Data processing addendum
Last updated 2026-05-18
This data processing addendum (DPA) forms part of the Duress master services agreement and governs Duress's processing of personal data on behalf of customers under UK GDPR + Data Protection Act 2018 and, where applicable, the GDPR.
Roles
The customer is the data controller. Duress Pty Ltd is the processor. Sub-processors are listed in the sub-processor register.
Subject matter, duration, nature, purpose
Duress processes personal data to provide the workplace safety platform: device telemetry, incident records, monitoring centre dispatch, and platform analytics. Processing continues for the term of the agreement plus the data retention period.
Categories of data subjects
- Customer staff using Duress devices or the Duress app
- Administrators of the customer's Duress account
- Third parties whose data is captured during an active incident (audio, video, location)
Categories of personal data
- Identity: name, email, role, organisation
- Telemetry: device ID, battery, connectivity, location during active incidents and check-ins
- Incident: timestamps, audio, video, dispatch records, response notes
- Account: login records, IP, session tokens, audit logs
Security measures
Documented in our security overview. Highlights: ISO/IEC 27001:2022 certified, AES-256 at rest and in transit, SAML 2.0 / SCIM / OpenID Connect, audit logging, role-based access, annual penetration test, sub-15-minute incident response.
Sub-processors
The current sub-processor register is maintained at https://duress.com/en-gb/legal/sub-processors/. Duress provides 30 days' notice before adding a new sub-processor. Customers may object in writing.
Data residency
Production data for the United Kingdom region is hosted in AWS London with replicated backups in the same jurisdiction. Cross-region replication is not enabled by default.
International transfers
Where Duress transfers personal data outside the originating jurisdiction (e.g. for support access), it does so under standard contractual clauses and the UK IDTA where applicable, and only to sub-processors named in the register.
Data subject rights
Customers may export, correct, or delete personal data through Pathfinder admin or by writing to privacy@duress.com. Duress assists customer responses to data subject access requests within five business days of receipt.
Audit + reporting
Customers may request our most recent ISO 27001:2022 surveillance report, pen-test summary, and SOC 2 (in scope from 2026 Q4) once per twelve-month period under NDA. Procurement teams should request the full security pack: resources/security-pack.
Breach notification
Duress notifies affected customers within 24 hours of becoming aware of a personal-data breach affecting their data, with regulatory-grade detail within 72 hours.
Termination
On termination, Duress returns or deletes customer personal data within 30 days, with a deletion certificate available on request.
Signing
Most customers can rely on this online DPA as part of the master services agreement. If your procurement process requires a counter-signed copy, email legal@duress.com and we will turn it around within two business days.