Data Processing Addendum
Version 2.0, November 2024
This Data Processing Addendum ("DPA") forms part of the Enterprise Customer Agreement, Vendor Agreement, Switched On App Ltd Trading as DocuRail Terms of Use available at www.DocuRail.com/terms-conditions, or other written or electronic agreement entered into between Switched On App Ltd Trading as DocuRail ("Switched On App Ltd Trading as DocuRail") and the undersigned customer ("Customer") for the provision of digital site solutions, application, optimisation, and related software services (the "Main Agreement").
All capitalised terms not defined in this DPA have the meaning given in the Main Agreement. Each of Switched On App Ltd Trading as DocuRail and the Customer may be referred to as a "party" and together as the "parties".
If the Customer entity identified in this DPA is not a direct contractual counterparty of Switched On App Ltd Trading as DocuRail (for example, it obtains services indirectly via an authorised reseller), this DPA is not valid or legally binding. Such entities should contact their vendor to determine whether amendments are required.
Switched On App Ltd Trading as DocuRail operates service deployments within the United Kingdom and selected European data regions ("Service Nodes"). Switched On App Ltd Trading as DocuRail commits to hosting all Customer data exclusively within the Customer’s chosen Service Node. Switched On App Ltd Trading as DocuRail personnel based outside of that region may require access to certain Personal Data for support, testing, or maintenance purposes. The parties anticipate that Switched On App Ltd Trading as DocuRail may process Personal Data outside of the UK or EU in compliance with Applicable Data Protection Laws.
Data Processing Terms
In providing the Service, Switched On App Ltd Trading as DocuRail may process Personal Data as Processor, Controller, or sub-Processor on behalf of Customer. Such processing will comply with Applicable Data Protection Laws. The parties enter into this DPA to ensure appropriate safeguards for such Personal Data.
1. Definitions
a) Affiliate: any corporate entity that Controls, is Controlled by, or is under Common Control with a party.
b) Switched On App Ltd Trading as DocuRail Group: Switched On App Ltd Trading as DocuRail UK Ltd and its Affiliates.
c) Applicable Data Protection Laws include:
- UK Data Protection Act 2018 and UK GDPR.
- EU GDPR where applicable.
- ePrivacy Directive 2002/58/EC.
- Any other relevant data protection laws to the extent they apply to the processing of Personal Data.
d) Controller, Processor and Data Subject: as defined under UK GDPR and EU GDPR.
e) Customer Group: the Customer and its Affiliates.
f) Restricted Transfer: a transfer of Personal Data to a country outside the UK or EEA that is not subject to an adequacy decision.
g) Service: all products, websites, apps, APIs, and related services provided by Switched On App Ltd Trading as DocuRail.
h) SCCs include:
- EU Standard Contractual Clauses (Implementing Decision 2021/914).
- UK International Data Transfer Addendum as issued by the ICO under s119A(1) of the Data Protection Act 2018.
Control definitions remain as in the original text.
2. Status of the Parties
- Customer acts as Controller or Processor on behalf of a third-party Controller.
- Switched On App Ltd Trading as DocuRail acts as Processor or sub-Processor where applicable.
- For Customer registration and usage data, Switched On App Ltd Trading as DocuRail acts as independent Controller.
3. Switched On App Ltd Trading as DocuRail Obligations
- Process Personal Data only in accordance with the Customer’s written instructions and Applicable Laws.
- Not sell, retain, use, or disclose Personal Data except as required for the Service.
- Maintain technical and organisational security measures (see Annex 2).
- Ensure confidentiality of staff handling Personal Data.
- Notify Customer without undue delay of any Personal Data Breach.
- Assist Customer with Data Subject Requests where feasible.
- Delete or return Personal Data upon termination of the Main Agreement unless law requires retention.
- Support Customer with data protection impact assessments, breach notifications, and security compliance on a cost-recovery basis.
4. Sub-Processing
- Switched On App Ltd Trading as DocuRail may engage sub-Processors including Switched On App Ltd Trading as DocuRail Group companies, data centre operators, and support providers.
- Customer is deemed to authorise these sub-Processors subject to a thirty (30) day objection period.
- Switched On App Ltd Trading as DocuRail will ensure sub-Processors are bound by equivalent contractual protections.
5. Audit and Records
- Customer may request evidence of compliance through external third-party audit reports (for example, SOC 2 or ISO 27001).
- Switched On App Ltd Trading as DocuRail will provide additional information required by supervisory authorities.
- One on-site audit per year if necessary, subject to cost reimbursement.
6. International Data Transfers
- Transfers outside the UK or EEA are subject to SCCs and/or the UK Addendum.
- Annexes 1 and 2 provide details of parties, processing, and security measures.
- In case of conflict, SCCs prevail.
7. Third-Party Data Access
- Switched On App Ltd Trading as DocuRail will notify Customer of government or third-party data requests unless prohibited by law.
- Switched On App Ltd Trading as DocuRail commits never to weaken encryption, provide backdoors, or grant bulk access to data.
8. General
- This DPA prevails over the Main Agreement in matters of Personal Data processing.
- Liability is governed by the Main Agreement, subject to Applicable Laws.
- Governing law is England and Wales, with jurisdiction of the English courts unless otherwise agreed in the Main Agreement.
- If any provision is invalid, the remainder of the DPA remains in effect.
Annex 1 – Description of Processing
Exporter: Customer (Controller).
Importer: Switched On App Ltd Trading as DocuRail UK Ltd, United Kingdom.
Data Subjects: Employees, contractors, administrators, end users.
Categories of Data: User credentials, identifiers, logs, Customer Content including potential special category data.
Purpose: Provision of the Service.
Duration: Term of the Main Agreement.
Supervisory Authority: UK Information Commissioner’s Office (ICO) and relevant EU authorities if EU GDPR applies.
Annex 2 – Security Measures
- Encryption (AES-256) and TLS for data in transit.
- Role-based access control with MFA.
- Logging and monitoring of access.
- Regular penetration testing and SOC 2 or ISO 27001 audits.
- Business continuity and disaster recovery planning.
- Data deletion and retention policies aligned with Customer control.
- Sub-Processors restricted to compliant, accredited providers (primarily Microsoft Azure).