Cubiqcloud

Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Enterprise Terms of Service ("Terms") between:

  • the customer identified in the applicable Order Form ("Controller"); and
  • Cognati Ltd (trading as Cubiq Cloud), registered number 13081108, whose registered office is at 20 Egerton Close, London, HA5 2LP, United Kingdom ("Processor").

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Service.

1. Definitions and Interpretation

Capitalised terms not defined in this DPA have the meanings given in the Terms or in UK GDPR.

  • Data Protection Laws means UK GDPR, the Data Protection Act 2018, and any applicable guidance issued by the UK Information Commissioner's Office ("ICO").
  • Personal Data Breach has the meaning given in UK GDPR.
  • Sub-processor means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

This DPA supplements the Terms. In the event of conflict, this DPA prevails in relation to data protection matters.

2. Roles of the Parties

The Controller determines the purposes and means of Processing. The Processor Processes Personal Data solely on behalf of the Controller.

The Processor shall Process Personal Data only on documented instructions from the Controller, including those set out in the Terms, this DPA, any Order Form, and any other written instructions agreed between the parties. Instructions may be given in writing, including by email or via the Service.

Where required by law to Process otherwise, the Processor shall inform the Controller unless prohibited.

3. Details of Processing

The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.

4. Security of Processing

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • pseudonymisation and encryption;
  • resilience and availability;
  • timely restoration;
  • regular testing and evaluation.

Measures are described in Annex 2 and may evolve with risk.

5. Confidentiality of Personnel

Processor ensures all authorised persons are bound by confidentiality and process only on instructions.

6. Sub-processors

Controller grants general authorisation for Sub-processors. Processor shall maintain a list and give prior notice of changes, allowing reasonable objection.

Processor remains fully liable for Sub-processors and shall be responsible for their acts and omissions as if they were its own. All Sub-processors must be bound by equivalent obligations.

7. Data Subject Rights

Processor shall assist the Controller in responding to rights requests. Direct requests shall be forwarded without response.

8. Assistance and Compliance

Processor shall assist with Articles 32–36 UK GDPR, including DPIAs and ICO consultation.

Processor shall make available all information necessary to demonstrate compliance to the Controller and, where required, to the ICO.

9. Personal Data Breach

Processor shall notify Controller without undue delay and provide required details and cooperation.

10. Audits

Controller may audit annually on 30 days' notice during business hours. Processor may provide certifications where appropriate.

11. Deletion and Return

Upon termination, Personal Data shall be returned or deleted at Controller's choice. Data may be retained for 90 days per the Terms.

Processor shall certify deletion upon request.

12. International Transfers

Transfers outside the UK shall use UK IDTA and/or UK SCC Addendum with Transfer Risk Assessments.

13. Liability Interface

Liability follows the Terms. Nothing limits liability for death, injury, or fraud.

14. Governing Law

This DPA is governed by the laws of England and Wales.

ANNEX 1 – DETAILS OF PROCESSING

Subject matter: Provision of a healthcare CRM.

Duration: Subscription Term plus 90 days.

Nature and purpose: Hosting, storage, organisation, transmission, and analysis.

Data subjects: Patients, staff, clinicians, administrators.

Categories of data: Contact data, appointments, communications, treatment context, credentials.

Special categories: Health data processed only on instructions.

ANNEX 2 – TECHNICAL & ORGANISATIONAL MEASURES

  • Role-based access controls
  • Encryption in transit
  • Tenant segregation
  • Audit logging
  • Backups and recovery
  • AWS secure hosting
  • Incident response
  • Staff training
  • Vulnerability management

This Data Processing Agreement is an integral part of the Enterprise Terms of Service and governs all processing of personal data by Cubiq Cloud on behalf of its customers.