At Splash Scripts, we take data protection seriously.
This Data Processing Agreement (DPA) explains how we handle personal data when providing back-office transcription and support services for property inventory companies and freelance clerks.
Most of our clients will not need to review this unless required for compliance (e.g., GDPR/UK GDPR).
We publish it here for transparency, and a signed copy can be provided on request.
Data Processing Agreement (DPA)
Last updated: November 1, 2024
This Data Processing Agreement (“DPA”) forms part of the Service Agreement (the “Agreement”) between:
- Customer (Controller): The property inventory company or freelance clerk using Splash Scripts’ services.
- Processor: Splash Scripts, registered in India and operating from Coimbatore, Tamil Nadu (“Splash Scripts”).
Together, the “Parties.”
Purpose
This DPA sets out the terms under which Splash Scripts processes personal data on behalf of the Customer, in compliance with:
- The UK General Data Protection Regulation (UK GDPR),
- The EU General Data Protection Regulation (EU GDPR) (where applicable), and
- Applicable data protection laws in India.
Roles Of The Parties
- Customer (Controller): Determines the purposes and means of processing personal data.
- Splash Scripts (Processor): Processes data only on documented instructions from the Customer, unless required by law.
Subject Matter And Duration
- Subject matter: Processing personal data contained in materials supplied by the Customer for preparing inventory-related reports and back-office support tasks.
- Duration: For the term of the Agreement, unless otherwise instructed by the Customer. Service files are deleted or returned within 30 days of termination, unless law requires retention.
Processor Obligations
Splash Scripts shall:
- Process data only on the Customer’s instructions.
- Ensure staff with access are bound by confidentiality.
- Apply appropriate technical and organisational measures to safeguard data.
- Assist the Customer in fulfilling obligations to respond to data subject rights.
- Notify the Customer without undue delay of any personal data breach.
- Delete or return data at the end of the engagement (unless law requires retention).
Sub-Processors
- Splash Scripts may engage carefully chosen sub-processors (e.g., hosting, communications, workflow tools).
- Splash Scripts remains responsible for their performance.
- Customers will be informed of material changes and may object on reasonable grounds.
International Transfers
- Splash Scripts processes data in India.
- For UK/EU data, transfers are safeguarded using:
- EU Standard Contractual Clauses (SCCs, Module 2 – Controller → Processor), and
- The UK Addendum to the EU SCCs.
Customer Obligations
The Customer must:
- Ensure it has a valid legal basis for collecting and sharing data with Splash Scripts, and
- Not instruct Splash Scripts to process data unlawfully.
Data Subject Rights
- If a data subject contacts Splash Scripts directly, we will forward the request to the Customer.
- Splash Scripts will not respond independently except where legally required.
Security Incidents
- Splash Scripts will notify the Customer without undue delay of any breach affecting Customer personal data.
- We will cooperate to investigate and mitigate the incident.
Governing Law
- For data transfers: governed by UK/EU data protection law and applicable SCCs.
- For general business matters: governed by the laws of India, with jurisdiction in Coimbatore, Tamil Nadu.
Schedule 1 — Details of Processing
| Item | Description |
|---|---|
| Nature of processing | Transcription, typing, formatting, photo handling, quality checks, file management, secure storage and transfer. |
| Purpose | To provide back-office support services for property inventory companies and clerks. |
| Categories of data subjects | Tenants, landlords, letting/managing agents, inventory clerks, and other individuals referenced in inspection materials. |
| Categories of personal data | Names, contact details, property addresses, tenancy details, photographs, audio notes, inspection data, report content. |
| Special category data | Not intentionally required. If provided, will be processed only with Customer’s instructions and appropriate safeguards. |
| Retention | Data deleted or returned within 30 days of service termination, unless law requires retention. |
| Location of processing | India (Splash Scripts) and approved sub-processors. |
| Transfer safeguards | UK Addendum + EU SCCs (Controller to Processor). |
Schedule 2 — Security Measures
Splash Scripts applies the following technical and organisational measures:
| Category | Practices |
|---|---|
| Access Control | Role-based access; unique logins; least-privilege principle. |
| Confidentiality | Staff bound by confidentiality agreements; regular training. |
| Data Handling | Segregated client folders; encrypted transfers; secure deletion after job completion. |
| Devices & Network | Encrypted endpoints; malware protection; firewalls; regular patching. |
| Monitoring & Logging | Activity logging and internal audits. |
| Incident Response | Documented breach response; notify Customer without undue delay. |
| Backup & Recovery | Regular backups for operational continuity; secure disposal of old media. |
Schedule 3 — Sub-Processors
Splash Scripts engages the following categories of sub-processors for service delivery:
| Sub-Processor | Location | Role | Data Processed |
|---|---|---|---|
| Google Workspace (Google LLC) | EU/Global | Email, file storage | Contact details, work files as shared by Customer |
| Dropbox, Inc. (if used) | EU/US | File transfer/sharing | Work files, documents |
| Cloud hosting provider (e.g., AWS/Contabo) | EU/India | Hosting of job management tools | Uploaded reports, metadata |
| Email service provider (e.g., transactional email) | EU/Global | Sending notifications | Customer contact details |
Notes:
- Sub-processor list may change. Customers will be notified of material changes in advance.
- Splash Scripts remains responsible for sub-processors’ compliance with this DPA.