Data Processing Agreement

Last updated: April 17, 2026

This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable order form, account, or online sign-up ("Customer") and Vexon Group LTD, a company registered in England & Wales and trading as "Passportbase" ("Passportbase"). It forms part of, and is governed by, the Terms of Service, API Terms, and any enterprise order between the parties (together, the "Agreement").

This DPA applies only where Passportbase processes Personal Data on behalf of the Customer as a processor. It does not apply to Personal Data for which Passportbase is a controller (as described in our Privacy Policy).

By accepting the Agreement, creating an account, submitting Personal Data through the API, or signing an enterprise order, the Customer agrees to the terms of this DPA. Customers who require a countersigned copy may email [email protected].

1. Definitions

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the UK GDPR, the EU GDPR (Regulation (EU) 2016/679), the UK Data Protection Act 2018, and any successor or equivalent laws.

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the UK GDPR.

"Customer Personal Data" means Personal Data processed by Passportbase on behalf of the Customer in connection with the Services.

"Sub-processor" means a third party engaged by Passportbase to process Customer Personal Data.

"Restricted Transfer" means a transfer of Customer Personal Data to a country outside the UK or EEA that is not subject to an adequacy decision.

2. Roles of the Parties

With respect to Customer Personal Data, the Customer is the Controller (or a Processor acting on behalf of a third-party controller) and Passportbase is the Processor. Where the Customer acts as a Processor, the Customer warrants that it has the authority to instruct Passportbase on behalf of the ultimate Controller and has all necessary agreements in place.

Each party will comply with its respective obligations under Data Protection Laws in relation to Customer Personal Data.

3. Scope and Instructions

Passportbase will Process Customer Personal Data only: (i) to provide and support the Services in accordance with the Agreement; (ii) on documented instructions from the Customer (including via configuration, API calls, and support requests); and (iii) as required by applicable law, in which case Passportbase will notify the Customer unless that law prohibits notice on important grounds of public interest.

The subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data Processed are set out in Annex A.

Passportbase will immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

Passportbase will ensure that persons authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and receive appropriate data protection training.

5. Security

Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, Passportbase will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B.

Passportbase may update these measures from time to time, provided the overall level of security is not materially reduced.

6. Sub-processors

The Customer provides a general authorization for Passportbase to engage Sub-processors (including Passportbase affiliates) to Process Customer Personal Data for the purposes of providing the Services. A current list of Sub-processors is available on request from [email protected].

Passportbase will: (i) impose on each Sub-processor data protection obligations that are no less protective than those in this DPA; (ii) remain liable for the acts and omissions of its Sub-processors to the same extent as for its own; and (iii) give the Customer reasonable advance notice of any intended addition or replacement of a Sub-processor used to Process Customer Personal Data.

The Customer may object on reasonable data-protection grounds within 14 days of notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve it, either party may terminate the affected portion of the Services without penalty.

7. International Transfers

Passportbase may transfer Customer Personal Data outside the UK or EEA where necessary to provide the Services. For any Restricted Transfer, the parties agree that:

  • transfers from the UK are made subject to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs);
  • transfers from the EEA are made subject to the EU SCCs (Module 2 or Module 3 as appropriate, Commission Decision (EU) 2021/914), incorporated into this DPA by reference and deemed executed between the parties;
  • the parties will implement supplementary measures where required by applicable law.

Where a framework superseding the SCCs or IDTA becomes available and applicable (for example, a successor mechanism or adequacy decision), the parties will rely on it.

8. Data Subject Rights

The Services provide functionality that enables the Customer to access, correct, export, or delete Customer Personal Data, so the Customer can respond to requests from Data Subjects. To the extent the Customer cannot address such a request through the Services, Passportbase will, at the Customer's reasonable request and cost, provide reasonable assistance.

If Passportbase receives a request directly from a Data Subject relating to Customer Personal Data, Passportbase will, unless legally prohibited, redirect the request to the Customer and not respond substantively on behalf of the Customer.

9. Personal Data Breach

Passportbase will notify the Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time and as it becomes known:

  • a description of the nature of the breach;
  • the categories and approximate number of Data Subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its effects;
  • a contact point for further information.

Passportbase will provide reasonable assistance to the Customer in fulfilling its breach notification obligations under Data Protection Laws. Notification is not, by itself, an acknowledgment of fault or liability.

10. Assistance with DPIAs and Regulator Consultations

Taking into account the nature of Processing and the information available to Passportbase, Passportbase will, at the Customer's reasonable request and cost, provide reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities relating to Customer Personal Data.

11. Audits

Passportbase will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, primarily through up-to-date security documentation, summaries of third-party audits or certifications (where available), and written responses to reasonable information requests.

Where the Customer reasonably believes this information is insufficient to demonstrate compliance, the Customer may, on reasonable advance written notice and no more than once per year (except where required by a Supervisory Authority or following a Personal Data Breach), request an audit conducted by the Customer or a qualified independent auditor bound by confidentiality. Audits must be conducted during normal business hours, must not unreasonably interfere with operations, and must respect Passportbase's security and confidentiality obligations to other customers. Each party bears its own costs.

12. Return and Deletion

On termination or expiry of the Agreement, Passportbase will, at the Customer's choice, delete or return Customer Personal Data within 30 days, and delete existing copies, except to the extent that applicable law requires retention. Backups are deleted on their standard rotation cycle, and remain subject to this DPA until deletion.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits liability that cannot be limited under applicable law.

14. Order of Precedence

In the event of a conflict between this DPA and other terms of the Agreement, this DPA prevails on matters of data protection. Where transfer mechanisms referenced in section 7 apply, those mechanisms prevail over this DPA to the extent of any conflict solely in respect of the Restricted Transfer to which they apply.

15. Changes to This DPA

Passportbase may amend this DPA from time to time, including to reflect changes in Data Protection Laws or transfer mechanisms. Material changes will be indicated by updating the "Last updated" date and, where appropriate, additional notice. Continued use of the Services after changes take effect constitutes acceptance.

16. Governing Law

This DPA is governed by the laws and subject to the jurisdiction specified in the Agreement. Where the Agreement does not specify, this DPA is governed by the laws of England & Wales, and the courts of England & Wales have exclusive jurisdiction.

Annex A — Details of Processing

Subject matter: provision of the Passportbase Services (website, apps, API, and related support) to the Customer.

Duration: for the term of the Agreement, plus the retention period described in section 12.

Nature and purpose: hosting, transmission, storage, access control, security monitoring, logging, support, billing, and other operations necessary to provide the Services.

Categories of Data Subjects: the Customer's authorized users, billing contacts, and the Customer's end users where those end users interact with the Services through the Customer.

Types of Personal Data: account identifiers (name, email), authentication metadata, API credential metadata, IP address, user agent, device identifiers, request metadata, support correspondence, and any other Personal Data the Customer chooses to submit through the Services. The Services are not intended to Process special category data, payment card data, or children's data, and the Customer must not submit such data except where expressly supported.

Frequency of Processing: continuous during the term.

Annex B — Technical and Organizational Measures

Passportbase implements measures including:

  • Encryption of Customer Personal Data in transit (TLS) and at rest for primary datastores;
  • Access controls based on least privilege, role-based permissions, and multi-factor authentication for administrative access;
  • Credential handling — full API key secrets are shown once and stored as hashes;
  • Network security including firewalling, DDoS mitigation, and rate limiting;
  • Logging and monitoring of security-relevant events with alerting for anomalous activity;
  • Backups and recovery with defined retention and restore procedures;
  • Change management with code review, automated testing, and deployment controls;
  • Vendor management including due diligence and contractual safeguards for Sub-processors;
  • Incident response processes for detection, triage, containment, notification, and remediation;
  • Personnel controls including confidentiality obligations and data protection training.

Passportbase reviews these measures periodically and updates them as the threat landscape evolves.