Data Processing Agreement

Last updated: February 17th, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Unomiq.com ("Processor", "we", "us") and the Customer ("Controller", "you") for the provision of Unomiq services (the "Main Agreement"). This DPA is effective from the date of the Main Agreement and sets out the terms under which we process personal data on your behalf.

1. Purpose and Scope

The purpose of this DPA is to ensure compliance with applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, and any other applicable data protection laws ("Data Protection Legislation").

This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the Services as described in the Main Agreement. The details of the processing operations, including the categories of personal data and the purposes of processing, are set out in Annex II.

2. Interpretation

Where this DPA uses terms that are defined in the Data Protection Legislation, those terms shall have the same meaning as in the Data Protection Legislation. This DPA shall be read and interpreted in light of the provisions of the applicable Data Protection Legislation.

This DPA is an integral part of the Main Agreement. In the event of any conflict between this DPA and any other agreement between the parties, the provisions of this DPA shall prevail with regard to data protection matters.

3. Obligations of the Parties

3.1 Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the Data Protection Legislation.

3.2 Purpose Limitation

The Processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further documented instructions from the Controller.

3.3 Duration of Processing

Processing by the Processor shall only take place for the duration specified in Annex II. Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all personal data processed on behalf of the Controller and delete existing copies unless applicable law requires storage of the personal data.

3.4 Confidentiality

The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security of Processing

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex III. These measures include, as appropriate:

  • The pseudonymisation and encryption of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

5. Sensitive Data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or personal data relating to criminal convictions and offences ("Sensitive Data"), the Processor shall apply specific restrictions and/or additional safeguards as required by Data Protection Legislation.

6. Documentation and Compliance

The parties shall be able to demonstrate compliance with this DPA. The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted with reasonable notice of at least 72 hours, during normal business hours, and no more than once per year unless required by a supervisory authority or in the event of a personal data breach. The Controller shall bear the costs of any audit.

7. Use of Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors from the agreed list set out in Annex IV. The Processor shall specifically inform the Controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 business days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).

Where the Controller objects to a new sub-processor, the Controller may terminate the Main Agreement by providing written notice. The Processor shall ensure that any sub-processor is bound by the same data protection obligations as set out in this DPA by way of a contract or other legal act.

The Processor shall remain fully liable to the Controller for the performance of any sub-processor's obligations. The current list of approved sub-processors is set out in Annex IV.

8. International Transfers

Any transfer of personal data to third countries or international organisations shall only be done on documented instructions from the Controller and in compliance with applicable Data Protection Legislation. Where a transfer is necessary, the Processor shall ensure that appropriate safeguards are in place, including standard contractual clauses adopted by the European Commission, binding corporate rules, or any other valid transfer mechanism under the Data Protection Legislation.

9. Assistance to the Controller

The Processor shall promptly notify the Controller of any request received directly from a data subject relating to the processing of their personal data. The Processor shall not respond to such a request itself unless it has been authorised to do so by the Controller.

The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under the Data Protection Legislation.

The Processor shall also assist the Controller in ensuring compliance with obligations relating to the security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor.

10. Notification of Personal Data Breach

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under the Data Protection Legislation, taking into account the nature of processing and the information available to the Processor.

The Processor shall assist the Controller in notifying the competent supervisory authority without undue delay after the Controller has become aware of the breach, where applicable.

Upon becoming aware of a personal data breach, the Processor shall notify the Controller without undue delay and provide the following information:

  • A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and personal data records concerned
  • The name and contact details of the data protection officer or other contact point where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects

11. Non-compliance and Termination

Without prejudice to any provisions of the Data Protection Legislation, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the processing of personal data until the Processor complies with this DPA or the Main Agreement is terminated.

The Controller shall be entitled to terminate this DPA and the Main Agreement insofar as it concerns processing of personal data in accordance with this DPA, if: (i) the processing of personal data by the Processor has been suspended by the Controller and compliance with this DPA is not restored within a reasonable time and in any event within one month; (ii) the Processor is in substantial or persistent breach of this DPA or its obligations under the Data Protection Legislation; or (iii) the Processor fails to comply with a binding decision of a competent court or supervisory authority.

Termination of the Main Agreement shall automatically terminate this DPA. Upon termination, the Processor shall, at the Controller's choice, promptly delete or return all personal data and certify in writing that it has done so, unless applicable law requires continued storage of the personal data.

Annex I: List of Parties

Data Controller

Name: The Customer, as identified in the Main Agreement

Role: Controller

Data Processor

Name: Unomiq.com

Contact: privacy@unomiq.com

Role: Processor

Annex II: Description of Processing

Categories of Data Subjects

Data subjects include the Controller's contacts, customers, end-users, employees, contractors, and other individuals whose personal data is processed through the Services.

Categories of Personal Data

The categories of personal data processed are determined by the Controller and may include: names, email addresses, contact information, usage data, IP addresses, device identifiers, and any other personal data submitted to the Services by or on behalf of the Controller.

Purpose of Processing

Personal data is processed for the purpose of providing the Services as described in the Main Agreement, including storage, processing, analysis, and deletion of data as instructed by the Controller.

Duration of Processing

Processing shall continue for the duration of the Main Agreement, unless otherwise agreed in writing or required by applicable law.

Annex III: Technical and Organisational Security Measures

The Processor implements the following technical and organisational measures to ensure the security of personal data:

  • Encryption: Personal data is encrypted in transit (TLS 1.2+) and at rest using industry-standard encryption algorithms
  • Access Controls: Role-based access controls with the principle of least privilege; multi-factor authentication required for system access
  • Network Security: Firewall protection, intrusion detection systems, and network segmentation to prevent unauthorized access
  • Data Integrity: Regular backups, data validation checks, and integrity monitoring to prevent accidental or malicious data modification
  • Incident Response: Documented breach response procedures with defined roles, escalation paths, and notification timelines
  • Employee Training: Regular data protection and security awareness training for all personnel with access to personal data
  • Physical Security: Data is hosted in certified data centres with physical access controls, surveillance, and environmental protections
  • Logging and Monitoring: Comprehensive audit logging of access to personal data with regular review and anomaly detection

Annex IV: List of Sub-processors

The following sub-processors are approved for the processing of personal data:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and data hosting | United States / EU
Google Cloud Platform | Cloud infrastructure and data processing | United States / EU
MongoDB | Database storage | United States / EU
OpenAI | AI model processing | United States
Anthropic | AI model processing | United States

This list may be updated from time to time. The Controller will be notified at least 15 business days in advance of any additions or changes to this list.

Contact

If you have any questions about this Data Processing Agreement, please contact us at:

Unomiq.com

Email: privacy@unomiq.com