
Data Processing Schedule
Last updated: 19th April 2026
1. Types of personal data processed
1.1 Data held on the Contractor’s systems (as Data Processor):
- Client contact details (names, email addresses, phone numbers, business addresses).
- Financial records (purchase orders and invoices between the Contractor and the Business).
- System login credentials (where access is granted by the Business).
1.2 Data accessed within the Business’s systems only (not stored on the Contractor’s systems):
- Customer and supplier contact details (names, email addresses, phone numbers, addresses).
- Employee/staff contact details (names, email addresses, phone numbers – where included in email signatures).
- Business correspondence and communications.
- Financial information (sales invoices, accounting reports, bookkeeping records).
1.3 Email inbox access and management:
- Monitoring, retrieving, opening and consulting emails in named inboxes, triaging and prioritising messages, and taking actions such as filing, flagging, forwarding or deletion in line with the Business’s documented instructions and email policies.
1.4 Calendar and correspondence management:
- Drafting, sending and replying to emails on behalf of the Business using agreed templates and instructions, and managing calendar invitations and meeting requests sent via email.
2. Categories of data subject
- The Business (client organisation and key contacts).
- The Business’s customers and clients.
- The Business’s suppliers and contractors.
- The Business’s employees and staff members.
3. Scope, nature and purpose of processing
3.1 Services Provided:
- The Contractor processes personal data solely for the purpose of providing virtual assistant services to the Business, including email/diary management, bookkeeping, customer support, and general administration.
3.2 Independent Controller Status:
- The Contractor may process limited personal data relating to the Business and its officers as an independent Data Controller where necessary to comply with legal obligations, such as Anti‑Money Laundering (AML) checks, HMRC tax compliance, and ongoing monitoring.
3.3 Instruction Infringement:
- The Contractor shall immediately inform the Business if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection laws.
4. Duration of processing
4.1 Term:
- Personal data will be processed for the duration of this Agreement and thereafter as necessary to complete outstanding tasks, comply with legal obligations, or resolve disputes.
4.2 Retention and Disposal:
- The Contractor will retain the Business’s contact details and financial records for a period of 7 years following termination (for HMRC compliance). At the choice of the Business, all other personal data will be securely deleted or returned to the Business within 30 days of termination, unless UK law requires further storage.
5. Technical and organisational measures
5.1 Access control:
- Password-protected devices and systems with unique user credentials.
- Google Workspace Password Manager secured by mandatory Multi-Factor Authentication (2FA).
- Access to the Business’s systems only via authorised login credentials provided by the Business.
5.2 Data storage and transfer safeguards:
- Full-disk encryption (e.g. BitLocker) on all primary devices.
- Any files downloaded from the Business’s systems are stored in a dedicated folder with restricted access and deleted immediately after use.
- International Transfers: The Contractor shall not transfer personal data outside the UK or EEA unless the transfer is subject to "appropriate safeguards" as defined in the UK GDPR. Where sub-processors process data globally, the Contractor ensures these transfers are protected by UK Adequacy Regulations or the UK Addendum to the Standard Contractual Clauses (SCCs).
5.3 Data minimisation:
- Data accessed within the Business’s systems remains in those systems wherever possible.
- Time tracking tools (Clockify) are configured to avoid the use of identifiable personal data, using project codes or anonymised task descriptions.
5.4 Incident response:
- Any suspected personal data breach will be reported to the Business without undue delay and, wherever possible, within 24 hours of the Contractor becoming aware of it.
6. Sub-processors and Personnel
6.1 Authorisation:
- The Contractor may engage sub-processors (see Annex A). The Contractor shall inform the Business of any intended changes concerning the addition or replacement of sub-processors, giving the Business the opportunity to object.
6.2 Liability:
- The Contractor remains fully liable to the Business for the performance of the sub-processor’s obligations. This is a business-to-business arrangement.
7. Assistance and Audit
7.1 Detailed Data Subject Rights:
- The Contractor shall assist the Business by appropriate technical and organisational measures for the fulfilment of the Business’s obligation to respond to requests for exercising data subject rights, including:
  - Right of Access (SARs): Providing copies of personal data held.
  - Right to Erasure: Deleting data where it is no longer necessary.
  - Right to Rectification: Correcting inaccurate personal data.
  - Right to Restriction & Objection: Halting processing upon valid request.
7.2 Compliance & DPIA Assistance:
- The Contractor shall further assist the Business in ensuring compliance with obligations regarding security of processing, breach notification, and providing necessary information for Data Protection Impact Assessments (DPIAs).
Annex A: Approved Sub-processors
CAKE.com (Clockify):
Service provided - Time recording & reporting
Data Location - Global (AWS)
Safeguards - Standard Contractual Clauses (SCCs)
Google Cloud:
Service provided - Email & Password Management
Data Location - Global
Safeguards - UK Addendum / SCCs
Note: Where the Contractor is provided with a login to the Business’s own infrastructure (e.g., a @business.co.uk email), the providers of those systems are sub-processors of the Business, not the Contractor.
Updates to this policy
We review and update this policy at least annually, or sooner if our practices or legal requirements change. The most recent version will always be published on our website.