
DATA PROCESSING AGREEMENT

Version: 1.0
Last Updated: August 2025
Classification: Public
Contact: dpa@impgent.com

This Data Processing Agreement ("DPA") is entered into as of the date of signature of your agreement.

1. DEFINITIONS

In this DPA:

"Applicable Data Protection Law" means all applicable data protection and privacy laws including:

  • UK GDPR (as defined in the Data Protection Act 2018)
  • EU GDPR (Regulation (EU) 2016/679)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations 2003
  • Any other applicable data protection laws

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.

"Early Adopter" means a Customer who enters into a Principal Agreement with Impgent Ltd under preferential commercial terms (such as discounted fees or pilot participation) in exchange for early access to the Services and/or participation in product feedback or testing initiatives. Early Adopters may be subject to different service levels, features, or support terms as mutually agreed in writing.

"Customer Data" means all Personal Data that the Processor processes on behalf of the Controller under this DPA.

"Subprocessor" means any third party appointed by the Processor to process Customer Data.

2. PROCESSING OF CUSTOMER DATA

2.1 Roles: The parties acknowledge that:

  • Customer is the Controller of Customer Data
  • Impgent is the Processor of Customer Data
  • This DPA applies to all Processing carried out under the Principal Agreement

2.2 Processor's Obligations: The Processor shall:

  • Process Customer Data only on documented instructions from the Controller (including as set out in Schedule 1)
  • Ensure that persons authorised to process Customer Data have committed to confidentiality
  • Implement appropriate technical and organisational measures to ensure security of processing
  • Not engage Subprocessors without the Controller's prior written consent
  • Assist the Controller with data subject requests and compliance obligations
  • Delete or return all Customer Data at the end of the provision of services
  • Make available to the Controller all information necessary to demonstrate compliance

2.3 Duration: Processing shall continue until the termination of the Principal Agreement and completion of any data deletion or return obligations.

3. SECURITY OF PROCESSING

3.1 The Processor shall implement and maintain appropriate technical and organisational measures including:

Technical Measures:

  • Encryption of data in transit (TLS 1.2 minimum) and at rest (AES-256)
  • Multifactor authentication for administrative access
  • Regular security patches and updates
  • Firewalls and intrusion detection systems
  • Regular vulnerability scanning and penetration testing
  • Secure backup procedures with encrypted storage
  • Audit logging and monitoring

Organisational Measures:

  • Information security policies and procedures
  • Regular staff training on data protection
  • Access controls based on least privilege principle
  • Confidentiality agreements with all staff
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security reviews and audits

3.2 The measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing.

4. SUBPROCESSORS

4.1 General Authorisation: The Controller provides general written authorisation for the Processor to engage Subprocessors listed in Schedule 2.

4.2 New Subprocessors: The Processor shall:

  • Inform the Controller of any intended changes concerning addition or replacement of Subprocessors
  • Provide at least 30 days' notice before engaging new Subprocessors
  • Give the Controller the opportunity to object to such changes

4.3 Subprocessor Obligations: The Processor shall:

  • Enter into written agreements with Subprocessors imposing the same data protection obligations as this DPA
  • Remain fully liable for Subprocessor performance
  • Ensure Subprocessors implement appropriate security measures

4.4 Objection Rights: If the Controller objects to a new Subprocessor:

  • The parties shall discuss the objection in good faith
  • If no resolution is found, the Controller may terminate the affected services

5. INTERNATIONAL TRANSFERS

5.1 The Processor shall not transfer Customer Data outside the UK/EEA without:

  • The Controller's prior written consent
  • Appropriate safeguards being in place (such as UK/EU Standard Contractual Clauses)
  • Compliance with Chapter V of UK/EU GDPR

5.2 Where transfers are authorised, the Processor shall:

  • Ensure appropriate safeguards are implemented
  • Provide copies of safeguards on request
  • Inform the Controller of any changes to transfer mechanisms

5A. Data Localisation and Hosting

5A.1 The Processor shall host and process Customer Data in the geographic region corresponding to the Customer's location, to the extent reasonably practicable. Specifically:

  • UK-based Customers: Data will be hosted in the United Kingdom.
  • EU-based Customers: Data will be hosted within the European Economic Area (EEA).
  • US-based Customers: Data will be hosted in the United States.
  • Customers outside these regions: Where regional hosting is not available or feasible, data will be hosted in the next closest available location that meets an equivalent standard of data protection and security.

5A.2 Where hosting outside the Customer's region is required, the Processor shall ensure that international transfers comply with Section 5 of this Agreement, including the use of Standard Contractual Clauses or other lawful mechanisms under Applicable Data Protection Law.

6. DATA SUBJECT RIGHTS

6.1 The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond except on documented instructions from the Controller.

6.2 The Processor shall assist the Controller in responding to Data Subject requests by:

  • Providing Customer Data in a structured, commonly used format
  • Implementing technical measures to support data portability
  • Facilitating data correction, deletion, or restriction of processing
  • Providing information about processing activities

6.3 The Processor may charge reasonable fees for assistance beyond initial support, based on time and materials.

7. DATA BREACH NOTIFICATION

7.1 The Processor shall notify the Controller without undue delay and within 24 hours of becoming aware of a Personal Data Breach.

7.2 The notification shall include:

  • Nature of the breach including categories and approximate numbers of Data Subjects and records
  • Name and contact details of the data protection officer or contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate effects

7.3 The Processor shall:

  • Cooperate with the Controller in investigating the breach
  • Take immediate steps to mitigate the effects
  • Document all breaches and remedial actions
  • Not notify any third party without the Controller's consent (except as legally required)

8. AUDIT AND COMPLIANCE

8.1 The Processor shall make available all information necessary to demonstrate compliance and allow for audits by the Controller or authorised auditors.

8.2 Audit Rights: The Controller may conduct audits:

  • With 30 days' written notice (except for breach investigations)
  • During normal business hours
  • No more than once per year (except for cause)
  • Subject to confidentiality agreements

8.3 Audit Process:

  • The Controller shall provide an audit plan in advance
  • The Processor shall cooperate and provide reasonable assistance
  • Costs shall be borne by the Controller unless material noncompliance is found
  • The Processor may object to auditors who are competitors

8.4 The Processor shall maintain certifications such as ISO 27001 or SOC 2 and provide copies on request.

9. DATA PROTECTION IMPACT ASSESSMENTS

9.1 The Processor shall provide reasonable assistance to the Controller with:

  • Data Protection Impact Assessments (DPIAs)
  • Prior consultation with Supervisory Authorities
  • Assessment of processing security
  • Evaluation of necessity and proportionality

9.2 Assistance may be subject to reasonable fees based on time and materials.

10. DELETION AND RETURN OF DATA

10.1 Upon termination of the Principal Agreement or upon request, the Processor shall:

  • Cease all processing of Customer Data
  • Delete or return all Customer Data (at Controller's choice)
  • Delete existing copies unless retention is required by law
  • Provide written certification of deletion

10.2 Deletion Timeline:

  • Active data: Within 30 days of request
  • Backup data: Within 90 days (standard backup rotation)
  • Automatic deletion: As specified in the Principal Agreement

10.3 The Processor may retain Customer Data only:

  • As required by applicable law
  • Subject to confidentiality obligations
  • With security measures maintained

11. LIABILITY AND INDEMNIFICATION

11.1 Each party's liability under this DPA shall be subject to the limitations in the Principal Agreement.

11.2 Each party shall indemnify the other against:

  • Regulatory fines resulting from the indemnifying party's breach
  • Claims from Data Subjects arising from the indemnifying party's noncompliance
  • Costs and expenses arising from breach of this DPA

11.3 The indemnities shall not apply to the extent losses result from the other party's instructions or breach.

12. GENERAL PROVISIONS

12.1 Amendments: Changes to this DPA must be in writing and signed by both parties.

12.2 Severability: Invalid provisions shall not affect the remainder of this DPA.

12.3 Priority: In case of conflict, this DPA prevails over the Principal Agreement for data protection matters.

12.4 Governing Law: This DPA is governed by the laws of England and Wales.

12.5 Term: This DPA continues for the duration of any processing under the Principal Agreement.

SCHEDULE 1 - PROCESSING DETAILS

Nature and Purpose of Processing:

  • Provision of SaaS implementation agent services
  • Configuration management for business software
  • Data migration and transformation services
  • User onboarding and education services

Categories of Data Subjects:

  • Customer's employees
  • Customer's contractors
  • Customer's clients/customers
  • Customer's suppliers/vendors

Categories of Personal Data:

  • Identity Data: Names, titles, employee IDs
  • Contact Data: Email addresses, phone numbers
  • Employment Data: Job titles, departments, roles, salary information
  • System Data: Usernames, access logs, usage data
  • Financial Data: Payroll information, payment details
  • Business Data: As uploaded by Customer for migration/configuration

Sensitive Personal Data:

  • May include: Racial/ethnic origin, trade union membership, health data (as relevant to payroll/HR systems)
  • Special protective measures apply to any sensitive data

Duration of Processing:
Duration of the Principal Agreement plus any retention period

Processing Operations:

  • Storage and hosting
  • Backup and recovery
  • Access management
  • Data transformation and mapping
  • AI/ML processing for automation
  • Technical support
  • Reporting and analytics

SCHEDULE 2 - APPROVED SUBPROCESSORS

Subprocessor                | Purpose                                 | Location
Amazon Web Services (AWS)   | Cloud Infrastructure & Storage          | UK/EU/USA
Google Cloud Platform (GCP) | Cloud Infrastructure & ML Hosting       | UK/EU/USA
Microsoft Azure             | Cloud Infrastructure & Backups          | UK/EU/USA
Stripe                      | Payment Processing                      | UK/EU
Auth0 (Okta)                | Authentication & Identity Management    | USA/EU
SendGrid (Twilio)           | Transactional Email Delivery            | USA/EU
Postmark (ActiveCampaign)   | Email Delivery                          | USA/EU
Cloudflare                  | CDN, Firewall, DDoS Protection          | Global
Datadog                     | Application Monitoring & Logs           | USA/EU
Sentry                      | Error Monitoring                        | EU/USA
Anthropic                   | AI/LLM Services                         | USA
OpenAI                      | AI/LLM Services                         | USA
HubSpot                     | CRM & Marketing Automation              | EU/USA
Intercom                    | Customer Support Chat                   | EU/USA
Slack                       | Internal Communication                  | USA
Linear                      | Project Management & Issue Tracking     | USA
Notion                      | Internal Documentation                  | USA
Typeform                    | User Surveys and Forms                  | EU/Spain
Firebase (Google)           | Authentication, Storage, Analytics, DB  | USA/EU
PocketBase                  | Backend-as-a-Service (if used)          | EU-based
Squarespace                 | Website Hosting & Analytics             | USA

impgent LTD 2025. All Rights Reserved
