Data Processing Addendum

Revision 000 | Effective 27 May 2026
Document reference: SEVRON-LAC-DPA-C-002

SEVRON DATA PROCESSING ADDENDUM

BACKGROUND

(A) Sevron Ltd (“Sevron”, the “Processor”) and the customer identified in the Agreement (the “Customer”, the “Controller”) have entered into an Agreement under which Sevron provides the Safety365 platform and related services (the “Services”).

(B) The provision of the Services involves the Processor processing personal data on behalf of the Controller.

(C) This Data Processing Addendum (“DPA”) sets out the terms on which the Processor processes that personal data. The DPA is incorporated into and forms part of the Agreement as provided in the opening paragraph of the Sevron Standard Terms and Conditions. In the event of any conflict between this DPA and the other parts of the Agreement in relation to data protection matters, this DPA prevails.

1. DEFINITIONS AND INTERPRETATION

1.1 In this DPA, capitalised terms not otherwise defined have the meanings given in the Agreement. The following definitions apply:

1.1.1 “Customer Personal Data” means personal data that the Processor processes on the Controller's behalf in connection with the Services, as further described in Annex 1.

1.1.2 “Data Protection Laws” means all laws relating to the processing of personal data applicable to the Processor's performance of this DPA, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (“PECR”), and the Data (Use and Access) Act 2025 (“DUAA”), each as amended or replaced from time to time.

1.1.3 “IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner, as updated from time to time.

1.1.4 “Personal Data Breach” has the meaning given in the UK GDPR.

1.1.5 “Restricted Transfer” means a transfer of Customer Personal Data from the United Kingdom to a country not covered by UK adequacy regulations or by a UK “data bridge” in force at the time of the transfer.

1.1.6 “Subprocessor” means any third party engaged by the Processor to process Customer Personal Data on the Processor's behalf in connection with the Services.

1.1.7 “Controller”, “Processor”, “Data Subject”, “personal data”, “processing”, and “special category data” have the meanings given in the UK GDPR.

1.2 Section, clause, and Annex headings are for convenience only and do not affect the interpretation of this DPA. Any reference to a statute or statutory provision is to that statute or provision as amended, extended, or re-enacted from time to time.

2. ROLES AND SCOPE OF PROCESSING

2.1 The parties acknowledge that, for the purposes of this DPA, the Customer is the Controller and Sevron is the Processor in respect of Customer Personal Data.

2.2 Sevron acts as Processor only in relation to the categories of Customer Personal Data described in Annex 1 and only for the purposes set out in that Annex. Sevron does not act as Processor for personal data that it collects directly from website visitors, prospects, suppliers, or job applicants, or for personal data it uses to administer its own business (including billing, marketing, and account administration), in respect of which Sevron acts as a separate Controller and its own privacy notice (Sevron's Privacy Policy) applies.

2.3 The Customer warrants that it has all necessary rights, lawful bases, and where required consents and Article 9 conditions to provide Customer Personal Data to the Processor for the processing contemplated by the Agreement and this DPA. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired that data.

2.4 The Processor will process Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers of Customer Personal Data to a third country, unless required to do otherwise by applicable law. Where the Processor is required by law to process Customer Personal Data otherwise than on the Controller's instructions, it will, where legally permitted, inform the Controller of that legal requirement before processing.

2.5 The Controller's instructions for the processing of Customer Personal Data are set out in the Agreement, this DPA, and the Customer's use of the Services (including the Customer's configuration of the Services and the Customer's enabling or disabling of optional features, such as AI-assisted features under section 13 and the Fair Use Policy).

2.6 If the Processor considers that an instruction from the Controller infringes the Data Protection Laws, the Processor will inform the Controller without delay.

3. PERSONNEL AND CONFIDENTIALITY

3.1 The Processor will ensure that persons authorised to process Customer Personal Data:

3.1.1 have committed themselves to confidentiality, whether through a written agreement or a statutory duty;

3.1.2 access Customer Personal Data only on a need-to-know basis and only to the extent necessary to perform their role; and

3.1.3 have received appropriate data protection and information security training.

4. SECURITY OF PROCESSING

4.1 The Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.2 The current technical and organisational measures are set out in Annex 2. The Processor maintains an Information Security Management System certified to ISO/IEC 27001 and a Quality Management System certified to ISO 9001.

4.3 The Processor may update the measures described in Annex 2 from time to time, provided that the updates do not materially decrease the overall level of protection of Customer Personal Data.

5. SUBPROCESSORS

5.1 The Controller provides general written authorisation to the Processor to engage Subprocessors in connection with the Services. The Subprocessors engaged by the Processor at the effective date of this DPA are listed in Annex 3.

5.2 The Processor will impose on each Subprocessor data protection obligations no less protective than those set out in this DPA, including the obligations relating to security (section 4), personnel (section 3), international transfers (section 6), breach notification (section 8), and — where relevant — the no-training position in respect of AI-assisted features (section 13).

5.3 The Processor remains liable to the Controller for the acts and omissions of its Subprocessors as if they were the Processor's own.

5.4 Notice and right to object. The Processor will give the Controller at least 30 days' written notice (which may be by email to the Controller's nominated privacy contact, or by an update to a designated subprocessor change page that the Controller has subscribed to) before adding or replacing a Subprocessor. During that 30-day period, the Controller may object on reasonable data-protection grounds by notifying the Processor in writing.

5.5 If the Controller objects under clause 5.4, the parties will work together in good faith to resolve the objection, which may include the Processor offering an alternative way of providing the relevant part of the Services without the proposed Subprocessor. If the parties cannot resolve the objection within 30 days of the objection, the Controller may, as its sole remedy, terminate the part of the Services that cannot be provided without the proposed Subprocessor, on written notice to the Processor. Termination of part of the Services under this clause is without prejudice to the Controller's accrued rights and obligations under the Agreement.

5.6 If the Controller does not object within the 30-day notice period in clause 5.4, the Controller is deemed to have approved the proposed Subprocessor.

6. INTERNATIONAL TRANSFERS

6.1 The Processor will not make a Restricted Transfer of Customer Personal Data without putting in place a transfer mechanism that satisfies the Data Protection Laws.

6.2 Where a Restricted Transfer is necessary for the performance of the Services (for example, where a Subprocessor listed in Annex 3 processes Customer Personal Data in the United States), the parties agree that:

6.2.1 the IDTA is incorporated into this DPA and applies to that Restricted Transfer, with the Controller as the data exporter and the Processor (or the relevant Subprocessor, where the transfer is from the Processor to the Subprocessor) as the data importer;

6.2.2 where the destination country is covered by a UK adequacy regulation or a UK “data bridge” (including, for certified US recipients, the UK Extension to the EU–US Data Privacy Framework), the parties may rely on that adequacy regulation or data bridge instead of the IDTA; and

6.2.3 the Processor has carried out, and will keep under review, a transfer risk assessment confirming that the safeguards in the destination country are not materially lower than those in the United Kingdom, as required by the data protection test introduced by the DUAA.

6.3 Where the Processor relies on the IDTA, the details required by the IDTA tables are set out in Annex 4.

6.4 The Processor will not be required to challenge a lawful access request from a public authority or law enforcement agency. Where the Processor receives a request for Customer Personal Data from a public authority and the request appears unlawful or excessive under applicable law, the Processor will, where legally permitted, challenge the request and notify the Controller. Where the Processor is legally prohibited from notifying the Controller, the Processor will use reasonable efforts to obtain a waiver of that prohibition.

7. DATA SUBJECT RIGHTS AND ASSISTANCE

7.1 Taking into account the nature of the processing, the Processor will, by appropriate technical and organisational measures, assist the Controller insofar as possible in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under the Data Protection Laws.

7.2 If the Processor receives a request directly from a Data Subject in relation to Customer Personal Data, the Processor will, without undue delay, forward the request to the Controller and will not respond to the Data Subject other than to acknowledge receipt and direct the Data Subject to the Controller, unless the Controller instructs otherwise.

7.3 Taking into account the nature of the processing and the information available to the Processor, the Processor will assist the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 of the UK GDPR, including in relation to data protection impact assessments and prior consultations with the Information Commissioner.

7.4 The Processor may charge a reasonable fee for assistance provided under this section 7 where that assistance is materially in excess of the Processor's ordinary cost of providing the Services.

8. PERSONAL DATA BREACH NOTIFICATION

8.1 The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 The notification under clause 8.1 will contain, to the extent known at the time of notification:

8.2.1 a description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and records concerned;

8.2.2 the name and contact details of the Processor's data protection contact;

8.2.3 the likely consequences of the Personal Data Breach; and

8.2.4 the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8.3 Where it is not possible to provide all of the information in clause 8.2 at the same time, the information may be provided in phases as it becomes available, without further undue delay.

8.4 The Processor's notification of a Personal Data Breach is not an acknowledgement by the Processor of any fault or liability with respect to the Personal Data Breach.

9. RETURN AND DELETION OF CUSTOMER PERSONAL DATA

9.1 Return and deletion of Customer Personal Data on termination or expiry of the Agreement is governed by clause 9.8(c) of the Sevron Standard Terms and Conditions. In summary, the Processor may destroy or otherwise dispose of Customer Personal Data in its possession unless the Controller submits a written request to the Processor, no later than 10 days after the effective date of termination, for delivery of the most recent back-up of the data. The Processor will use reasonable and commercial endeavours to deliver the back-up within 30 days of receipt of the request, subject to the Controller having paid all outstanding fees.

9.2 The Processor is permitted to retain Customer Personal Data after termination to the extent that: (a) applicable law requires retention; (b) the data is contained in routine backups, in which case the Processor will retain that data only until the backups are overwritten in the ordinary course, and will continue to apply the security obligations in section 4 to that data until it is overwritten; or (c) the data is contained in records that the Processor is required to retain for legal, accounting, audit, or insurance purposes.

9.3 On request, the Processor will provide written confirmation to the Controller that it has complied with this section 9.

10. AUDITS AND INFORMATION

10.1 The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR.

The Processor will satisfy this obligation by providing the following on reasonable written request by the Controller, no more than once in any 12-month period (except where a Personal Data Breach has occurred or the Controller is required to audit by a regulator or by law):

10.1.1 a current ISO/IEC 27001 certificate, summary of the certification scope, and Statement of Applicability (redacted as the Processor reasonably considers necessary);

10.1.2 responses in writing to a reasonable information security and data protection questionnaire submitted by the Controller; and

10.1.3 a summary of the Processor's most recent penetration test, redacted as the Processor reasonably considers necessary to protect security and confidentiality.

10.2 The Controller acknowledges that the documentation described in clause 10.1 will ordinarily satisfy the audit requirements of Article 28(3)(h) of the UK GDPR.

10.3 An on-site audit will be permitted only where required by applicable law or by the Controller's regulator. Any such on-site audit will:

10.3.1 be conducted on at least 30 days' prior written notice to the Processor (or such shorter notice as is required by the relevant law or regulator);

10.3.2 be conducted during the Processor's normal business hours;

10.3.3 be limited in scope to the Processor's processing of Customer Personal Data under this DPA, and exclude any premises, systems, or information of other Processor customers or third parties;

10.3.4 be conducted by the Controller or by a qualified independent auditor appointed by the Controller and reasonably acceptable to the Processor, in either case subject to written confidentiality obligations no less protective than those in the Agreement; and

10.3.5 be at the Controller's cost, unless the audit reveals a material breach by the Processor of this DPA, in which case the Processor will reimburse the Controller's reasonable audit costs.

10.4 The Controller will share with the Processor any audit reports or findings produced under this section 10 and will treat those reports and findings as the Processor's confidential information.

11. LIABILITY

11.1 Each party’s liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, is subject to and counts toward the limitations and exclusions of liability set out in clause 7 of the Sevron Standard Terms and Conditions, including the 12-month Subscription Fee cap in clause 7.4.

11.2 Nothing in this DPA excludes or limits a party's liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any other liability that cannot lawfully be excluded or limited.

11.3 The Processor maintains appropriate cyber insurance to support its obligations under this DPA. On reasonable request, the Processor will provide the Controller with a summary of the policy's scope and limits, redacted as the Processor reasonably considers necessary.

12. TERM

12.1 This DPA takes effect on the effective date of the Agreement and continues in force for so long as the Processor processes Customer Personal Data, including any period after termination or expiry of the Agreement during which the Processor retains Customer Personal Data under section 9.

12.2 Sections that by their nature are intended to survive termination or expiry will survive, including sections 7 (Data subject rights), 8 (Breach notification), 9 (Return and deletion), 10 (Audits), 11 (Liability), 13 (AI-assisted features) in respect of historical processing, and this clause 12.2.

13. AI-ASSISTED FEATURES

13.1 Where the Services include AI-assisted features (for example, AI-assisted risk assessment review, SDS scraping, or AI-assisted suggestions within Safety365), the following terms apply in addition to the rest of this DPA. Operational fair-use requirements for those features are set out in the Fair Use Policy.

13.2 Customer control. AI-assisted features are optional and can be enabled or disabled by the Controller within the Services. Where AI-assisted features are disabled, Customer Personal Data will not be sent to AI Subprocessors for those features. The Controller is responsible for configuring the AI-assisted features it wishes to use.

13.3 No training on Customer Personal Data. The Processor will not use Customer Personal Data to train or improve the Processor's own AI models or those of any third party. The Processor will ensure that its contracts with AI Subprocessors contractually prohibit the use of Customer Personal Data submitted via the Services to train or improve those Subprocessors' models. The current AI Subprocessors and their contractual position are set out in Annex 3.

13.4 Abuse-monitoring retention. The Controller acknowledges that AI Subprocessors typically retain prompts, outputs, and uploaded files for a limited period for abuse-monitoring purposes. The current retention positions of the Processor's AI Subprocessors are summarised in Annex 3 and in section 7 of the Fair Use Policy. Zero Data Retention arrangements may not be available on all tiers; if a Controller requires Zero Data Retention for specific flows, the parties will discuss in good faith the operational and commercial implications.

13.5 Human review. AI-assisted features are designed to support human users. Outputs of AI-assisted features should be reviewed by a human user within the Controller's organisation before being relied on, added to records, or acted on. The Processor does not represent that AI outputs are free from error or fit for any particular purpose.

13.6 Solely automated decisions. The AI-assisted features do not make solely automated decisions producing legal or similarly significant effects on Data Subjects within the meaning of Article 22 of the UK GDPR. If the Processor introduces a feature that does, the Processor will notify the Controller in advance and will not enable that feature for the Controller without the Controller's consent.

14. GENERAL

14.1 Conflict. In the event of any conflict between this DPA and the Agreement in relation to data protection matters, this DPA prevails. In all other respects, the Agreement prevails.

14.2 Variation. This DPA may be varied in accordance with the variation provisions of the Sevron Standard Terms and Conditions (clause 12.4 of those terms), provided that no such variation will materially reduce the level of protection afforded to Customer Personal Data.

14.3 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, except that the Information Commissioner has jurisdiction in relation to the IDTA where the IDTA so provides.

14.4 Severance. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

14.5 No third-party rights. A person who is not a party to this DPA has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms, except that a Data Subject may enforce rights expressly granted to Data Subjects under the IDTA where the IDTA so provides.

14.6 Force majeure. Force majeure under this DPA is governed by clause 10 of the Sevron Standard Terms and Conditions.

14.7 Confidentiality. Confidentiality of information exchanged under this DPA is governed by clause 12.1 of the Sevron Standard Terms and Conditions, in addition to the personnel confidentiality obligations in section 3 of this DPA.

ANNEX 1

Description of the processing

Subject matter

Provision by the Processor of the Safety365 platform and related services to the Controller under the Agreement, including the processing of Customer Personal Data necessary to deliver, support, secure, and improve those Services.

Duration

From the effective date of the Agreement until termination or expiry of the Agreement, plus any retention period under section 9.

Nature and purpose

Hosting, storage, transmission, and processing of Customer Personal Data within Safety365 to enable the Controller to manage workplace health and safety compliance, including risk assessments, COSHH records, safety data sheet management, incident records, and related workflows; provision of related platform features (authentication, search, in-app messaging, analytics, monitoring, and optional AI-assisted features).

Types of Customer Personal Data

Names, job titles, employee or contractor identifiers, work contact details, work location, signatures, training and competency records, PPE-related records, exposure-related records, incident and accident records, and any other personal data the Controller chooses to enter into the Services.

Special category data

Customer Personal Data entered into the Services may include data relating to health (for example, exposure records or fitness-to-work records). The Controller is responsible for identifying the Article 9 condition for such processing.

Categories of Data Subjects

Employees, contractors, agency workers, visitors, and other individuals about whom the Controller chooses to enter information into the Services.

Frequency of transfer

Continuous, for the duration of the Agreement.

Retention

Customer Personal Data is retained for the duration of the Agreement and is returned or deleted in accordance with section 9 of this DPA on termination or expiry. Records that Sevron processes as Controller (including support tickets, billing records, security logs, and data protection records) are retained in accordance with Sevron's Privacy Policy and Data Retention Policy, separately from Customer Personal Data processed under this DPA.

ANNEX 2

Technical and organisational security measures

The Processor implements the following technical and organisational measures to protect Customer Personal Data, as part of an Information Security Management System certified to ISO/IEC 27001.

1. Governance

  • Information Security Management System certified to ISO/IEC 27001.
  • Quality Management System certified to ISO 9001.
  • Documented information security policies reviewed and approved at least annually.
  • Risk assessment and treatment process aligned with ISO/IEC 27005 principles.

2. Access control

  • Role-based access controls, with access granted on a least-privilege and need-to-know basis.
  • Multi-factor authentication required for administrative and remote access.
  • Periodic access reviews and prompt revocation of access on role change or departure.
  • Centralised identity management; passwords stored in hashed form using current industry-standard algorithms.

3. Encryption

  • Customer Personal Data encrypted in transit using TLS 1.2 or higher.
  • Customer Personal Data encrypted at rest using AES-256 or equivalent.
  • Key management aligned with industry standards.

4. Network and infrastructure security

  • Production infrastructure hosted in AWS eu-west-1 (Ireland), with logical separation from non-production environments.
  • Network-layer controls including firewalls, security groups, and AWS-native protective services.
  • Regular vulnerability scanning, patch management, and penetration testing.
  • Logging and monitoring across production systems, with alerting on anomalous activity.

5. Application security

  • Secure development lifecycle including code review, dependency management, and static analysis.
  • Audit logging of administrative and security-relevant actions within Safety365.
  • Input validation and protection against common application-layer attacks (OWASP Top 10).

6. Resilience

  • Backups taken on a defined schedule and retained for a defined period, with periodic restore testing.
  • Documented business continuity and disaster recovery plans, tested at least annually.
  • Multi-Availability-Zone deployment within AWS eu-west-1 for production workloads.

7. Personnel

  • Pre-employment screening for personnel in roles with access to Customer Personal Data.
  • Confidentiality obligations in employment contracts.
  • Mandatory data protection and information security training on induction and at least annually thereafter.

8. Subprocessor management

  • Written data processing terms with all Subprocessors processing Customer Personal Data.
  • Pre-engagement due diligence, including review of subprocessor certifications and DPAs.
  • Periodic review of Subprocessors against the requirements of this DPA.

9. Incident management

  • Documented incident response plan, tested at least annually.
  • Designated incident response personnel and escalation paths.
  • Personal Data Breach notification procedure aligned with section 8 of this DPA.

ANNEX 3

Subprocessors

The Subprocessors engaged by the Processor at the effective date of this DPA are listed below. The Processor will give the Controller at least 30 days' notice of any change, in accordance with section 5.4 of this DPA. The most current version of this list is mirrored in Annex A of the Processor's Privacy Policy at www.sevron.co.uk/privacy-policy.

Table 1A – Sub-processors used to deliver Safety365

These providers process personal data of customers and end-users as part of operating the Safety365 service. Each is bound by a written data processing agreement under Article 28 UK GDPR.

Provider | Purpose | Location
Amazon Web Services (AWS) | Platform hosting and infrastructure, and transactional email delivery via Amazon SES. | EU (eu-west-1, Ireland)
FusionAuth | Authentication and identity management for Safety365 users | EU – Ireland
Microsoft (Entra ID / SSO) | Single sign-on identity provider for Safety365 customer flows that use Microsoft authentication. | EU
Algolia | Search indexing (substances, SDS, customer portal). | EU – France
New Relic | Application performance monitoring and security-event logging, used to detect and investigate suspicious access attempts. | EU
Intercom | In-app messaging and customer support. | US
PostHog | Product analytics and feature flags. Loaded subject to website cookie consent under PECR; see our Cookie Policy for details. | EU Cloud
OpenAI | AI inference for the landing-site chatbot, SDS scraping, SPOTAI, and the Risk Assessment audit tool. *Under the OpenAI Data Processing Addendum effective 1 January 2026, API content is not used to train OpenAI's models. | United States. OpenAI's data processing terms identify OpenAI OpCo, LLC as the contracting entity for personal data subject to UK GDPR and OpenAI Ireland Ltd. for personal data subject to EU GDPR; in both cases the EU Standard Contractual Clauses (with the UK Addendum where relevant) apply to transfers outside the EEA/UK.
Google (AI Studio / Gemini API) | AI inference for SDS scraping and SPOTAI. *Under the Gemini API Additional Terms of Service, paid-tier content is not used to improve Google's products. | Globally, with EU-hosted processing where possible. Google Ireland Ltd. is the EEA/UK contracting entity under the Google Cloud Data Processing Addendum, which incorporates the EU SCCs and UK Addendum for transfers outside the EEA/UK.

Table 2 – Internal operational vendors

These providers support Sevron's internal operations. Their primary function is not to process customer or user data, but in the course of normal use they may incidentally process personal data where customers or counterparties are referenced in internal records. They are bound by data processing agreements and recorded in Sevron's internal record of processing activities.

Provider | Purpose | Location
Atlassian (Jira, Confluence, Bitbucket) | Internal issue tracking, documentation, and source control | EU (Sevron tenant on Atlassian Cloud)
Microsoft (Teams, OneDrive, Microsoft 365) | Internal collaboration, email, and file storage. | EU

For full transparency about other vendors Sevron uses in its own controller capacity (for example, payment processing, accounting, marketing, and contract signing), see Annex A of Sevron's Privacy Policy.

Changes to this Annex

Sevron will update this Annex when a subprocessor is added, replaced, or removed. Customers who wish to be notified of changes can subscribe by contacting privacy@sevron.co.uk.

ANNEX 4

International data transfer details (IDTA tables)

Where the IDTA applies to a Restricted Transfer under section 6 of this DPA, the following details apply. Defined terms used in this Annex have the meanings given in the IDTA.

Field | Details
Table 1: Parties — Data Exporter | The Controller, being the Customer identified in the Agreement. Contact: as identified in the Agreement, or otherwise as notified by the Customer to privacy@sevron.co.uk.
Data Importer | Sevron Ltd, Room 2, Floor 3, Maybrook House, 27–35 Grainger Street, Newcastle upon Tyne, NE1 5JE, United Kingdom, where the Processor itself receives Restricted-Transfer data; or the relevant Subprocessor listed in Annex 3, where the transfer is from the Processor to that Subprocessor. Contact: privacy@sevron.co.uk.
Table 2: Transfer details — UK country's law that governs the IDTA | England and Wales
Primary place for legal claims | England and Wales
Status of the parties | Exporter: Controller. Importer: Processor (or Subprocessor of the Processor, as applicable).
Linked Agreement | The Agreement and this DPA.
Term | Coterminous with the Agreement, except for retention periods provided for in section 9 of this DPA.
Table 3: Transferred data | As described in Annex 1 of this DPA.
Table 4: Security requirements | As described in Annex 2 of this DPA. The Importer's additional technical and organisational measures specific to international transfers include reliance on SCCs in subprocessor contracts and ongoing transfer risk assessment as described in section 6 of this DPA.

Last updated: 27 May 2026