RosterElf UK GDPR Data Processing Addendum

Introduction

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms and Conditions ("Agreement") between Roster Elf Software Solutions Pty Ltd ABN 69 618 933 526 ("RosterElf", "Processor", "we", "us") and the Customer ("Controller", "you").

This DPA applies where the Customer is subject to the UK General Data Protection Regulation ("UK GDPR") and RosterElf processes Personal Data on behalf of the Customer in connection with the provision of the RosterElf platform and related services (the "Services").

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail solely with respect to data protection matters. Capitalised terms not defined herein have the meaning given to them in the Agreement or UK GDPR.

---

1. Roles of the parties

1.1 The Customer acts as Data Controller in respect of Personal Data relating to its employees, workers, contractors, and other individuals whose data is entered into or processed by the RosterElf platform.

1.2 RosterElf acts as Data Processor when processing such Personal Data on behalf of and under the instructions of the Customer.

1.3 Each party shall comply with its respective obligations under UK GDPR, the Data Protection Act 2018, and any other applicable data protection legislation.

1.4 RosterElf may act as an independent Data Controller in respect of data it collects for its own purposes (including account registration, billing, and marketing). In those circumstances, RosterElf's Privacy Policy applies.

---

2. Subject matter & duration

2.1 The subject matter of the processing is the provision of the RosterElf rostering, time and attendance, scheduling, shift management, payroll integration, and workforce management services as described in the Agreement.

2.2 The duration of processing under this DPA corresponds to the term of the Agreement and for a reasonable period thereafter to enable data return or deletion in accordance with clause 11, unless otherwise required by applicable law.

---

3. Nature and purpose of processing

3.1 RosterElf will process Personal Data for the following purposes on behalf of the Customer:

• creating and managing employee schedules, rosters, and shift patterns;
• recording and reporting time and attendance data;
• facilitating shift swapping, leave requests, and availability management;
• generating payroll-related reports and data exports for integration with payroll systems;
• providing workforce analytics and management insights to the Customer;
• sending shift notifications and platform communications to employees on behalf of the Customer; and
• any other processing described in the Agreement or agreed in writing between the parties.

3.2 RosterElf shall process Personal Data only in accordance with the documented instructions of the Customer (including the Agreement and the Customer's configuration and use of the Services), unless required to do so by applicable law.

---

4. Types of personal data

4.1 The categories of Personal Data processed under this DPA include, to the extent entered into the platform by or on behalf of the Customer:

• name, contact details (email address, phone number, postal address);
• employment details (job title, department, employment type, start date);
• work schedule, roster, and shift pattern data;
• time and attendance records (including clock-in and clock-out times, breaks);
• pay rates and payroll-relevant information (where entered by the Customer);
• profile photographs (where uploaded by the Customer or employee); and
• bank account details (where entered by the Customer for payroll integration purposes).

4.2 The categories of data subjects whose Personal Data is processed under this DPA include:

• employees, workers, and casual staff of the Customer;
• managers and supervisors of the Customer; and
• contractors and other individuals whose data the Customer enters into the platform.

---

5. Processor obligations

5.1 RosterElf shall process Personal Data only on documented instructions from the Customer, including as set out in the Agreement and this DPA, unless required to do so by applicable law. Where RosterElf is required by law to process Personal Data other than in accordance with the Customer's instructions, RosterElf shall inform the Customer of that legal requirement before processing, unless prohibited by law.

5.2 RosterElf shall ensure that all personnel authorised to process Personal Data under this DPA are subject to binding confidentiality obligations and are informed of the confidential nature of the Personal Data.

5.3 RosterElf shall implement and maintain the technical and organisational security measures described in clause 10 of this DPA.

5.4 RosterElf shall provide reasonable assistance to the Customer, taking into account the nature of the processing and the information available to RosterElf, to support the Customer's compliance with Articles 32–36 of UK GDPR, to the extent reasonably practicable and proportionate.

5.5 Where assistance requested by the Customer requires material additional work beyond the standard functionality of the Services, RosterElf may charge reasonable fees for such assistance.

5.6 RosterElf shall notify the Customer without undue delay upon becoming aware of a personal data breach involving Personal Data processed under this DPA, in accordance with clause 11.

5.7 RosterElf shall, at the Customer's choice, delete or return all Personal Data upon termination of the Agreement, in accordance with clause 12.

5.8 RosterElf shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and permit and contribute to audits in accordance with clause 13.

---

6. Subprocessors

6.1 The Customer grants RosterElf general authorisation to engage subprocessors to assist in the provision of the Services. RosterElf will maintain a current list of subprocessors engaged in the processing of Personal Data under this DPA and make that list available to the Customer upon request.

6.2 RosterElf shall notify the Customer of any intended changes to that list (additions or replacements of subprocessors) with reasonable prior notice, giving the Customer the opportunity to object to such changes on reasonable grounds relating to data protection. If the Customer objects and the parties cannot resolve the objection within 30 days, either party may terminate the Agreement on written notice.

6.3 RosterElf shall enter into written agreements with subprocessors that require them to implement appropriate technical and organisational measures and to process Personal Data in accordance with applicable data protection laws.

6.4 RosterElf shall remain responsible for the performance of its obligations under this DPA but shall not be liable for the acts or omissions of subprocessors beyond the extent to which RosterElf is responsible under applicable law.

---

7. International transfers

7.1 RosterElf is headquartered in Australia. Where Personal Data of UK individuals is transferred to Australia, such transfer is made on the basis of a UK adequacy regulation in respect of Australia (where in force and applicable), or in the absence of such a regulation, on the basis of the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

7.2 Where Personal Data is transferred outside the United Kingdom, RosterElf shall implement appropriate safeguards as required under applicable data protection law.

7.3 RosterElf shall provide reasonable information regarding applicable transfer safeguards upon request.

---

8. Data subject rights

8.1 Taking into account the nature of the processing, RosterElf shall provide reasonable assistance to the Customer in responding to Data Subject requests to the extent required under applicable data protection law and insofar as such requests cannot be addressed by the Customer through the Services.

8.2 If RosterElf receives a request directly from a data subject in relation to Personal Data processed under this DPA, RosterElf shall promptly notify the Customer of that request and shall not respond to the data subject directly unless authorised in writing to do so by the Customer, or unless required by applicable law to respond.

8.3 RosterElf shall implement appropriate technical measures within the platform to allow the Customer to access, correct, and delete Personal Data to assist in responding to data subject requests.

---

9. Security measures

9.1 RosterElf shall implement and maintain appropriate technical and organisational measures designed to protect Personal Data, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks to individuals.

---

10. Personal data breach

10.1 RosterElf shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.

10.2 Such notification shall include information reasonably available to RosterElf to assist the Customer in meeting its obligations under applicable data protection law.

10.4 RosterElf may make disclosures relating to a Personal Data Breach where required by applicable law and shall inform the Customer where legally permitted.

---

11. Return and deletion

11.1 Upon termination of the Agreement, the Customer may request deletion or return of Personal Data within a reasonable period.

11.2 In the absence of a request under clause 11.1, RosterElf may delete Personal Data in accordance with its standard retention practices.

---

12. Audit rights

12.1 The Customer may request information reasonably necessary to demonstrate RosterElf's compliance with this DPA.

12.2 RosterElf may satisfy such requests through the provision of certifications, audit reports, or other third-party assessments.

12.3 On-site audits shall be permitted only where required by applicable law and where documentation provided under clause 12.2 is insufficient, no more than once per 12-month period (unless required by law), on reasonable notice, during business hours, subject to confidentiality obligations and reimbursement of reasonable costs incurred by RosterElf.

---

13. Automated processing

13.1 RosterElf shall not make decisions based solely on automated processing of Personal Data, including profiling, that produce legal effects or similarly significantly affect data subjects, unless expressly instructed to do so by the Customer in writing.

13.2 Where the Customer instructs RosterElf to carry out automated decision-making as described in clause 13.1, the Customer shall ensure that an appropriate legal basis exists under UK GDPR for such processing, and that data subjects have been provided with the information required under UK GDPR, including their right to object and their right to request human review of the decision.

13.3 For the avoidance of doubt, the automated scheduling, rostering, and attendance features of the RosterElf platform do not constitute solely automated decision-making producing legal or similarly significant effects for the purposes of Article 22 of UK GDPR where those features operate subject to human review and approval by the Customer.

---

14. Liability

14.1 Liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, to the maximum extent permitted by applicable data protection law.

14.2 Each party shall be responsible only for damage caused by its own breach of this DPA or applicable data protection law.

14.3 Nothing in this DPA shall limit or exclude either party's liability for: fraud or fraudulent misrepresentation; death or personal injury caused by negligence; or any other matter in respect of which liability cannot be excluded or limited under applicable law.

14.4 For the avoidance of doubt, this DPA does not confer any rights on data subjects as third-party beneficiaries. Data subjects may exercise their rights under UK GDPR directly against the Customer as Data Controller.