Data Processing Agreement

Last Updated: 09 March 2026 · Enthron AI Ltd · England & Wales

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Enthron AI Ltd Terms of Service (the "Agreement") between Enthron AI Ltd ("Enthron", "we", "us", or "our") and the customer entity that has accepted the Agreement ("Customer" or "Controller"). Together, Enthron and the Customer are referred to as the "Parties".

This DPA applies where Enthron processes personal data on the Customer's behalf in its capacity as a data processor under UK GDPR. Where Enthron determines the purposes and means of processing independently (e.g. account or billing), it acts as a data controller and the Privacy Policy applies instead.

By accessing or using the Services, the Customer agrees to the terms of this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have authority to bind that entity to these terms.

01

Definitions

Capitalised terms used but not otherwise defined in this DPA have the meanings given to them in the Agreement. The following additional definitions apply:

  • "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
  • "Controller" means the natural or legal person that determines the purposes and means of the processing of personal data, which in this context is the Customer.
  • "Processor" means the natural or legal person that processes personal data on behalf of the Controller, which in this context is Enthron.
  • "Customer Data" means any personal data that the Customer (or its authorised users) submits to, or that Enthron otherwise processes through, the Services on the Customer's behalf.
  • "Data Subject" means an identified or identifiable natural person to whom Customer Data relates.
  • "Services" has the meaning set out in the Agreement and includes Enthron's web platform, APIs, and related products.
  • "Sub-processor" means any third-party processor engaged by Enthron to process Customer Data.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed by Enthron.

02

Roles of the Parties

The Customer acts as the Controller in respect of Customer Data. Enthron acts as the Processor of Customer Data and shall process it only on the documented instructions of the Customer, as set out in this DPA and the Agreement, unless required to do otherwise by applicable law.

Where Enthron is required by law to process Customer Data other than in accordance with the Customer's instructions, Enthron shall notify the Customer of that legal requirement before processing, unless such notification is itself prohibited by law.

03

Processing Details

The details of the processing of Customer Data by Enthron are as follows:

  • Duration: For the term of the Agreement and thereafter only to the extent required by applicable law or as set out in Section 11 (Return & Deletion).
  • Nature of processing: Collection, storage, retrieval, consultation, use, transmission, and erasure of Customer Data through automated systems to provide the Services.
  • Purpose: To perform the Services contracted for under the Agreement, including AI-assisted classification, tariff lookups, sanctions checks, and export control analysis.
  • Types of personal data: Names, contact details, company information, trade documentation, product descriptions, and any other personal data the Customer chooses to submit to the Services.
  • Categories of data subjects: The Customer's employees, agents, end users, and any natural persons whose personal data appears in trade documents or records submitted to the Services.

04

Processor Obligations

Enthron shall, in its capacity as Processor:

  • Process Customer Data only on the documented instructions of the Customer (including those set out in this DPA and the Agreement), except where processing is required by applicable law.
  • Ensure that all personnel authorised to process Customer Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational security measures described in Section 8 (Security Measures).
  • Assist the Customer, by appropriate technical and organisational measures insofar as possible, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under UK GDPR.
  • Assist the Customer in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation with the ICO, taking into account the nature of processing and the information available to Enthron.
  • Not engage a Sub-processor without prior written authorisation from the Customer, except as set out in Section 6 (Sub-processors).
  • Promptly inform the Customer if, in Enthron's opinion, an instruction infringes UK GDPR or other applicable data protection law.

05

Controller Obligations

The Customer, in its capacity as Controller, shall:

  • Ensure there is a valid lawful basis under UK GDPR for the processing of Customer Data prior to submitting it to the Services.
  • Provide all required notices to, and obtain all required consents from, Data Subjects in connection with the processing of their personal data through the Services.
  • Ensure that its instructions to Enthron are and remain lawful throughout the term of the Agreement.
  • Not instruct Enthron to process special categories of personal data (as defined in UK GDPR Article 9) through the Services without implementing appropriate additional safeguards and notifying Enthron in advance.

06

Sub-processors

The Customer provides general authorisation for Enthron to engage Sub-processors, subject to the conditions in this Section. Enthron's current Sub-processors include infrastructure and cloud hosting providers (Amazon Web Services), database services (Supabase), payment processors (Stripe), and single sign-on providers (Google OAuth). An up-to-date list of Sub-processors is available upon request by contacting contact@enthron.ai.

Enthron shall notify the Customer of any intended changes to its list of Sub-processors (additions or replacements) at least 14 days prior to making such changes. The Customer may object to a new Sub-processor on reasonable grounds relating to data protection by notifying Enthron in writing within that 14-day period. Where the Customer objects and the Parties cannot agree a resolution, either Party may terminate the affected Services on written notice.

Enthron shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, by way of written contract. Enthron remains fully liable to the Customer for the performance of any Sub-processor's obligations.

07

Data Subject Rights

Where Enthron receives a request directly from a Data Subject seeking to exercise a right under UK GDPR (including rights of access, rectification, erasure, restriction, portability, or objection), Enthron shall, without undue delay, forward the request to the Customer and shall not respond to such a request without the Customer's prior written consent, except to confirm that it is redirecting the request.

Enthron shall, taking into account the nature of the processing, provide reasonable assistance to enable the Customer to respond to such requests within the applicable statutory timeframes. Enthron may charge a reasonable fee for assistance that requires disproportionate effort.

08

Security Measures

Enthron shall implement and maintain appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, at minimum:

  • Encryption: Customer Data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 or equivalent.
  • Access controls: Access to Customer Data is restricted to personnel who require it to perform their duties, governed by role-based access control.
  • Infrastructure security: Services are hosted on reputable cloud infrastructure providers with SOC 2 Type II or equivalent certifications.
  • Vulnerability management: Enthron conducts regular security assessments and penetration testing, and applies security patches in a timely manner.
  • Incident response: Enthron maintains a documented incident response plan and Business Continuity/Disaster Recovery procedures.

Enthron may update its security measures from time to time to reflect improvements in technology and evolving threats, provided that any such updates shall not materially reduce the overall level of protection afforded to Customer Data.

09

Personal Data Breaches

In the event of a confirmed Personal Data Breach affecting Customer Data, Enthron shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification shall be made by email to the Customer's registered contact address and shall include, to the extent then known:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records affected.
  • The name and contact details of the data protection point of contact at Enthron.
  • The likely consequences of the breach.
  • The measures taken or proposed by Enthron to address the breach, including mitigation steps.

Where information is not available at the time of the initial notification, Enthron shall provide it in subsequent written updates as it becomes available. The Customer is solely responsible for any notifications it is required to make to the ICO or affected Data Subjects under UK GDPR. Enthron shall cooperate in good faith to assist the Customer in meeting its notification obligations.

10

International Transfers

Customer Data is primarily stored and processed within the United Kingdom. Where a transfer of Customer Data outside of the UK is necessary (for example, in connection with certain Sub-processors), Enthron shall ensure such transfers comply with Chapter V of UK GDPR by relying on one or more of the following mechanisms:

  • An adequacy decision issued by the UK Secretary of State in respect of the destination country.
  • UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses.
  • Any other appropriate safeguard recognised under UK GDPR.

Details of the international transfer mechanisms applicable to specific Sub-processors are available upon written request.

11

Return & Deletion

Upon termination or expiry of the Agreement (or upon the Customer's written request during the term), Enthron shall, at the Customer's election:

  • Return all Customer Data in a commonly used, machine-readable format within 30 days of the date of request; and/or
  • Securely delete or destroy all Customer Data and, where applicable, instruct Sub-processors to do the same, and confirm deletion in writing within 30 days.

Enthron may retain Customer Data beyond this period only to the extent required by applicable law or for the defence of legal claims, and only for so long as strictly necessary. Any retained data shall remain subject to the protections set out in this DPA.

12

Audit Rights

The Customer may, upon giving at least 30 days' prior written notice to Enthron, request an audit of Enthron's data processing activities as they relate to Customer Data, no more than once per calendar year. Such audits shall be conducted during normal business hours, shall not unreasonably disrupt Enthron's operations, and shall be subject to confidentiality obligations agreed in advance by the Parties.

To avoid unnecessary disruption, Enthron may satisfy an audit request by providing the Customer with an up-to-date copy of a relevant third-party audit report (such as SOC 2 Type II) or by responding in writing to a reasonable audit questionnaire. Costs arising from any audit shall be borne by the Customer unless the audit reveals a material breach by Enthron.

13

Liability

Each Party's liability under this DPA shall be subject to the limitations and exclusions set out in the Agreement. To the extent permitted by applicable law, Enthron's total aggregate liability to the Customer under or in connection with this DPA shall not exceed the amounts paid or payable by the Customer to Enthron in the 12 months immediately preceding the event giving rise to the claim.

Nothing in this DPA excludes or limits either Party's liability for fraud, for death or personal injury caused by negligence, or to the extent that liability cannot be excluded or limited under applicable law, including under UK GDPR.

14

Term & Termination

This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon the termination or expiry of the Agreement, subject to any obligations that survive termination (including those relating to deletion of Customer Data and confidentiality).

The obligations of Enthron under Sections 4 (Processor Obligations), 8 (Security Measures), and 11 (Return & Deletion) shall survive the termination or expiry of this DPA to the extent necessary to give them full effect.

15

Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Each Party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales in relation to any dispute arising out of or in connection with this DPA.

Where this DPA involves cross-border processing subject to EU GDPR (for example, in relation to data subjects located in the European Economic Area), the Parties agree to implement such additional contractual protections as may be necessary to comply with applicable EEA data protection law.

16

Contact

For questions about this DPA, to request a countersigned copy, or to exercise any rights under this agreement, please contact us:

Post: 167–169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom