
Data Processing Agreement

Last updated: April 2026

1. About This Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Core M8 Ltd (“Corem8”, “we”, “our”, the Processor) and the customer identified in the underlying subscription or order form (“Customer”, “you”, the Controller) governing the use of the Corem8 field service management platform (the “Service”).

It reflects the parties' obligations under Article 28 of the UK General Data Protection Regulation, the EU General Data Protection Regulation, and the UK Data Protection Act 2018.

This page reproduces the operative terms of the DPA in readable form. A version ready for counter-signature is available on request from privacy@corem8.com.

2. Definitions

Terms used in this DPA have the meanings given to them in the UK GDPR and EU GDPR unless otherwise defined. In particular:

  • Personal Data means personal data as defined in Article 4(1) UK GDPR that is processed by the Processor on behalf of the Controller in connection with the Service.
  • Data Subject means an identified or identifiable natural person to whom Personal Data relates.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on its behalf.
  • Personal Data Breach has the meaning given in Article 4(12) UK GDPR.
  • Standard Contractual Clauses or SCCs means the clauses adopted by the European Commission on 4 June 2021 pursuant to Article 46(2)(c) EU GDPR, together with the UK International Data Transfer Addendum issued by the Information Commissioner's Office.

3. Scope and Roles

3.1 Subject matter

The processing of Personal Data by the Processor in order to provide the Service to the Controller.

3.2 Duration

The processing lasts for the term of the underlying subscription and any post-termination period required to return or delete Personal Data in accordance with section 10.

3.3 Nature and purpose

Hosting, transmission, retrieval, organisation, storage, analysis, and display of Personal Data in order to operate the field service management features of the Service, including customer relationship management, job scheduling, invoicing, messaging, payments, and the AI-assisted features the Controller enables.

3.4 Types of Personal Data

Identifiers (names, emails, phone numbers, addresses), job and service records, scheduled appointment data, photographs uploaded by the Controller or its users, message content (SMS, WhatsApp, email), invoice and payment records, and any further data the Controller chooses to submit through the Service.

3.5 Categories of Data Subjects

The Controller's own staff and contractors (users of the Service), the Controller's customers, and any third parties whose personal data the Controller chooses to enter into the Service.

3.6 Roles

The Controller is the data controller of the Personal Data. The Processor acts as a data processor on behalf of the Controller, except for Personal Data processed for its own legitimate business purposes (billing of the Controller, platform security, fraud prevention, aggregate analytics of Service usage), in respect of which the Processor acts as an independent controller as described in our Privacy Policy.

4. Processing Instructions

The Processor will process Personal Data only on documented instructions from the Controller. The Controller's instructions are set out in this DPA, in the underlying subscription agreement, and in the Controller's configuration and use of the Service. Additional instructions outside the ordinary use of the Service are subject to mutual agreement and may be chargeable.

The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the UK GDPR or the EU GDPR.

The Processor ensures that personnel authorised to process Personal Data are bound by appropriate obligations of confidentiality.

5. Sub-processors

The Controller grants the Processor a general authorisation to engage the sub-processors listed at corem8.com/sub-processors, as updated from time to time.

The Processor will:

  • Enter into a written contract with each sub-processor that imposes data-protection obligations no less protective than those in this DPA.
  • Remain liable to the Controller for the acts and omissions of its sub-processors to the same extent as for its own acts.
  • Notify the Controller in advance of any new sub-processor or replacement, in accordance with the notification procedure published at corem8.com/sub-processors.

The Controller may object to a new sub-processor on reasonable data protection grounds as described on that page.

6. Security Measures

The Processor implements and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current measures include, at a minimum:

  • Encryption of Personal Data in transit using TLS 1.2 or higher.
  • Encryption at rest of secrets, OAuth tokens, and integration credentials using AES-256-GCM.
  • Identity and access management through a SOC 2 Type II accredited provider (Clerk), with enforced multi-factor authentication for administrative accounts.
  • Role-based access control within the Service, tenant isolation through scoped database queries, and defence-in-depth row-level safeguards on sensitive tables.
  • Rate limiting, request signing for webhook endpoints, and content sanitisation.
  • Continuous logging and error monitoring, security patching on a risk-prioritised schedule, and periodic access reviews.
  • Background checks, written confidentiality obligations, and security training for personnel with access to Personal Data.

These measures are reviewed periodically and updated to reflect changes in the threat landscape, technology, and regulatory expectations.

7. International Transfers

Personal Data may be transferred to jurisdictions outside the United Kingdom or the European Economic Area for the purpose of operating the Service. The Processor relies on appropriate transfer mechanisms as set out at corem8.com/sub-processors, including the Standard Contractual Clauses, the UK IDTA Addendum, and the UK–US and EU–US Data Privacy Frameworks where applicable.

Where the Controller requires the SCCs to apply directly between the parties, the parties agree that the SCCs (module two, controller to processor) are incorporated into this DPA by reference and apply in the following configuration: the Controller is the data exporter, the Processor is the data importer, Clause 7 (docking) applies, Clause 9(a) option 2 (general authorisation) applies with the notification period published at corem8.com/sub-processors, Clause 11 is not used, Clause 17 selects the law of England and Wales, and Clause 18 selects the courts of England and Wales.

8. Data Subject Rights

The Service provides the Controller with tools to respond to data subject requests for access, rectification, erasure, restriction, and portability in respect of Personal Data within the Service.

Where a Data Subject submits a request directly to the Processor, the Processor will, without undue delay, forward it to the Controller and will not respond substantively unless instructed to do so.

The Processor will assist the Controller, taking into account the nature of the processing and the information available to the Processor, to fulfil the Controller's obligation to respond to Data Subject requests.

9. Personal Data Breach

The Processor will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

The notification will include, to the extent known at the time:

  • The nature of the breach and affected data categories.
  • The approximate number of Data Subjects and records affected.
  • The likely consequences of the breach and the measures taken or proposed to address it, including mitigation of adverse effects.
  • The name and contact details of our data protection contact.

The Processor will provide reasonable assistance to the Controller in meeting its notification obligations to supervisory authorities and affected Data Subjects.

10. Return and Deletion

On termination or expiry of the underlying subscription, the Processor will, at the Controller's option, either return or delete all Personal Data in its possession, subject to the following:

  • The Controller may export its Personal Data from the Service for a period of 30 days following termination.
  • Where not otherwise instructed, the Processor will delete Controller Personal Data from production systems within 60 days of termination.
  • Personal Data contained in routine backups will be overwritten in the ordinary course of backup rotation, typically within 90 days.
  • The Processor may retain Personal Data to the extent required by applicable law (including UK tax law for financial records) and for the minimum period required by that law.

11. Audit

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 UK GDPR and this DPA. This will ordinarily be satisfied by providing current certifications or independent audit reports of the Processor's sub-processors and of the Processor itself where available.

Where the Controller has a reasonable basis to believe the certifications and reports do not provide sufficient assurance, the Controller may request an audit subject to reasonable scope, advance notice, confidentiality, and frequency (not more than once in any 12-month period unless required by a supervisory authority).

12. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the underlying subscription agreement, except where such exclusion or limitation would be unlawful under the UK GDPR or the EU GDPR.

13. How to Execute

A Controller that wishes to put a counter-signed copy of this DPA in place should email privacy@corem8.com from the billing contact on the account, stating the registered business name, registered office address, and billing contact. We will return a counter-signed PDF within five business days.

Where a Controller begins use of the Service without executing a separate DPA, this page forms part of the Controller's agreement with Corem8 and will govern the processing of Personal Data.

14. Contact

Email: privacy@corem8.com

Entity: Core M8 Ltd, registered in England & Wales

Sub-processor list: corem8.com/sub-processors