Data Processing Agreement
Last updated: 7 July 2026
This template reflects our current processing setup and UK GDPR practice. A signed, counter-approved version is available on request from privacy@leavo.co.uk.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer organisation (the "Controller") and Yellow Peach Ventures Ltd, trading as Leavo (the "Processor"), governing the processing of personal data on the Controller's behalf.
1. Definitions
"UK GDPR" means the UK General Data Protection Regulation and the Data Protection Act 2018. "Personal data", "processing", "controller", "processor", "data subject" and "special category data" have the meanings set out in the UK GDPR.
2. Roles and scope
The Controller determines the purpose and means of processing employee leave and sickness records. The Processor processes personal data only on documented instructions from the Controller (this DPA plus in-product configuration) for the sole purpose of providing the Leavo service.
3. Categories of data subjects and personal data
- Data subjects: the Controller's employees, contractors, admins and approvers.
- Standard personal data: name, work email, employment start date, department, working pattern, holiday entitlement, approver relationships, invitation and login records.
- Special category data (health): sickness absence dates, reasons noted by admins, uploaded fit notes and return-to-work records.
- Audit and system data: IP addresses on sign-in, request timestamps, audit-log entries of admin actions.
4. Duration
Processing continues for as long as the Controller has an active subscription (or trial), plus a retention window afterwards for legal compliance (see section 9).
5. Processor obligations
- Process personal data only on the Controller's documented instructions.
- Ensure that everyone authorised to process personal data is bound by confidentiality.
- Implement the technical and organisational measures in Annex II.
- Only engage sub-processors listed in Annex III (or notified in advance) under equivalent written terms.
- Assist the Controller with data-subject requests, DPIAs, and breach notifications.
- Notify the Controller without undue delay (and in any case within 72 hours) of becoming aware of a personal data breach affecting the Controller's data.
- On termination, delete or return all personal data within 30 days, except where retention is required by law.
6. Controller obligations
- Have a lawful basis for processing employee data through Leavo (typically Article 6(1)(b) contract and 6(1)(f) legitimate interests, with Article 9(2)(b) or (h) for sickness records).
- Provide any required privacy notices to employees.
- Configure roles, approvers and retention correctly.
- Keep credentials secure and use the least-privilege role for each user.
7. International transfers
Personal data is stored and processed within the UK/EU region. Where a sub-processor unavoidably transfers data outside the UK/EEA (for example, an error-monitoring endpoint or transactional email provider), transfers are covered by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
8. Data subject rights
Leavo provides admin self-service tooling for access, rectification, deletion, and export (Settings → Data & privacy). Where the Controller cannot fulfil a request through the product, the Processor will provide reasonable assistance at no charge.
9. Retention and deletion
Live personal data is deleted within 30 days of subscription termination or a confirmed deletion request. Records the law requires us to keep — for example, sickness records for Statutory Sick Pay purposes (HMRC minimum three years) — are retained for their statutory minimum only.
10. Audits
The Controller may request, no more than once per year, a summary of the Processor's security controls, latest penetration-test results, and an attestation of compliance with this DPA. Physical audits are by prior written agreement and at the Controller's cost.
Annex I — Processing details
- Subject matter: employee leave and sickness management.
- Nature and purpose: storing, displaying, notifying, and reporting on absence data within the Controller's organisation.
- Type of data: as listed in section 3.
- Categories of data subject: as listed in section 3.
Annex II — Security measures
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 at the storage layer).
- Multi-tenant isolation enforced by row-level security policies in the database, plus tenant-scoped API middleware.
- Least-privilege application roles; service-role access limited to server-only code paths.
- Access logging on every admin action (audit trail).
- Automated backups with encrypted storage and point-in-time recovery.
- Regression tests covering privilege-escalation paths, runnable from the admin console.
- Vendor and dependency updates monitored; supply-chain scanning on the build pipeline.
- Staff access to production data requires named accounts, MFA, and is time-limited to a specific support ticket.
Annex III — Approved sub-processors
We keep this list intentionally short. Additions are notified by email with at least 14 days' notice; you may object during that window.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (Lovable Cloud) | Managed Postgres, auth, object storage | EU (eu-west) |
| Cloudflare | Application hosting, CDN, WAF | Global edge, EU-preferred routing |
| Resend | Transactional email (invites, notifications) | EU / US (SCCs in place) |
| Stripe Payments UK Ltd | Subscription billing and invoicing | UK |
Contact
Data protection queries: privacy@leavo.co.uk. Signed DPA copies: request and we'll return within 5 working days.
