Data Processing Addendum (DPA)
Last updated: 14 May 2026
This DPA forms part of the Terms & Conditions between the customer ("Controller") and FORGEAI STUDIO LTD (trading as NovaStack), operator of GuardFlow ("Processor").
1. Subject matter
The Processor processes personal data on behalf of the Controller solely to provide the GuardFlow service.
2. Categories of data subjects
Employees, sub-contracted security operatives, applicants, the Controller's customer contacts.
3. Categories of personal data
Identity, contact, employment, location (during clock-in/out), SIA licence, right-to-work, training certificates, banking (where used for payroll integration).
4. Processor obligations
- Process data only on documented instructions from the Controller.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32).
- Assist the Controller in fulfilling data subject requests.
- Notify the Controller of any personal data breach without undue delay.
- Delete or return personal data on termination.
- Make available all information necessary to demonstrate compliance.
5. Sub-processors
Listed in our GDPR statement. We give 30 days' notice of any change.
6. International transfers
Where required, transfers outside the UK rely on the UK Addendum to the EU Standard Contractual Clauses.
7. Audit
The Controller may, on reasonable notice and at their cost, audit the Processor's compliance once per 12 months.