Data Processing Addendum

Last updated: July 28, 2025

This Addendum forms part of our Terms and Conditions.

1. Definitions

For the purposes of this Addendum:

• "UK Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any related laws or regulations.
• "Customer" means the business entity that has entered into the Terms and Conditions with Us.
• "Personal Data", "Controller", "Processor", "Data Subject", "Processing" and related terms shall have the meanings given under UK GDPR.
• "Services" means the services provided by Us under the Terms and Conditions.
• "Subprocessor" means any third party engaged by Us to process Personal Data on behalf of the Customer.

2. Scope and Role of the Parties

The Customer is the Controller, and We are the Processor with respect to Personal Data processed in the course of providing the Services. We will process Personal Data only on behalf of the Customer and in accordance with the Terms, this Addendum, and documented instructions from the Customer.

Each party shall comply with its respective obligations under applicable Data Protection Law. We will not determine the purposes or means of the processing of Personal Data and shall act solely on the Customer’s instructions, except where required by applicable law.

3. Purpose of Processing

We will process Personal Data solely to deliver the Services, including:

• Receiving, storing, and transmitting data submitted by the Customer or its end-users,
• Supporting customer configuration and integration,
• Communicating with the Customer and fulfilling technical or support obligations.

We shall not process Personal Data for any other purpose unless required by law.

4. Subprocessing

We may engage Subprocessors to process Personal Data on our behalf. We will ensure that each Subprocessor is contractually bound to obligations no less protective of Personal Data than those set out in this Addendum. We remain fully liable to the Customer for the performance of each Subprocessor. The Customer may object to the appointment of a new Subprocessor by notifying us within 10 business days of receiving notice. If the Customer reasonably objects on data protection grounds, We will work in good faith to address the concern.

5. International Transfers

We may transfer Personal Data outside the UK and European Economic Area (EEA) where required for service delivery. Such transfers will rely on appropriate safeguards, including:

• UK International Data Transfer Addendum (IDTA), or
• Standard Contractual Clauses (SCCs) approved by the UK Government or European Commission.

6. Security

We implement appropriate technical and organisational measures to protect Personal Data, including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Logging and monitoring
• Secure development and deployment practices

7. Data Subject Rights

We will assist the Customer in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Law, including but not limited to:

• Access, rectification, or erasure of Personal Data
• Restriction or objection to processing
• Data portability

Upon receiving a request from a Data Subject that relates to the Customer's data, We will:

• Promptly inform the Customer
• Not respond to the request directly unless instructed to do so by the Customer

We will provide reasonable assistance to enable the Customer to respond to such requests within the timeframes required by law.

8. Personal Data Breach

If We become aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer, We will:

• Notify the Customer without undue delay after becoming aware of the breach
• Provide relevant information as it becomes known
• Assist the Customer in meeting any notification obligations under applicable law

9. Deletion or Return of Data

Upon termination of the Services, We will:

• At the Customer’s election, delete all Personal Data, and
• Delete existing copies within 30 days of termination unless storage is required by applicable law.

We may retain anonymised data not constituting Personal Data after deletion, solely for analytical or service improvement purposes, unless otherwise agreed.

10. Audit and Assistance

We will make available all information necessary to demonstrate compliance with this Addendum. We will allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer (not more than once per year), provided reasonable notice is given and the audit does not unreasonably disrupt our operations.

11. Customer Obligations

The Customer represents and warrants that:

• It has a valid legal basis to collect and transfer Personal Data to Us.
• It will comply with its obligations under applicable data protection laws in relation to its processing of Personal Data.

12. Term and Survival

This Addendum shall remain in effect for as long as We process Personal Data on behalf of the Customer. Clauses that by their nature should survive termination (e.g. Sections 9, 10) shall survive.

13. Governing Law

This Addendum is governed by and construed in accordance with the laws of Scotland, and the parties submit to the exclusive jurisdiction of the Scottish courts.

14. Contact

If you have questions or comments about this policy, you may contact us by email at .