
Data Processing Agreement

Crakd Limited — crakd.ai
Effective date: 22 April 2026 · Last updated: 22 April 2026

1. Introduction

1.1. This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Terms") between Crakd Limited ("Crakd", "Processor", "we", "us") and the subscribing organisation ("Customer", "Controller", "you") and governs the processing of personal data by Crakd on behalf of the Customer.

1.2. Crakd Limited is a company registered in England and Wales under company number 16339368, with its registered office at 70 Home Park Road, London, England, SW19 7HN.

1.3. This DPA is entered into to ensure compliance with UK data protection legislation, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

1.4. In the event of a conflict between this DPA and the Terms, this DPA shall prevail in respect of data protection matters.

2. Definitions

In this DPA, unless otherwise defined, capitalised terms have the meanings given in the Terms. Additionally:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Crakd on behalf of the Customer through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, transmission, erasure, and destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by Crakd to process Personal Data on behalf of the Customer.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Supervisory Authority" means the Information Commissioner's Office (ICO) or any successor authority.

3. Scope and Roles

3.1. The Customer is the Controller and Crakd is the Processor in respect of the Personal Data described in this DPA.

3.2. The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Schedule 1 of this DPA.

3.3. Crakd shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law, in which case Crakd shall inform the Customer of that legal requirement before processing (unless prohibited by law from doing so).

4. Processor Obligations

Crakd shall:

  • 4.1. Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data outside the UK, unless required by law.
  • 4.2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 4.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR, including:
    • encryption of Personal Data in transit (TLS);
    • access controls and role-based permissions;
    • regular security testing and vulnerability assessments;
    • measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; and
    • a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
  • 4.4. Assist the Customer, taking into account the nature of processing, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under UK GDPR (including access, rectification, erasure, restriction, portability, and objection).
  • 4.5. Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Crakd.
  • 4.6. At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
  • 4.7. Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and the UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
  • 4.8. Immediately inform the Customer if, in Crakd's opinion, an instruction infringes the UK GDPR or other applicable data protection provisions.

5. Sub-processors

5.1. The Customer provides general authorisation for Crakd to engage Sub-processors. A list of current Sub-processors is available on request from support@crakd.ai.

5.2. Crakd shall inform the Customer of any intended changes to Sub-processors (additions or replacements) at least 14 days before the change takes effect, giving the Customer the opportunity to object.

5.3. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If the objection cannot be resolved within 30 days, the Customer may terminate the affected part of the Service by providing written notice.

5.4. Where Crakd engages a Sub-processor, Crakd shall:

  • impose data protection obligations on the Sub-processor that are no less protective than those set out in this DPA;
  • ensure the Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures; and
  • remain fully liable to the Customer for the performance of the Sub-processor's obligations.

6. International Transfers

6.1. Crakd shall not transfer Personal Data outside the United Kingdom unless:

  • the transfer is to a country that has been deemed to provide an adequate level of protection by the UK Secretary of State;
  • appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses; or
  • a specific derogation under UK GDPR applies.

6.2. Where a transfer relies on appropriate safeguards, Crakd shall provide the Customer with details of the safeguards on request.

7. Personal Data Breach

7.1. Crakd shall notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.

7.2. The notification shall include, to the extent available:

  • a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
  • the name and contact details of the point of contact at Crakd;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken or proposed to address the breach, including measures to mitigate its effects.

7.3. Crakd shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

7.4. Notification of a breach shall not be construed as an acknowledgement of fault or liability by Crakd.

8. Data Subject Requests

8.1. If Crakd receives a request from a Data Subject in relation to their Personal Data, Crakd shall promptly redirect the Data Subject to the Customer and notify the Customer of the request.

8.2. Crakd shall not respond to a Data Subject request directly unless instructed to do so by the Customer or required by applicable law.

8.3. Crakd shall provide reasonable assistance to the Customer in responding to Data Subject requests, taking into account the nature of processing.

9. Audit Rights

9.1. Crakd shall make available to the Customer, on request, all information reasonably necessary to demonstrate compliance with this DPA.

9.2. The Customer (or an independent third-party auditor appointed by the Customer) may conduct an audit of Crakd's processing activities, subject to:

  • at least 30 days' prior written notice;
  • the audit being conducted during normal business hours;
  • the auditor entering into appropriate confidentiality obligations; and
  • the audit not unreasonably disrupting Crakd's operations.

9.3. If an audit reveals a material non-compliance, Crakd shall take prompt corrective action at its own cost.

9.4. Crakd may satisfy audit requests by providing relevant certifications, audit reports, or summaries of third-party assessments, where available.

10. Data Retention and Deletion

10.1. Crakd shall process Personal Data only for the duration of the Subscription, unless otherwise required by applicable law.

10.2. Upon termination or expiry of the Subscription, Crakd shall, at the Customer's choice:

  • return all Personal Data to the Customer in a structured, commonly used, and machine-readable format; or
  • securely delete all Personal Data and confirm deletion in writing.

10.3. Crakd shall complete the return or deletion within 30 days of termination, unless applicable law requires continued storage.

10.4. Operational data transmitted via the Crakd Gateway is accessed on demand from the Customer's Opera database and is not retained by Crakd beyond what is necessary for active processing sessions.

11. Liability

11.1. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.

11.2. Nothing in this DPA limits either party's liability for breaches of UK GDPR to the extent that such liability cannot be limited under applicable law.

12. Schedule 1 — Processing Details

Subject matter and duration

The processing of Personal Data by Crakd as necessary to provide the Crakd platform and automation applications to the Customer for the duration of the Subscription.

Nature and purpose of processing

Accessing, retrieving, and processing data from the Customer's Pegasus Opera database via the Crakd Gateway for the purposes of:

  • providing real-time dashboards and financial reporting;
  • automating bank reconciliation and payment matching;
  • processing direct debit receipts via GoCardless integration;
  • automating procurement workflows (invoice capture, approval, posting);
  • automating supplier statement reconciliation and response; and
  • any additional Apps subscribed to by the Customer.

Types of Personal Data

  • Contact details of the Customer's suppliers and customers (names, email addresses, business phone numbers)
  • Contact details of the Customer's employees/Users (names, email addresses, job titles)
  • Invoice references, transaction references, and payment information
  • User account data (name, email, login credentials)

Categories of Data Subjects

  • Customer's authorised Users (employees, contractors)
  • Customer's suppliers' contact persons
  • Customer's customers' contact persons

13. Contact

For questions about this Data Processing Agreement or to exercise your rights:

Crakd Limited

70 Home Park Road, London, England, SW19 7HN

Email: support@crakd.ai

Company number: 16339368

© 2026 Crakd.ai. All rights reserved.