Data Processing Agreement

Version 1.0 · Last updated: 9 April 2026

DATA PROCESSING AGREEMENT

Northern Tech Hub Ltd

Supplier (Processor)

Northern Tech Hub Ltd, company number 16428857, registered address: Ground Floor, Radley House, Richardshaw Road, Leeds, LS28 6LE. Contact: dpa@northerntechhub.com

Client (Controller)

As named in the applicable Order Form.

Each of the parties shall be referred to as a "Party" or together, the "Parties".

Processing details are set out in Schedule 1. Approved Sub-Processors are set out in Schedule 2.

Background

(A) The Supplier provides platform subscription services (the "Services") to the Client and may be required to process Client Personal Data to fulfil the Purpose.

(B) This Agreement sets out the terms on which the Supplier will process Client Personal Data in accordance with Data Protection Laws.

(C) This Agreement forms part of, and is supplemental to, the Platform Terms and Conditions and the applicable Order Form between the Parties (together, the "Principal Agreement").

1. Definitions and Interpretation

1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

Agreement: this Data Processing Agreement, including Schedules 1 and 2 and any schedules attached to it, which forms part of the Principal Agreement.

Client Personal Data: the personal data processed by the Supplier on behalf of the Client under this Agreement, as described in Schedule 1 and any applicable Order Form.

Data Protection Laws: all applicable data protection and privacy legislation in force from time to time, including: (a) in the United Kingdom, the UK GDPR (as defined in the Data Protection Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); and (b) where applicable, the EU GDPR (Regulation (EU) 2016/679); in each case as amended, updated or replaced, together with relevant binding guidance or codes of practice issued by a DP Regulator.

DP Regulator: a competent supervisory authority under Data Protection Laws (in the UK, the Information Commissioner's Office).

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data.

Principal Agreement: the Platform Terms and Conditions, the applicable Order Form and any other agreement between the Parties governing the provision of the Services.

Standard Contractual Clauses (SCCs): the ICO's International Data Transfer Agreement (IDTA) and/or the ICO's International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, or such alternative clauses as may be approved from time to time.

Sub-Processor(s): any processor engaged by the Supplier (or by any other Sub-Processor) to process Client Personal Data on behalf of the Client.

1.2 Terms such as "controller", "processor", "data subject", "personal data", "processing" and "appropriate technical and organisational measures" have the meanings given in Data Protection Laws.

1.3 Headings do not affect interpretation. References to legislation include amendments and replacements. "Including" shall not be limiting.

1.4 In the case of conflict or ambiguity between:

(a) any provision contained in the body of this Agreement and any provision contained in a Schedule, the provision in the body of this Agreement shall prevail;

(b) any of the provisions of this Agreement and the provisions of the Principal Agreement, the provisions of this Agreement shall prevail in respect of data protection matters; and

(c) any of the provisions of this Agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses shall prevail.

2. Data Protection Roles and Relationship

2.1 The Parties acknowledge that the Client is the controller of Client Personal Data and the Supplier is the processor of Client Personal Data.

2.2 Each Party shall comply with its respective obligations under Data Protection Laws. This Agreement does not relieve a Party of its own responsibilities under Data Protection Laws.

2.3 The Client warrants and represents that: (a) the Supplier's expected use of Client Personal Data for the purposes described in Schedule 1, and as specifically instructed by the Client from time to time, will comply with Data Protection Laws; (b) the Client remains responsible for providing any required notices to data subjects and obtaining any required consents; and (c) the Client has all necessary authority to transfer Client Personal Data to the Supplier for the duration and purposes of this Agreement.

3. Data Processing Obligations

3.1 Controller instructions. The Supplier shall process Client Personal Data only on the documented instructions of the Client (the provision of the Services being the Client's instruction for processing), unless required by applicable law. Where processing is required by law, the Supplier shall (where legally permitted) inform the Client before processing.

3.2 Notification of unlawful instructions. The Supplier shall notify the Client if, in its reasonable opinion, an instruction infringes Data Protection Laws.

3.3 Compliance with Client instructions. The Supplier shall promptly comply with any reasonable written instruction from the Client requiring the Supplier to amend, transfer, delete or otherwise process Client Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.4 Security measures. The Supplier shall implement appropriate technical and organisational measures to protect Client Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Such measures shall include, as appropriate:

(a) pseudonymisation and encryption of Client Personal Data;

(b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore availability and access to Client Personal Data in a timely manner following an incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

3.5 Confidentiality and personnel. The Supplier shall ensure that all persons authorised to process Client Personal Data:

(a) are bound by appropriate confidentiality obligations (whether contractual or statutory);

(b) are informed of the confidential nature of Client Personal Data;

(c) receive appropriate training in data protection; and

(d) are aware of the Supplier's duties and their own personal duties and obligations under Data Protection Laws and this Agreement.

3.6 Data subject requests. The Supplier shall, to the extent permitted by law:

(a) promptly notify the Client (and in any event within five (5) Business Days of receipt) of any requests or communications received directly from data subjects or a DP Regulator relating to Client Personal Data; and

(b) not respond to such requests except on the Client's documented instructions or as required by law.

3.7 Government and law enforcement access requests. The Supplier shall, to the extent legally permitted, promptly notify the Client of any legally binding request received from a government authority or law enforcement agency for access to Client Personal Data, and shall not disclose Client Personal Data to any such authority unless legally compelled to do so.

3.8 Assistance. Taking into account the nature of the processing and information available to the Supplier, the Supplier shall provide reasonable assistance to the Client to support compliance with Data Protection Laws in relation to:

(a) security obligations and breach notifications;

(b) data protection impact assessments and prior consultations with DP Regulators (where the Client's use of the Services is likely to result in a high risk to data subjects); and

(c) data subject rights requests.

Where assistance materially exceeds the scope of the Services, the Supplier may charge at its reasonable standard rates unless the assistance is required due to the Supplier's breach.

3.9 Records of processing activities. The Supplier shall maintain records of processing activities carried out on behalf of the Client as required by Article 30(2) of the UK GDPR, including: (a) the name and contact details of the Supplier and, where applicable, its data protection officer; (b) the categories of processing carried out on behalf of the Client; (c) where applicable, details of transfers to third countries and the safeguards in place; and (d) a general description of the technical and organisational security measures implemented.

3.10 Cost-prohibitive instructions. Where a change in the Client's processing instructions would incur material additional cost for the Supplier to comply: (a) the Supplier shall promptly inform the Client with full details; (b) the Supplier shall cease affected processing (except secure storage) until revised instructions are received; and (c) any changes affecting the pricing structure or commercial relationship shall require written agreement between the Parties.

4. Personal Data Breach

4.1 The Supplier shall notify the Client without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Client Personal Data.

4.2 Such notification shall include, to the extent available at the time of notification (and supplemented as further information becomes available):

(a) a description of the nature of the Personal Data Breach, including the categories of Client Personal Data affected and the approximate number of data subjects and personal data records concerned;

(b) the likely consequences of the Personal Data Breach;

(c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and

(d) such further information as the Client may reasonably require to support its obligations under Data Protection Laws.

4.3 Immediately following any Personal Data Breach, the Parties shall co-ordinate with each other to investigate the matter. The Supplier shall reasonably co-operate with the Client in the Client's handling of the matter, including preserving evidence and providing information necessary for the Client to comply with its notification obligations to DP Regulators and affected data subjects.

4.4 The Supplier agrees, subject to any obligation under applicable law, that the Client shall have the sole right to determine: (a) whether to provide notice of the Personal Data Breach to any data subjects, DP Regulators, law enforcement agencies or others, as required by law or regulation or in the Client's discretion, including the contents and delivery method of the notice; and (b) whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.

5. Sub-Processors

5.1 General authorisation. The Client gives prior general authorisation for the Supplier to appoint Sub-Processors to process Client Personal Data for the purposes of delivering the Services.

5.2 Flow-down terms. The Supplier shall ensure that Sub-Processors are engaged under written terms that impose data protection obligations no less onerous than those set out in this Agreement and as required by Data Protection Laws.

5.3 Responsibility. The Supplier shall remain fully responsible for the acts and omissions of its Sub-Processors as if they were the Supplier's own acts and omissions.

5.4 Changes and objections. The Supplier shall inform the Client by email of any intended changes concerning the addition or replacement of Sub-Processors, giving the Client a reasonable opportunity to object. The Client may object on reasonable grounds relating to data protection or security within fifteen (15) days of notice. The Parties shall work in good faith to resolve the objection. If the Parties are unable to resolve the objection within a further fifteen (15) days:

(a) where the Client's objection is based on a demonstrable actual or likely breach of Data Protection Laws, the Supplier shall not appoint the proposed Sub-Processor for the processing of Client Personal Data; or

(b) where the Client's objection cannot be so demonstrated, and the Supplier reasonably determines that the Sub-Processor is necessary for the continued provision of the Services, the Client may terminate the affected Order Form on thirty (30) days' written notice, and the Supplier shall refund any prepaid Fees for the unexpired portion of the Subscription Term on a pro-rata basis.

5.5 Approved Sub-Processors. The Supplier's current Sub-Processors are set out in Schedule 2 and may be updated in accordance with clause 5.4. The Supplier shall maintain an up-to-date list of Sub-Processors, which may be published on the Supplier's website or trust centre.

6. International Transfers

6.1 The Supplier may transfer Client Personal Data outside the UK and/or EEA only where necessary to provide the Services and only in accordance with Data Protection Laws. The Client acknowledges that the Supplier's approved Sub-Processors (as set out in Schedule 2) may process Client Personal Data in the locations specified in that Schedule, which may include locations outside the UK and/or EEA.

6.2 Where international transfers occur, the Supplier shall ensure appropriate safeguards are in place in accordance with Data Protection Laws, which may include (as applicable):

(a) the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to the EU SCCs;

(b) EU Standard Contractual Clauses (SCCs); and/or

(c) an adequacy decision or regulation, together with supplementary measures where required.

6.3 Transfer impact assessments. Where required by Data Protection Laws or regulatory guidance, the Supplier shall conduct a transfer impact assessment to evaluate whether the legal framework in the recipient country provides adequate protection for Client Personal Data, and shall implement supplementary measures where the assessment identifies a risk that the safeguards in clause 6.2 may not be effective.

6.4 The Client shall reasonably co-operate with any transfer documentation required to enable lawful transfers, including executing relevant standard clauses where necessary.

6.5 If any transfer requires execution of Standard Contractual Clauses, the Parties shall complete all relevant details and execute the applicable SCCs promptly, and take all other actions required to legitimise the transfer.

7. Liability

7.1 Neither Party excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot lawfully be excluded or limited.

7.2 Subject to clause 7.1, the aggregate liability of either Party arising under or in connection with this Agreement shall be subject to the liability cap set out in the Principal Agreement. For the avoidance of doubt, any liability arising under this Agreement shall count towards (and not be in addition to) the aggregate liability cap in the Principal Agreement.

8. Audit

8.1 The Supplier shall maintain appropriate records of processing activities carried out on behalf of the Client as required by Data Protection Laws and clause 3.9.

8.2 Upon written request, the Supplier shall make available to the Client information reasonably necessary to demonstrate compliance with this Agreement.

8.3 Audit right. The Client (or its appointed independent auditor, subject to reasonable confidentiality obligations) may conduct an audit of the Supplier's compliance with this Agreement no more than once per year, on at least thirty (30) days' prior written notice, during normal business hours, and in a manner that minimises disruption and does not compromise security or other clients' confidentiality.

8.4 Breach exception. In the event of an actual or reasonably suspected Personal Data Breach affecting Client Personal Data, the Client may request an additional audit limited to matters relevant to that breach.

8.5 Audit method and costs. The Supplier may satisfy audit requests by providing reasonable evidence such as security certifications (e.g., Cyber Essentials, ISO 27001), independent audit reports (e.g., SOC 2), completed security questionnaires, and/or documented policies before any on-site inspection is required. The Client shall bear its own audit costs. The Supplier may charge reasonable costs for supporting audits beyond the standard evidence package, except where the audit is required due to the Supplier's breach.

9. Termination and Data Return

9.1 This Agreement remains in effect for the duration of the processing as described in Schedule 1 and shall terminate automatically upon termination or expiry of the Principal Agreement.

9.2 Upon termination or expiry of the Services, and at the Client's written direction given no later than ten (10) days following termination, the Supplier shall return or delete (so far as technically possible) Client Personal Data and any copies within thirty (30) days of receipt of such direction. Where no direction is received within the ten (10) day period, the Supplier shall delete Client Personal Data within sixty (60) days of termination, unless:

(a) the Parties agree a different period in an Order Form; or

(b) the Supplier is required by law to retain certain data (in which case the data shall be protected and access restricted to only what is required for the legal obligation, and the Supplier shall inform the Client of the legal requirement and the data retained).

9.3 Client Personal Data shall be considered deleted when it can no longer be used by the Supplier for any processing purpose and is not reasonably retrievable from live systems. Routine backups retained solely for disaster recovery purposes will be overwritten in accordance with the Supplier's standard backup retention schedules.

9.4 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination in order to protect Client Personal Data shall remain in full force and effect.

10. Indemnity

10.1 The Supplier shall indemnify the Client for direct losses, claims, damages, liabilities, fines (to the extent permitted by law), penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with a breach by the Supplier of its obligations under this Agreement, subject to the liability provisions in clause 7.

10.2 The Client shall indemnify the Supplier for direct losses, claims, damages, liabilities, fines (to the extent permitted by law), penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with: (a) a breach by the Client of its obligations under this Agreement or Data Protection Laws, including any failure to obtain required consents or provide required notices; (b) any processing instructions given by the Client that infringe Data Protection Laws; or (c) any claim brought by a data subject arising from the Client's breach of its controller obligations, subject to the liability provisions in clause 7.

10.3 Each Party's liability under this clause 10 is subject to the liability cap in clause 7.2.

11. General

11.1 Costs. Each Party is responsible for its own legal and other costs in relation to the preparation and performance of this Agreement.

11.2 Survival. The Parties intend clauses 1, 6, 7, 8, 9, 10 and 11 and any clauses required for their interpretation to survive termination.

11.3 Relationship. The Parties are independent contractors and nothing in this Agreement creates a partnership, agency or employment relationship.

11.4 Third-Party Rights. No third party has rights under the Contracts (Rights of Third Parties) Act 1999 to enforce this Agreement.

11.5 Assignment. Neither Party may assign or transfer this Agreement without the other Party's prior written consent, except that the Supplier may assign this Agreement to a successor in connection with a merger, acquisition or sale of all or substantially all of its assets.

11.6 Entire Agreement. This Agreement, the Principal Agreement and documents referred to in them contain the whole agreement between the Parties regarding its subject matter and supersede prior understandings. Nothing in this clause limits liability for fraud.

11.7 Variation. No variation of this Agreement is valid unless in writing and signed by authorised signatories of both Parties, save that the Supplier may update Schedule 2 (Sub-Processors) in accordance with clause 5.4.

11.8 Severability. If any provision is invalid or unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remainder continues in effect.

11.9 Waiver. A failure or delay to exercise a right is not a waiver of that or any other right.

11.10 Notices. Notices must be in writing and sent to the address or email in the Order Form or as set out in this Agreement. UK letters are deemed delivered three (3) Business Days after posting. Emails are deemed delivered the same day (or next Business Day if sent after 5 pm or on a non-business day at the recipient's location).

11.11 Counterparts. This Agreement may be signed in counterparts and by electronic signature.

11.12 Governing Law and Jurisdiction. This Agreement is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.

Agreement Acceptance

By signing the Order Form, the Parties agree to the terms of this Agreement with effect from the Effective Date of the Order Form.

Schedule 1 — Processing Details

Schedule 2 — Approved Sub-Processors

The following Sub-Processors are authorised to process Client Personal Data in connection with the delivery of the Services. This list may be updated by the Supplier in accordance with clause 5.4.

An up-to-date list of Sub-Processors may also be maintained on the Supplier's website or trust centre.

Northern Tech Hub Ltd

Ground Floor, Radley House, Richardshaw Road, Leeds, LS28 6LE

Company Number: 16428857

Contact: notices@northerntechhub.com