Data Processing Addendum
Last updated: 1st October 2023
Introduction
FUTUREPROOF TECH LTD (“Futureproof”, “we”, “us”, “our”) has contracted to provide you (“you”, “your(s)”, “user”) with our cloud-based sustainability management software as a service called Futureproof through the Futureproof website (“Services”).
Futureproof has agreed to provide Services to you in accordance with the terms of the Terms of Service. In providing these Services, we shall process Customer Personal Data (as defined below) on your behalf. From the date that you agree to the Terms of Service, we will process and protect such Customer Personal Data in accordance with the terms of this Data Protection Addendum for the duration of your subscription to the Services.
You acknowledge that we may process personal data provided by you as a controller to provide the Services. Information regarding our obligations as a controller and your rights as a data subject are set out in our Privacy Policy. For personal data that we process under your instructions, we are a processor, and you hereby confirm that you have all necessary appropriate consents and notices in place to enable lawful transfer of such personal data to us.
Interpretation
In this DPA, save where the context requires otherwise, the following words and expressions have the following meaning:
"Customer Personal Data" means any personal data that you make available to us in connection with the provision of the Services, including, the personal data identified in Annex A;
"DPA" or "Data Protection Addendum" means this data processing addendum;
"DPA 2018" means the Data Protection Act 2018;
"Data Protection Laws" means the GDPR, any national implementing or supplementary legislation and any other applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Customer Personal Data;
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
"GDPR" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the "EU GDPR") and, where applicable, the "UK GDPR" as defined in The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019;
"ICO" means the UK Information Commissioner's Office;
"Objection" has the meaning given to it in paragraph 2.4;
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;
"Sub-Processor" means any processor engaged by Futureproof who agrees to receive Customer Personal Data from Futureproof; and
The terms "controller", "processor", "data subject", "personal data", "process" and "supervisory authority" shall have the same meaning as set out in the GDPR.
1. Data Processing
1.1. Futureproof will only process Customer Personal Data in accordance with: (a) the Terms of Service, to the extent necessary to provide the Services to you; and (b) your written instructions,
unless processing is required by European Union, Member State or UK law to which Futureproof is subject, in which case Futureproof shall, to the extent permitted by applicable law, inform you of that legal requirement before processing that Customer Personal Data.
1.2. The Terms of Service (subject to any changes to the Services) and this DPA shall be your complete and final instructions to Futureproof in relation to the processing of Customer Personal Data.
1.3. Processing outside the scope of this DPA or the Terms of Service will require prior written agreement between you and Futureproof on additional instructions for processing.
1.4. You shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful processing of Customer Personal Data by Futureproof in accordance with the Terms of Service.
1.5. You will obtain any consents required under applicable Data Protection Laws for the lawful processing of Customer Personal Data by Futureproof in accordance with the Terms of Service.
2. Sub-Processors
2.1. You agree that Futureproof may use the Sub-Processors set out in Annex A to process Customer Personal Data, provided it enters into a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor with regard to their processing of Customer Personal Data as are imposed on Futureproof under this DPA.
2.2. Futureproof shall provide you with fourteen (14) days' notice of any proposed changes to the Sub-Processors it uses to process Customer Personal Data (including any addition or replacement of any Sub-Processors).
2.3. You may, on reasonable grounds, object to Futureproof's use of a new Sub-Processor by providing Futureproof with:
(a) written notice within seven (7) days after Futureproof has provided notice to you as described in paragraph 2.2;
(b) documentary evidence that reasonably shows that the Sub-Processor does not or cannot comply with the requirements in this DPA (an "Objection").
2.4. In the event of an Objection, Futureproof will use reasonable endeavours to make available to you a commercially reasonable change to the Services to prevent the applicable Sub-Processor from processing the Customer Personal Data. If Futureproof is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate, without penalty, the Terms of Service by providing written notice to the other party.
3. International Transfers
3.1. Futureproof shall not transfer the Customer Personal Data to a recipient in a country or territory outside the UK or EEA unless:
(a) the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Customer Personal Data as set out in the DPA 2018 or regulations made by the UK Secretary of State under the DPA 2018; or
(b) the transfer is based on:
(i) the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593;
(ii) the appropriate module of the Standard Contractual Clauses annexed to the Commission Implementing Decision C/2021/3972, in each case as amended and approved by the ICO for use in respect of transfers subject to the UK GDPR; or
(c) the transfer is:
(i) based on any other transfer mechanism approved by the ICO; or
(ii) otherwise lawful under the GDPR.
4. Data Security, Audits and Security Notifications
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Futureproof shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures listed in Article 32(1) of the GDPR.
4.2. You may, upon reasonable notice and at reasonable times, audit (either yourself or using independent third party auditors) Futureproof’s compliance with the security measures set out in this DPA, including by conducting audits of Futureproof's data processing facilities. Futureproof shall assist with, and contribute to, any audits conducted in accordance with this paragraph 4.2, provided that:
(a) such audits are not, other than following a Security Incident, carried out more than once a year;
(b) you reimburse Futureproof for any costs or expenses charged to or incurred by Futureproof in arranging access to its Sub-Processors' processing facilities.
4.3. Upon your request, Futureproof shall make available all information reasonably necessary to demonstrate compliance with this DPA.
4.4. Where required under Article 28(3)(h) of the GDPR, Futureproof shall immediately notify you in the event that Futureproof believes your instructions conflict with the requirements of the GDPR or other EU, Member State or UK laws.
4.5. If Futureproof or any Sub-Processor becomes aware of a Security Incident, Futureproof will:
(a) notify you of the Security Incident without undue delay;
(b) investigate the Security Incident and provide such reasonable assistance to you (and any law enforcement or regulatory official) as required to investigate the Security Incident; and
(c) take steps to remedy any non-compliance with this DPA.
4.6. Futureproof shall treat the Customer Personal Data as your confidential information, and shall ensure that any employees or other personnel that have access to the Customer Personal Data have agreed to protect the confidentiality and security of the Customer Personal Data and do not process such Customer Personal Data other than in accordance with this DPA.
5. Access Requests and Data Subject Rights
5.1. Save as required (or where prohibited) under applicable law, Futureproof shall notify you of any request received by Futureproof from a Data Subject, whether directly or through a Sub-Processor, in respect of their Personal Data included in the Customer Personal Data.
5.2. Futureproof shall:
(a) provide you with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Services; or
(b) where requested by you, promptly correct, delete, block, access or copy Customer Personal Data within the Services.
5.3. Futureproof shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6. Assistance
6.1. Where applicable, taking into account the nature of the processing, and to the extent required under applicable Data Protection Laws, Futureproof shall:
(a) use all reasonable endeavours to assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising data subject rights laid down in the GDPR; and
(b) provide reasonable assistance to you with any data protection impact assessments and with any prior consultations to any Supervisory Authority of yours,
in each case solely in relation to processing of Customer Personal Data and taking into account the information available to Futureproof.
7. Duration and Termination
7.1. Subject to paragraph 7.2 below, Futureproof shall, within ninety (90) days of the date of cancellation of the Services:
(a) if requested to do so by you, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Futureproof; and
(b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by Futureproof or any Sub-Processors.
7.2. Futureproof and its Sub-Processors may retain Customer Personal Data to the extent required by applicable law, or as Futureproof may deem necessary to prosecute or defend any legal claim, provided that such Customer Personal Data is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue, and always provided that Futureproof shall ensure the confidentiality of all such Customer Personal Data.
ANNEX A
Personal Data Processing Purposes And Details:
Subject Matter: Provision of the Services
Duration of Processing: Duration of customer’s subscription to the Services
Data Processing Activities: Storing and managing environmental, social and governance records and documents, and facilitating sustainability processes.
Purposes:
● To enable users to use the Futureproof application.
● To improve the functionality of the Futureproof application.
Personal Data Categories:
To use the application, the user who signs up to the Services must provide the following information:
● First and last name
● Job role
● Email address
● Company name
● Company address
● Carbon emission data (e.g. travel, energy usage)
In addition to the above personal data categories, Futureproof processes:
● IP address information
Once users have signed up, all further data collection is optional, and the list of types of personal data collected can be customised and extended by the user, and it is their responsibility to communicate their requirements on personal data to their employees.
The application encourages but does not require the user to use the service to collect various personal data on employees, including but not limited to:
● First and last name
● Professional email addresses
● Any other personal data contained in the data provided by the user
The application encourages but does not require the user to use the service to collect various personal data on companies, including but not limited to:
● Company name
● Company website
● Company logo
● Company brand colours
● Company documents (policies, surveys, trainings and others)
● Company data for environmental measurement (energy, travel, expenditure)
● Company objectives
● Company ESG data
● Company suppliers
● Company employees, team and admins
● Any other company data contained in the data provided by the user
Approved Sub-Processors
Sub-Processors used for application infrastructure:
Entity: Amazon Web Services
● Processing activity: Infrastructure and web hosting
● Entity location: USA, Oregon
Entity: Bubble
● Processing activity: Development software
● Entity location: USA
Entity: Google
● Processing activity: Analytics, ads
● Entity location: USA and EU
Sub-Processors used for communication and customer support:
Entity: Sendgrid
● Processing activity: Marketing emails
● Entity location: USA
Entity: EmailOctopus
● Processing activity: Marketing emails
● Entity location: EU
Entity: GoCardless
● Processing activity: Payments
● Entity location: EU
Entity: Notion
● Processing activity: Customer relationship management
● Entity location: USA
Entity: Slack
● Processing activity: Internal comms
● Entity location: USA
Entity: DocuSign
● Processing activity: Contracts
● Entity location: USA and EU
Entity: Xero
● Processing activity: Bookkeeping
● Entity location: USA