
Data Processing Agreement (DPA)
Last Updated: 26th May 2026
This Data Processing Agreement ("DPA") applies where personal data is stored or processed within a MIDAS system that we host on our servers. This includes both "cloud-hosted" subscriptions and free trials of MIDAS. It forms part of, and should be read alongside, our Cloud Hosted Terms & Conditions, our Free Trial Terms & Conditions, our Software Privacy Policy, our Data Retention Policy, and our GDPR Statement. References below to your "hosted MIDAS system" apply equally to a cloud-hosted subscription and to a trial system.
This DPA reflects the requirements of Article 28 of the UK GDPR. Terms such as "controller", "processor", "sub-processor", "data subject", "personal data", "processing", and "personal data breach" have the meanings given to them in the UK GDPR and the Data Protection Act 2018.
1. Roles of the parties
- In respect of any personal data contained within your hosted MIDAS system, you (the customer) are the controller and we are the processor. You determine the purposes and means of processing that data; we process it only on your behalf.
- You confirm that you have a lawful basis for the processing of any personal data you place within your hosted MIDAS system, that the data has been collected lawfully, and that you are entitled to provide it to us for processing under this DPA.
2. Subject matter and details of processing
- Subject matter: the provision of the hosted MIDAS room booking and resource scheduling service, whether by way of a cloud-hosted subscription or a free trial.
- Duration: for the duration of your active cloud-hosted subscription or trial period, followed by the retention periods set out in our Data Retention Policy.
- Nature and purpose: the hosting, storage, and processing of data necessary to operate your room booking and resource scheduling system.
- Types of personal data: typically the names and contact details of your MIDAS users and of persons associated with bookings, together with any other personal data you or your users choose to enter into your MIDAS system.
- Categories of data subjects: typically your staff, your MIDAS users, and individuals associated with bookings made within your system.
3. Our obligations as processor
We shall:
- process the personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case we will inform you of that legal requirement before processing, unless the law prohibits us from doing so). Your instructions are constituted by this DPA and your use of the features and configuration options within your MIDAS system;
- ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;
- taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under the UK GDPR;
- assist you in ensuring compliance with your obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with the Information Commissioner's Office, taking into account the nature of processing and the information available to us;
- notify you without undue delay after becoming aware of a personal data breach affecting your data;
- at your choice, delete or return all the personal data to you after the end of the provision of services relating to processing, and delete existing copies unless we are required by law to retain a copy. The applicable timescales for deletion and the availability of data export are set out in our Data Retention Policy; and
- make available to you all information necessary to demonstrate compliance with the obligations in Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, subject to reasonable notice, confidentiality undertakings, and our reasonable security and operational requirements.
4. Sub-processors
- By entering into this DPA, you authorise us to engage sub-processors to assist in providing the hosted service. A current list of the sub-processors we use, together with their purpose and location, is maintained at our Sub-Processors & Third Party Services page.
- We ensure that each sub-processor we engage is bound by data protection obligations equivalent to those set out in this DPA. We remain responsible to you for the performance of each sub-processor's obligations.
- We will inform you of any intended changes concerning the addition or replacement of sub-processors involved in providing your hosted MIDAS system, thereby giving you the opportunity to object to such changes. Where you object, we will work with you in good faith to address your concerns, which may include making available any alternative configuration that avoids the sub-processor in question (where one exists). If we are unable to resolve your objection and the sub-processor is essential to the service, you may discontinue the affected service.
5. International transfers
- We offer a choice of data center locations for your live MIDAS database. Where personal data is transferred outside the UK, such transfers will be protected by an appropriate safeguard recognised under the UK GDPR, such as the standard data protection clauses adopted or approved for use in the UK.
6. Liability
- The limitations and exclusions of liability set out in our Cloud Hosted Terms & Conditions (for cloud-hosted subscriptions) or our Free Trial Terms & Conditions (for trials) apply equally to this DPA, save to the extent that any liability cannot lawfully be limited or excluded.
7. Governing law
- This DPA is governed by the law of England and Wales, and is subject to the exclusive jurisdiction of the courts of England and Wales.
We reserve the right to amend this Data Processing Agreement at any time without prior notification.