Data Processing Agreement
1. Definitions
In this Data Processing Agreement ("Agreement"), the following terms have the meanings set out below:
- "UK GDPR" means the United Kingdom General Data Protection Regulation (as contained in the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 ("DUAA") and any subsequent legislation).
- "UK Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025, each as amended from time to time.
- "Controller" means the client organisation that has entered into the Snubnose Subscription Agreement and determines the purposes and means of processing personal data via the Snubnose Platform. Where Assessor Organisations access a Supplier's data on the Platform, the Supplier remains the Controller for that data.
- "Supplier" means a Controller using the Platform for its own compliance and certification purposes.
- "Assessor Organisation" means a DCC certifying body or assessor that uses the Platform to review and assess Supplier data, and which may also use the Platform for its own compliance purposes. When an Assessor Organisation uses the Platform for its own compliance purposes, it is a Controller in respect of its own data.
- "Processor" means Snubnose Ltd (company number 17048932, registered in England and Wales), which processes personal data on behalf of the Controller.
- "Sub-processor" means an entity engaged by the Processor to process personal data on behalf of the Controller.
- "Personal Data" has the meaning given in the UK GDPR.
- "Processing" has the meaning given in the UK GDPR.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
- "Platform" means the Snubnose compliance management platform, accessible at app.snubnose.io and any associated systems or services.
- "Confidential Information" means all information disclosed by one party to the other in connection with this Agreement, marked as confidential or reasonably understood to be confidential.
2. Scope and Purpose of Processing
2.1 Roles
The parties acknowledge and agree that:
- The Controller determines the purposes and means of processing personal data via the Platform;
- The Processor processes personal data only on documented instructions from the Controller;
- This Agreement sets out the terms on which the Processor shall process personal data on behalf of the Controller.
2.2 Purpose of Processing
The Processor processes personal data for the purpose of providing compliance management services, including:
- Facilitating DefStan 05-138 certification assessment for the Controller's organisation;
- Storing, analysing, and validating cybersecurity scope assessments and security control assessments;
- Providing evidence document management and storage;
- Delivering AI-assisted evidence validation and control applicability analysis;
- Conducting audit reviews and tracking certification status;
- Managing user authentication, authorisation, and communication.
The Controller shall document and communicate any additional or alternative purposes to the Processor in writing.
3. Duration of Processing
3.1 Term
The Processor shall process personal data during the term of the Controller's subscription to the Platform, commencing on the date of the Snubnose Subscription Agreement and ending on termination or expiry thereof.
3.2 Cessation
Upon termination or expiry of the Snubnose Subscription Agreement, the Processor shall, at the Controller's written election:
- Delete all personal data processed on behalf of the Controller, except where UK law requires retention; or
- Return all personal data to the Controller in a structured, commonly used, machine-readable format.
4. Nature and Purpose of Processing
4.1 Processing Activities
The Processor shall process personal data in order to:
- Provide, maintain, and improve the Platform and associated services;
- Enable the Controller to perform cybersecurity compliance assessments and scope definition;
- Validate and analyse security control evidence submitted by the Controller;
- Apply artificial intelligence techniques to assess control applicability and validate evidence quality;
- Support the Controller's audit activities and certification tracking;
- Authenticate users and manage role-based access control;
- Deliver transactional communications (account notifications, password resets, etc.);
- Maintain security logs and perform incident response and investigation;
- Comply with legal and regulatory obligations.
4.2 Automated Decision-Making
The Processor does not perform any processing that results in solely automated decision-making with legal or similarly significant effects concerning the Controller or any Data Subject. Should such decision-making become necessary for the provision of the Platform, the Processor shall notify the Controller in advance; any such processing shall be subject to the AI Processing Addendum (Section 11) and shall not occur without human review and Controller oversight.
In accordance with the Data (Use and Access) Act 2025 (DUAA), the Processor shall maintain appropriate safeguards for any automated decision-making, including providing clear information about the logic involved, enabling meaningful human intervention, and supporting the Controller in facilitating Data Subjects' rights to make representations about and to contest automated decisions.
5. Types of Personal Data Processed
The Processor processes the following categories of personal data on behalf of the Controller:
5.1 User Personal Data
- Full names and email addresses of individuals accessing the Platform;
- Profile images and biographical information;
- Role assignments and access level metadata;
- Authentication identifiers and tokens (the Processor does not store user passwords; see Section 8.3.2) and login activity logs;
- Communication records (messages, notifications).
5.2 Organisation Data
- Company legal name, registration details, and company number;
- Business addresses (registered office and operational locations);
- Industry classification and business sector information;
- Website URL and public contact information;
- Organisational structure and departmental information.
5.3 Cybersecurity Compliance Data
- Scope assessments, including:
  - Identified locations and facilities;
  - Technology assets and systems;
  - Business operations and processes;
  - Data storage locations and systems;
  - Personnel and staffing information;
  - Administrative functions and controls;
- Security control assessments, including:
  - Individual control identifications and descriptions;
  - Control implementation status (not assessed, planned, in progress, implemented);
  - Security assessment records and ratings;
- Evidence documents (uploaded files), including:
  - Policies, procedures, and governance records;
  - Technical configuration documentation;
  - Audit reports and assessment records;
  - Training materials and personnel records;
  - Incident response and investigation records;
- AI-generated validation results and analysis outputs;
- Audit reviews, findings, and certification records;
- System-generated metadata (timestamps, version history, change logs, IP addresses).
6. Categories of Data Subjects
The personal data processed relates to the following categories of Data Subjects:
- Employees and contractors of the Controller's organisation who are assigned access to the Platform;
- Supervisors, managers, and senior personnel responsible for compliance functions;
- DCC Assessors (individuals from Assessor Organisations) who are granted access to the Controller's workspace by the Controller to conduct certification assessments and reviews;
- Other individuals whose personal data may be included in scope assessments, evidence documents, or audit records (including third-party personnel, suppliers, or service providers mentioned in compliance documentation).
6.1 Assessor Access and Data Controller Responsibilities
Where the Controller invites an Assessor Organisation to access its data on the Platform:
- The Controller remains the data controller for all personal data accessed by the Assessor Organisation in the Controller's workspace;
- The Controller is responsible for determining whether to grant, restrict, or revoke the Assessor Organisation's access;
- The Processor facilitates this access through the Platform but does not determine the purposes or means of the Assessor Organisation's processing of the Controller's data;
- The Processor may facilitate introductions between Controllers and Assessor Organisations, but the decision to grant access remains solely with the Controller;
- Where an Assessor Organisation registers its own organisation on the Platform for its own compliance purposes, it becomes a separate Controller in respect of its own data, and a separate Data Processing Agreement applies to that processing relationship.
7. Obligations of the Controller
7.1 Data Protection Compliance
The Controller shall:
- Ensure that it has a lawful basis for processing personal data and for engaging the Processor;
- Provide transparent privacy information to all Data Subjects whose personal data is processed via the Platform, including information about the Processor and Sub-processors;
- Be responsible for responding to Data Subject rights requests (access, correction, deletion, portability, objection) in accordance with the UK GDPR, with assistance from the Processor as detailed in Section 8.5;
- Notify the Processor without undue delay of any Data Subject rights request received by the Controller;
- Implement and maintain appropriate organisational and technical measures to ensure that only authorised personnel have access to the Platform;
- Ensure that all individuals accessing the Platform on behalf of the Controller are appropriately trained in data protection and confidentiality obligations;
- Ensure that personal data provided to the Processor is accurate, up-to-date, and processed only in accordance with UK GDPR;
- Inform the Processor of any changes to the scope, purposes, or nature of processing;
- Conduct Data Protection Impact Assessments where necessary and consult the Information Commissioner's Office (ICO) in advance where an assessment indicates a high risk that cannot be adequately mitigated.
7.2 Instruction to the Processor
The Controller shall provide clear written instructions regarding:
- The processing to be carried out (purposes, data types, duration);
- Any restrictions or conditions on processing;
- Rights of access or requests from Data Subjects;
- Data Subject categories and retention periods;
- Any additional security requirements beyond the standard measures set out in Annex A.
8. Obligations of the Processor
8.1 Processing on Instructions
The Processor shall:
- Process personal data only on documented instructions from the Controller;
- Not process personal data for any purpose other than those specified in this Agreement, except where required by UK law;
- Ensure that persons engaged to process personal data on behalf of the Processor have committed to confidentiality or are under an appropriate legal obligation of confidentiality;
- Implement and maintain appropriate technical and organisational measures as set out in Annex A to ensure the security of personal data and to comply with the UK GDPR.
8.2 Confidentiality Obligations
The Processor shall ensure that:
- All personnel with access to personal data are subject to binding confidentiality obligations (either as employees or through contractual arrangements);
- These confidentiality obligations survive the termination of employment or engagement;
- Personnel understand and comply with these obligations as a condition of access to personal data;
- A documented training programme is in place to ensure personnel understand their confidentiality and data protection responsibilities.
8.3 Security Measures
The Processor has implemented the technical and organisational security measures detailed in Annex A, including:
8.3.1 Encryption
- In Transit: All data transmitted between the user's browser and the Platform's servers is encrypted using TLS 1.3 or higher;
- At Rest: All personal data stored in the Platform's database is encrypted at rest using AES-256 encryption;
- File Storage: Evidence documents and attachments stored in object storage (Tigris) are encrypted at rest.
8.3.2 Access Control and Authentication
- Authentication: The Platform uses OAuth 2.0 for user authentication, with support for Microsoft and Google identity providers; the Processor does not store user passwords;
- Role-Based Access Control (RBAC): Access to personal data is restricted according to the user's assigned role and permissions within the Controller's organisation;
- Session Management: User sessions are encrypted and time-limited, with automatic expiration of idle sessions;
- Administrative Access: Administrative access to infrastructure and databases is restricted to authorised personnel and is protected by multi-factor authentication.
8.3.3 Infrastructure and Data Residency
- Application Hosting: The Platform is hosted on Fly.io using resources located in the London, UK (LHR) region;
- Database: Personal data is stored in a Fly.io Managed PostgreSQL database located in the London, UK region;
- Backup and Recovery: Regular automated backups are maintained in the same region, encrypted at rest.
8.3.4 Application Security
- Server-Side Rendering: Pages are rendered on the server, so the personal data exposed to client-side JavaScript is limited to what the current page displays;
- API Authentication: All API requests are authenticated and authorised;
- Input Validation: All user inputs are validated and sanitised to prevent injection attacks;
- Security Headers: The Platform implements appropriate security headers (Content-Security-Policy, X-Frame-Options, HSTS, etc.) to prevent common attack vectors.
8.3.5 Personnel Security
- Background Checks: Personnel with access to personal data are subject to appropriate background checks commensurate with risk;
- Need-to-Know: Access is restricted on a need-to-know basis;
- Offboarding: Upon termination of employment or engagement, access to systems and personal data is revoked immediately.
8.3.6 Incident Response
- Detection: The Platform includes monitoring and logging systems to detect unauthorised access or anomalous activity;
- Response Plan: The Processor maintains a documented incident response plan and shall take prompt action upon detecting a Data Breach;
- Notification: The Processor shall notify the Controller of any confirmed Data Breach without undue delay and in any case within 24 hours of becoming aware of the breach.
8.3.7 Business Continuity
- Availability: The Processor maintains a 99.9% monthly Uptime Commitment as set out in Section 10 of the Snubnose Subscription Agreement, with defined service credits for any failure to meet this commitment;
- Disaster Recovery: The Processor maintains documented procedures for disaster recovery and data recovery;
- Testing: Disaster recovery procedures are tested at least annually.
8.4 Sub-Processor Management
8.4.1 Approved Sub-Processors
The Controller acknowledges and authorises the Processor to engage the Sub-processors listed in Annex B. The Processor shall:
- Provide the Controller with a current list of all Sub-processors and notify the Controller of any changes at least 30 days in advance;
- Provide the Controller with reasonable opportunity to object to the engagement of a new Sub-processor; where an objection cannot be resolved, the Controller may withdraw from the affected service;
- Ensure that each Sub-processor is bound by equivalent data protection obligations through written data processing agreements or other appropriate contractual arrangements;
- Remain liable to the Controller for any failure of a Sub-processor to fulfil its data protection obligations.
8.4.2 Data Transfers to Sub-Processors
The Processor shall ensure that personal data is transferred to Sub-processors:
- Only on the basis of documented instructions from the Controller;
- With appropriate safeguards in place, including Sub-processor agreements that implement appropriate data protection obligations;
- In compliance with Section 10 (International Data Transfers) where the Sub-processor is located outside the UK.
8.5 Assistance with Data Subject Rights
The Processor shall, without undue delay and in any case within 15 working days of receiving a request from the Controller, assist the Controller in fulfilling Data Subject rights requests, including:
- Right of Access: Providing personal data in a structured, commonly used, machine-readable format;
- Right to Rectification: Correcting inaccurate personal data upon the Controller's instruction;
- Right to Erasure: Deleting personal data upon the Controller's instruction, except where retention is required by law;
- Right to Restrict Processing: Limiting processing to storage only upon the Controller's instruction;
- Right to Data Portability: Exporting personal data in a standard format upon the Controller's instruction;
- Right to Object: Discontinuing processing on the basis of the Controller's instruction (subject to other legal obligations).
The Processor shall not be responsible for responding directly to Data Subjects but shall provide reasonable cooperation and assistance to enable the Controller to respond to such requests.
8.6 Data Protection Impact Assessment Assistance
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs), including:
- Providing information about the nature, scope, and details of processing;
- Identifying the technical and organisational security measures implemented;
- Assisting in risk assessment and mitigation planning;
- Making available audit results and security certifications where applicable.
8.7 Audit Rights and Inspections
8.7.1 Right to Audit
The Controller shall have the right to:
- Audit the Processor's compliance with this Agreement;
- Inspect the Processor's security measures and controls;
- Request evidence of compliance, including security audits, certifications, or assessments;
- Conduct audits no more than once per year during normal business hours, or more frequently if required due to an identified security concern or breach.
8.7.2 Scope and Confidentiality
- The Processor may require the Controller's auditors to sign a confidentiality agreement before accessing Confidential Information;
- The Controller shall ensure that any auditors or inspectors are bound by confidentiality obligations;
- The Processor shall cooperate fully with reasonable audit requests but may charge reasonable costs for significant audit or inspection activities.
8.7.3 Audit Reports
- The Processor shall make available or conduct audits (such as SOC 2 Type II audits) to demonstrate compliance with this Agreement;
- The Processor shall provide audit reports or summaries to the Controller upon request, subject to confidentiality safeguards.
8.8 Data Breach Notification
8.8.1 Processor Notification of Breaches
Upon becoming aware of a Data Breach, the Processor shall:
- Notify the Controller without undue delay and in any case within 24 hours of becoming aware of the breach;
- Provide the Controller with the following information:
  - A description of the personal data involved;
  - The likely consequences of the breach;
  - The measures taken or proposed to be taken by the Processor to address and mitigate the breach;
  - The contact details of a person at the Processor from whom further information can be obtained;
- Cooperate fully with the Controller's investigation and notification obligations;
- Provide reasonable assistance to the Controller in fulfilling the Controller's obligations to notify the Information Commissioner's Office (ICO) and affected Data Subjects where required by UK GDPR.
8.8.2 Joint Incident Response
- The Processor shall provide prompt and detailed information to assist the Controller in assessing the impact and scope of any breach;
- The Processor shall preserve all evidence related to the breach for investigation and potential regulatory purposes;
- The Processor shall comply with the Controller's reasonable instructions regarding containment, investigation, and remediation.
9. Approved Sub-Processors
The Controller acknowledges and authorises the Processor to engage the Sub-processors listed in Annex B. Details of each Sub-processor, including their location, purpose, and the categories of data processed, are set out in Annex B.
The Controller may request an updated list of Sub-processors at any time, and the Processor shall provide such a list within 10 working days.
10. International Data Transfers
10.1 Processing Location and Data Residency
All personal data processed on behalf of the Controller is stored at rest exclusively in the United Kingdom. The Processor's primary infrastructure operates from the London, UK (LHR) region:
- Application Hosting: Fly.io (London, UK region)
- Database Storage: Fly.io Managed PostgreSQL (London, UK region)
- Backup Storage: Fly.io (London, UK region)
- File Storage: Tigris object storage (accessed via Fly.io, London, UK region)
No personal data is stored at rest outside the United Kingdom. Personal data stored and processed within the UK is not subject to additional transfer restrictions under UK GDPR.
10.2 Sub-Processor Locations
The Processor engages certain Sub-processors located outside the United Kingdom, as detailed in Annex B. These transfers are transient in nature — data is transmitted for real-time processing and is not stored at rest outside the UK:
- Anthropic (United States) — AI processing for evidence validation and control analysis. Under the Processor's Zero Data Retention (ZDR) enrolment, Anthropic does not retain any data beyond the duration of each individual API request. The Controller may opt out of AI processing entirely (see Section 11.7), eliminating this transfer.
- Resend (United States) — Transactional email delivery (limited to email addresses and account notification content)
- Google LLC (United States) — OAuth authentication and address autocomplete (limited to authentication tokens and address data)
- Microsoft Corporation (United States) — OAuth authentication (limited to authentication tokens and profile data)
10.3 Transfers to the United States
For any Sub-processor located in the United States, the Processor shall ensure that one of the following safeguards is in place:
- International Data Transfer Agreement or Addendum: The Processor has entered into the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, with the Sub-processor;
- Adequacy Regulations: The transfer is covered by UK adequacy regulations (for US Sub-processors, this applies to organisations certified under the UK Extension to the EU-US Data Privacy Framework);
- Contractual Provisions: The Sub-processor agreement includes contractual provisions that guarantee an adequate level of data protection equivalent to that afforded under UK GDPR.
10.4 Transfers to Other Jurisdictions
For any transfer of personal data to jurisdictions outside the UK, the Processor shall:
- Identify the relevant legal regime and data protection laws applicable in that jurisdiction;
- Implement appropriate safeguards to ensure a level of protection substantially equivalent to that required by UK GDPR;
- Notify the Controller and obtain written consent before engaging a new Sub-processor in a jurisdiction without an adequacy decision.
10.5 Risk of US Government Access
The Controller acknowledges that personal data transferred to Sub-processors located in the United States may be subject to access by US government agencies under US law (including the Foreign Intelligence Surveillance Act). The Controller is responsible for assessing this risk as part of its own data protection compliance obligations. The Processor shall ensure that Sub-processor agreements include provisions to minimise and mitigate such risks where possible.
10.6 Data Localisation
The Controller has the right to:
- Request that certain personal data be stored or processed only within the United Kingdom;
- Opt out of AI processing features (see Section 11) where data would be transferred to the United States;
- Restrict or prohibit the use of specific Sub-processors.
Any such requests should be communicated in writing to the Processor, and the Processor shall implement reasonable measures to comply with such requests.
10.7 Export Controls
- The Controller acknowledges that personal data and other information provided to the Platform may include data relevant to UK export control legislation, including the Export Control Act 2002 and the Export Control Order 2008 made under it.
- The Controller is responsible for:
  - Determining whether any data provided to the Platform constitutes controlled goods, technology, or information under applicable export control laws;
  - Obtaining any necessary export licences or authorisations from the Export Control Joint Unit (ECJU) within the Department for Business and Trade, or other relevant authority, before providing such data to the Platform;
  - Ensuring that the transmission of data to Sub-processors located outside the United Kingdom (including Anthropic in the United States) complies with all applicable export control requirements.
- The Processor shall cooperate with the Controller in meeting export control obligations upon reasonable written request.
- The Controller may opt out of AI-assisted processing (see Section 11.7) to ensure that no evidence content or compliance data is transmitted outside the United Kingdom for AI processing (the transactional email and identity-provider transfers described in Section 10.2 are unaffected).
- The Processor shall not knowingly process data in a manner that would violate UK export control laws.
11. AI Processing Addendum
11.1 AI-Assisted Processing
The Processor uses artificial intelligence services provided by Anthropic (Claude AI) to support the following functionality on the Platform:
- Evidence Validation: Analysing the quality, completeness, and appropriateness of evidence documents submitted by the Controller;
- Control Applicability Assessment: Assessing whether specific security controls are applicable to the Controller's scope and environment;
- Gap Analysis: Identifying potential gaps or weaknesses in the Controller's security control implementation;
- Compliance Recommendations: Suggesting improvements or recommendations for security controls.
11.2 Data Transferred to Anthropic
In order to provide the above AI-assisted services, the Processor transmits the following categories of personal data and non-personal data to Anthropic:
- Evidence Document Content: The full text or content of evidence documents uploaded by the Controller's users;
- Organisation Metadata: Company name, industry sector, location, and business description;
- Scope Assessment Data: Details of the organisation's systems, processes, locations, and personnel structure included in scope assessments;
- Security Control Details: Descriptions of security controls being assessed and their implementation status;
- Structured Prompts: Formatted requests containing the above data, configured to request specific analysis or validation.
11.3 Anthropic's Role
The Processor acknowledges and confirms that:
- Anthropic is a Sub-processor and processes personal data on behalf of the Controller, as instructed by the Processor;
- Anthropic is located in the United States and is subject to US law;
- A Data Processing Agreement incorporating Standard Contractual Clauses (SCCs), as described in Section 10.3, has been executed between the Processor and Anthropic to ensure equivalent data protection obligations;
- Personal data transmitted to Anthropic is processed in the United States;
- The Processor has enrolled in Anthropic's Zero Data Retention (ZDR) programme, under which Anthropic does not retain any personal data or other Controller data submitted via the API beyond the duration of each individual processing request.
11.4 No Automated Decision-Making with Legal Effects
- The Processor does not perform any AI processing that results in automated decision-making with legal or similarly significant effects concerning the Controller or any Data Subject;
- AI-generated recommendations and analysis are provided to the Controller as assistive tools only;
- The Controller retains full responsibility for all compliance decisions and any actions taken on the basis of AI-generated analysis;
- All final decisions regarding security controls, evidence acceptance, or compliance status remain under the exclusive control of the Controller.
11.4A DUAA Compliance for AI Processing
In accordance with the Data (Use and Access) Act 2025 (DUAA), the Processor shall ensure that AI-assisted processing on the Platform:
- Does not constitute solely automated decision-making with significant effects, as all AI outputs are presented as recommendations subject to human review and Controller oversight;
- Maintains appropriate safeguards, including clear information to the Controller about the logic involved in AI analysis, meaningful human intervention in all decision-making, and the ability for Data Subjects to make representations and contest decisions through the Controller;
- Complies with any guidance issued by the Information Commissioner's Office (ICO) regarding the application of the DUAA to AI-assisted processing;
- Is kept under review to ensure ongoing compliance as DUAA provisions are commenced and as ICO guidance evolves.
11.5 Data Minimisation in AI Prompts
The Processor shall:
- Minimise the amount of personal data transmitted to Anthropic by removing or redacting personally identifiable information where possible;
- Configure AI prompts to request only the specific analysis required, and rely on the Zero Data Retention enrolment described in Section 11.6, rather than on prompt instructions, to ensure that the data provided is not retained or further processed;
- Instruct Anthropic not to use personal data provided for AI training, model improvement, or any purpose other than fulfilling the specific request.
11.6 Data Retention by Anthropic
The Processor shall ensure that:
- Under the Processor's enrolment in Anthropic's Zero Data Retention (ZDR) programme, Anthropic does not retain any personal data or other Controller data beyond the duration of each individual API request;
- No personal data is stored, logged, cached, or used by Anthropic for model training, improvement, or any purpose other than fulfilling the specific processing request in real time;
- The Processor's ZDR enrolment status may be verified by the Controller upon reasonable written request;
- In the event the Processor's ZDR enrolment is terminated or modified, the Processor shall notify the Controller within 14 days and provide details of any changes to Anthropic's data retention practices.
11.7 Controller's Right to Opt Out
- The Controller may opt out of AI-assisted processing at any time by written notice to the Processor at legal@snubnose.io. The Processor shall disable AI-assisted features for the Controller's account within 5 business days of receiving the request;
- Where the Controller opts out, the Processor shall not transmit personal data to Anthropic for AI processing, and no personal data will be transferred outside the United Kingdom in connection with AI features;
- The Platform remains fully functional without AI-assisted features; opting out does not limit other Platform functionality. The Processor intends to provide a self-service toggle within the Platform to allow Controllers to enable or disable AI-assisted features directly.
11.8 Transparency and Consent
- The Processor shall ensure that the Controller and all Data Subjects are informed about AI-assisted processing through Platform documentation and privacy information;
- The Controller shall ensure that it has an appropriate lawful basis, including consent where required, for the transmission of Data Subjects' personal data to Anthropic for AI processing;
- Where applicable, the Controller is responsible for informing Data Subjects about this processing in privacy notices and other transparency information.
11.9 AI Processing Compliance
The Processor's use of AI processing shall comply with:
- The provisions of UK GDPR (as amended by the DUAA) concerning automated decision-making and profiling, including the expanded lawful bases and safeguard requirements introduced by the DUAA;
- Any guidance issued by the Information Commissioner's Office (ICO) regarding AI, automated decision-making, and data protection;
- The principle of lawfulness, fairness, and transparency;
- Data minimisation and purpose limitation principles;
- The Data (Use and Access) Act 2025 and any regulations, codes of practice, or statutory instruments made thereunder.
12. Data Deletion and Return on Termination
12.1 Termination of Service
Upon termination or expiry of the service contract between the Controller and the Processor:
- The Processor shall, at the Controller's written election, either delete all personal data processed on behalf of the Controller or return it in a structured, commonly used, machine-readable format;
- The Controller must provide written instructions regarding data deletion or return within 30 days of termination;
- Where no instructions are provided within 30 days, the Processor shall delete all personal data;
- Deletion shall be completed within 90 days of termination, except where retention is required by law.
12.2 Exceptions to Deletion
The Processor may retain personal data where:
- Legal Obligation: Retention is required by UK law, regulatory requirements, or a court order;
- Backup Systems: Personal data may be retained in automated backup systems for a limited period (not exceeding 90 days) to allow for data recovery; such data is not actively accessed or processed;
- Tax or Accounting Records: Personal data retained for tax, accounting, or audit purposes, in accordance with UK law.
12.3 Evidence of Deletion
The Processor shall provide the Controller with reasonable evidence of deletion (such as a certification letter or deletion report) upon request.
12.4 Return of Data
Where the Controller requests return of personal data:
- The Processor shall provide all personal data in a structured, commonly used, machine-readable format (such as CSV or JSON);
- The export shall include all relevant metadata and historical records where reasonably practicable;
- The Processor shall use reasonable efforts to ensure the completeness and accuracy of exported data.
13. Liability
13.1 Liability Cap
The liability of the Processor under or in connection with this Agreement shall be subject to and limited by the liability cap set out in the Snubnose Subscription Agreement.
13.2 Exceptions
The liability cap shall not apply to:
- Either party's indemnification obligations;
- Breaches of confidentiality;
- Infringement of intellectual property rights;
- Either party's death or personal injury caused by negligence;
- Fraud or fraudulent misrepresentation;
- Any liability that cannot be limited or excluded under UK law.
13.3 Processor Liability
The Processor shall be liable for:
- Losses arising from the Processor's failure to fulfil its obligations under this Agreement;
- Losses arising from a Data Breach caused by the Processor's failure to implement appropriate security measures;
- Losses arising from unauthorised sub-processor engagement or sub-processor failures;
- Failure to assist the Controller in meeting its UK GDPR obligations.
Subject to the limitation of liability provisions in the Snubnose Subscription Agreement and applicable law, the Processor's aggregate liability for any claim under this Agreement shall not exceed the greater of: (a) the service fees paid by the Controller in the 24 months preceding the claim; or (b) £25,000.
13.4 Regulatory Fines and Penalties
- Each party shall be responsible for any regulatory fines, penalties, or enforcement actions imposed on it by the Information Commissioner's Office (ICO) or any other supervisory authority arising from its own acts or omissions in relation to the processing of personal data under this Agreement.
- The Processor shall not be liable for ICO fines imposed on the Controller except to the extent that such fines are directly attributable to the Processor's breach of its obligations under this Agreement.
- Where an ICO investigation or enforcement action relates to the processing of personal data under this Agreement, the parties shall:
  - Promptly notify the other party of any investigation, complaint, or enforcement action by the ICO or any supervisory authority that relates to personal data processed under this Agreement;
  - Cooperate in good faith and provide reasonable assistance to the other party in responding to any such investigation or enforcement action;
  - Share relevant information and documentation as reasonably necessary for the other party to respond to regulatory enquiries, subject to legal privilege and confidentiality obligations.
- Where an ICO fine or penalty is imposed as a result of a Data Breach or non-compliance attributable to the acts or omissions of both parties, each party shall bear a proportionate share of any resulting costs, to be determined in good faith by the parties or, failing agreement, by the courts of England and Wales.
- Nothing in this Section 13.4 limits or excludes either party's liability for its own wilful default, gross negligence, or fraud.
13.5 Service Level Commitments
The Processor's service availability commitments, including the Uptime Commitment and service credit provisions, are set out in Section 10 of the Snubnose Subscription Agreement. Service credits provided under those provisions shall be the Controller's sole and exclusive remedy for failure to meet the Uptime Commitment, without prejudice to the Controller's other rights under this Agreement.
14. Term and Termination
14.1 Term
This Agreement shall commence on the date the Controller enters into the Snubnose Subscription Agreement and shall continue for the duration of the service contract unless earlier terminated in accordance with this Section 14.
14.2 Termination
- By the Controller: The Controller may terminate this Agreement in accordance with the termination provisions in the Snubnose Subscription Agreement;
- By the Processor: The Processor may terminate this Agreement upon 30 days' written notice to the Controller;
- Automatic Termination: This Agreement shall automatically terminate upon termination of the Snubnose Subscription Agreement.
14.3 Effect of Termination
Upon termination:
- The Processor shall cease processing personal data, except as required by law;
- The Processor shall comply with the data deletion or return requirements set out in Section 12;
- The Processor's confidentiality and security obligations shall survive termination;
- Any provision of this Agreement that, by its nature, should survive termination shall continue in force.
14.4 Suspension of Service
The Processor may suspend the Controller's access to the Platform if:
- The Controller breaches its obligations under this Agreement and fails to remedy the breach within 15 days of written notice;
- Required by law or court order;
- The Processor reasonably believes that continuation would violate UK law or cause serious harm.
The Processor shall provide prompt notice of any suspension and shall cooperate with the Controller to remedy the underlying issue.
15. General Provisions
15.1 Amendment
This Agreement may be amended by the Processor with 30 days' written notice to the Controller. If the Controller does not accept the amended terms, the Controller may terminate the service contract.
15.2 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of law principles.
15.3 Jurisdiction
Both parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
15.4 Entire Agreement
This Agreement, together with the Snubnose Subscription Agreement, constitutes the entire agreement between the parties regarding data processing and supersedes all prior negotiations, representations, and agreements.
15.5 Severability
If any provision of this Agreement is found to be invalid, illegal, or unenforceable, such provision shall be severed and the remaining provisions shall continue in force.
15.6 Notices
Notices under this Agreement shall be sent to the contact details provided by each party and shall be deemed received when delivered in person, sent by email (with read receipt), or delivered by post (5 working days after posting).
15.7 No Waiver
The failure of either party to enforce any right or provision of this Agreement shall not constitute a waiver of such right or provision.
Annex A: Technical and Organisational Security Measures (TOMs)
A1. Encryption
A1.1 Encryption in Transit
- All data transmitted between the user's browser and the Platform's servers is encrypted using TLS 1.3 or higher;
- All API communications use HTTPS with TLS 1.3;
- Email communications containing sensitive data are encrypted where practicable;
- Sub-processor communications are encrypted in transit.
A1.2 Encryption at Rest
- All personal data stored in the PostgreSQL database is encrypted at rest using AES-256;
- Encryption keys are managed by Fly.io's managed PostgreSQL service and are separate from the plaintext data;
- Evidence documents and file attachments are encrypted at rest in Tigris object storage using AES-256;
- Automated backups are encrypted at rest.
A1.3 Key Management
- Encryption keys are stored securely by Fly.io's managed services;
- The Processor does not manage encryption keys; key management is delegated to Fly.io's infrastructure;
- Key rotation is performed automatically by the managed services at intervals commensurate with security best practices.
A2. Access Control
A2.1 Authentication
- Users authenticate via OAuth 2.0 using Microsoft or Google identity providers;
- Users are not required to store passwords with the Processor;
- Multi-factor authentication (MFA) is supported and recommended;
- Authentication tokens are encrypted and expire after a fixed period of inactivity.
A2.2 Authorisation and RBAC
- The Platform implements role-based access control (RBAC) to restrict access based on assigned roles;
- Typical roles include: administrator, auditor, evidence manager, and viewer;
- Role permissions are documented and enforced at the application level;
- Default permissions follow the principle of least privilege;
- Access can be customised and revoked by the Controller at any time.
A2.3 Session Management
- User sessions are encrypted and stored server-side;
- Sessions expire automatically after a defined period of inactivity (typically 24 hours);
- Sessions can be manually terminated by the user or administrator;
- Session IDs are randomised and cryptographically secure.
A2.4 Administrative Access
- Administrative access to infrastructure, databases, and systems is restricted to authorised personnel;
- Administrative access is protected by multi-factor authentication;
- All administrative actions are logged and monitored;
- Administrative access is reviewed regularly and revoked upon termination of employment.
A2.5 API Authentication
- All API requests require authentication using bearer tokens (OAuth tokens or API keys);
- API keys are rate-limited and can be rotated or revoked by the Controller;
- API access logs are maintained for audit purposes.
A3. Infrastructure and Data Residency
A3.1 Application Hosting
- The Platform is hosted on Fly.io using infrastructure located in the London, UK (LHR) region;
- Fly.io provides managed infrastructure including load balancing, auto-scaling, and failover;
- The Processor uses Fly.io's provided security features, including DDoS protection.
A3.2 Database and Storage
- Personal data is stored in a Fly.io Managed PostgreSQL database located in the London, UK region;
- The database is configured with automated backups and replication for high availability;
- Evidence documents and attachments are stored in Tigris object storage (also accessed via Fly.io);
- All storage is encrypted at rest.
A3.3 Backup and Recovery
- Automated backups of the database are created daily;
- Backups are stored in the same region as the primary database (London, UK);
- Backups are encrypted at rest and can be used for point-in-time recovery;
- Backup retention policies are documented and reviewed annually;
- Disaster recovery procedures are tested at least annually.
A3.4 High Availability and Business Continuity
- The Platform is designed with redundancy to ensure service continuity;
- Fly.io provides service level agreements (SLAs) regarding uptime;
- The Processor maintains a 99.9% monthly Uptime Commitment as set out in the Snubnose Subscription Agreement;
- The Processor maintains a business continuity plan with the following targets:
  - Recovery Time Objective (RTO): 4 hours, the target maximum time to restore Service availability following a major incident;
  - Recovery Point Objective (RPO): 1 hour, the target maximum period of data loss in the event of a major incident;
  - RTO and RPO targets represent reasonable endeavours and are subject to the nature and severity of the incident;
- Disaster recovery procedures are documented, reviewed, and tested at least annually.
A4. Application Security
A4.1 Server-Side Rendering
- The Platform uses server-side rendering to minimise the exposure of sensitive data to client-side JavaScript;
- This reduces the risk of sensitive data being accessible through browser developer tools or client-side vulnerabilities.
A4.2 API Security
- All API endpoints require authentication and authorisation;
- API requests are logged for audit purposes;
- Rate limiting is implemented to prevent abuse;
- API responses include security headers to prevent common attacks.
A4.3 Input Validation and Sanitisation
- All user inputs are validated against expected formats and lengths;
- Inputs are sanitised to prevent injection attacks (SQL injection, cross-site scripting, etc.);
- File uploads are scanned and validated;
- Special characters and potentially dangerous content are escaped or removed.
A4.4 Security Headers
The Platform implements the following security headers:
- Content-Security-Policy (CSP): Restricts the sources from which content can be loaded, preventing XSS attacks;
- X-Frame-Options: Prevents the application from being framed by other websites, preventing clickjacking;
- X-Content-Type-Options: Prevents MIME type sniffing;
- Strict-Transport-Security (HSTS): Enforces HTTPS communication;
- Referrer-Policy: Controls what referrer information is sent with requests;
- Permissions-Policy: Restricts access to browser features and APIs.
A4.5 Dependency Management
- The Platform's dependencies are regularly reviewed and updated to address known vulnerabilities;
- Automated security scanning tools are used to identify vulnerable dependencies;
- Security patches are applied promptly.
A5. Personnel Security
A5.1 Confidentiality Obligations
- All personnel with access to personal data are subject to binding confidentiality obligations;
- Confidentiality obligations are documented in employment contracts or separate agreements;
- These obligations survive termination of employment or engagement.
A5.2 Background Checks
- Personnel with access to personal data are subject to appropriate background checks;
- Background checks are commensurate with the sensitivity of data accessed;
- Ongoing clearance reviews are conducted.
A5.3 Need-to-Know Access
- Access to personal data is restricted on a need-to-know basis;
- Personnel are only granted access to the data and systems required to perform their role;
- Access rights are reviewed regularly.
A5.4 Training and Awareness
- A documented data protection and information security training programme is in place;
- All personnel with access to personal data receive annual training;
- Training covers data protection principles, confidentiality obligations, and incident response procedures;
- Training records are maintained.
A5.5 Offboarding
- Upon termination of employment or engagement, all access to systems and personal data is revoked immediately;
- IT assets are returned and securely wiped;
- Confidentiality obligations continue to apply after termination.
A6. Monitoring and Logging
A6.1 System Logging
- All access to personal data is logged, including:
  - User authentication and session events;
  - Data access and modification events;
  - Administrative actions;
  - Error and exception events;
- Logs are retained for a minimum of 12 months;
- Logs are protected from unauthorised access and modification.
A6.2 Anomaly Detection
- System monitoring tools are in place to detect unauthorised access or anomalous activity;
- Alerts are generated for suspicious activities;
- Alerts are reviewed by authorised personnel and investigated promptly.
A6.3 Performance Monitoring
- The Platform's performance and availability are monitored continuously;
- Monitoring data is used to optimise performance and identify potential issues;
- Service status is communicated to users.
A7. Incident Management
A7.1 Incident Response Plan
- A documented incident response plan is in place;
- The plan defines roles and responsibilities, escalation procedures, and communication protocols;
- The plan is reviewed and tested at least annually.
A7.2 Detection and Response
- Systems are in place to detect Data Breaches and security incidents;
- Upon detection, the incident is contained and investigated promptly;
- Affected systems are isolated if necessary;
- Evidence is preserved for investigation and regulatory purposes.
A7.3 Notification Procedures
- The Processor notifies the Controller of any confirmed Data Breach without undue delay and in any case within 24 hours of becoming aware of the breach;
- Notification includes a description of the breach, likely impact, and measures taken;
- The Processor cooperates with the Controller's notification obligations to the Information Commissioner's Office (ICO) and affected Data Subjects.
A7.4 Post-Incident Actions
- A post-incident review is conducted to identify lessons learned;
- The incident response plan and security measures are updated based on findings;
- Reports are provided to relevant stakeholders.
A8. Vulnerability Management
A8.1 Vulnerability Assessment
- Regular vulnerability assessments and penetration testing are conducted;
- Vulnerabilities are prioritised based on risk and exploitability;
- A remediation plan is developed for identified vulnerabilities.
A8.2 Patch Management
- Security patches and updates are applied promptly;
- Patch management procedures are documented;
- Critical patches are applied within 30 days; other patches within 90 days.
A8.3 Third-Party Assessments and Certifications
- The Processor holds current Cyber Essentials certification and is pursuing Cyber Essentials Plus certification;
- The Processor maintains cyber liability insurance with a reputable insurer, providing coverage for event management, data protection investigations, data protection fines (where legally payable), liability, and business interruption;
- The Processor shall use reasonable efforts to maintain its Cyber Essentials certification (or equivalent) throughout the term of this Agreement;
- The Processor maintains relevant security certifications or assessments (such as SOC 2 Type II) to demonstrate compliance with security standards;
- Evidence of current certifications and insurance coverage is made available to the Controller upon reasonable written request.
A9. Data Protection by Design and Default
A9.1 Privacy by Design
- Data protection and privacy are considered in the design and development of the Platform;
- Privacy impact assessments are conducted for new features or changes;
- Data minimisation is applied to reduce the personal data collected and processed.
A9.2 Privacy by Default
- The Platform's default settings are configured to protect privacy;
- Users can customise their privacy settings where appropriate;
- Retention periods are minimised.
Annex B: Approved Sub-Processor List
| Sub-Processor | Legal Entity & Location | Purpose | Data Processed | DPA |
|---|---|---|---|---|
| Fly.io | Fly.io, Inc., San Francisco, USA (London, UK infrastructure) | Application hosting, database management, compute infrastructure | All personal data stored in PostgreSQL database and accessed via the Platform | Data Processing Addendum executed |
| Tigris | Tigris Data, Inc., USA (via Fly.io) | S3-compatible object storage for evidence documents and attachments | Evidence documents, file attachments, organisation data | Data Processing Addendum executed |
| Anthropic | Anthropic, PBC, San Francisco, USA | AI-assisted evidence validation, control applicability assessment, gap analysis | Evidence document content, organisation metadata, scope assessment data, security control details | Data Processing Agreement with Anthropic; Zero Data Retention (ZDR) programme; see Section 11 |
| Resend | Resend, Inc., San Francisco, USA | Transactional email delivery (account notifications, password resets, etc.) | User email addresses, organisation email addresses, account-related communication data | Data Processing Addendum executed |
| Google LLC | Mountain View, California, USA | OAuth 2.0 authentication, Google Places API for address autocomplete | Email address, user profile information (name, profile image), organisation address data | Google Cloud data processing terms |
| Microsoft | Redmond, Washington, USA | OAuth 2.0 authentication (Entra ID) | Email address, user profile information (name, profile image), organisation data | Microsoft Online Services Data Protection Addendum |
Notes:
- Fly.io (London): Whilst Fly.io is a US-incorporated company, the Platform's primary infrastructure operates from the London, UK (LHR) region. Personal data is stored and processed in the UK.
- Data Localisation: The Controller may request that certain personal data be stored only in the UK (Fly.io London region) and not transmitted to other Sub-processors. Contact the Processor for options.
- Changes to Sub-Processors: The Processor shall notify the Controller of any changes to the Sub-processor list at least 30 days in advance. The Controller has the right to object to the engagement of a new Sub-processor.
- Data Processing Agreements: All Sub-processors are bound by written data processing agreements that require them to implement equivalent data protection obligations and comply with UK GDPR.
Glossary
| Term | Definition |
|---|---|
| Controller | The organisation (client) that determines the purposes and means of processing personal data. |
| Processor | Snubnose Ltd, which processes personal data on the Controller's instructions. |
| Sub-processor | An entity engaged by the Processor to process personal data on behalf of the Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing | Any operation performed on personal data (collection, storage, use, analysis, deletion, etc.). |
| Data Subject | A natural person whose personal data is processed. |
| Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised access to personal data. |
| UK GDPR | The United Kingdom General Data Protection Regulation, as contained in the Data Protection Act 2018, as amended. |
| Confidentiality | The obligation to keep information confidential and not disclose it to unauthorised parties. |
| Encryption | The process of converting data into a coded format to prevent unauthorised access. |
| OAuth | An open standard authentication protocol that allows users to authenticate using third-party identity providers. |
| RBAC | Role-Based Access Control; a method of restricting access based on assigned user roles. |
| Data Minimisation | The principle of processing only the minimum amount of personal data necessary for the stated purpose. |
| Data Subject Rights | Rights granted to individuals under UK GDPR, including rights of access, rectification, erasure, restriction, and portability. |
Document History
| Version | Date | Changes |
|---|---|---|
| 1.0 | March 2026 | Initial draft for legal review |
Contact
For enquiries regarding this Data Processing Agreement, please contact:
Snubnose Ltd
Company number: 17048932
Registered in England and Wales
Email: legal@snubnose.io
Website: snubnose.io