Legal

Data Processing Addendum (DPA)

Effective date: 1 July 2026. This DPA forms part of the OperExa Terms & Conditions between Brain Junks Limited (company no. 15736691) as processor and the subscribing customer as controller.

Legal-review placeholder. This page describes the standard processor terms we operate under. It is offered as a template and does not itself constitute legal advice. Customers requiring a countersigned DPA should contact privacy@brainjunks.com and we will provide a version for signature.

1. Scope and roles

This DPA applies where Brain Junks Limited processes personal data on behalf of the Customer in the course of providing the OperExa platform. The Customer is the controller and Brain Junks Limited is the processor for such data under UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.

2. Subject-matter and duration

Processing takes place for the duration of the subscription plus any grace period set out in the Terms & Conditions. The subject-matter is the provision of the OperExa SaaS platform (hospitality analytics, HR, payroll, stock, banking and reporting).

3. Nature, purpose and categories of data

The processor processes categories of personal data determined by the Customer. Typical categories include: employee identifiers and contact data; contract, holiday and payroll data; bank details supplied for payroll; TRONC allocations; supplier and customer contacts; deposit-related booking details. Categories of data subject include the Customer's employees, contractors, suppliers and prospective customers.

4. Processor obligations

  • Process personal data only on the Customer's documented instructions, including as set out in the Terms & Conditions, this DPA and the in-product configuration chosen by the Customer.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see section 6).
  • Assist the Customer, so far as possible, to respond to data subject rights requests.
  • Assist the Customer with security, DPIA and breach-notification obligations.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.
  • On termination, delete or return Customer Data in line with the Terms & Conditions and the documented retention schedule.
  • Make available information necessary to demonstrate compliance and allow reasonable audits, subject to confidentiality.

5. Sub-processors

The Customer provides general authorisation for the use of the sub-processors listed in our Privacy Policy and any updated list made available on request from privacy@brainjunks.com. We will impose written data-protection terms on each sub-processor that are no less onerous than those in this DPA, and remain liable for their acts and omissions in respect of Customer personal data. We will give reasonable notice of any intended addition or replacement of a sub-processor and the Customer may object on reasonable data-protection grounds.

6. Security measures

  • Encryption in transit (TLS) and at rest for the primary datastore and backups.
  • Row-level security in the database and role-based access controls in the application.
  • Least-privilege access for Company personnel; multi-factor authentication on administrative accounts.
  • Audit logging for period-close, financial and privileged actions.
  • Secrets management, dependency vulnerability scanning and secure SDLC practices.
  • Regular backups with a defined retention window and tested restoration procedures.
  • Segregation of Customer tenants by application controls and RLS policies.

7. International transfers

Customer Data is primarily hosted inside the United Kingdom / European Economic Area. Where any transfer outside the UK/EEA is required, we rely on an adequacy decision or, failing that, on appropriate safeguards such as the UK International Data Transfer Addendum or the EU Standard Contractual Clauses together with any supplementary measures identified by a transfer risk assessment.

8. Data subject rights and assistance

Where an individual contacts us to exercise a right in respect of Customer Data, we will refer them to the Customer as controller and, on request, provide reasonable technical assistance to enable the Customer to respond within statutory deadlines.

9. Deletion and return of data

On termination the Customer may export Customer Data through the in-product export functions during the grace period defined in the Terms & Conditions. After that period the Company will delete or irreversibly anonymise Customer Data in accordance with its documented retention schedule, save where retention is required by law.

10. Retention schedule (placeholder)

Indicative retention periods, subject to statutory requirements and Customer instructions:

Data categoryIndicative retentionRationale
HR records (active employees)Duration of employmentEmployment contract
HR records (former employees)6 years after leaving dateEmployment law limitation period
Payroll & TRONC records6 years after tax year endHMRC / PAYE record-keeping (Reg. 97, Income Tax (PAYE) Regs 2003)
Accounting records6 years from end of financial yearCompanies Act 2006 s.388
Inventory & stock records6 yearsAligned with accounting retention
Audit logs (period close, deposits, roles)6 yearsFinancial audit and regulatory review
User account recordsDuration of account + 30 daysService delivery; grace-period export
Marketing contactsUntil opt-out or 3 years of inactivityLegitimate interests / consent
Support correspondence24 monthsService delivery
Server & security logsUp to 12 monthsSecurity monitoring
BackupsRolling 30 daysDisaster recovery

Retention periods are indicative pending final legal review; Customers may specify shorter or longer periods in writing where lawful.

11. Liability

The liability of each party under or in connection with this DPA is subject to the limits and exclusions set out in the Terms & Conditions.

12. Contact

Data-protection queries and requests to countersign this DPA should be sent to privacy@brainjunks.com.