Data Processing Agreement
This Data Processing Agreement (“DPA”) is between Fair Tip Ltd (the “Processor”) and the venue using FairTIP (the “Controller”). It forms part of the Terms & Conditions. The Owner accepts this DPA by using the Service on behalf of the venue.
This DPA sets out how Fair Tip Ltd processes personal data on behalf of the venue in accordance with Article 28 of the UK GDPR.
1. Definitions
Capitalised terms (Controller, Processor, Personal Data, Processing, Data Subject, Supervisory Authority, Sub-processor, etc.) have the meanings given in the UK GDPR. “Worker Personal Data” means Personal Data of the venue’s workers, troncmaster, and accountant that the venue provides to Fair Tip Ltd through the Service.
2. Roles and scope
The venue is the Controller of Worker Personal Data. Fair Tip Ltd is the Processor, processing Worker Personal Data on the venue’s documented instructions, which are the act of using the Service in accordance with the Terms.
Fair Tip Ltd is a separate Controller for:
- Account-level data of the Owner (i.e. the person who signed up to operate the venue).
- Aggregate, anonymised analytics about Service usage.
- Information needed to invoice the venue and run our business.
3. Subject matter, nature, purpose, and duration
Subject matter: the provision of the FairTIP tronc-management service to the venue.
Nature and purpose of processing: hosting Worker Personal Data; making it available to authorised users of the venue (workers, troncmaster, accountant) in line with the role model and access controls described in the Service; generating the tipping policy, allocation records, and audit trail; sending transactional emails (invites, sign-off notifications, etc.).
Duration: while the venue is active on FairTIP, plus any post-termination retention required to meet the Controller’s own statutory duties (notably the three-year minimum record retention under the Employment (Allocation of Tips) Act 2023 §27I, where applicable).
4. Types of personal data and categories of data subject
4.1 Categories of data subject
- The venue’s troncmasters
- The venue’s workers
- The venue’s accountants
4.2 Types of personal data
- Contact data: email address, first name, last name.
- Identification data: National Insurance number (workers and troncmasters only).
- Employment-related data: role, hourly weight, hours worked per allocation period, share of each signed period, sign-off audit data.
- Technical data: authentication tokens, IP addresses (in server logs), request timestamps.
5. Processor obligations
Fair Tip Ltd will:
- Process Worker Personal Data only on the Controller’s documented instructions, unless required to do otherwise by UK law (in which case we’ll inform the Controller unless the law forbids it).
- Ensure people authorised to process Worker Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures to protect Worker Personal Data (see Annex 1).
- Respect the conditions on engaging Sub-processors set out in section 6.
- Assist the Controller, by appropriate technical and organisational measures, with responding to Data Subject rights requests.
- Assist the Controller with security obligations, breach notification, DPIAs, and consultations with the relevant supervisory authority (typically the Information Commissioner’s Office for UK venues), taking into account the nature of the processing and the information available to us.
- At the Controller’s choice, delete or return Worker Personal Data at the end of the provision of services, subject to UK law requiring further storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow reasonable audits as set out in section 9.
6. Sub-processors
The Controller authorises Fair Tip Ltd to use Sub-processors to provide the Service. Our current list:
- Supabase: managed PostgreSQL, authentication, and transactional email. Region: United Kingdom. Purpose: storing and serving Worker Personal Data. Supabase routes outgoing emails via Mailgun under its own sub-processor arrangement.
- Vercel: application hosting and aggregate analytics. Region: United Kingdom. Purpose: serving the FairTIP application.
We’ll impose data-protection obligations on every Sub-processor that are no less protective than the obligations in this DPA.
We’ll publish at least 30 days’ notice on this page before adding or replacing a Sub-processor, and we’ll email the venue’s Owner for whom we have a current email address. The Controller may object to the change within that period; if we can’t accommodate the objection, the Controller may terminate the Service without penalty.
7. International transfers
Our Sub-processors host data in the United Kingdom. As a result, no routine cross-border transfer of Worker Personal Data takes place.
If a future change required us to transfer Worker Personal Data outside the UK, we’d rely on a safeguard approved under UK GDPR (typically the UK International Data Transfer Addendum, the EU Standard Contractual Clauses (Module Two, Controller-to-Processor), or an adequacy decision), and we’d update this DPA before relying on the new arrangement.
8. Personal data breach
Fair Tip Ltd will notify the Controller promptly on becoming aware of a Personal Data Breach affecting Worker Personal Data, and in any event in time for the Controller to comply with its own notification duty under UK GDPR Art. 33 (within 72 hours of awareness, where the breach meets the legal threshold).
The notification will include, to the extent we have the information, the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures we’ve taken or propose to take in response.
9. Audit rights
Fair Tip Ltd will, on reasonable written notice and not more than once in any 12-month period (except where required by law or following a Personal Data Breach), allow the Controller (or an auditor mandated by the Controller and agreed by both parties) to audit our compliance with this DPA. Audits will be conducted during business hours, in a way that doesn’t unreasonably disrupt our operations, and subject to confidentiality undertakings.
In practice, we expect to satisfy most audit requests by providing relevant policies, sub-processor agreements, and independent third-party reports (such as Supabase’s SOC 2 report) without an on-site audit.
Audit costs. The Controller bears its own costs of any audit, unless the audit identifies a material breach of this DPA by Fair Tip Ltd, in which case Fair Tip Ltd bears the reasonable costs of the audit.
10. Return or deletion of data
On termination of the Service, the Controller may request that we return Worker Personal Data (in CSV or JSON format, whichever the Service supports at the time of the request) or delete it. The Controller has 30 days from the termination date to request and complete the data export, consistent with the export window in section 13 of the Terms & Conditions.
Unless the Controller instructs otherwise, we’ll delete Worker Personal Data 30 days after termination. Records required to be retained by law (notably allocation records under the Tipping Act 2023 §27I, three years) will be retained for the period required and then deleted.
11. Liability
Each party’s liability under this DPA is subject to the liability caps in the Terms & Conditions, except where those caps are excluded by law.
12. Order of precedence
Where there is a conflict between this DPA and the Terms & Conditions, this DPA prevails on matters of data protection.
13. Governing law
This DPA is governed by the law of Scotland and is subject to the jurisdiction provisions of the Terms.
14. Contact
Processor: Fair Tip Ltd, registered in Scotland under company number SC892153. Registered office on file with Companies House.
Privacy enquiries: privacy@fairtip.org.
Annex 1: Technical and organisational measures
Fair Tip Ltd implements the following technical and organisational security measures. The same set is summarised in the public-facing Privacy Policy; any substantive change to one is reflected in the other.
- Encryption in transit: all client-server traffic uses TLS 1.2 or higher.
- Encryption at rest: database storage is encrypted at rest by our hosting provider (Supabase).
- Row-level security: the database enforces access control at the row level, so every query is automatically scoped to what the requesting user is authorised to see.
- Magic-link authentication: sign-in uses short-lived links sent to the user’s email; we don’t store passwords.
- Least-privilege model: each role on each venue (owner, troncmaster, accountant, worker) sees only what it strictly needs.
- Audit logging: sign-offs, policy publications, and other write operations are logged with author + timestamp + a snapshot of the structural facts at the time.
- Backups: daily managed backups via Supabase.
- Personnel access control: production system access is limited to authorised Fair Tip Ltd personnel under confidentiality undertakings.
- Incident response: documented procedures for detecting, containing, and notifying breaches.