Data Processing Addendum (DPA)
Effective date: 1 July 2026. This DPA forms part of the OperExa Terms & Conditions between Brain Junks Limited (company no. 15736691) as processor and the subscribing customer as controller.
Legal-review placeholder. This page describes the standard processor terms we operate under. It is offered as a template and does not itself constitute legal advice. Customers requiring a countersigned DPA should contact privacy@brainjunks.com and we will provide a version for signature.
1. Scope and roles
This DPA applies where Brain Junks Limited processes personal data on behalf of the Customer in the course of providing the OperExa platform. The Customer is the controller and Brain Junks Limited is the processor for such data under UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.
2. Subject-matter and duration
Processing takes place for the duration of the subscription plus any grace period set out in the Terms & Conditions. The subject-matter is the provision of the OperExa SaaS platform (hospitality analytics, HR, payroll, stock, banking and reporting).
3. Nature, purpose and categories of data
The processor processes categories of personal data determined by the Customer. Typical categories include: employee identifiers and contact data; contract, holiday and payroll data; bank details supplied for payroll; TRONC allocations; supplier and customer contacts; deposit-related booking details. Categories of data subject include the Customer's employees, contractors, suppliers and prospective customers.
4. Processor obligations
- Process personal data only on the Customer's documented instructions, including as set out in the Terms & Conditions, this DPA and the in-product configuration chosen by the Customer.
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see section 6).
- Assist the Customer, so far as possible, to respond to data subject rights requests.
- Assist the Customer with security, DPIA and breach-notification obligations.
- Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.
- On termination, delete or return Customer Data in line with the Terms & Conditions and the documented retention schedule.
- Make available information necessary to demonstrate compliance and allow reasonable audits, subject to confidentiality.
5. Sub-processors
The Customer provides general authorisation for the use of the sub-processors listed in our Privacy Policy and any updated list made available on request from privacy@brainjunks.com. We will impose written data-protection terms on each sub-processor that are no less onerous than those in this DPA, and remain liable for their acts and omissions in respect of Customer personal data. We will give reasonable notice of any intended addition or replacement of a sub-processor and the Customer may object on reasonable data-protection grounds.
6. Security measures
- Encryption in transit (TLS) and at rest for the primary datastore and backups.
- Row-level security in the database and role-based access controls in the application.
- Least-privilege access for Company personnel; multi-factor authentication on administrative accounts.
- Audit logging for period-close, financial and privileged actions.
- Secrets management, dependency vulnerability scanning and secure SDLC practices.
- Regular backups with a defined retention window and tested restoration procedures.
- Segregation of Customer tenants by application controls and RLS policies.
7. International transfers
Customer Data is primarily hosted inside the United Kingdom / European Economic Area. Where any transfer outside the UK/EEA is required, we rely on an adequacy decision or, failing that, on appropriate safeguards such as the UK International Data Transfer Addendum or the EU Standard Contractual Clauses together with any supplementary measures identified by a transfer risk assessment.
8. Data subject rights and assistance
Where an individual contacts us to exercise a right in respect of Customer Data, we will refer them to the Customer as controller and, on request, provide reasonable technical assistance to enable the Customer to respond within statutory deadlines.
9. Deletion and return of data
On termination the Customer may export Customer Data through the in-product export functions during the grace period defined in the Terms & Conditions. After that period the Company will delete or irreversibly anonymise Customer Data in accordance with its documented retention schedule, save where retention is required by law.
10. Retention schedule (placeholder)
Indicative retention periods, subject to statutory requirements and Customer instructions:
| Data category | Indicative retention | Rationale |
|---|---|---|
| HR records (active employees) | Duration of employment | Employment contract |
| HR records (former employees) | 6 years after leaving date | Employment law limitation period |
| Payroll & TRONC records | 6 years after tax year end | HMRC / PAYE record-keeping (Reg. 97, Income Tax (PAYE) Regs 2003) |
| Accounting records | 6 years from end of financial year | Companies Act 2006 s.388 |
| Inventory & stock records | 6 years | Aligned with accounting retention |
| Audit logs (period close, deposits, roles) | 6 years | Financial audit and regulatory review |
| User account records | Duration of account + 30 days | Service delivery; grace-period export |
| Marketing contacts | Until opt-out or 3 years of inactivity | Legitimate interests / consent |
| Support correspondence | 24 months | Service delivery |
| Server & security logs | Up to 12 months | Security monitoring |
| Backups | Rolling 30 days | Disaster recovery |
Retention periods are indicative pending final legal review; Customers may specify shorter or longer periods in writing where lawful.
11. Liability
The liability of each party under or in connection with this DPA is subject to the limits and exclusions set out in the Terms & Conditions.
12. Contact
Data-protection queries and requests to countersign this DPA should be sent to privacy@brainjunks.com.
