Last modified: April 22, 2025
This Data Processing Agreement ("Agreement") is entered into by and between:
PROSOPO LIMITED, a company incorporated under the laws of England and Wales with company number 13421250, having its registered office at 27 Old Gloucester Street, London, England, WC1N 3AX (hereinafter referred to as the "Processor"),
and
the Company making use of the Processor's services (hereinafter referred to as the "Controller").
This Agreement governs the specific requirements of Data Protection Laws to the extent that the Controller's use of the Processor's services implies the processing of Personal Data subject to such laws.
This Agreement is complementary to our Privacy Policy, which serves as the primary reference for our data protection practices and measures.
The term of this Agreement shall follow the term of the service agreement between the parties. Terms not defined herein shall have the meaning as set forth in such agreement.
A) The Controller acts as a Data Controller.
B) The Controller wishes to subcontract certain services (as defined below), which imply the processing of Personal Data, to the Processor.
C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.
D) The Parties wish to lay down their rights and obligations.
1.1) "Agreement" means this Data Processing Agreement and all Schedules;
1.2) "Company Personal Data" means any Personal Data related to the Controller or its customers or employees Processed in connection with the service agreement;
1.3) "Contracted Processor" means a Subprocessor;
1.4) "Data Protection Laws" means EU and UK Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.5) "EEA" means the European Economic Area;
1.6) "EU Data Protection Laws" means the GDPR and all laws implementing or supplementing it;
1.7) "GDPR" means EU General Data Protection Regulation 2016/679;
1.8) "Data Transfer" means:
1.8.1) a transfer of Company Personal Data from the Controller to the Processor or a Contracted Processor; or
1.8.2) an onward transfer of Company Personal Data from the Processor to a Subprocessor;
1.9) "Services" means the Processor's secure online services including, but not limited to, cloud-based tools, applications, and platforms;
1.10) "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of Controller.
Other GDPR-defined terms shall have the same meanings as defined in the regulation.
The Processor shall:
2.1) comply with all applicable Data Protection Laws;
2.2) only process Company Personal Data on the Controller's documented instructions.
Controller instructs Processor to process Company Personal Data to:
2.3) provide services and technical support;
2.4) fulfil legal obligations or resolve disputes;
2.5) improve the performance, security, and reliability of services;
2.6) conduct internal reporting and related administrative functions.
Processor shall ensure that access to Company Personal Data is restricted to only those personnel who need it to fulfil the purposes of this Agreement, and who are subject to confidentiality obligations.
Processor shall implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR to ensure the security of Personal Data.
Controller grants general authorization to Processor to engage Subprocessors. A list of current Subprocessors shall be made available upon request. The Processor shall impose equivalent data protection obligations on all Subprocessors.
Processor shall:
6.1) notify the Controller if it receives a Data Subject request;
6.2) not respond to such requests unless instructed to do so by the Controller or required by law.
Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach, providing sufficient information to meet any applicable legal obligations. The parties shall cooperate to manage the breach.
Processor shall assist the Controller in conducting data protection impact assessments and prior consultations with data protection authorities, as required under Articles 35 and 36 of the GDPR.
Upon termination of services, the Processor shall delete all Personal Data unless otherwise required by law. The Controller must request data prior to account closure.
Processor shall make available relevant information to demonstrate compliance with this Agreement and allow audits subject to reasonable conditions, no more than once per year unless otherwise required by law or due to a breach.
The Processor shall ensure that Personal Data is only transferred to countries offering adequate protection under the GDPR or through valid legal mechanisms such as Standard Contractual Clauses.
data@prosopo.io
In the event of any discrepancies between versions, the English version shall prevail.