Data Processing Agreement

      Summary: This Data Processing Agreement ("DPA") explains how DIVCAAS, acting as a data processor, handles personal data on behalf of your Organisation (the data controller). It sets out what we process, why, how we protect it, who our sub-processors are, and your rights as controller. It is designed to support GDPR and UK GDPR compliance.
    

This DPA forms part of, and is incorporated by reference into, the Terms of Service between DIVCAAS ("Processor", "we", "us") and the Customer Organisation ("Controller", "you"). It applies whenever we process personal data on your behalf in connection with the DIVCAAS platform (the "Service").

Where there is a conflict between this DPA and the Terms of Service in relation to data protection, this DPA prevails.

Definitions
Roles of the Parties
Scope & Subject Matter of Processing
Controller Instructions & Obligations
Processor Obligations
Security Measures
Sub-Processors
International Transfers
Data Subject Rights
Personal Data Breach
Return & Deletion of Data
Audit & Records
Liability & Term
Contact

1 Definitions

Terms such as "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor" and "Personal Data Breach" have the meanings given to them in the UK GDPR and the EU General Data Protection Regulation (Regulation (EU) 2016/679), as applicable.

Why GDPR applies even though DIVCAAS is UAE-based: data protection law follows the data subjects, not the provider's location. Because DIVCAAS serves the offshore diving industry — whose personnel are frequently based in the UK and EU — we apply UK GDPR / EU GDPR standards to all Customer Data. The governing law of the underlying contract is set out in our Terms of Service (United Arab Emirates).

"Controller" — the Customer Organisation that determines the purposes and means of processing personal data.
"Processor" — DIVCAAS, which processes personal data on behalf of the Controller.
"Customer Data" — personal data submitted to the Service by or on behalf of the Controller.

2 Roles of the Parties

For the personal data processed through the Service, your Organisation is the Controller and DIVCAAS is the Processor. DIVCAAS processes Customer Data only on documented instructions from the Controller, as set out in this DPA, the Terms of Service, and your configuration and use of the Service.

3 Scope & Subject Matter of Processing

Item	Details
Subject matter	Provision of a diving competency assessment & portfolio management platform
Duration	For the term of the Controller's use of the Service, plus retention periods
Nature & purpose	Hosting, storing, displaying and transmitting competency records; issuing certificates; sending notifications
Categories of data subjects	Candidates (divers), assessors, verifiers, administrators
Categories of personal data	Name, email, diver ID, job role, employer, assessment responses, sign-off records, digital signatures, uploaded evidence, certificate data, login activity & IP addresses
Special category data	Only if voluntarily uploaded as evidence (e.g. medical/fitness documents). The Controller is responsible for any such data it chooses to upload.

4 Controller Instructions & Obligations

The Controller warrants it has a lawful basis to collect and provide the Customer Data to DIVCAAS.
The Controller is responsible for the accuracy, content and legality of the Customer Data.
The Controller instructs DIVCAAS to process Customer Data solely to provide and maintain the Service.
The Controller is responsible for ensuring data subjects have been provided appropriate privacy information.

5 Processor Obligations

DIVCAAS will:

Process Customer Data only on the Controller's documented instructions, unless required by law.
Ensure persons authorised to process Customer Data are bound by confidentiality.
Implement appropriate technical and organisational security measures (see Section 6).
Assist the Controller, taking into account the nature of processing, in responding to data subject requests and in meeting its security, breach-notification and impact-assessment obligations.
Not engage a new sub-processor without the Controller's general authorisation and prior notice of changes (see Section 7).
Make available information necessary to demonstrate compliance with this DPA.

6 Security Measures

DIVCAAS implements technical and organisational measures appropriate to the risk, including:

Encryption of data in transit (HTTPS / TLS 1.3) and at rest at the storage layer.
Passwords stored using PBKDF2 hashing (100,000 iterations) — never in plain text.
Strict multi-tenant isolation so each Organisation's data is logically separated.
Role-based access control (candidate, assessor, verifier, administrator).
Brute-force login protection with account lockout.
Signed, time-limited session tokens (HMAC).
A server-side audit log recording security-relevant events (logins, password changes, deletions).

Full details are published on our Security & Compliance page.

7 Sub-Processors

The Controller provides general authorisation for DIVCAAS to engage the sub-processors listed below. We will give reasonable prior notice of any intended addition or replacement, giving the Controller the opportunity to object on reasonable data-protection grounds.

Sub-Processor	Purpose	Location
Cloudflare, Inc.	Platform hosting, edge compute, D1 database, R2 file storage, CDN, DNS	Global edge network
Resend (Plus Five Five, Inc.)	Branded transactional email delivery (password reset codes)	United States
EmailJS	Fallback transactional email delivery	United States
Zoho Corporation	Business mailbox for support correspondence ([email protected])	EU / global

      DIVCAAS remains fully liable to the Controller for the performance of each sub-processor's data-protection obligations. Each sub-processor is engaged under terms offering an equivalent level of data protection to this DPA.
    

8 International Transfers

Some sub-processors operate outside the UK/EEA (e.g. in the United States). Where personal data is transferred internationally, such transfers are made under an appropriate safeguard recognised by UK/EU data protection law — for example the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), or an adequacy decision — as offered by the relevant sub-processor.

9 Data Subject Rights

The Service provides functionality that allows the Controller to access, correct, export (JSON/CSV) and delete Customer Data, enabling the Controller to respond to data subject requests (access, rectification, erasure, portability, restriction and objection). Where a data subject contacts DIVCAAS directly, we will promptly refer the request to the relevant Controller and assist as reasonably required.

10 Personal Data Breach

DIVCAAS will notify the Controller without undue delay — and in any event within 72 hours — after becoming aware of a Personal Data Breach affecting the Controller's Customer Data. The notification will describe, to the extent known, the nature of the breach, likely consequences, and measures taken or proposed to address it. DIVCAAS will reasonably assist the Controller in meeting its own breach-notification obligations to regulators and data subjects.

11 Return & Deletion of Data

On termination of the Service, or on the Controller's written request, DIVCAAS will — at the Controller's choice — return or delete all Customer Data, unless retention is required by law. Deletion of account data is completed within 30 days of a valid request. Certificate and sign-off records may be retained longer where required by regulatory obligations, as described in our Privacy Policy.

12 Audit & Records

DIVCAAS maintains records of its processing activities and a server-side audit log of security events. On reasonable written request (no more than once per year unless required by a regulator), DIVCAAS will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and the security of other customers' data.

13 Liability & Term

This DPA takes effect when the Controller begins using the Service and continues for as long as DIVCAAS processes Customer Data on the Controller's behalf. The liability provisions of the Terms of Service apply to this DPA. Sections concerning confidentiality, deletion and liability survive termination.

      Note: This DPA is a good-faith template reflecting our current processing. For Organisations requiring a counter-signed DPA, a bespoke agreement, or the relevant SCCs/IDTA appended, contact us using the details below and we will arrange a signed copy.
    

📧 Contact

To request a counter-signed DPA, ask about our sub-processors, or raise a data-protection matter, contact us at:

[email protected] Back to DIVCAAS

DIVCAAS · divcaas.com · Data Processing Agreement v1.0 · June 2026

Contents