DATA PROCESSING AGREEMENT

Version: 1.0
Last Updated: September 2025
Classification: Public
Contact: hello@votis.io

This Data Processing Agreement ("DPA") is entered into as of the date of signature of your agreement.

1. DEFINITIONS

In this DPA:

"Applicable Data Protection Law" means all applicable data protection and privacy laws including:

  • UK GDPR (as defined in the Data Protection Act 2018)

  • EU GDPR (Regulation (EU) 2016/679)

  • Data Protection Act 2018

  • Privacy and Electronic Communications Regulations 2003

  • Any other applicable data protection laws

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.

"Early Adopter" means a Customer who enters into a Principal Agreement with Votis Technologies Ltd under preferential commercial terms (such as discounted fees or pilot participation) in exchange for early access to the Services and/or participation in product feedback or testing initiatives. Early Adopters may be subject to different service levels, features, or support terms as mutually agreed in writing.

"Customer Data" means all Personal Data that the Processor processes on behalf of the Controller under this DPA.

"Subprocessor" means any third party appointed by the Processor to process Customer Data.

2. PROCESSING OF CUSTOMER DATA

2.1 Roles

The parties acknowledge that:

  • Customer is the Controller of Customer Data

  • Votis is the Processor of Customer Data

  • This DPA applies to all Processing carried out under the Principal Agreement

2.2 Processor's Obligations

The Processor shall:

  • Process Customer Data only on documented instructions from the Controller (including as set out in Schedule 1)

  • Ensure that persons authorised to process Customer Data have committed to confidentiality

  • Implement appropriate technical and organisational measures to ensure security of processing

  • Not engage Subprocessors without the Controller's prior written consent

  • Assist the Controller with data subject requests and compliance obligations

  • Delete or return all Customer Data at the end of the provision of services

  • Make available to the Controller all information necessary to demonstrate compliance

2.3 Duration

Processing shall continue until the termination of the Principal Agreement and completion of any data deletion or return obligations.

3. SECURITY OF PROCESSING

3.1 Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures including:

Technical Measures:

  • Encryption of data in transit (TLS 1.2 minimum) and at rest (AES256)

  • Multifactor authentication for administrative access

  • Regular security patches and updates

  • Firewalls and intrusion detection systems

  • Regular vulnerability scanning and penetration testing

  • Secure backup procedures with encrypted storage

  • Audit logging and monitoring

Organisational Measures:

  • Information security policies and procedures

  • Regular staff training on data protection

  • Access controls based on least privilege principle

  • Confidentiality agreements with all staff

  • Incident response procedures

  • Business continuity and disaster recovery plans

  • Regular security reviews and audits

3.2 Risk Assessment

The measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing.

4. SUBPROCESSORS

4.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Subprocessors listed in Schedule 2.

4.2 New Subprocessors

The Processor shall:

  • Inform the Controller of any intended changes concerning addition or replacement of Subprocessors

  • Provide at least 30 days' notice before engaging new Subprocessors

  • Give the Controller the opportunity to object to such changes

4.3 Subprocessor Obligations

The Processor shall:

  • Enter into written agreements with Subprocessors imposing the same data protection obligations as this DPA

  • Remain fully liable for Subprocessor performance

  • Ensure Subprocessors implement appropriate security measures

4.4 Objection Rights

If the Controller objects to a new Subprocessor:

  • The parties shall discuss the objection in good faith

  • If no resolution is found, the Controller may terminate the affected services

5. INTERNATIONAL TRANSFERS

5.1 Transfer Requirements

The Processor shall not transfer Customer Data outside the UK/EEA without:

  • The Controller's prior written consent

  • Appropriate safeguards being in place (such as UK/EU Standard Contractual Clauses)

  • Compliance with Chapter V of UK/EU GDPR

5.2 Transfer Safeguards

Where transfers are authorised, the Processor shall:

  • Ensure appropriate safeguards are implemented

  • Provide copies of safeguards on request

  • Inform the Controller of any changes to transfer mechanisms

5A. DATA LOCALISATION AND HOSTING

5A.1 Geographic Hosting

The Processor shall host and process Customer Data in the geographic region corresponding to the Customer's location, to the extent reasonably practicable. Specifically:

  • UK-based Customers: Data will be hosted in the United Kingdom

  • EU-based Customers: Data will be hosted within the European Economic Area (EEA)

  • US-based Customers: Data will be hosted in the United States

  • Customers outside these regions: Where regional hosting is not available or feasible, data will be hosted in the next closest available location that meets an equivalent standard of data protection and security

5A.2 Compliance

Where hosting outside the Customer's region is required, the Processor shall ensure that international transfers comply with Section 5 of this Agreement, including the use of Standard Contractual Clauses or other lawful mechanisms under Applicable Data Protection Law.

6. DATA SUBJECT RIGHTS

6.1 Request Handling

The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond except on documented instructions from the Controller.

6.2 Assistance

The Processor shall assist the Controller in responding to Data Subject requests by:

  • Providing Customer Data in a structured, commonly used format

  • Implementing technical measures to support data portability

  • Facilitating data correction, deletion, or restriction of processing

  • Providing information about processing activities

6.3 Fees

The Processor may charge reasonable fees for assistance beyond initial support, based on time and materials.

7. DATA BREACH NOTIFICATION

7.1 Notification Timeline

The Processor shall notify the Controller without undue delay and within 24 hours of becoming aware of a Personal Data Breach.

7.2 Notification Content

The notification shall include:

  • Nature of the breach including categories and approximate numbers of Data Subjects and records

  • Name and contact details of the data protection officer or contact point

  • Likely consequences of the breach

  • Measures taken or proposed to address the breach and mitigate effects

7.3 Breach Response

The Processor shall:

  • Cooperate with the Controller in investigating the breach

  • Take immediate steps to mitigate the effects

  • Document all breaches and remedial actions

  • Not notify any third party without the Controller's consent (except as legally required)

8. AUDIT AND COMPLIANCE

8.1 Information Provision

The Processor shall make available all information necessary to demonstrate compliance and allow for audits by the Controller or authorised auditors.

8.2 Audit Rights

The Controller may conduct audits:

  • With 30 days' written notice (except for breach investigations)

  • During normal business hours

  • No more than once per year (except for cause)

  • Subject to confidentiality agreements

8.3 Audit Process

  • The Controller shall provide an audit plan in advance

  • The Processor shall cooperate and provide reasonable assistance

  • Costs shall be borne by the Controller unless material noncompliance is found

  • The Processor may object to auditors who are competitors

8.4 Certifications

The Processor shall maintain certifications such as ISO 27001 or SOC 2 and provide copies on request.

9. DATA PROTECTION IMPACT ASSESSMENTS

9.1 Assistance

The Processor shall provide reasonable assistance to the Controller with:

  • Data Protection Impact Assessments (DPIAs)

  • Prior consultation with Supervisory Authorities

  • Assessment of processing security

  • Evaluation of necessity and proportionality

9.2 Fees

Assistance may be subject to reasonable fees based on time and materials.

10. DELETION AND RETURN OF DATA

10.1 End of Processing

Upon termination of the Principal Agreement or upon request, the Processor shall:

  • Cease all processing of Customer Data

  • Delete or return all Customer Data (at Controller's choice)

  • Delete existing copies unless retention is required by law

  • Provide written certification of deletion

10.2 Deletion Timeline

  • Active data: Within 30 days of request

  • Backup data: Within 90 days (standard backup rotation)

  • Automatic deletion: As specified in the Principal Agreement

10.3 Legal Retention

The Processor may retain Customer Data only:

  • As required by applicable law

  • Subject to confidentiality obligations

  • With security measures maintained

11. LIABILITY AND INDEMNIFICATION

11.1 Limitation

Each party's liability under this DPA shall be subject to the limitations in the Principal Agreement.

11.2 Indemnification

Each party shall indemnify the other against:

  • Regulatory fines resulting from the indemnifying party's breach

  • Claims from Data Subjects arising from the indemnifying party's noncompliance

  • Costs and expenses arising from breach of this DPA

11.3 Exceptions

The indemnities shall not apply to the extent losses result from the other party's instructions or breach.

12. GENERAL PROVISIONS

12.1 Amendments

Changes to this DPA must be in writing and signed by both parties.

12.2 Severability

Invalid provisions shall not affect the remainder of this DPA.

12.3 Priority

In case of conflict, this DPA prevails over the Principal Agreement for data protection matters.

12.4 Governing Law

This DPA is governed by the laws of England and Wales.

12.5 Term

This DPA continues for the duration of any processing under the Principal Agreement.

SCHEDULE 1 - PROCESSING DETAILS

Nature and Purpose of Processing

  • Provision of SaaS implementation agent services

  • Configuration management for business software

  • Data migration and transformation services

  • User onboarding and education services

Categories of Data Subjects

  • Customer's employees

  • Customer's contractors

  • Customer's clients/customers

  • Customer's suppliers/vendors

Categories of Personal Data

  • Identity Data: Names, titles, employee IDs

  • Contact Data: Email addresses, phone numbers

  • Employment Data: Job titles, departments, roles, salary information

  • System Data: Usernames, access logs, usage data

  • Financial Data: Payroll information, payment details

  • Business Data: As uploaded by Customer for migration/configuration

Sensitive Personal Data

  • May include: Racial/ethnic origin, trade union membership, health data (as relevant to payroll/HR systems)

  • Special protective measures apply to any sensitive data

Duration of Processing

Duration of the Principal Agreement plus any retention period

Processing Operations

  • Storage and hosting

  • Backup and recovery

  • Access management

  • Data transformation and mapping

  • AI/ML processing for automation

  • Technical support

  • Reporting and analytics

SCHEDULE 2 - APPROVED SUBPROCESSORS Subprocessor Purpose Location Amazon Web Services (AWS) Cloud Infrastructure & Storage UK/EU/USA Google Cloud Platform (GCP) Cloud Infrastructure & ML Hosting UK/EU/USA Microsoft Azure Cloud Infrastructure & Backups UK/EU/USA Stripe Payment Processing UK/EU Auth0 (Okta) Authentication & Identity Management USA/EU SendGrid (Twilio) Transactional Email Delivery USA/EU Postmark (ActiveCampaign) Email Delivery USA/EU Cloudflare CDN, Firewall, DDoS Protection Global Datadog Application Monitoring & Logs USA/EU Sentry Error Monitoring EU/USA Anthropic AI/LLM Services USA OpenAI AI/LLM Services USA HubSpot CRM & Marketing Automation EU/USA Intercom Customer Support Chat EU/USA Slack Internal Communication USA Linear Project Management & Issue Tracking USA Notion Internal Documentation USA Typeform User Surveys and Forms EU/Spain Firebase (Google) Authentication, Storage, Analytics, DB USA/EU PocketBase Backend-as-a-Service (if used) EU-based Squarespace Website Hosting & Analytics USA