Data Processing Agreement (DPA)

Effective Date: April 15, 2026  |  Last Updated: April 15, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or Master Service Agreement ("Agreement") between:

This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in connection with the Smalt AI platform (the "Service").

1. Definitions

• "Data Protection Laws" means the UK GDPR, EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, and any other applicable data protection legislation.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

3. Controller Obligations

The Controller shall:

1. Ensure it has a lawful basis for providing Personal Data to the Processor.
2. Provide clear instructions to the Processor regarding the processing of Personal Data.
3. Ensure that data subjects have been informed about the processing in accordance with Data Protection Laws.
4. Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

4. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, unless required by law.
2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
3. Implement appropriate technical and organisational security measures (see Section 6).
4. Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller (see Section 7).
5. Assist the Controller in responding to data subject rights requests.
6. Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
7. At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law.
8. Make available to the Controller all information necessary to demonstrate compliance with this DPA.
9. Not use Personal Data for any purpose other than providing the Service, including not using Personal Data to train AI models.

5. Data Subject Rights

The Processor shall:

• Promptly notify the Controller if it receives a request from a data subject to exercise their rights under Data Protection Laws.
• Not respond to such requests directly unless authorised by the Controller.
• Provide reasonable assistance to enable the Controller to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
• Provide self-service tools within the platform to enable the Controller to manage data subject requests where feasible (e.g., data export, account deletion).

6. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures, including:

Technical Measures

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Logical separation of customer data (tenant isolation)
• Access controls with role-based permissions and least-privilege principle
• Automated vulnerability scanning and security monitoring
• Secure software development lifecycle practices
• Regular backups with encryption
• DDoS protection and network security controls

Organisational Measures

• Access limited to authorised personnel on a need-to-know basis
• Confidentiality obligations for all personnel
• Security awareness training
• Documented incident response procedures
• Regular review and testing of security measures

7. Sub-processors

7.1 Authorised Sub-processors

The Controller provides general written authorisation for the Processor to engage the sub-processors listed below. An up-to-date list is maintained on our website.

7.2 Changes to Sub-processors

• The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor.
• The Controller may object to a new sub-processor by notifying the Processor in writing within 14 days of notification.
• If the Controller objects, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected portion of the Service.
• The Processor shall impose data protection obligations on sub-processors no less protective than those in this DPA.

8. Data Breach Notification

1. The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Data Breach affecting the Controller's Personal Data.
2. The notification shall include:
   • A description of the nature of the breach, including categories and approximate number of data subjects and records affected
   • The name and contact details of the Processor's contact point
   • A description of the likely consequences of the breach
   • A description of the measures taken or proposed to address the breach
3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

9. International Data Transfers

• Where Personal Data is transferred outside the UK/EEA, the Processor shall ensure appropriate safeguards are in place.
• Transfers to the United States and other third countries are protected by:
  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor)
  • The UK International Data Transfer Addendum (IDTA) where applicable
• The SCCs and/or IDTA are incorporated into this DPA by reference and shall be deemed executed between the parties.

10. Audits

• The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
• The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and scope.
• Audits shall be conducted during normal business hours, no more than once per year (unless required by a Data Protection Authority or following a Data Breach), and subject to reasonable confidentiality obligations.

11. Data Retention and Deletion

• Upon termination of the Agreement, the Processor shall:
  • Provide the Controller with the ability to export their data for a period of 30 days
  • Delete all Personal Data within 30 days of the end of the export period
  • Provide written confirmation of deletion upon request
• The Processor may retain Personal Data to the extent required by applicable law, and only for the purposes and duration required by such law.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.

13. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. It shall automatically terminate when the Agreement terminates and all Personal Data has been deleted or returned.

14. Contact

By using the Service, the Controller acknowledges and agrees to this Data Processing Agreement.