the subscribing organization ("Controller") for the use of the ReclaimTime service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the UK GDPR, the EU General Data Protection Regulation (EU 2016/679), and the Data Protection Act 2018.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the ReclaimTime workforce productivity platform.

The Processor shall process Personal Data solely for the purpose of providing the Service as described in the Terms of Service, and in accordance with the Controller's documented instructions.

2.1 Categories of data subjects

  • Employees and contractors of the Controller
  • Authorized administrators and account holders

2.2 Types of personal data processed

  • Names and email addresses
  • Workstation activity data (application usage, website visits, active/idle time)
  • Device identifiers and IP addresses
  • Account credentials and authentication data
  • Policy configuration and scheduling data

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Not engage another processor without prior specific or general written authorization of the Controller
  • Assist the Controller in responding to data subject access requests and in ensuring compliance with data protection obligations
  • Delete or return all Personal Data to the Controller after the end of the provision of services, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations

4. Security Measures

The Processor implements the following technical and organizational security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security assessments and vulnerability testing
  • Secure cloud infrastructure with SOC 2 compliant hosting providers
  • Automated backup and disaster recovery procedures
  • Employee security awareness training
  • Incident response and breach notification procedures

5. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.

The Processor shall ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

6. International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom or European Economic Area without appropriate safeguards in place, such as Standard Contractual Clauses approved by the relevant authority, or an adequacy decision.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach. The notification shall include:

  • The nature of the breach, including categories and approximate numbers of data subjects and records affected
  • The name and contact details of the data protection point of contact
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

8. Data Subject Rights

The Processor shall assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10. Duration and Termination

This DPA shall remain in effect for the duration of the Service agreement. Upon termination, the Processor shall, at the Controller's election, delete or return all Personal Data and delete existing copies unless applicable law requires storage of the Personal Data.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales.

12. Contact

For questions about this DPA or to request a signed copy for your records, please contact us at .

Reclaim Time Ltd, registered in England and Wales. Registered office: London, United Kingdom.