Cliq WebManager Direct Customer DPA v 02 2026 - DATA PROCESSING AGREEMENT

(A) The Controller is a data controller in respect of certain Personal Data and wishes to engage the Processor to Process such Personal Data on its behalf in connection with the Services.

(B) The Processor provides the Cliq Webmanager cloud-hosted platform (the "Services") for the purpose of managing the customer access solution.

(C) The Personal Data will be hosted on Amazon Web Services ("AWS") servers located in Ireland, and the Processor engages further Sub-processors located in Finland, Malta, Poland, and Sweden.

(D) The Parties wish to enter into this Agreement to ensure compliance with applicable Data Protection Laws, including the UK GDPR and the EU GDPR, and to set out their respective rights and obligations in relation to the Processing of Personal Data.

(E) This Agreement is supplemental to and forms part of the sales and licence agreement entered into between the Parties pursuant to which the Processor provides the Services to the Controller and grants the Controller a licence to use the platform (the "Sales and Licence Agreement").

(F) This Agreement shall take effect on the date on which the Sales and Licence Agreement is executed by both Parties or, if later, the date on which the Controller first accesses or uses the Services (the "Effective Date").

NOW IT IS AGREED as follows:

1.1 Definitions

In this Agreement, unless the context otherwise requires, the following terms shall have the meanings set out below:

"Applicable Data Protection Laws" means all laws and regulations relating to data protection, the processing of personal data, and privacy that apply to the Processing of Personal Data under this Agreement, including: (a) the UK GDPR; (b) the Data Protection Act 2018; (c) the Privacy and Electronic Communications Regulations 2003; (d) the EU GDPR (to the extent applicable); and (e) any other applicable national implementing legislation, as amended, replaced, or superseded from time to time.

"Controller" means the Customer identified in the Sales and Licence Agreement, being the entity that determines the purposes and means of the Processing of Personal Data and engages the Processor to Process Personal Data on its behalf.

"Controller Personal Data" means any Personal Data Processed by the Processor on behalf of the Controller pursuant to or in connection with this Agreement.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored, or otherwise Processed by the Processor or any Sub-processor.

"Data Protection Impact Assessment" means an assessment by the Controller of the impact of the envisaged Processing on the protection of Personal Data as required under Article 35 of the UK GDPR and/or Article 35 of the EU GDPR.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Data Subject Request" means a request made by a Data Subject to exercise any of their rights under Applicable Data Protection Laws in respect of their Personal Data.

"EEA" means the European Economic Area.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, supplemented, or replaced from time to time.

"International Data Transfer" means any transfer of Controller Personal Data from the United Kingdom to a country outside the United Kingdom, or from the EEA to a country outside the EEA, where such transfer is not covered by an adequacy decision or adequacy regulations (as applicable).

"Personal Data" has the meaning given to it in the UK GDPR and, where the EU GDPR applies, includes personal data as defined in the EU GDPR.

"Processing" has the meaning given to it in the UK GDPR and "Process", "Processes", and "Processed" shall be construed accordingly.

"Restricted Transfer" means: (a) where the UK GDPR applies, a transfer of Controller Personal Data from the United Kingdom to a country outside the United Kingdom which is not the subject of UK Adequacy Regulations; and (b) where the EU GDPR applies, a transfer of Controller Personal Data from the EEA to a country outside the EEA which is not the subject of an EU adequacy decision.

"Sales and Licence Agreement" means the sales and licence agreement, subscription agreement, order form, or other commercial agreement entered into between the Processor and the Controller pursuant to which the Processor agrees to provide the Services to the Controller, together with any schedules, appendices, or annexes thereto.

"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

"Sub-processor" means any third party (including any Processor Affiliate, but excluding employees of the Processor) appointed by or on behalf of the Processor to Process Controller Personal Data on behalf of the Controller.

"Supervisory Authority" means: (a) the Information Commissioner's Office in respect of the UK GDPR; and (b) any supervisory authority with competent jurisdiction under the EU GDPR.

"Technical and Organisational Measures" means the technical and organisational security measures implemented by the Processor as set out in Appendix 2 to this Agreement.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under Section 119A of the Data Protection Act 2018, as amended, supplemented, or replaced from time to time.

"UK Adequacy Regulations" means regulations made pursuant to Section 17A of the Data Protection Act 2018 specifying that a third country, territory, or international organisation ensures an adequate level of protection for Personal Data.

"UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended).

1.2 Interpretation

In this Agreement, unless the context otherwise requires:

(a) references to clauses and appendices are to clauses of and appendices to this Agreement;

(b) headings are for convenience only and shall not affect the interpretation of this Agreement;

(c) words in the singular include the plural and vice versa;

(d) a reference to a statute or statutory provision is a reference to it as amended, extended, or re-enacted from time to time, and includes any subordinate legislation made under it;

(e) any obligation on a Party not to do something includes an obligation not to allow that thing to be done;

(f) the terms "include", "including", "in particular", "for example", or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms; and

(g) any words following the terms "other" or "otherwise" shall not be given a restrictive meaning because they follow more specific words.

2.1 Scope and Purpose of Processing

The Processor shall Process Controller Personal Data only for the purposes of providing the Services to the Controller as specified in the Sales and Licence Agreement and as further described in Appendix 1 to this Agreement, unless Processing is required by Applicable Data Protection Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Data Protection Laws, inform the Controller of that legal requirement before the relevant Processing of that Controller Personal Data.

2.2 Details of Processing

The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects are as set out in Appendix 1. The Controller acknowledges that Appendix 1 provides an accurate description of the Processing to be carried out under this Agreement.

2.3 Controller Instructions

The Processor shall Process Controller Personal Data only on documented instructions from the Controller, including with regard to transfers of Controller Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Laws to which the Processor is subject. Where the Processor is required to Process Controller Personal Data by Applicable Data Protection Laws, the Processor shall inform the Controller of such requirement prior to Processing, unless Applicable Data Protection Laws prohibit such notification on important grounds of public interest.

2.4 Written Instructions

The Controller's instructions as at the Effective Date are set out in Appendix 1 and include the provision of the Services in accordance with the Sales and Licence Agreement. The Controller may issue additional written instructions to the Processor from time to time, provided that such instructions are consistent with the terms of this Agreement and the Sales and Licence Agreement. If the Processor considers that any instruction from the Controller infringes Applicable Data Protection Laws, it shall promptly notify the Controller and shall be entitled not to comply with that instruction until the Controller has confirmed or modified it in writing.

2.5 Processor's Compliance

The Processor warrants and undertakes that it shall:

(a) comply with all Applicable Data Protection Laws in the Processing of Controller Personal Data;

(b) not Process Controller Personal Data other than on the Controller's documented instructions unless Processing is required by Applicable Data Protection Laws to which the Processor is subject;

(c) take all measures required pursuant to Article 32 of the UK GDPR and Article 32 of the EU GDPR (to the extent applicable); and

(d) not transfer Controller Personal Data to a country outside the United Kingdom or the EEA except as permitted under Clause 9 of this Agreement.

4.1 Confidentiality Obligations

The Processor shall ensure that all persons authorised to Process Controller Personal Data:

(a) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) Process Controller Personal Data only in accordance with the Controller's instructions; and

(c) are informed of the confidential nature of the Controller Personal Data and of any security obligations under this Agreement or Applicable Data Protection Laws.

4.2 Training

The Processor shall ensure that all personnel who have access to and/or Process Controller Personal Data are adequately trained in data protection and are aware of their obligations under this Agreement and Applicable Data Protection Laws.

4.3 Access Limitation

The Processor shall ensure that access to Controller Personal Data is limited to those personnel who need access to the Controller Personal Data to meet the Processor's obligations under this Agreement and the Sales and Licence Agreement.

5.1 Security Measures

Taking into account the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

(a) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;

(b) the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident; and

(c) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

5.2 Specific Security Measures

Without prejudice to the generality of Clause 5.1, the Processor shall implement and maintain the Technical and Organisational Measures set out in Appendix 2 to this Agreement. The Processor may update or modify the Technical and Organisational Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processing.

5.3 Controller Acknowledgement

The Controller acknowledges that the Technical and Organisational Measures are subject to technical progress and development and that the Processor may update or modify such measures from time to time, provided that such updates or modifications do not result in a material decrease in the level of protection afforded to Controller Personal Data.

5.4 AWS Hosting

The Parties acknowledge that Controller Personal Data will be hosted on AWS servers located in Ireland. The Processor shall ensure that appropriate contractual arrangements are in place with AWS that are consistent with the Processor's obligations under this Agreement and Applicable Data Protection Laws.

6.1 Authorised Sub-processors

The Controller provides a general authorisation to the Processor to engage Sub-processors to Process Controller Personal Data, subject to the requirements of this Clause 6. The Sub-processors authorised by the Controller as at the Effective Date are listed in Appendix 3 to this Agreement.

6.2 Sub-processor Requirements

Before engaging any Sub-processor, the Processor shall:

(a) carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Controller Personal Data required by this Agreement and Applicable Data Protection Laws;

(b) enter into a written contract with the Sub-processor that imposes on the Sub-processor data protection obligations that are no less onerous than those imposed on the Processor under this Agreement, including in particular the obligation to implement appropriate technical and organisational measures; and

(c) remain fully liable to the Controller for the performance of the Sub-processor's obligations in respect of the Processing of Controller Personal Data.

7.1 Data Subject Requests

The Processor shall promptly, and in any event within 5 Business Days, notify the Controller if it receives any request from a Data Subject in respect of Controller Personal Data, including any request to exercise any of the following rights under Applicable Data Protection Laws:

(a) right of access;

(b) right to rectification;

(c) right to erasure (right to be forgotten);

(d) right to restriction of processing;

(e) right to data portability;

(f) right to object; and

(g) rights in relation to automated decision-making and profiling.

7.2 Processor Assistance

The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject Requests.

7.3 No Direct Response

The Processor shall not respond directly to any Data Subject Request without the Controller's prior written authorisation, unless required to do so by Applicable Data Protection Laws, in which case the Processor shall, to the extent permitted by Applicable Data Protection Laws, inform the Controller of that legal requirement before responding.

7.4 Costs

The Controller shall reimburse the Processor for any reasonable costs incurred in providing assistance under this Clause 7, calculated at the Processor's then-current professional services rates, provided that the Processor shall provide the Controller with a reasonable estimate of such costs before incurring them.

8.1 Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting Controller Personal Data. Such notification shall include, to the extent then known:

(a) a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) the name and contact details of the Processor's data protection officer or other contact point where more information can be obtained;

(c) the likely consequences of the Data Breach; and

(d) the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.2 Controller Notification Obligations

The Controller shall be responsible for determining whether any Data Breach requires notification to a Supervisory Authority and/or to affected Data Subjects, and for making such notifications in accordance with Applicable Data Protection Laws.

9.1 General Prohibition

The Processor shall not transfer or otherwise Process Controller Personal Data in a country outside the United Kingdom or the EEA unless:

(a) the transfer is to a country, territory, sector, or international organisation that has been deemed to provide an adequate level of protection under Applicable Data Protection Laws;

(b) the transfer is made pursuant to appropriate safeguards in accordance with Article 46 of the UK GDPR and/or Article 46 of the EU GDPR (as applicable);

(c) the transfer is subject to binding corporate rules approved in accordance with Article 47 of the UK GDPR and/or Article 47 of the EU GDPR (as applicable); or

(d) one of the derogations for specific situations set out in Article 49 of the UK GDPR and/or Article 49 of the EU GDPR (as applicable) applies.

9.2 UK to EEA Transfers

The Parties acknowledge that Controller Personal Data will be transferred from the United Kingdom to Ireland (where the Processor's AWS servers are located) and to Finland, Malta, Poland, and Sweden (where Sub-processors are located). As at the Effective Date, the United Kingdom has determined that the EEA provides an adequate level of protection for Personal Data. In the event that such adequacy determination is withdrawn, modified, or no longer applies, the Parties shall enter into appropriate transfer mechanisms to ensure that such transfers continue to comply with Applicable Data Protection Laws.

9.3 EEA to UK Transfers

Where Controller Personal Data is transferred from the EEA to the United Kingdom, such transfers shall be made in reliance upon: (a) the adequacy decision adopted by the European Commission in relation to the United Kingdom (as may be extended, modified, or replaced from time to time); or (b) in the absence of such adequacy decision, appropriate safeguards in accordance with Article 46 of the EU GDPR.

9.4 Transfer Mechanisms

Where Restricted Transfers are made in reliance on appropriate safeguards, the following transfer mechanisms shall apply:

(a) UK GDPR: For Restricted Transfers subject to the UK GDPR, the Parties agree to be bound by the UK Addendum as set out in Appendix 4, which shall be deemed incorporated into and form part of this Agreement.

(b) EU GDPR: For Restricted Transfers subject to the EU GDPR, the Parties agree to be bound by the EU SCCs as set out in Appendix 5, which shall be deemed incorporated into and form part of this Agreement.

9.5 Future Adequacy Changes

In the event of any change to the adequacy status of any relevant country or territory, or any change to Applicable Data Protection Laws affecting the lawfulness of International Data Transfers, the Parties shall cooperate in good faith to implement such additional measures or alternative transfer mechanisms as may be necessary to ensure continued compliance with Applicable Data Protection Laws.