Data Processor Agreement

    Data Processing Agreement (DPA)

    Document Reference: DC-DPA-2026-V1
    Last Modified: June 2026
    Classification: Legal Infrastructure & Compliance Framework

    PREAMBLE & BINDING NATURE

    This Customer Data Processing Addendum, including its schedules and appendices (the "Addendum"), is entered into between Data Compass Ltd (Company No: 16430399), whose registered office is at Rosings, Smarden Rd, Headcorn, Kent, TN27 9HP, United Kingdom ("Data Compass"), and the corporate counterparty accepting this Addendum ("Customer").

    This Addendum is incorporated by reference into, and forms part of, the Data Compass Terms of Service or alternative core software subscription agreement (the "Agreement"). It governs the processing of personal data uploaded, ingested, or managed via the Data Compass operational operating system platform. In the event of any conflict or inconsistency between the terms of the Agreement and this Addendum, the terms of this Addendum shall take precedence concerning data processing obligations.

    1. DEFINITIONS

    In this Addendum, the following terms shall have the meanings set out below:

    • 1.1. "Account" means any system instances or enterprise profiles created by or on behalf of the Customer within the Data Compass environment.
    • 1.2. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with one of the parties.
    • 1.3. "Applicable Data Protection Laws" means all regional data privacy laws applicable to the Processing of Customer Personal Data, specifically including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR), as amended or replaced.
    • 1.4. "Contracted Processor" means any third-party infrastructure vendor or operational entity appointed by or on behalf of Data Compass to process Customer Personal Data.
    • 1.5. "Customer Personal Data" means any Personal Data contained within the Customer data pipeline that Data Compass processes on behalf of the Customer to deliver the platform services. It explicitly excludes the Customer’s meta-account billing info or basic relationship management details where Data Compass acts as a standalone Controller.
    • 1.6. "Restricted Transfer" means a transfer of Customer Personal Data to a country outside the United Kingdom or European Economic Area (EEA) which is not recognized by competent authorities as providing an adequate level of data protection.
    • 1.7. "Services" means the provision of the Data Compass operational operating system on a monthly/yearly subscription built natively upon white-labeled underlying technology frameworks.
    • 1.8. "Standard Contractual Clauses" (SCCs) means the model clauses approved by the European Commission or the UK Information Commissioner’s Office (ICO) for international data transfers.

    Terms such as "Controller", "Processor", "Data Subject", "Processing", "Personal Data Breach", and "Supervisory Authority" shall be interpreted in accordance with Applicable Data Protection Laws.

    2. SCOPE, APPLICATION, AND OPERATIONAL BOUNDARIES

    • 2.1. Duration: This Addendum takes effect on the Effective Date of the Agreement and remains in full force concurrently for the duration that Customer Personal Data is processed within our system architecture.
    • 2.2. Scope: This Addendum applies globally to all Customer Personal Data processed by Data Compass across all communication pipelines and functional modules.
    • 2.3. Structural Compliance Boundaries:
      • The Revenue Interface Boundary: The Unified Revenue Core module operates strictly as a transactional contract-to-cash pipeline accelerator, digital sign-off engine, and billing trigger mechanism. It does not process data for automated tax compliance, CPA ledger accounting, or regulatory bookkeeping. The Customer acknowledges that controllership for regulatory financial ledger compliance remains entirely external to Data Compass.
      • The Logic-Driven AI Boundary: Artificial Intelligence capabilities within Data Compass operate strictly as logic-driven structural systems built on a native ecosystem to execute autonomous background routines, triage inbound conversational threads, and process URL knowledge-base ingestion. These features do not constitute unverified standalone neural net forecasting engines, and processing occurs dynamically based on the Customer's consumption of AI Compute Tokens.

    3. ROLE OF THE PARTIES & DOCUMENTED INSTRUCTIONS

    • 3.1. Controllership Division: The Customer acts as the Controller of Customer Personal Data, and Data Compass acts as the Processor. Where the Customer acts as a Processor to its own downstream enterprise clients, Data Compass acts as a Sub-Processor.
    • 3.2. Documented Instructions: Data Compass shall process Customer Personal Data exclusively on the Customer's documented instructions. This Addendum and the Agreement constitute the complete and finalized instructions from the Customer to Data Compass.
    • 3.3. Optimization and Telemetry Authorization: The Customer explicitly instructs and authorizes Data Compass to anonymize, de-identify, or aggregate Customer Personal Data to run automated workflow triage validation, optimize communication routing health, and manage system performance parameters within the platform.
    • 3.4. Infringement Warning: Data Compass shall immediately inform the Customer if, in its professional opinion, a processing instruction given by the Customer infringes Applicable Data Protection Laws.

    4. COMPLIANCE ASSURANCES & PERSONNEL PRIVILEGES

    • 4.1. Confidentiality Vetting: Data Compass ensures that all employees, contractors, and engineering personnel who have access to Customer Personal Data are bound by strict contractual or statutory obligations of confidentiality.
    • 4.2. Access Minimization: Access to the Customer's instance ledger is dynamically restricted to those technicians and support personnel who strictly require such access to maintain infrastructure stability, resolve system errors, or fulfill Customer-initiated support tickets.

    5. SECURITY OF PROCESSING

    • 5.1. Technical and Organizational Measures (TOMs): Data Compass maintains rigorous security measures to protect Customer Personal Data against unauthorized access, alteration, disclosure, or destruction. Because the platform is built completely on top of premier cloud infrastructure, our environment inherits state-of-the-art administrative and logical safeguards including:
      • Native AES-256 data encryption at rest and TLS 1.3 transit encryption across all API routing endpoints.
      • Isolated container security frameworks and continuous logical firewalls hosted via Google Cloud Services and Amazon Web Services (AWS).
      • Real-time security access control logging and centralized vulnerability tracking.

    6. AUTHORIZED CONTRACTED PROCESSORS (SUB-PROCESSORS)

    • 6.1. General Authorization: The Customer provides general written authorization for Data Compass to engage Contracted Processors to perform specialized backend functions (such as telephony hosting, email delivery layers, and billing gateways).
    • 6.2. Current Sub-Processor Infrastructure: The Customer explicitly authorizes the engagement of the sub-processors detailed within the Data Compass Enterprise Sub-Processor Disclosure Document, including Google Cloud, AWS, Twilio, Mailgun, Stripe, and OpenAI.
    • 6.3. Notification of Amendments: Data Compass shall provide notice of any planned additions or replacements to its authorized sub-processors. Customers can monitor infrastructure updates or request systemic notices by reviewing our legal portal or contacting data@datacompass.co.uk.
    • 6.4. Objection Protocol: The Customer may object to a new sub-processor within fourteen (14) days of notification by submitting a reasonable statement of security non-compliance to data@datacompass.co.uk. The parties will review the objection in good faith. If a commercially viable alternative is unavailable, the Customer may terminate the Agreement upon written notice without incurring termination penalties, subject to settling all outstanding fuel consumption fees accrued up to the termination date.
    • 6.5. Downstream Liability: Data Compass remains fully liable to the Customer for the performance of its Contracted Processors' data protection obligations to the extent required under Applicable Data Protection Laws.

    7. RIGHTS OF THE DATA SUBJECTS

    • 7.1. Regulatory Cooperation: Data Compass shall implement appropriate technical workflows to assist the Customer in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws (including access, rectification, erasure, and portability requests).
    • 7.2. Inbound Request Hand-off: If Data Compass or any Contracted Processor receives a direct request from a data subject regarding Customer Personal Data, Data Compass will forward the query to the Customer without undue delay and will not respond to the data subject directly unless legally compelled to do so.

    8. PERSONAL DATA BREACH MANAGEMENT

    • 8.1. Triage & Containment: In the event of a confirmed or reasonably suspected Personal Data Breach impacting Customer Personal Data, Data Compass shall immediately implement containment measures to halt unauthorized access and isolate the affected ledger nodes.
    • 8.2. Notification Window: Data Compass shall notify the Customer without undue delay, and in any event within seventy-two (72) hours of acquiring verified awareness of the breach.
    • 8.3. Information Disclosure: The breach notification will detail the nature of the security incident, the categories and approximate numbers of data records compromised, the anticipated operational impact, and the remediation steps executed or planned by Data Compass.
    • 8.4. Exclusion of Fault: A notification issued under this Section shall not be construed as an admission of fault, legal liability, or negligence by Data Compass.

    9. ASSISTANCE AND COMPLIANCE AUDITS

    • 9.1. Regulatory Impact Assessments: Taking into account the information available to us, Data Compass shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) or consulting with the ICO or other supervisory bodies.
    • 9.2. Audit Parameters: Data Compass shall contribute to audits and system inspections conducted by the Customer or an approved independent auditor. Audits must be requested with reasonable notice, conducted during normal business hours, and structured to prevent operational disruption to our multi-tenant cloud environment. The Customer shall reimburse Data Compass for engineering hours expended during such audits at our then-current professional services rates.

    10. DELETION OR RETURN OF DATA

    • 10.1. Cessation Scenarios: Upon termination or expiration of the software subscription service, Data Compass shall, at the choice of the Customer, delete or return all Customer Personal Data residing within active database ledgers, except where retention is strictly mandatory under applicable UK or European statutes.
    • 10.2. Backup Isolation: Residual data residing on archived, non-indexed backup systems will be securely isolated, excluded from further processing operations, and left to expire in accordance with our standard lifecycle rotation protocols.

    11. INTERNATIONAL DATA TRANSFERS (RESTRICTED TRANSFERS)

    • 11.1. Cross-Border Mechanics: Because the underlying runtime infrastructure utilizes primary storage clusters located in the United States, Restricted Transfers of Customer Personal Data will be executed via legally recognized transfer mechanisms.
    • 11.2. Contractual Safeguards: Transfers to non-adequate third countries are governed by the appropriate Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum, which are deemed executed upon the activation of the Customer's Account. Data Compass ensures that its primary upstream platform providers remain fully aligned with authorized data protection networks, such as the UK Extension to the EU-U.S. Data Privacy Framework.

    12. COMMERCIAL INTEGRITY: NO SELLING OF DATA

    • 12.1. Data Ownership: Data Compass explicitly acknowledges that it receives no personal data as consideration or currency. As between the parties, the Customer retains absolute ownership, title, and intellectual rights over all ingested Customer Personal Data. Data Compass shall never sell, rent, trade, or commercially exploit Customer Personal Data.

    13. GOVERNANCE AND CONTACT

    • 13.1. Formality of Comms: All formal regulatory notifications, breach reporting updates, or inquiries concerning this DPA must be routed directly to the Data Compass Compliance Desk via data@datacompass.co.uk.
    • 13.2. Severability: If any provision of this Addendum is found by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the clauses shall continue in full force and effect, and the invalid segment will be substituted with a lawful provision that most closely preserves our commercial and compliance intent.

    Corporate Contact Information

    Data Compass Ltd is a registered corporate entity in England and Wales (Company No: 16430399).

    Registered Office: Rosings, Smarden Rd, Headcorn, Kent, TN27 9HP.

    Contact: data@datacompass.co.uk