Data Processing Agreement

Last updated: 31 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Field Forge Limited, a company registered in Northern Ireland (company number NI715154) with its registered office at Office 1739, 92 Castle Street, Belfast, BT1 1HE (the "Processor"), together the "Parties".

This DPA applies where Field Forge processes personal data on your behalf in providing the Service, and sets out the Parties' obligations in relation to such processing in compliance with UK GDPR and the Data Protection Act 2018.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018.
  • "Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope & Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data solely for the purpose of providing the Field Forge platform and related services as described in the Terms of Service.

2.2 Nature of Processing

The processing activities include:

  • Storage of client, contact, site, and staff records
  • Generation and management of quotes, jobs, and invoices
  • AI-powered quote generation (sending job descriptions to AI sub-processors)
  • Scheduling and calendar management
  • Payment processing via Stripe
  • File storage (documents, photos)
  • Audit logging and activity tracking

2.3 Categories of Data Subjects

  • Controller's employees and staff members
  • Controller's clients and their contacts
  • Controller's suppliers and subcontractors
  • End users of the Controller's customer portal

2.4 Types of Personal Data

  • Names, email addresses, phone numbers
  • Business addresses and site locations (including GPS coordinates)
  • Job titles and roles
  • Financial information (invoices, payment records)
  • Employment-related data (hourly rates, trades, roles)
  • Photos and documents uploaded to the Service
  • Activity and audit logs (timestamps, user actions)

2.5 Duration

Processing will continue for the duration of the Controller's Subscription, plus any retention periods specified in the Privacy Policy.

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Encryption in transit (TLS/HTTPS) and at rest (AES-256)
    • Firebase Authentication with secure credential management
    • Role-based access controls
    • Firestore Security Rules enforcing data isolation between companies
    • Regular security assessments
  • Not engage a Sub-processor without prior written authorisation from the Controller (see Section 4)
  • Assist the Controller in responding to Data Subject requests (see Section 5)
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation
  • At the choice of the Controller, delete or return all Personal Data upon termination of the Service, and delete existing copies unless storage is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Sub-processors

4.1 Authorised Sub-processors

The Controller authorises the Processor to engage the following Sub-processors:

| Sub-processor | Processing Activity | Location |
|---|---|---|
| Google Cloud Platform / Firebase | Cloud hosting, database (Firestore), authentication, file storage, serverless compute | EU / US |
| Stripe, Inc. | Payment processing and subscription billing | US (with EU infrastructure) |
| Google LLC (Gemini AI) | AI-powered quote generation | US |
| OpenAI, Inc. | AI-powered quote generation (fallback provider) | US |

4.2 Changes to Sub-processors

The Processor will notify the Controller of any intended changes to Sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds relating to data protection, the Parties will discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Service.

4.3 Sub-processor Obligations

The Processor will ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its Sub-processors.

5. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests under UK GDPR, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor will:

  • Promptly notify the Controller if it receives a request directly from a Data Subject
  • Not respond to the Data Subject directly unless instructed by the Controller
  • Provide the Controller with the ability to access, export, correct, and delete Personal Data through the Service's features
  • Provide reasonable additional assistance where the Service's features are insufficient to fulfil a request

6. Data Breach Notification

In the event of a Data Breach, the Processor will:

  • Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach
  • Provide the Controller with sufficient information to enable the Controller to meet its obligation to notify the ICO within 72 hours, including:
    • The nature of the breach, including categories and approximate number of Data Subjects affected
    • The likely consequences of the breach
    • The measures taken or proposed to address the breach
  • Co-operate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
  • Document the breach, including its effects and remedial actions taken

7. International Data Transfers

Where Personal Data is transferred outside the United Kingdom, the Processor ensures that appropriate safeguards are in place in accordance with UK GDPR, including:

  • Standard Contractual Clauses (SCCs) as approved by the ICO
  • The UK International Data Transfer Agreement (IDTA) where applicable
  • UK adequacy decisions where available

All Sub-processors listed in Section 4.1 maintain appropriate data transfer mechanisms.

8. Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor. Such audits will be:

  • Conducted with reasonable prior notice (at least 30 days)
  • Carried out during normal business hours
  • Conducted no more than once per year, unless a Data Breach or regulatory investigation necessitates an additional audit
  • Subject to reasonable confidentiality obligations

9. Deletion & Return of Data

Upon termination of the Service or upon the Controller's request:

  • The Controller may export their data using the Service's built-in export features
  • The Processor will delete all Personal Data within 90 days of termination, unless retention is required by applicable law
  • The Processor will confirm deletion in writing upon request
  • Data in backups will be deleted in accordance with the backup retention schedule (within 90 days)

10. Liability

Each Party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

11. Governing Law

This DPA is governed by the laws of Northern Ireland and subject to the exclusive jurisdiction of the courts of Northern Ireland.

12. Contact

  • Field Forge Limited (Processor)
  • Office 1739, 92 Castle Street, Belfast, BT1 1HE, Northern Ireland
  • Company Number: NI715154
  • Email: contact@fieldforge.io
