Data Processing Agreement
Last updated: 5 July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Consigns & Comply Ltd (Company No. 17328092, registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ — "we", "us") and the customer organisation that holds a Consigns account ("you"). It applies whenever we process personal data on your behalf under the UK GDPR and the Data Protection Act 2018. If you need a signed copy for your records, ask through our contact form and we will provide one.
1. Roles
For the personal data inside your waste records — the names, signatures, contact details and site addresses of your customers, drivers and receiving sites — you are the controller and we are your processor. You decide what goes into a consignment note; we store and process it so you can meet your duty-of-care and waste-tracking obligations.
For your own account data (your team's sign-in details, billing records, and product analytics on how Consigns is used), we are the controller. That processing is described in our Privacy Policy, not this DPA.
2. What we process for you
- Subject matter: the operation of the Consigns service for your organisation.
- Duration: the life of your account, plus the statutory retention periods below.
- Nature and purpose: storing, displaying and transmitting waste movement records — consignment notes, transfer notes, signatures, collection photos and the returns you produce.
- Categories of data subjects: your team members, your customers' staff and contacts, drivers, and receiving-site signatories.
- Categories of personal data: names, business contact details, site addresses, signatures, photographs of collections, vehicle registrations, and (where you record one for Environment Agency returns) a responsible person's name and date of birth. No special-category data is required by the service.
3. Our commitments as your processor
- We process your records only on your instructions — the instructions being your use of the service and this DPA — unless the law requires otherwise.
- Everyone with access to your data is bound by confidentiality obligations.
- We protect your data with encryption in transit and at rest, role-based access controls, per-organisation row-level security in the database, and regular security review.
- We help you respond to data-subject requests (access, correction, deletion) — most can be handled directly in the product, and we assist with the rest without undue delay.
- We tell you without undue delay if we become aware of a personal data breach affecting your records, and give you the information you need for your own reporting duties.
- We make available the information reasonably needed to show this DPA is being met, and allow audits where the UK GDPR requires them.
4. Sub-processors
You authorise the sub-processors below. If we add or replace one, we will update this page at least 30 days before the change takes effect so you can object.
| Sub-processor | What they do | Where |
|---|---|---|
| Supabase | Database, authentication and file storage | EU (Ireland / France) |
| netcup GmbH | Application server hosting | Austria |
| Cloudflare | Content delivery, DNS and bot protection | Global network, UK/EU safeguards |
| Stripe | Payment processing | UK/EU entities, global group with safeguards |
| Resend | Transactional email delivery | USA, UK-approved safeguards |
| PostHog | Product analytics (EU-hosted, only after cookie consent) | EU |
| Sentry | Error monitoring | Germany (EU data residency) |
Some services are connected at your direction and are not our sub-processors: DEFRA's Digital Waste Tracking Service (we submit your receipts because the law requires you to file them), and any integration you connect yourself, such as Xero, Sage or a vehicle tracking provider. Those providers process your data under your own agreement with them.
5. International transfers
Your waste records live on servers in the UK and the European Economic Area. Where a sub-processor processes personal data outside the UK or the EEA (for example email delivery), we rely on UK-approved safeguards such as the UK Addendum to the EU Standard Contractual Clauses or a UK adequacy decision.
6. Deletion and retention
When your account closes, we delete or return your personal data — with one carve-out: waste records the law requires you to keep. Consignment notes carry statutory retention periods (three years for hazardous waste notes, two years for waste transfer notes, five years for receiving-site records), and we retain those records for the retention window shown on your account before deletion, so closing your account never destroys a record the regulator could still ask for.
7. Liability and precedence
This DPA is subject to the limitation of liability in the Terms of Service. If this DPA and the Terms conflict on data protection matters, this DPA wins.