Data Processing Agreement
Version 1.0 | Effective from date of signature
Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller ("Controller" or "Customer"):
Company name: [Customer legal name]
Registered address: [Customer registered address]
Company number: [Customer company number]
ICO registration number (if applicable): [Customer ICO number]
Data Processor ("Processor" or "Ubrix"):
Ubrix Ltd, 4 McMillan Close, Saltwell Business Park, Gateshead, United Kingdom, NE9 5BF. Company number 15136854. ICO registration number ZB730543.
Together referred to as the "Parties" and individually as a "Party".
This DPA forms part of and supplements the Terms and Conditions or other principal agreement between the Parties (the "Principal Agreement") under which Ubrix provides software and related services to the Customer. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall take precedence in respect of data protection matters.
1. Definitions
In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the UK GDPR or the Principal Agreement as applicable.
- "Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection legislation in force from time to time, including where applicable the EU GDPR and the laws of the Republic of Ireland.
- "Controller Personal Data" means any Personal Data processed by Ubrix as a data processor on behalf of the Customer under this DPA.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data", "Processing", "Data Controller", "Data Processor", "Sub-processor", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the UK GDPR.
- "Services" means the software, platform, and related services provided by Ubrix to the Customer under the Principal Agreement.
- "UK GDPR" means the retained EU law version of the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
2. Roles of the Parties
The Parties acknowledge and agree that:
- the Customer acts as the Data Controller in respect of Controller Personal Data processed under this DPA;
- Ubrix acts as the Data Processor in respect of Controller Personal Data, processing such data only on behalf of and under the documented instructions of the Customer; and
- nothing in this DPA prevents either Party from complying with any legal obligation imposed upon it by Applicable Data Protection Law.
3. Processing Instructions
3.1 Ubrix shall process Controller Personal Data only on documented instructions from the Customer, including the instructions set out in Schedule 1 to this DPA, unless required to do so by applicable law. Where Ubrix is required by law to process Controller Personal Data other than in accordance with the Customer's instructions, Ubrix shall notify the Customer before such processing unless prohibited by law.
3.2 The Customer warrants that it has the legal authority to give the instructions contained in this DPA and that its instructions comply with Applicable Data Protection Law.
3.3 Ubrix shall promptly notify the Customer if, in Ubrix's opinion, any instruction given by the Customer infringes Applicable Data Protection Law. Ubrix shall not be required to follow any instruction that it reasonably believes to be unlawful.
4. Purpose Limitation and Permitted Processing
Ubrix shall process Controller Personal Data solely for the purposes of providing the Services as described in the Principal Agreement and Schedule 1, and shall not process Controller Personal Data for any other purpose, including for its own commercial or business purposes, without the prior written consent of the Customer.
5. Security of Processing
5.1 Ubrix shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing of Controller Personal Data, having regard to the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects.
5.2 Ubrix's security measures include as a minimum:
- hosting of all Controller Personal Data on Microsoft Azure cloud infrastructure within the UK and/or EU;
- multi-factor authentication enforced across all remote access, email, cloud resources, and administrative systems;
- role-based access controls limiting access to Controller Personal Data to authorised Ubrix personnel on a need-to-know basis;
- data encrypted in transit using TLS and at rest using AES-256 or equivalent;
- automated daily encrypted backups with geographically separated instances, at least one of which is immutable;
- regular backup integrity testing and periodic security reviews;
- unique credentials required for all user accounts with lockout and brute force protections;
- automatic security patching with critical updates applied within 14 days of release;
- endpoint protection with real-time threat detection across all in-scope devices; and
- Cyber Essentials certification (certificate number 2cb48456-ab0e-498a-aa46-606dd725ef9f, certified 10 April 2026).
5.3 Ubrix shall ensure that all personnel authorised to process Controller Personal Data are subject to appropriate confidentiality obligations and receive adequate data protection training.
5.4 Ubrix shall cooperate with the Customer in ensuring compliance with security obligations and shall provide the Customer with such information as is reasonably necessary to demonstrate compliance with this clause 5, including making available relevant documentation and, on reasonable notice, permitting and contributing to audits conducted by the Customer or its appointed auditor, subject to reasonable confidentiality protections.
6. Sub-processors
6.1 The Customer provides general written authorisation for Ubrix to engage sub-processors for the processing of Controller Personal Data, subject to the conditions set out in this clause 6.
6.2 Ubrix's current sub-processors are listed in Schedule 2 to this DPA. Ubrix shall notify the Customer of any intended addition or replacement of sub-processors at least 30 days before the change takes effect by email to the Customer's nominated contact. The Customer may object to any proposed change on reasonable grounds relating to data protection by notifying Ubrix in writing within 14 days of receiving notice. The Parties shall use good faith efforts to resolve any such objection. If the objection cannot be resolved, either Party may terminate the Principal Agreement on written notice, subject to the terms of the Principal Agreement.
6.3 Ubrix shall impose on all sub-processors data protection obligations equivalent to those set out in this DPA by way of a written contract. Ubrix remains fully liable to the Customer for the performance of sub-processors' data protection obligations to the extent that Ubrix itself would be liable under this DPA.
7. Data Subject Rights
7.1 Ubrix shall maintain technical and organisational measures to assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including the rights of access, rectification, erasure, restriction, portability, and objection.
7.2 Where Ubrix receives a request directly from a Data Subject in respect of Controller Personal Data, Ubrix shall promptly forward that request to the Customer and shall not respond to the Data Subject directly unless authorised by the Customer or required to do so by applicable law.
7.3 Ubrix shall provide such assistance to the Customer as the Customer reasonably requires in order to respond to Data Subject requests within the applicable statutory timeframes, taking into account the nature of the processing.
8. Personal Data Breaches
8.1 Ubrix shall notify the Customer without undue delay, and in any event within 48 hours of becoming aware, of any confirmed or reasonably suspected Personal Data Breach affecting Controller Personal Data. Ubrix's notification shall include, to the extent available at the time of notification:
- a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Controller Personal Data records affected;
- the name and contact details of Ubrix's data protection contact;
- a description of the likely consequences of the Personal Data Breach; and
- a description of the measures taken or proposed to be taken by Ubrix to address the breach, including where appropriate measures to mitigate its possible adverse effects.
8.2 Where Ubrix cannot provide all information required at the time of initial notification, it shall provide the available information promptly and supplement it as further information becomes available.
8.3 Ubrix shall cooperate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
8.4 The notification obligation in clause 8.1 shall not apply to Personal Data Breaches caused by the Customer or its Authorised Users.
9. Data Protection Impact Assessments and Prior Consultation
Ubrix shall provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) and in any prior consultation with a Supervisory Authority, where such assessments or consultations are required by Applicable Data Protection Law and relate to the processing of Controller Personal Data under this DPA.
10. International Transfers
10.1 Ubrix shall not transfer Controller Personal Data outside the UK or the EEA without the prior written consent of the Customer, except where such transfer is to a country or territory benefiting from an adequacy decision under UK GDPR or is subject to appropriate safeguards as required by Applicable Data Protection Law.
10.2 Where Ubrix engages sub-processors that process Controller Personal Data outside the UK or EEA, Ubrix shall ensure that appropriate safeguards are in place, including the use of the International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or reliance on UK adequacy regulations as applicable.
11. Retention and Return or Deletion of Data
11.1 Ubrix shall retain Controller Personal Data only for as long as is necessary for the performance of the Services or as required by applicable law.
11.2 Upon termination or expiry of the Principal Agreement, or on request by the Customer at any time, Ubrix shall at the Customer's election:
- return to the Customer all Controller Personal Data in a commonly used, machine-readable format within 30 days; and/or
- securely delete or destroy all copies of Controller Personal Data in Ubrix's possession or control, including copies held by sub-processors, and provide written confirmation of such deletion within 30 days.
11.3 Ubrix shall be entitled to retain Controller Personal Data beyond the period in clause 11.2 where required to do so by applicable law, in which case Ubrix shall notify the Customer of the nature and duration of such retention and shall ensure that the retained data is processed only to the extent required by that legal obligation.
12. Audit Rights
12.1 Ubrix shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall permit the Customer or its appointed independent auditor (subject to reasonable confidentiality obligations) to conduct audits and inspections of Ubrix's processing activities and systems relating to Controller Personal Data, subject to:
- reasonable advance written notice of not less than 30 days (except in the case of a confirmed Personal Data Breach);
- audits being conducted during normal business hours and in a manner that does not unreasonably disrupt Ubrix's operations;
- the frequency of audits not exceeding once per calendar year unless required by a Supervisory Authority or following a confirmed Personal Data Breach; and
- the Customer bearing all reasonable costs of the audit unless the audit reveals a material breach of this DPA by Ubrix.
12.2 Ubrix may satisfy its obligations under this clause 12 in whole or in part by providing the Customer with the results of a relevant third-party audit or certification (such as Cyber Essentials or ISO 27001) where the scope of such audit covers the relevant processing activities.
13. Liability
Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA shall limit or exclude either Party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot lawfully be limited or excluded under Applicable Data Protection Law.
14. General
14.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales and the Parties submit to the exclusive jurisdiction of the courts of England and Wales.
14.2 This DPA shall remain in force for as long as Ubrix processes Controller Personal Data on behalf of the Customer, including any period following termination of the Principal Agreement during which Controller Personal Data is retained in accordance with clause 11.
14.3 This DPA may not be amended except by a written instrument signed by authorised representatives of both Parties. Ubrix may update Schedule 2 (Sub-processors) in accordance with clause 6.2 without requiring a formal amendment to this DPA.
14.4 If any provision of this DPA is held to be invalid or unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, or if not capable of modification, severed, and the remaining provisions shall continue in full force and effect.
Signatures
The Parties have executed this Data Processing Agreement as of the date last signed below.
FOR AND ON BEHALF OF THE CUSTOMER (DATA CONTROLLER)
Signature: _______________________________
Full name: _______________________________
Job title: _______________________________
Company name: _______________________________
Date: _______________________________
FOR AND ON BEHALF OF UBRIX LTD (DATA PROCESSOR)
Signature: _______________________________
Full name: _______________________________
Job title: _______________________________
Date: _______________________________
Schedule 1: Details of Processing
This schedule sets out the details of the personal data processing carried out by Ubrix as Data Processor on behalf of the Customer.
| Processing detail | Description |
|---|---|
| Subject matter of processing | Provision of the Ubrix SaaS platform for digital workflow, communication, and data management in connection with residential housebuilding and development. |
| Duration of processing | For the duration of the Principal Agreement and any retention period required by law thereafter. |
| Nature and purpose of processing | Storage, retrieval, organisation, display, and transmission of personal data for the purposes of managing housebuilding sales, build, and aftercare workflows, including buyer communication, defect management, programme coordination, and regulatory compliance support. |
| Types of personal data processed | Names and contact details of housebuilder staff, contractors, site teams, and subcontractors; names and contact details of homebuyers and new-build purchasers; reservation and sales records; build programme and handover data; defect reports and snagging records; communications and correspondence; and workflow and task data submitted through the platform. |
| Categories of data subjects | Employees and contractors of the Customer; homebuyers and prospective purchasers; subcontractors and supply chain personnel; and other individuals whose data is submitted to the platform by the Customer or its Authorised Users. |
| Special categories of personal data | None expected. The Customer must notify Ubrix before submitting any special category data to the platform. |
| Processing activities | Collection, storage, retrieval, use, disclosure by transmission, structuring, adaptation, and deletion of personal data in the course of providing the Services. |
| Lawful basis relied upon by Customer (Controller) | [To be completed by Customer, e.g. performance of contract, legal obligation, legitimate interests] |
Schedule 2: Approved Sub-processors
The following sub-processors are currently approved by the Customer for the processing of Controller Personal Data. Ubrix will notify the Customer of any changes in accordance with clause 6.2.
| Sub-processor | Location | Processing activity | Safeguards |
|---|---|---|---|
| Microsoft Azure | UK / EU | Cloud infrastructure and data hosting | UK GDPR adequacy / EU SCC |
| Microsoft 365 | UK / EU | Email and collaboration | UK GDPR adequacy / EU SCC |
| Stripe Inc. | USA (EU SCC) | Payment processing | EU Standard Contractual Clauses + UK Addendum |
| Google LLC | USA (EU SCC) | Analytics (aggregated, no Controller Personal Data) | EU Standard Contractual Clauses + UK Addendum |
The Customer acknowledges that this Schedule may be updated from time to time in accordance with clause 6.2 of this DPA. The most current version will be provided to the Customer on request.