Business User Data Processing Schedule

Last updated: 14 July 2026 · Forms part of the Account and Tool Terms

1. Application

This Schedule applies where a business user uses a Wentworth Ridge account to enter, save or otherwise process personal information relating to another person for the business user's purposes. For that information the business user is the controller and Wentworth Ridge Ltd is the processor.

Wentworth Ridge remains a separate controller for account registration, authentication, billing if introduced, security, abuse prevention, legal compliance and its own business records.

2. Processing details

Subject matter: provision of the Wentworth Ridge account, saved-tool and document-generation services.

Duration: the period during which the account remains active, followed by the applicable deletion and backup-expiry periods.

Nature and purpose:hosting, organising, retrieving, transmitting, displaying, exporting, deleting and securing information in accordance with the business user's use of the account.

Categories of individuals (depending on the tools used): business-user personnel; clients and customer contacts; drivers, workers and subcontractors; vehicle keepers or users; invoice recipients; persons referred to in penalty or appeal records; and other persons whose information the relevant feature is expressly designed to hold.

Types of personal information (depending on the tools used): names and business contact details; postal addresses; vehicle registration marks; invoice and work information; internal reference numbers; penalty, deadline and correspondence information; draft letters; payment-account information entered into invoices; and other limited information entered into a designated field.

The service is not designed to process special-category information, criminal-offence information, identity documents, right-to-work records, children's information or payment-card information.

3. Instructions

Wentworth Ridge will process controller personal information only: to provide and secure the service; in accordance with the business user's documented instructions; as otherwise agreed in writing; or where required by applicable UK law. These terms, the user's configuration and use of the service, and written support requests constitute documented instructions. If Wentworth Ridge believes an instruction infringes data protection law, it will inform the business user unless prohibited by law.

4. Confidentiality

Wentworth Ridge will ensure that personnel authorised to process controller personal information are subject to an appropriate duty of confidentiality, receive access only where necessary for their role, and receive appropriate data protection and security instructions.

5. Security

Wentworth Ridge implements appropriate technical and organisational measures having regard to the nature, scope, context and risk of the processing, including:

  • encryption of information in transit (TLS) and at rest;
  • tenant separation enforced by database row-level security, under which each account can read and write only its own records;
  • restriction of privileged and administrative access to named authorised personnel, protected by multi-factor authentication;
  • provider-level logging and monitoring of the hosting and database platforms;
  • dependency and vulnerability management through version-controlled builds;
  • backup and recovery arrangements operated by the database provider;
  • secure development practice with all changes made through a version-controlled repository and reviewed builds; and
  • documented incident-response and breach-notification procedures.

6. Subprocessors

The business user gives general written authorisation for Wentworth Ridge to use subprocessors necessary to provide the service. Current subprocessors:

SubprocessorServicePrincipal processing location
Supabase Pte. LtdDatabase and authenticationIreland (EEA) hosting, under a signed data processing addendum incorporating the SCCs and the UK Addendum; Supabase Pte. Ltd is a Singapore company, and support (including via its group company Supabase, Inc.) may occur from outside the UK and EEA
Vercel, Inc.Hosting and infrastructureUnited States, with a global content delivery network
Plus Five Five, Inc., trading as ResendTransactional email deliveryUnited States and the European Union, with applicable subprocessors

Wentworth Ridge will:

  • maintain an up-to-date subprocessor list;
  • impose materially equivalent data protection obligations on each subprocessor;
  • remain responsible for its subprocessors' performance of those obligations; and
  • provide reasonable notice of a material new subprocessor.

A business user with reasonable data protection grounds may object to a new subprocessor. The parties will attempt to resolve the objection. Where no reasonable solution is available, the business user may stop using the affected feature and terminate the relevant account.

7. International transfers

Wentworth Ridge will apply the ICO Three-Step Test to determine whether a restricted transfer occurs. Where Wentworth Ridge initiates a restricted transfer, it will ensure that the transfer is covered by: applicable UK adequacy regulations; an active UK Extension to the EU-US Data Privacy Framework certification covering the relevant information; the UK International Data Transfer Agreement; the UK Addendum to approved standard contractual clauses; or another lawful transfer mechanism.

Where appropriate safeguards are used, Wentworth Ridge will complete any required transfer risk assessment and implement supplementary measures where necessary, and will periodically verify any certification on which it relies.

8. Individual rights

Taking into account the nature of the processing, Wentworth Ridge will provide reasonable assistance to enable the business user to respond to requests for access, rectification, erasure, restriction, portability, objection, and challenge or human review of relevant automated decisions.

If Wentworth Ridge directly receives a request relating to controller personal information, it will notify the business user without undue delay and will not respond substantively except on the business user's instructions or where legally required.

9. Complaints and regulatory cooperation

Wentworth Ridge will promptly notify the business user of a data protection complaint concerning controller personal information, and will provide reasonable information and cooperation needed for the business user to investigate and respond within applicable DUAA and UK GDPR timelines. The parties acknowledge that obtaining clarification or additional information does not suspend the statutory 30-day complaint acknowledgement period.

10. Personal data breaches

Wentworth Ridge will notify the business user without undue delay after becoming aware of a personal data breach affecting controller personal information and, where practicable, within 48 hours. The notice will include available information about the nature of the breach; affected information and individuals; likely consequences; containment and remediation measures; and a contact for further information. Wentworth Ridge will provide reasonable further cooperation to support regulatory or individual notifications.

11. DPIAs and prior consultation

Wentworth Ridge will provide information reasonably available to it to assist with data protection impact assessments, prior consultation with the Information Commissioner, and security and transfer-risk assessments.

12. Deletion and return

During the account term, the business user may export or delete information using available account functions. When the account ends, Wentworth Ridge will delete or return controller personal information in accordance with the business user's choice, except where UK law requires retention. Deletion from active systems begins immediately on account closure. Information deleted from active systems may remain temporarily in protected backups, beyond ordinary use, until the database provider's backup cycle expires: backups are taken daily and retained for 7 days.

13. Information and audits

Wentworth Ridge will make available information reasonably necessary to demonstrate compliance with Article 28 UK GDPR. It may satisfy routine audit requests through current independent audit reports, security summaries, certifications, policies and completed questionnaires. An on-site or bespoke audit may be requested where required by a regulator, a material incident has occurred, or supplied information does not reasonably demonstrate compliance. Audits must be proportionate, protect other users' information and confidential systems, and avoid unnecessary disruption.

14. Business-user responsibilities

The business user is responsible for:

  • having a lawful basis for the information entered;
  • providing required privacy information;
  • issuing lawful instructions;
  • ensuring data is adequate, relevant and accurate;
  • managing retention and deletion;
  • responding to individuals and regulators;
  • not entering prohibited categories of information; and
  • assessing whether the service is appropriate for its intended use.

15. Priority

If there is a conflict concerning the protection of controller personal information: mandatory data protection law prevails first; this Schedule prevails next; the Account and Tool Terms apply next; and other website terms apply last.

Questions about this Schedule can be sent to hello@wentworthridge.co.uk.