Data Processing Agreement — SwardOps
Effective 18 June 2026. This Data Processing Agreement forms part of the SwardOps Terms of Service. Party details are completed on acceptance at sign-up.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Fix My Pitch Ltd, a company registered in England and Wales (company number 16902430), whose registered office is at 1 Jesse Green, Olney, Milton Keynes, England, MK46 4FU, trading as and operating the SwardOps platform ("SwardOps", "Processor", "we", "us"); and
- The Customer — the business or individual that registers for and uses the SwardOps service under our Terms of Service ("Customer", "Controller", "you"),
each a "Party" and together the "Parties".
This DPA forms part of, and is subject to, the SwardOps Terms of Service (the "Principal Agreement"). On creating a SwardOps account you accept this DPA. Where this DPA conflicts with the Principal Agreement on data-protection matters, this DPA prevails.
2. Background
2.1 The Customer uses SwardOps to manage its grounds-maintenance / field-service operation, including records relating to its own customers, contacts, sites, staff, jobs, quotes, invoices and (where enabled) crew location.
2.2 In doing so the Customer determines the purposes and means of processing personal data and is the Controller; Fix My Pitch Ltd processes that personal data on the Customer's behalf and is the Processor.
2.3 This DPA sets out the terms on which the Processor processes personal data for the Controller, as required by Article 28 of the UK GDPR.
3. Definitions
3.1 "Data Protection Laws" means all laws applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018, and (where applicable) the EU GDPR, together with the Privacy and Electronic Communications Regulations 2003.
3.2 "UK GDPR" has the meaning given in section 3(10) of the Data Protection Act 2018.
3.3 "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Sub-processor" and "Supervisory Authority" have the meanings given in the Data Protection Laws.
3.4 "Customer Personal Data" means any Personal Data processed by the Processor on behalf of the Controller under the Principal Agreement, as described in Annex 1.
3.5 "Services" means the SwardOps platform and related services provided under the Principal Agreement.
4. Roles and scope
4.1 The Parties acknowledge that, for Customer Personal Data, the Customer is the Controller and Fix My Pitch Ltd is the Processor.
4.2 The Customer is responsible for ensuring it has a lawful basis for the processing it instructs, and for providing any required privacy information to its own Data Subjects.
4.3 This DPA applies for the duration of the Processor's processing of Customer Personal Data under the Principal Agreement. Annex 1 sets out the subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects.
5. Processor obligations (Article 28(3))
The Processor shall:
5.1 Documented instructions. Process Customer Personal Data only on the Controller's documented instructions, including the instructions set out in the Principal Agreement, this DPA, and the Controller's configuration and use of the Services, unless required to do otherwise by law (in which case it will, where lawful, inform the Controller first).
5.2 Confidentiality. Ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.
5.3 Security. Implement and maintain the technical and organisational measures set out in Annex 2, appropriate to the risk, in accordance with Article 32 of the UK GDPR.
5.4 Sub-processors. Be entitled to engage Sub-processors as set out in clause 6 and Annex 3.
5.5 Assistance with Data Subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under the Data Protection Laws (access, rectification, erasure, restriction, portability and objection). The Services provide self-service tools enabling the Controller to export and erase Data Subject data directly.
5.6 Assistance with compliance. Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of processing and the information available to the Processor.
5.7 Breach notification. Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing sufficient information to allow the Controller to meet its own breach-notification obligations.
5.8 Deletion or return. At the Controller's choice, delete or return all Customer Personal Data at the end of the provision of the Services, and delete existing copies unless retention is required by law. Backups are purged on their normal rotation cycle (see Annex 2).
5.9 Demonstrating compliance. Make available to the Controller information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to clause 9.
6. Sub-processors
6.1 The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in Annex 3 to process Customer Personal Data.
6.2 The Processor shall impose data-protection obligations on each Sub-processor that are substantially equivalent to those in this DPA, and remains liable to the Controller for the performance of each Sub-processor's obligations.
6.3 The Processor shall give the Controller at least 30 days' notice of any intended addition or replacement of a Sub-processor (by updating Annex 3 / the published sub-processor list and/or by email), during which the Controller may object on reasonable data-protection grounds. If an objection cannot be resolved, the Controller may terminate the Principal Agreement in respect of the affected processing.
7. International transfers
7.1 The Processor shall not transfer Customer Personal Data outside the UK unless it has taken such measures as are necessary to ensure the transfer is lawful under the Data Protection Laws. Where Sub-processors process data outside the UK, such transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), save where the destination benefits from UK adequacy regulations.
7.2 Annex 3 identifies Sub-processors that may process data outside the UK and the safeguards relied on.
8. Controller obligations
8.1 The Controller warrants that it has a lawful basis for the processing it instructs and has provided all necessary notices and obtained all necessary consents from its Data Subjects.
8.2 The Controller's instructions will not put the Processor in breach of the Data Protection Laws.
9. Audit
9.1 The Processor will, on reasonable written request and no more than once per year (or following a Personal Data Breach, or where required by a Supervisory Authority), make available information reasonably necessary to demonstrate compliance with this DPA.
9.2 Audits shall be conducted on reasonable notice, during business hours, subject to confidentiality, and so as to minimise disruption. Compliance reports or third-party certifications of the Processor or its Sub-processors may be provided to satisfy an audit request.
10. Liability
10.1 Subject to clause 10.2, each Party's total aggregate liability arising out of or in connection with this DPA, whether in contract, tort (including negligence) or otherwise, shall not exceed £2,000 (two thousand pounds), and is otherwise subject to the limitations and exclusions of liability set out in the Principal Agreement.
10.2 Nothing in this DPA limits or excludes either Party's liability for death or personal injury caused by negligence, fraud, or any liability that cannot be limited or excluded by law.
11. Term and termination
11.1 This DPA takes effect on acceptance and continues for as long as the Processor processes Customer Personal Data under the Principal Agreement. Clauses intended to survive (including confidentiality, deletion/return and liability) survive termination.
12. General
12.1 Governing law. This DPA is governed by the laws of England and Wales, and the Parties submit to the exclusive jurisdiction of its courts.
12.2 Order of precedence. On data-protection matters, this DPA prevails over the Principal Agreement.
12.3 Variation. The Processor may update this DPA where required to reflect changes in law, the Services or Sub-processors, giving reasonable notice; material adverse changes entitle the Controller to object as in clause 6.3.
12.4 Severance / entire agreement / notices as set out in the Principal Agreement.
Annex 1 — Details of Processing
| Item | Details |
|---|---|
| Subject matter | Provision of the SwardOps field-service management platform to the Controller. |
| Duration | For the term of the Principal Agreement and any data-retention period thereafter (see Annex 2). |
| Nature & purpose | Hosting, storage, organisation, retrieval, display, transmission and deletion of records to schedule and deliver grounds-maintenance work; quoting, invoicing and payment collection; accounting sync; crew coordination and (where enabled) location for lone-worker safety; transactional email. |
| Types of Personal Data | Names, business and personal contact details (email, phone), postal/site addresses, job & visit history, quotes, invoices and payment status, staff records and (where the Controller enables it) staff working-time and location data. No special-category data is required or intended. |
| Categories of Data Subjects | The Controller's customers and their contacts; the Controller's staff/crew; prospective customers who submit enquiries. |
Annex 2 — Technical & Organisational Measures (Article 32)
- Encryption in transit: all traffic over HTTPS/TLS.
- Encryption at rest: database and file storage encrypted at rest by the hosting sub-processor.
- Tenant isolation: per-business row-level security (RLS) enforced at the database, so one Controller cannot access another's data.
- Access control: role-based access (office vs crew); least-privilege service credentials; sensitive integration tables restricted to server-side service role only.
- Authentication: password authentication with optional two-factor authentication (TOTP) for office accounts.
- Payment & integration security: card payments handled by Stripe (PCI-DSS); inbound payment/accounting webhooks are cryptographically signature-verified; OAuth tokens stored server-side with restricted access.
- Auditability: an audit log records changes to key records (who/what/when).
- Retention & deletion: crew location history purged after 90 days; read notifications after 90 days; audit logs after 2 years; on data-subject erasure, personal data is anonymised while financial records are retained (anonymised) for the statutory tax-retention period; backups are purged on their normal rotation cycle, within 30 days.
- Breach management: processes to detect, investigate and notify Personal Data Breaches without undue delay.
- Sub-processor diligence: sub-processors selected on the basis of their security and data-protection commitments (clause 6).
Annex 3 — Approved Sub-processors
| Sub-processor | Purpose | Processing location | Transfer safeguard (if outside UK) |
|---|---|---|---|
| Supabase | Database & authentication hosting | EU (London region) | — |
| Vercel | Application hosting & content delivery | EU / global edge | UK IDTA / SCC Addendum |
| Stripe | Card payment processing (Connect) | EU / US | UK IDTA / SCC Addendum |
| GoCardless | Direct Debit collection | UK / EU | — |
| Xero | Accounting synchronisation (invoices) | UK / EU | — |
| Resend | Transactional email delivery | EU / US | UK IDTA / SCC Addendum |
| OpenStreetMap / Nominatim | Address lookup (geocoding) | EU | — |
| Open-Meteo | Weather data (spray-condition guidance) | EU | — |
The current sub-processor list is also published at https://swardops.vercel.app/privacy.
Signed for and on behalf of Fix My Pitch Ltd: ……………………………… Date: …………
Accepted by the Customer (electronically, on account creation): name, business and date captured at sign-up.