1. Roles
The client is usually controller for customer, engineer, site, job and compliance data used in its HVAC operation. Instaris acts as processor when it handles that data to deliver agreed pilot or managed operations services.
2. Processing details
| Item | Detail |
|---|---|
| Subject matter | Scheduling, contract control, PPM, compliance and reporting support |
| Data subjects | Client staff, engineers, customer contacts, suppliers and site contacts |
| Data types | Names, contact details, job notes, location/ETA data where enabled, service records and compliance evidence |
| Duration | For the pilot or service term, plus agreed retention or legal record periods |
3. Processor commitments
- Process personal data only on documented client instructions unless law requires otherwise.
- Keep people with access under confidentiality obligations.
- Apply appropriate technical and organisational security measures.
- Help the client respond to data subject requests, security incidents, DPIAs and regulator enquiries where reasonably required.
- Delete or return personal data at the end of the engagement, unless retention is required by law or agreed in writing.
4. Sub-processors
Instaris may use reputable hosting, email, analytics, automation, CRM and field-service tooling providers to deliver the service. We remain responsible for our sub-processor management and will use providers under appropriate contractual controls.
5. Reference standard
The ICO states that controller-processor contracts should cover documented instructions, confidentiality, security, sub-processors, rights assistance, end-of-contract provisions and audits. See ICO guidance on contracts between controllers and processors at ico.org.uk.