BETWEEN:
The Controller:
The entity identified as the "Client" or "Customer" in the Main Agreement
(Hereinafter referred to as the "Controller")
AND
The Processor:
Simvera LTD (Company no: 17050883)
(Hereinafter referred to as the "Processor")
(The Controller and the Processor are each referred to as a "Party" and collectively as the "Parties")
BACKGROUND
(A) The Controller and the Processor have entered into an agreement for the provision of services (the "Main Agreement"), the details of which are as set out in the applicable order form, pilot agreement, or service contract between the Parties.
(B) In the course of providing the services under the Main Agreement, the Processor will process certain Personal Data on behalf of the Controller.
(C) This DPA sets out the terms and conditions governing the processing of Personal Data by the Processor and is intended to ensure compliance with UK Data Protection Laws. This DPA is hereby incorporated into the Main Agreement.
1. Definitions
- "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" shall have the meanings given to them in the UK GDPR.
- "UK Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection and privacy legislation in force in the United Kingdom from time to time.
- "UK GDPR" means the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- "ICO" means the Information Commissioner's Office, the UK's supervisory authority.
2. Details of Processing
The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are set out in Appendix 1 of this DPA.
3. Obligations of the Processor
The Processor agrees and warrants that it shall:
- 3.1. Only process Personal Data on the documented written instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by law.
- 3.2. Ensure that all personnel authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 3.3. Implement and maintain the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Appendix 2.
- 3.4. Not engage another processor (a "Sub-processor") without the prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.
- 3.5. Where a Sub-processor is engaged, the Processor shall ensure that the Sub-processor is bound by a written agreement containing data protection obligations no less protective than those in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
- 3.6. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights (e.g., access, rectification, erasure).
- 3.7. Assist the Controller in ensuring compliance with its obligations regarding security of processing, notification of a Personal Data Breach to the ICO, communication of a Personal Data Breach to the Data Subject, and data protection impact assessments.
- 3.8. Notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- 3.9. At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless law requires storage of the Personal Data.
- 3.10. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. Obligations of the Controller
The Controller warrants that it has a valid lawful basis for the Processing of all Personal Data it instructs the Processor to carry out and that it has complied with all its obligations under UK Data Protection Laws.
5. International Transfers
The Processor shall not transfer any Personal Data outside of the United Kingdom without the prior written consent of the Controller. Where such a transfer occurs, the Processor must ensure that appropriate safeguards are in place as required under UK Data Protection Laws, such as an adequacy decision or by entering into the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU's Standard Contractual Clauses.
6. Term and Termination
This DPA shall remain in full force and effect for as long as the Processor processes Personal Data on behalf of the Controller under the Main Agreement. The termination of the Main Agreement shall automatically terminate this DPA.
7. Governing Law and Jurisdiction
This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim.
IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their duly authorised representatives.
Appendix 1: Details of the Processing
This Appendix forms part of the DPA and must be completed by the Parties.
Subject Matter of Processing
Provision of Simvera, a cloud-based, AI-powered user simulation and UX evaluation platform.
Duration of Processing
For the term of the Main Agreement.
Nature and Purpose of Processing
Hosting, storing, and managing customer simulation data to allow the Processor to provide AI UX Testing services.
Types of Personal Data
Online identifiers (IP addresses, cookie data, session identifiers) incidentally encountered during simulation of the Controller's digital products. No personal data is intentionally collected or used as an input to the simulation.
Categories of Data Subjects
Website visitors and users of the Controller's digital products whose data may be incidentally encountered during automated simulation runs conducted by the Processor.
Appendix 2: Technical and Organisational Security Measures
The Processor shall implement and maintain the following technical and organisational security measures to protect the Personal Data:
- Pseudonymisation and Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 via AWS and Supabase's built-in encryption.
- Confidentiality, Integrity, and Availability: Access to personal data is restricted to authorised Simvera personnel on a strict need-to-know basis. Row-level security controls are implemented at the database layer via Supabase.
- Resilience of Processing Systems: The Processor's infrastructure is hosted on Amazon Web Services (AWS), which provides redundant systems, failover capabilities, and disaster recovery across availability zones.
- Testing and Assessment: Security configurations are reviewed periodically. The Processor relies on AWS and Supabase's independently audited security programmes, which include regular penetration testing and vulnerability assessments.
- Physical Security: All processing takes place within AWS data centres, which are protected by industry-standard physical access controls, surveillance, and environmental safeguards. No personal data is processed on local or personal devices.
- User Authentication: User authentication and identity management are handled by Clerk, which is SOC 2 Type II certified. No authentication credentials are stored directly by the Processor.
Appendix 3: Approved Sub-processors
As of the effective date of the DPA, the Controller provides general authorisation for the Processor to engage the following Sub-processors:
| Company Name | Purpose of Sub-processing | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, and serverless compute | UK |
| Supabase Inc. | Database storage and row-level security | UK |
| Vercel Inc. | Frontend hosting and edge network | USA |
| Anthropic PBC | LLM inference | USA |
| OpenAI LLC | LLM inference | USA |
| Clerk Inc. | User authentication and identity management | USA |
| Sentry (Functional Software Inc.) | Error monitoring and application logging | EU |
The Processor may engage additional Sub-processors from time to time and will notify the Controller at least 14 days in advance of any intended changes.