Last Updated: 23/02/2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Subscription Agreement between Perkstar Ltd ("Processor") and the customer organisation ("Controller") for the provision of digital loyalty platform services. By agreeing to the Subscription Agreement, the Controller accepts the terms of this DPA.
1. Definitions and Interpretation
In this DPA:
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the UK GDPR, the EU GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.
"UK GDPR" means the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Personal Data Breach" have the meanings set out in the UK GDPR.
"Services" means the digital loyalty platform services provided by Perkstar as described in the Subscription Agreement.
"Sub-Processor" means any third party engaged by Perkstar to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1 The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Services as described in Schedule 1.
2.2 The Processor shall only process Personal Data in accordance with documented instructions from the Controller, unless required to do so by applicable law. Where the Processor is required by law to process Personal Data, it shall inform the Controller of this requirement before processing, unless the law prohibits such notification.
2.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
3. Obligations of the Processor
3.1 The Processor shall:
(a) Process Personal Data only in accordance with the Controller's documented instructions and the terms of this DPA.
(b) Ensure that all persons authorised to process Personal Data are subject to binding confidentiality obligations.
(c) Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls, regular security testing, and backup procedures as described in Clause 5.
(d) Respect the conditions for engaging Sub-Processors as set out in Clause 4.
(e) Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
(f) Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the UK GDPR, including security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
(g) At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless retention is required by applicable law.
(h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, as set out in Clause 9.
4. Sub-Processors
4.1 The Controller provides general authorisation for the Processor to engage Sub-Processors for the purposes of providing the Services.
4.2 Current Sub-Processors are listed in Schedule 2 and maintained at perkstar.co.uk/sub-processors.
4.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 14 days before the change takes effect, giving the Controller the opportunity to object.
4.4 If the Controller objects to a new Sub-Processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution can be reached within 30 days, the Controller may terminate the affected Services without penalty.
4.5 The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
5. Data Security
5.1 The Processor implements and maintains appropriate technical and organisational measures including:
(a) Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256).
(b) Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
(c) Role-based access controls and multi-factor authentication for administrative access.
(d) Regular testing and evaluation of the effectiveness of security measures, including vulnerability assessments.
(e) Automated daily backups encrypted at rest, stored within the same geographic jurisdiction as primary data, with a retention period of 30 days.
(f) Procedures for restoring availability and access to Personal Data in a timely manner following an incident.
5.2 The Processor shall regularly review and update these measures to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
6. Data Breach Notification
6.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours, upon becoming aware of any Personal Data Breach.
6.2 The notification shall include:
(a) The nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and records affected.
(b) The likely consequences of the breach.
(c) The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
6.3 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
6.4 The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
7. Data Subject Rights
7.1 The Processor shall, within 48 hours of receipt, forward to the Controller any request received directly from a Data Subject exercising their rights under Data Protection Laws.
7.2 The Processor shall assist the Controller in responding to such requests by appropriate technical and organisational measures, including providing tools for data export and deletion where available through the Services.
7.3 The Processor shall not respond directly to a Data Subject request unless instructed to do so by the Controller or required by applicable law.
8. Data Transfers
8.1 The Processor shall not transfer Personal Data outside the Controller's assigned geographic region without prior written consent from the Controller.
8.2 Personal Data shall be processed and stored in the data centre(s) appropriate to the Controller's registered business location as specified in Schedule 3.
8.3 Where Personal Data is transferred outside the United Kingdom or European Economic Area, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses or other legally approved transfer mechanisms.
8.4 UK and EU customer data shall at all times remain within UK/EU jurisdictions unless the Controller provides explicit written consent to an alternative arrangement.
9. Audits and Compliance
9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and with the Processor's obligations under Data Protection Laws.
9.2 The Controller may, upon at least 30 days' written notice and during normal business hours, audit the Processor's compliance with this DPA. Audits shall be conducted no more than once per year unless a Personal Data Breach or regulatory investigation requires an additional audit.
9.3 The Controller shall ensure that any audit is conducted in a manner that minimises disruption to the Processor's business operations and that any auditor is bound by appropriate confidentiality obligations.
9.4 The Processor shall cooperate with any audit or inspection carried out by the Controller or by a supervisory authority.
10. Data Protection Impact Assessments
10.1 The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required under Data Protection Laws, taking into account the nature of the processing and the information available to the Processor.
11. Term and Termination
11.1 This DPA shall remain in effect for the duration of the Subscription Agreement and for as long as the Processor processes Personal Data on behalf of the Controller.
11.2 Upon termination of the Subscription Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days and delete existing copies unless retention is required by applicable law.
11.3 The Processor shall certify in writing to the Controller that it has complied with the requirements of Clause 11.2 upon request.
12. Liability
12.1 Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Subscription Agreement.
12.2 Nothing in this DPA limits or excludes either party's liability for breaches of Data Protection Laws to the extent such liability cannot be limited under applicable law.
13. General
13.1 This DPA shall be governed by the laws of England and Wales.
13.2 Any disputes arising from this DPA shall be subject to the dispute resolution process set out in the Subscription Agreement.
13.3 In the event of any conflict between this DPA and the Subscription Agreement, the terms of this DPA shall prevail in respect of data protection matters.
13.4 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
Schedule 1: Details of Processing
Nature and Purpose: Provision of digital loyalty platform services, including the creation, management, distribution, and analysis of digital loyalty cards via Apple Wallet and Google Wallet.
Types of Personal Data:
Customer names, email addresses, and phone numbers
Loyalty card data (points, stamps, rewards, and transaction history)
Device identifiers and digital wallet credentials
Administrative user account data
IP addresses and usage data
Categories of Data Subjects:
End customers of the Controller's loyalty programme
Administrative users of the Controller's account
Duration of Processing: For the duration of the Subscription Agreement, plus any post-termination retention period required by applicable law or as set out in Clause 11.2.
Schedule 2: Sub-Processors
Sub-Processor | Service | Location | Safeguards
DigitalOcean LLC | Cloud hosting infrastructure | UK, EU, and US (London, Amsterdam, Frankfurt, New York, San Francisco, Atlanta) | Data stored in data centre appropriate to customer location
Postmark (Wildbit LLC) | Transactional email delivery | USA | Standard Contractual Clauses
Stripe Inc. | Payment processing | USA/EU | Standard Contractual Clauses
An up-to-date list of Sub-Processors is maintained at perkstar.co.uk/sub-processors.
Schedule 3: Data Hosting
Data Centre Locations: Perkstar stores customer data exclusively in the United Kingdom, European Union, and United States:
UK: London (DigitalOcean LON1)
EU: Amsterdam, Netherlands (DigitalOcean AMS3); Frankfurt, Germany (DigitalOcean FRA1)
US: New York City (DigitalOcean NYC1/NYC2/NYC3); San Francisco (DigitalOcean SFO2/SFO3); Atlanta (DigitalOcean ATL1)
Data Centre Assignment: Customers are automatically assigned to the most appropriate data centre based on their registered business location, ensuring compliance with data protection regulations and optimal performance.
Data Sovereignty Guarantees:
UK/EU customers: Data always remains within UK/EU jurisdictions.
US customers: Data remains within the United States.
International customers: Assigned to the nearest data centre with robust data protection laws.
Backups: Automated daily backups are encrypted at rest (AES-256), stored within the same geographic jurisdiction as primary data, and retained for 30 days.
Contact
For questions regarding this DPA, please contact:
Perkstar Ltd
Company No. 16256732
86-90 Paul Street, 3rd Floor
London, EC2A 4NE
United Kingdom
Email: legal@perkstar.co.uk