SafeTap

Data Processing Agreement

Last updated: 29 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Controller”) and SafeTap (the “Processor”) and applies where we process personal data on your behalf — for example, the staff names and photos contained in your records.

Subject matter & duration

We process personal data for as long as you hold an account, plus the retention period for records (about 24 months).

Nature & purpose

Storing and presenting daily food-safety records, sending reminders, and producing inspection exports.

Types of personal data

  • Staff names and hashed PINs.
  • Photos captured as evidence (which may contain images of people).
  • User account details (name, email).

Our obligations

  • Process personal data only on your documented instructions.
  • Ensure people authorised to process data are bound by confidentiality.
  • Apply appropriate technical and organisational security measures.
  • Assist you with data-subject requests and breach notifications.
  • Delete or return personal data at the end of the service.

Sub-processors

  • Amazon Web Services — hosting, storage and email (London, UK).
  • MongoDB Atlas — database (London, UK).
  • Stripe — payment processing.
  • Google Firebase — push notifications.

International transfers

Personal data is stored in the UK. Where a sub-processor operates outside the UK, appropriate safeguards (such as UK IDTA / SCCs) apply.

Security

We use encryption in transit, hashed passwords and PINs, private storage with short-lived signed access, role-based access control, and server-authoritative timestamps to protect record integrity.

Contact

For DPA requests, email hello@safetap.co.uk.