Data Processing Agreement
Last updated · 25 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Pointnode Ltd ("Processor") and the Customer ("Controller") for the supply of the Pointnode platform under our Terms of Service.
It implements the Controller's and Processor's respective obligations under UK GDPR and the Data Protection Act 2018 in respect of personal data processed by Pointnode on the Controller's behalf.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in UK GDPR (Article 4) or in the Terms of Service. In particular:
- Customer Personal Data means personal data uploaded to, generated by, or otherwise processed through the platform on the Controller's behalf.
- Sub-processor means any third party engaged by Pointnode to process Customer Personal Data — see /legal/sub-processors.
2. Subject matter and duration
- Subject matter: provision of the Pointnode Cloud dashboard and supporting services as described in the Terms.
- Duration: for the term of the Customer's subscription, plus the 30-day post-termination return / deletion window.
- Nature and purpose: hosting and processing the Controller's personal data to enable condition monitoring, asset records (statutory inspections, services, pre-use safety checks, and ad-hoc reports), lock-out / tag-out coordination, and related notification and audit functions.
3. Categories of data subjects and personal data
See Annex 1 (Description of Processing) below.
4. Pointnode's obligations
Pointnode shall:
- Process Customer Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required by law to do otherwise.
- Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organisational measures described in Annex 3 (Security Measures).
- Engage Sub-processors only on terms equivalent to this DPA, and remain responsible for their performance. The current list is at /legal/sub-processors.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligation to respond to data subject requests under UK GDPR Articles 12 to 23.
- Assist the Controller in ensuring compliance with Articles 32 to 36 (security, breach notification, DPIA, prior consultation), taking into account the information available to Pointnode.
- On termination, at the Controller's choice, return or delete all Customer Personal Data within 30 days, unless retention is required by law. On deletion of an individual user account (by the Controller's admin or by the user themselves under our self-serve delete flow), any programmatic-access tokens (API tokens) that user created are revoked in the same database transaction as the account deletion, so an outstanding token cannot survive the user it belonged to. Outgoing webhook configurations created by the deleted user remain enabled at the Controller's discretion, on the basis that the configuration belongs to the Controller's organisation rather than to the individual.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits — see Section 9.
5. Sub-processors
The Controller authorises Pointnode to engage the Sub-processors listed at /legal/sub-processors. Pointnode will give at least 30 days' notice by email before engaging a new Sub-processor or replacing an existing one. The Controller may object on reasonable data-protection grounds; if the parties cannot agree a workable alternative, the Controller may terminate the affected services without penalty.
6. International transfers
Where Customer Personal Data is transferred outside the UK or EEA, Pointnode will ensure an appropriate transfer mechanism is in place — the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), or any successor mechanism approved by the UK ICO or European Commission. The current Sub-processor list identifies which providers require which mechanism.
7. Personal data breaches
Pointnode shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will include the information required by UK GDPR Article 33(3) to the extent then known, and follow-up information will be provided as soon as it is established.
The Controller is responsible for any onward notification to data subjects and to the ICO.
8. Data subject rights
Where Pointnode receives a data subject request directly from an individual whose personal data is held on the Controller's behalf, Pointnode will, without undue delay:
- Acknowledge receipt and inform the data subject that the request should be directed to the Controller, providing the Controller's contact details.
- Notify the Controller and assist them as reasonably required to respond.
9. Audit rights
The Controller may, on at least 30 days' written notice and not more than once per year, audit Pointnode's compliance with this DPA. The annual-frequency limit does not apply: (a) following a personal data breach affecting the Controller; (b) where an audit is required by a regulator with jurisdiction over the Controller (for example a financial-services or health-and-safety regulator); or (c) where the Controller has reasonable grounds to suspect material non-compliance. In practice the audit obligation is satisfied by:
- Pointnode providing relevant excerpts of its security policies on request, and
- Where applicable in future, sharing third-party audit reports (e.g. SOC 2 Type II) under NDA.
Audits must be conducted during business hours, with reasonable cooperation, and at the Controller's cost unless they reveal a material breach by Pointnode.
10. Liability
Each party's liability under or in connection with this DPA is subject to the liability cap and exclusions set out in the Terms of Service.
11. Term and termination
This DPA takes effect on the start date of the Customer's subscription and remains in force for as long as Pointnode processes Customer Personal Data. Sections that by nature should survive termination (in particular Sections 4(g) and 9) survive.
Annex 1 — Description of Processing
Categories of data subjects
- Operators (employees of the Customer who use the monitored assets).
- Site managers and supervisors employed by the Customer.
- Org admins and engineers employed by the Customer.
- Pointnode staff users (Pointnode is the Controller for these).
Categories of personal data
- Identifiers: display name, email address.
- Profile contact details where supplied by the user: phone number, job title.
- Authentication: hashed password, TOTP MFA factor enrolment record, hashed single-use MFA recovery codes, session tokens.
- Role assignments inside the Customer organisation.
- Activity records: audit log, login history, configuration changes.
- Asset records: statutory inspections (LOLER, PUWER, wire rope), services, pre-use safety check submissions, and ad-hoc reports filed against a specific asset, together with any attached PDF evidence files. 5-year retention for statutory inspections and services; 2-year retention for pre-use checks.
- Operator activity records: LOTO issue / release records, asset session start / end timestamps.
- Notification preferences and recipient details.
- Photos and PDF evidence files uploaded as part of asset record submissions (pre-use safety checks, statutory inspection reports, services) — may incidentally include faces or other identifiers.
- Support tickets and conversation history: ticket subject, message bodies, attachments uploaded as part of the request, ticket number, category, priority, status, and the threaded follow-up messages.
- Help-content feedback: was-this-helpful votes and any optional free-text feedback the user supplies against a help article slug, recorded against their user identity for staff follow-up.
- Integration configuration: outgoing webhook destination URLs and per-webhook HMAC signing secrets; long-lived API tokens used for programmatic access (stored as one-way hash, never cleartext).
- Webhook delivery records: frozen snapshots of the event payloads delivered to the Customer's configured webhook endpoints, including operator identity (issued_by) where the event is a LOTO action.
Special categories of personal data
Pointnode is not designed to process special-category data (Article 9). Customers must not upload health data, biometric identifiers, or other Article 9 data through the platform.
Processing operations
- Storage in an EU-region encrypted database (eu-west-1).
- Display on the Pointnode Cloud dashboard and, for the crane vertical, the craneIQ iOS app.
- Transmission to recipients via the email provider listed in our sub-processor list.
- Backup and retention per Privacy Policy Section 6.
Annex 2 — Sub-processors
Per the live list at /legal/sub-processors.
Annex 3 — Security Measures
This annex is written for your security team. A plain-English overview of the same controls is published at /security.
- Network security. Modern encryption (TLS 1.2 or higher) on every external connection. On the Cloud dashboard: HSTS with preload-ready policy, Content-Security-Policy with allow-listed connection origins (the Pointnode database project and the Sentry ingest host only), X-Frame-Options DENY, Cross-Origin Opener Policy same-origin, Cross-Origin Resource Policy same-origin, and upgrade-insecure-requests in production.
- Database security. Customer data is isolated per-organisation at the database level — cross-tenant access is prevented one layer below the application, so a bug in the application code cannot return another customer's data. Technically: Postgres Row-Level Security policies enforce isolation at the row level, an ensure_rls event trigger blocks any new table from being created without an RLS policy attached, and SECURITY DEFINER functions have their search_path pinned and their EXECUTE privilege revoked from PUBLIC with explicit per-role grants.
- Audit log integrity. The audit log is append-only — nobody, including Pointnode staff, can edit or delete past entries. Technically: the public.logs table has BEFORE UPDATE / DELETE triggers (logs_block_mutation, SECURITY DEFINER with locked search_path) that raise an exception against any mutation attempt, including from the service-role connection used by Edge Functions and from the database provider's SQL editor. Retention pruning runs under a session-local marker that the trigger short-circuits on, so the 7-year retention DELETE is the only DELETE path that can succeed.
- Per-asset device authentication. Every asset has its own unique digital certificate bound to that asset only. Compromise of one asset cannot impersonate another. If a certificate is ever compromised, revocation propagates to the platform within 5 minutes. Technically: each asset authenticates with its own X.509 client certificate, cryptographically bound to its mqtt_id. Customer leaf certificates have a 3-year validity (in line with NIST SP 800-89 for industrial control systems with strong revocation infrastructure); Pointnode service certificates have a 90-day validity and auto-renew. Revocation propagates via a published Certificate Revocation List (CRL) that the message broker re-checks every 5 minutes. New assets are provisioned with certificate-based authentication by default; the legacy username / password mode remains available as a fallback.
- Rate limiting. Per-asset caps on how much data an asset can send (rate and number of distinct readings), enforced via a token bucket per mqtt_id with per-asset overrides on the assets row. Per-actor rate limiting on mutating actions (e.g. 30/min for alarm thresholds, 5/hour for test email sends). Per-organisation daily caps on outbound transactional emails.
- Secrets management. Internal admin credentials are never exposed to browsers or to on-asset controllers. Third-party provider API keys (message broker admin API, email provider, payment-webhook signing secret) are stored as encrypted server-side secrets, not in the dashboard's environment. Customer-facing API tokens are stored as one-way SHA-256 hashes; the cleartext value is shown once on creation and never persisted.
- Encryption at rest. Industry-standard AES-256 managed by our hosting providers (covering the database, file storage, and the ingest service's persistent volume). Authenticator-app shared secrets are held inside the authentication provider (provider-managed); recovery codes are stored as one-way hashes and verified by hash comparison only.
- Authentication. Email and password with optional authenticator-app multi-factor authentication. Self-serve MFA enrolment is available in the dashboard. Session cookies are httpOnly, secure, and sameSite=lax.
- Logging and monitoring. Structured logs across hosting providers. The ingest service exposes Prometheus metrics on its internal interface. An independent external monitor (UptimeRobot) polls public health endpoints (/api/health/cron, /api/health/stripe-webhook-errors, and the ingest's /health). Application errors are captured by Sentry where a project DSN is configured; email addresses appearing in event payloads are replaced with a deterministic SHA-256 hash before transmission, and a defence-in-depth string scrubber in the SDK's beforeSend hook redacts email-shaped strings that bypass the helper.
- Personnel. Pointnode staff with access to production systems are bound by confidentiality obligations and use unique named accounts. Access is reviewed periodically. Pointnode's engineering use of AI-assisted tooling does not touch production Customer data — see the sub-processor list for the relevant carve-out.
- Incident response. Documented runbook (PRODUCTION-RUNBOOK.md), with five symptom → diagnose → fix → escalation entries covering the most likely production incident shapes. 48-hour Customer notification per Section 7 above. Coordinated-disclosure policy published at /.well-known/security.txt per RFC 9116.
- Software supply chain. A complete inventory of every library shipped in production (a CycloneDX 1.6 Software Bill of Materials) is regenerated on every deployment and published at /sbom.json for Customer compliance teams to fetch.
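The "Audit log integrity" and "Database security" bullets above describe a pattern a reviewing security team will want to see concretely: an append-only table whose BEFORE UPDATE / DELETE triggers refuse every mutation except a retention job that has set a marker, implemented as a SECURITY DEFINER function with a pinned search_path and EXECUTE revoked from PUBLIC. The following is an added illustration of that pattern for Postgres, not Pointnode's own DDL; the schema and table name (audit.logs), the column layout, and the marker name (the custom setting app.retention_prune) are assumptions chosen for the example.

```sql
-- Added example, not Pointnode's code: an append-only audit table guarded by
-- BEFORE UPDATE / DELETE triggers, with a transaction-local marker that only
-- the retention job's DELETE can carry. Names (audit.logs, app.retention_prune)
-- are assumptions for this demo, not identifiers from the DPA.

CREATE SCHEMA IF NOT EXISTS audit;

CREATE TABLE IF NOT EXISTS audit.logs (
  id          bigserial    PRIMARY KEY,
  org_id      uuid         NOT NULL,
  actor       text         NOT NULL,
  action      text         NOT NULL,
  detail      jsonb        NOT NULL DEFAULT '{}'::jsonb,
  created_at  timestamptz  NOT NULL DEFAULT now()
);

-- The guard. SECURITY DEFINER so it always runs with the owner's rights, and
-- search_path pinned so a caller cannot shadow current_setting() or the table
-- with look-alike objects in a schema they control.
CREATE OR REPLACE FUNCTION audit.logs_block_mutation()
RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, audit
AS $$
BEGIN
  -- Retention pruning sets a marker with SET LOCAL inside its own transaction.
  -- current_setting(..., true) returns NULL when the marker is absent, so the
  -- comparison is NULL (not true) and the mutation is refused.
  IF TG_OP = 'DELETE'
     AND current_setting('app.retention_prune', true) = 'on' THEN
    RETURN OLD;   -- let this one row be deleted
  END IF;

  RAISE EXCEPTION 'audit.logs is append-only: % rejected (row id %)',
    TG_OP, OLD.id
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- Nobody needs to call the definer function directly; the trigger invokes it.
REVOKE EXECUTE ON FUNCTION audit.logs_block_mutation() FROM PUBLIC;

DROP TRIGGER IF EXISTS logs_block_mutation ON audit.logs;
CREATE TRIGGER logs_block_mutation
  BEFORE UPDATE OR DELETE ON audit.logs
  FOR EACH ROW EXECUTE FUNCTION audit.logs_block_mutation();

-- Inserts are unaffected (constructed sample row).
INSERT INTO audit.logs (org_id, actor, action)
VALUES (gen_random_uuid(), 'alice@example.test', 'loto.issue');

-- Any ad-hoc UPDATE or DELETE, from a SQL editor or a service-role session,
-- fails with:  ERROR: audit.logs is append-only: DELETE rejected (row id 1)
-- DELETE FROM audit.logs WHERE id = 1;
-- UPDATE audit.logs SET action = 'edited' WHERE id = 1;

-- The retention job is the only path that succeeds, and only inside the
-- transaction that set the marker; SET LOCAL is discarded at COMMIT/ROLLBACK,
-- so the marker cannot leak to the next statement on a pooled connection.
BEGIN;
SET LOCAL app.retention_prune = 'on';
DELETE FROM audit.logs WHERE created_at < now() - interval '7 years';
COMMIT;
```

Two caveats worth checking when reviewing a control like this: the trigger only binds roles that cannot alter the table, so the application and service roles must not own audit.logs (an owner or superuser can DISABLE TRIGGER or DROP it, and that DDL should itself be audited); and the marker is safest as a transaction-scoped SET LOCAL rather than a session-scoped SET, otherwise a connection pool can hand the "pruning" session to an unrelated request.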
Annex 4 — International Transfer Provisions
Where the Sub-processor list identifies a transfer outside the UK / EEA, the parties incorporate by reference the relevant transfer instrument:
- For transfers from the UK: the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, version B1.0 (or its successor).
- For transfers from the EEA: the EU Commission's Standard Contractual Clauses (Module Two: Controller to Processor, Decision 2021/914) (or its successor).
Pointnode acts as data importer (Module Two); the Controller is the data exporter. Annex 1 of the SCCs is satisfied by the Description of Processing in Annex 1 above; Annex 2 is satisfied by the Security Measures in Annex 3 above.
Where execution of the SCCs / IDTA is required for a specific Customer, the populated annexes (Annex 1 — Description of Processing, Annex 2 — Security Measures, Annex 3 — Sub-processors) are physically attached to the executed instrument rather than incorporated by reference only. The web copy of this DPA is informational; the signed PDF version constitutes the contractual record.
Sign and return
To execute this DPA, email legal@pointnode.io with the Customer's legal entity name and the signing representative. We'll return a PDF version with both parties' details ready for signature.