Article 28 UK GDPR / EU GDPR agreement between the Client Organisation (Data Controller) and The BI Method Ltd (Data Processor). Required before any employee assessment data is processed on the Platform.
Last Updated: April 2026 — v1.0
Why This Document Exists — Article 28 GDPR
Under Article 28 of the UK GDPR and EU GDPR, when a business (the Data Controller) uses a third-party service to process personal data on its behalf, it must have a written contract with that third party (the Data Processor). Without this agreement, both parties are in breach of GDPR. This DPA is that contract between your organisation and BIP.
Section 01
This Data Processing Agreement ("DPA") is entered into between:
The Data Controller
[CLIENT ORGANISATION NAME] — the company, organisation, or individual that has subscribed to the Behaviour Intelligence Platform and is responsible for the lawful basis of processing its employees' and team members' data ("Controller," "you").
This field is completed with your organisation's legal name at the point of subscription acceptance. By using the Platform, you are deemed to have accepted this DPA with your organisation's details inserted.
The Data Processor
The BI Method Ltd, incorporated in England and Wales ("Processor," "BIP," "we").
The Controller has subscribed to The BI Method platform, which involves the Processor processing personal data of the Controller's employees, contractors, or team members ("Participants") on behalf of the Controller. This DPA governs the Processor's processing of personal data and supplements the Terms of Service. In the event of conflict, this DPA shall prevail in matters relating to data protection.
This DPA takes effect on the date of the Controller's first use of the Platform and continues until termination of the subscription agreement, subject to the data retention provisions in Section 13.
Section 02
Section 03
The details of the processing carried out by the Processor on behalf of the Controller are as follows:
Subject Matter
Processing of personal data of the Controller's employees and team members in connection with the delivery of The BI Method platform services.
Nature of Processing
Types of Personal Data Processed
Categories of Data Subjects
Employees, contractors, consultants, or other team members of the Controller who are invited to complete a BIP assessment.
Section 04
The Processor shall process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service, unless required to do so by Applicable Data Protection Law.
All persons authorised to process the Personal Data are subject to appropriate confidentiality obligations and have received adequate data protection training.
The Processor will not process, use, or disclose Personal Data for any purpose other than delivering the Platform services to the Controller, except as permitted under Section 12 (Benchmark Dataset) and the Privacy Policy.
The Controller warrants that:
Section 05
The Controller provides general written authorisation to the Processor to engage Sub-Processors. Current approved Sub-Processors include Supabase (database hosting and authentication), Stripe (payment processing), and email delivery providers. The Processor shall not engage additional Sub-Processors without 30 days' prior notice.
The Processor shall impose equivalent data protection obligations on all Sub-Processors by written contract. The Processor remains fully liable to the Controller for the performance of Sub-Processors' obligations.
The Processor will notify the Controller at least 30 days before engaging any new Sub-Processor. If the Controller reasonably objects on data protection grounds within 14 days, the parties will discuss in good faith. If they cannot reach agreement, the Controller may terminate the subscription without penalty.
Section 06
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subjects exercising their rights under Applicable Data Protection Law. The Processor will:
If a Participant contacts the Processor directly, the Processor will acknowledge receipt and direct the Participant to contact their employer (the Controller) as the Data Controller responsible for their data.
Section 07
The Processor has implemented and maintains the following technical and organisational security measures:
| Category | Measure | Detail |
|---|---|---|
| Access Control | Authentication | Multi-factor authentication available for all accounts. Enforced for BIP staff with access to production systems. |
| Access Control | Row-Level Security | Database-level enforcement — authenticated users can only access data belonging to their organisation. |
| Encryption | In Transit | All data encrypted using TLS 1.2 or higher. HTTPS enforced sitewide. |
| Encryption | At Rest | Personal Data encrypted at rest using AES-256 in the database layer. |
| Data Protection | No Raw Data Export | The Platform does not expose raw Assessment Data via any API endpoint or CSV export. Only processed Reports are accessible. |
| Data Protection | API Rate Limiting | All report-generation and data-access endpoints are rate-limited per authenticated account. High-volume access triggers automated alerts. |
| Incident Response | Anomaly Detection | Automated monitoring for unusual login patterns and high-volume data access. |
| Organisational | Staff Training | All BIP staff handling Personal Data receive data protection training at onboarding and annually. |
| Benchmark Isolation | Data Separation | The anonymised Benchmark Dataset is stored in a logically isolated data store with no join keys to identifiable Personal Data. |
Section 08
The Processor shall notify the Controller of any confirmed or reasonably suspected Data Breach within 36 hours of becoming aware of it. This is shorter than the 72-hour regulatory deadline to allow the Controller sufficient time to assess and notify the Supervisory Authority.
The breach notification will include, to the extent available at the time:
The Processor shall assist the Controller in meeting its obligations to notify the Supervisory Authority (Article 33 GDPR) and, where applicable, affected Data Subjects (Article 34 GDPR). The decision to notify remains with the Controller as Data Controller.
Section 09
The Processor shall provide reasonable assistance to the Controller in carrying out DPIAs as required by Article 35 UK GDPR / EU GDPR where such assessments relate to the processing carried out by the Processor under this DPA.
DPIA Recommendation for Controllers
The ICO recommends conducting a DPIA before beginning large-scale processing of employee data, particularly where automated processing is used to evaluate aspects of employees' work performance or behaviour. BIP will provide assistance and its own processing records to support this.
Section 10
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 UK GDPR / EU GDPR, and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.
As an alternative to an on-site audit, the Processor may provide copies of relevant security certifications, third-party audit reports, or penetration test summaries, which the Controller may accept as sufficient evidence of compliance.
Section 11
The Processor shall not transfer Personal Data to any country or territory outside the UK or EEA unless one of the following conditions is met:
Where Sub-Processors are located outside the UK/EEA, the Processor has put in place appropriate UK IDTAs or EU SCCs with those Sub-Processors.
Section 12
BIP's Data Strategy — Transparent Disclosure
BIP's core value proposition depends on building a proprietary Benchmark Dataset from anonymised, aggregated assessment data. This section transparently discloses how this works and why it is consistent with GDPR. The Controller's acceptance of this DPA constitutes informed consent to this specific processing activity.
As part of delivering the Platform services, the Processor derives anonymised, aggregated statistical data from Assessment Data. This involves:
Consistent with Recital 26 of the UK GDPR and EU GDPR, the Benchmark Dataset — once anonymised — does not constitute Personal Data and is therefore outside the scope of GDPR. The right to erasure (Article 17) does not extend to anonymised data that cannot be linked to a Data Subject.
Section 13
Upon termination or expiry of the subscription agreement, the Processor shall:
Upon written request, the Processor will provide written certification of deletion of the Controller's Personal Data within 14 days of deletion being completed.
Notwithstanding Section 13.1, the Processor may retain Personal Data for longer where required to comply with applicable law (for example, financial records required under HMRC regulations). Any such retention will be for the minimum period necessary.
Anonymised Benchmark Data is not subject to deletion on termination of this DPA, as it does not constitute Personal Data (see Section 12).
Section 14
Each party shall be liable to the other for direct losses arising from its breach of this DPA, subject to the limitations set out in the Terms of Service.
Each party shall be responsible for regulatory fines and penalties imposed by a Supervisory Authority that arise from its own breach of Applicable Data Protection Law. Where a fine arises from joint fault, liability shall be apportioned in accordance with each party's relative responsibility.
If a Data Subject brings a claim for compensation under Article 82 UK GDPR / EU GDPR against the Controller arising from the Processor's breach, the Processor shall indemnify the Controller for the portion attributable to the Processor's breach — provided the Controller notifies the Processor promptly and does not settle without the Processor's prior written consent.
Section 15
This DPA is governed by and construed in accordance with the laws of England and Wales.
In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail in matters relating to the processing of Personal Data.
This DPA may only be amended by written agreement signed by both parties, or by the Processor providing reasonable notice of updates required to comply with changes in Applicable Data Protection Law.
The Processor maintains a Record of Processing Activities (ROPA) as required by Article 30 UK GDPR / EU GDPR. A summary relevant to this DPA is available upon written request to privacy@behaviourintelligenceplatform.com.