1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller:The waste carrier ("you") who uses WasteDoc to create waste transfer notes on behalf of your customers.
- Data Processor:Velara HSEC Ltd ("we", "us"), the operator of WasteDoc.
2. Purpose of Processing
We process personal data solely to provide the WasteDoc service — specifically, creating, storing, and delivering waste transfer notes as required by the Environmental Protection (Duty of Care) Regulations 1991 (England) and 2014 (Scotland).
3. Data Processed
The personal data processed includes:
- Waste producer names, addresses, and contact details (email, phone)
- Carrier company details and registration numbers
- Waste descriptions, EWC codes, and quantities
- Confirmation names and timestamps
4. Our Obligations
As data processor, we will:
- Process personal data only on your documented instructions and solely for the purpose of providing the WasteDoc service
- Ensure that persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures, including encryption at rest and in transit
- Not engage sub-processors without your general authorisation (see Section 6)
- Assist you in responding to data subject requests (access, rectification, deletion)
- Notify you without undue delay upon becoming aware of a personal data breach
- Delete or return all personal data upon termination of the service, subject to the legal retention period for waste transfer notes
5. Security Measures
- All data stored in the UK (AWS eu-west-2, London)
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Row-level security ensuring customers cannot access each other's data
- Authentication via secure tokens with automatic session management
- Regular security reviews of application code and infrastructure
6. Sub-processors
We use the following sub-processors to deliver the service. By using WasteDoc, you provide general authorisation for these sub-processors:
- Supabase — database and authentication (UK region)
- Vercel — application hosting
- Stripe — payment processing (if subscribed)
- Resend — email delivery of waste transfer notes
- Twilio — SMS delivery of waste transfer notes
We will notify you of any intended changes to sub-processors, giving you the opportunity to object.
7. Data Retention
Waste transfer notes are retained for a minimum of 2 years as required by law. Upon account deletion or service termination, we will delete all personal data within 30 days, except where retention is required by law.
8. Data Breach Notification
In the event of a personal data breach, we will notify you within 72 hours of becoming aware of the breach, providing details of the nature of the breach, categories of data affected, and measures taken to address it.
This DPA is effective from the date you create a WasteDoc account and remains in effect for the duration of your use of the service. Last updated: April 2026.