Data Processing Addendum
1. General
This Data Processing Addendum (DPA) supplements and is incorporated into our Aphex Platform Terms of Service (Terms) agreed between Aphex Software Limited, a company registered in England and Wales with company number 09681747 (we, us or our), and the Customer (you or your). This DPA applies to our provision of Services to you under the Terms. This DPA applies from the date you agree to our Terms, and will continue in accordance with the terms of this DPA.
2. Definitions
2.1 Capitalised terms in this DPA have the meaning given in the Terms, the Annexures, and as set out below:
Customer means the contracting entity purchasing services from us, as set out in the Terms.
EU GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
Platform means the Aphex platform.
Transferred Data means any Personal Data Processed by us or our Personnel on behalf of you in connection with the Terms.
Restricted Transfer means a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
Services means the services we agree to provide to you pursuant to the Terms.
UK GDPR means the EU GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
UK Addendum means the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers approved by the Information Commissioner’s Office under section 119A of the Data Protection Act 2018 on 21 March 2022 (version B.1.0), and as updated from time to time.
2.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Sub-Processor” shall have the same meaning as in the UK GDPR.
3. Roles of the Parties
The Parties acknowledge and agree that in connection with the Terms, where you provide us with Transferred Data, you will be the Controller, and we will process the Transferred Data on your instructions as a Processor.
4. Processing of Personal Data
4.1 Each Party agrees to comply with Applicable Data Protection Law in the Processing of Transferred Data.
4.2 You instruct us to process Transferred Data in accordance with this DPA (including in accordance with Annex 1).
4.3 We agree to not process Transferred Data other than on your documented instructions.
5. Our Personnel
We agree to take reasonable steps to ensure the reliability of any of our Personnel who may have access to the Transferred Data, ensuring in each case that:
(a) access is strictly limited to those individuals who need to know / access the relevant Transferred Data, as strictly necessary for the purposes of the Terms; and
(b) the relevant Personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
6. Security
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we agree to implement appropriate technical and organisational measures in relation to the Transferred Data to ensure a level of security appropriate to that risk in accordance with Applicable Data Protection Law, and as further particularised in Annex 2.
6.2 In assessing the appropriate level of security, we agree to take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
7. Sub-Processing
7.1 Where we wish to engage a new Sub-Processor, we agree to provide written notice to you of the details of the engagement of the Sub-Processor at least 14 days prior to engaging the new Sub-Processor (including details of the processing it will perform). You may object in writing to our appointment of a new Sub-Processor within 7 days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, we may, at our election:
(a) not appoint the proposed Sub-Processor;
(b) not disclose any Transferred Data we process on your behalf to the proposed Sub-Processor; or
(c) inform you that we may terminate the Terms (including this DPA) for convenience, in which case, clause 14.2 will apply.
7.2 You agree that the remedies described above in clauses 7.2(a)-(c) are the only remedies available to you if you object to our engagement of any proposed Sub-Processor by us.
7.3 Where we engage a Sub-Processor to process Transferred Data, we agree to enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to the Transferred Data, and to remain responsible to you for the performance of such Sub-Processor’s data protection obligations under such terms.
7.4 Where the transfer of Transferred Data from us to a Sub-Processor is a Restricted Transfer, it will be subject to the UK Addendum (and documents or legislation referred to within it), which shall be deemed to be incorporated into this DPA, and the UK Addendum is considered an appropriate safeguard.
8. Data Subject Rights
8.1 Taking into account the nature of the Processing, we agree to assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Law.
8.2 We agree to:
(a) promptly notify you if we receive a request from a Data Subject under any Applicable Data Protection Law in respect of Transferred Data; and
(b) ensure that we do not respond to that request except on your documented instructions or as required by Applicable Data Protection Law to which we are subject, in which case we shall, to the extent permitted by Applicable Data Protection Law, inform you of that legal requirement before we (or our Sub-Processor) respond to the request.
9. Personal Data Breach
9.1 We agree to notify you without undue delay upon becoming aware of a Personal Data Breach affecting Transferred Data, and to provide you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
9.2 We agree to co-operate with you and take reasonable commercial steps as directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9.3 If you decide to notify a Supervisory Authority, Data Subjects or the public of a Personal Data Breach, you agree to provide us with advance copies of the proposed notices and, subject to Applicable Data Protection Law (including any mandated deadlines under the UK GDPR), allow us an opportunity to provide any clarifications or corrections to those notices.
10. Data Protection Impact Assessment and Prior Consultation
We agree to provide reasonable assistance to you, at your cost (to be charged on a reasonable time and materials basis), with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Law (to the extent you do not otherwise have access to the relevant information and such information is in our control).
11. Deletion or return of Personal Data
Subject to this clause 11, and subject to any document retention requirements at law, we agree to promptly and in any event within 30 business days of any valid requests involving the Processing of Transferred Data (Cessation Date), delete and procure the deletion of all copies of those Transferred Data.
12. Audit Rights
12.1 Subject to this clause 12, where required by law, we shall make available to you on request all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of Transferred Personal Data by us.
12.2 Where clause 12.1 applies, any audit (or inspection):
(a) must be conducted during our regular business hours, with reasonable advance notice (which shall not be less than 30 business days);
(b) will be subject to our reasonable confidentiality procedures;
(c) must be limited in scope to matters specific to you and agreed in advance with us;
(d) must not require us to disclose to you any information that could cause us to breach any of our obligations under Applicable Data Protection Law;
(e) to the extent we need to expend time to assist you with the audit (or inspection), this will be funded by you, in accordance with pre-agreed rates; and
(f) may only be requested by you a maximum of one time per year, except where required by a competent Supervisory Authority or where there has been a Personal Data Breach in relation to Transferred Personal Data, caused by us.
12.3 Your information and audit rights only arise under clause 12.1 to the extent that the Terms do not otherwise give you information and audit rights that meet the relevant requirements of Applicable Data Protection Law.
13. Liability
Despite anything to the contrary in the Terms or this DPA, to the maximum extent permitted by law, the Liability of each Party and its affiliates under this DPA is subject to the exclusions and limitations of Liability set out in the Terms.
14. Termination
14.1 Each Party agrees that a failure or inability to comply with the terms of this DPA and/or the Applicable Data Protection Law constitutes a material breach of the Terms. In such event, you may, without penalty:
(a) require us to suspend the processing of Transferred Data until such compliance is restored; or
(b) terminate the Terms effective immediately on written notice to us.
14.2 In the case of such suspension or termination by you, we shall provide a prompt pro-rata refund of all sums paid in advance under the Terms which relate to the period of suspension or the period after the date of termination (as applicable).
14.3 Notwithstanding the expiry or termination of this DPA, this DPA will remain in effect until, and will terminate automatically upon, deletion by us of all Transferred Data covered by this DPA, in accordance with this DPA.
14.4 You authorise our engagement of the Sub-Processors already engaged by us at the date of this DPA, which are set out at trust.aphex.co.
ANNEX 1
DESCRIPTION OF TRANSFERS
Personal Data Transferred
Personal data of users you invite to the Platform, including:
first and last name
email address
phone number
job title.
Special Categories of Personal Data and criminal convictions and offences
Special Categories of Data will not be processed.
Relevant Data Subjects
Your staff members
Your customers
Anyone about whom personal data is input into the Services
Frequency of the transfer
Continuous
Nature of the transfer
As specified in the Terms and this DPA, including without limitation:
collection, organisation, storage (hosting), retrieval and other processing of Transferred Personal Data necessary for us to provide, maintain and improve the Platform; and
transmission, disclosure and dissemination of Transferred Personal Data to provide the Services in accordance with the Terms or as compelled by law.
Purpose of processing
The purpose of the transfer and processing is as specified in the Terms and this DPA.
Duration of the Processing
The term of the Terms, and for a period of 30 days after termination or expiry of the Terms, unless otherwise required by law.
ANNEX 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
In assessing the appropriate level of security, we agree to take into account the risks that are presented by Processing, in particular from a Personal Data Breach. We have implemented and will maintain the following technical and organisational measures to protect Transferred Data:
Technical Security Measures
6.2.1 Encryption and Data Protection
Data at Rest: All Transferred Data is encrypted at rest using industry-standard AES-256 encryption
Data in Transit: All data transmissions are protected using TLS 1.2 or higher encryption protocols
Key Management: Cryptographic keys are managed through secure key management systems with automated rotation, role-based access controls, and comprehensive audit logging
Database Security: Production databases are encrypted and access is restricted to authorised personnel only through secure authentication mechanisms
6.2.2 Access Controls and Authentication
Multi-Factor Authentication (MFA): Required for all employee access to systems containing or processing Transferred Data
Role-Based Access Control (RBAC): Access to Transferred Data is granted based on the principle of least privilege and business need-to-know basis
Regular Access Reviews: Systematic review and audit of user access rights conducted quarterly to ensure continued appropriateness
Single Sign-On (SSO): Centralised authentication system with secure identity management
Session Management: Automatic session timeouts and secure session handling protocols
6.2.3 Network Security
Web Application Firewall (WAF): All public-facing endpoints are protected by managed WAF solutions to prevent common web application attacks
Network Segmentation: Production environments are logically separated from development and testing environments
Intrusion Detection and Prevention Systems (IDS/IPS): Network-based and host-based monitoring systems for detecting and preventing unauthorised access attempts
DDoS Protection: Distributed denial-of-service protection mechanisms implemented at network level
Virtual Private Networks (VPN): Secure remote access channels for authorised personnel
6.2.4 System Security and Monitoring
Security Information and Event Management (SIEM): Comprehensive logging and real-time monitoring of security events across all systems processing Transferred Data
Vulnerability Management: Regular vulnerability scanning and penetration testing, with documented remediation processes
Endpoint Protection: Advanced threat detection and response solutions deployed on all endpoints
Backup and Recovery: Automated daily backups of all Transferred Data with encryption matching production data standards
System Hardening: Operating systems and applications configured according to industry security benchmarks
6.2.5 Application Security
Secure Development Lifecycle (SDLC): Security considerations integrated throughout the software development process
Code Analysis: Static and dynamic code analysis tools used to identify security vulnerabilities
Threat Modelling: Security threat assessments conducted for new features and system changes
Third-Party Security Assessment: Regular penetration testing and security assessments by qualified external security firms
Organisational Security Measures
6.2.6 Information Security Management
ISO 27001 Certification: Our information security management system is certified to ISO 27001:2022 standards
Security Governance: Dedicated information security team with defined roles, responsibilities, and escalation procedures
Risk Management: Regular security risk assessments and documented risk treatment plans
Incident Response Plan: Comprehensive incident response procedures with defined roles, communication protocols, and recovery processes
Business Continuity: Documented business continuity and disaster recovery plans tested at least annually
6.2.7 Personnel Security
Background Checks: Security screening of personnel with access to Transferred Data in accordance with applicable laws
Confidentiality Agreements: All personnel with potential access to Transferred Data are bound by confidentiality obligations
Security Training: Mandatory security awareness training for all employees, conducted annually with additional role-specific training for technical staff
Access Provisioning and De-provisioning: Formal processes for granting and revoking system access, including immediate access revocation upon employment termination
6.2.8 Vendor and Sub-processor Management
Due Diligence: Security assessments of all sub-processors and vendors with access to Transferred Data
Contractual Requirements: All sub-processors subject to data protection obligations equivalent to those in this DPA
Regular Audits: Periodic assessment of sub-processor security controls and compliance
Supply Chain Security: Monitoring and assessment of third-party security practices and incident notifications
6.2.9 Physical and Environmental Security
Data Centre Security: Physical security controls managed by certified cloud infrastructure providers (with SOC 2 Type II and ISO 27001 certifications)
Office Security: Access controls, visitor management, and clean desk policies at corporate facilities
Equipment Security: Secure disposal and sanitisation of hardware containing Transferred Data
Environmental Controls: Appropriate environmental monitoring and controls for systems processing Transferred Data
6.2.10 Compliance and Audit
Regular Audits: Internal security audits conducted at least annually, with external compliance audits for relevant certifications
Documentation: Comprehensive documentation of all security controls and procedures
Policy Management: Regular review and update of security policies and procedures to reflect current threats and best practices
Compliance Monitoring: Ongoing monitoring and assessment of compliance with applicable data protection regulations and industry standards
Review and Improvement
We commit to:
Regularly reviewing and updating these measures to address evolving security threats and technological developments
Conducting annual assessments of the effectiveness of implemented security controls
Implementing improvements based on audit findings, security assessments, and industry best practices
Notifying you of any material changes to our security measures that may affect the protection of Transferred Data
These measures are designed to ensure an appropriate level of security taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
ANNEX 3
LIST OF SUBPROCESSORS
Available at https://trust.aphex.co/