This Data Processing Addendum ("DPA") forms part of the Terms of Service between Simple Works LTD ("Processor") and the customer ("Controller") and applies where we process personal data on the Controller's behalf in the course of providing SimpleAMS.
1. Roles
For Customer Data, the Controller determines the purposes and means of processing; Simple Works LTD acts as Processor and processes personal data only on documented instructions from the Controller (including via the Terms and use of the Service).
2. Subject matter & duration
Subject matter: provision of the SimpleAMS IT asset management service. Duration: for the term of the subscription plus any retention period.
3. Nature & purpose
Hosting, storage and processing of Customer Data to operate the Service (inventory, checkout, licenses, maintenance, reporting, integrations the Controller enables).
4. Types of data & data subjects
Data subjects: the Controller's staff and people referenced in asset records. Data types: names, work contact details, job titles, device assignments and related records the Controller chooses to store.
5. Processor obligations
We will: (a) process only on instructions; (b) ensure persons authorised to process are bound by confidentiality; (c) implement appropriate technical and organisational security measures; (d) respect the conditions for engaging sub-processors below; (e) assist the Controller with data-subject requests and with security, breach and DPIA obligations; and (f) delete or return Customer Data at the end of the service.
6. Sub-processors
The Controller authorises Simple Works LTD to engage sub-processors (e.g. hosting and email providers) under written terms no less protective than this DPA. We will inform the Controller of changes and remain responsible for our sub-processors.
7. International transfers
Any transfer of Customer Data outside the European Economic Area (EEA) will be covered by an appropriate transfer mechanism, primarily the European Commission's Standard Contractual Clauses (SCCs), together with any supplementary measures required.
8. Personal data breach
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data and provide reasonable information to help the Controller meet its obligations.
9. Audit
We will make available information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and security limits.
10. Return & deletion
On termination we will, at the Controller's choice, delete or return Customer Data within a reasonable period, except where retention is required by law.
11. Contact
Data protection contact: privacy@simpleams.co.uk.
Annex A - Sub-processors
We use the following categories of sub-processors to deliver the Service:
- Hosting / infrastructure - hosts the application and per-tenant databases (EU/EEA region).
- Email delivery - sends transactional and account emails.
- Optional AI provider - only when the Controller enables the AI assistant and provides their own API key; prompts are sent to the provider the Controller selected (e.g. OpenAI or Anthropic).
- Optional directory/MDM integrations - only those the Controller explicitly connects (e.g. Google Workspace, Jamf, Mosyle).
A current, detailed list is available on request at privacy@simpleams.co.uk.
Annex B - Technical & organisational measures
- Encryption in transit (TLS) for all traffic; sensitive secrets encrypted at rest.
- Strict tenant isolation: each customer's data lives in a separate database.
- Role-based access control and granular permissions inside each workspace; optional two-factor authentication and SSO (Google / SAML / LDAP).
- Hashed passwords (bcrypt), CSRF protection and rate-limited authentication.
- Least-privilege access for our staff, logging of administrative actions, and regular backups.