Data Processing Agreement

1. Purpose

1.1 This data processing agreement (“DPA”) governs the processing of personal data by Basker Ltd (“Basker”) in connection with the provision of Services by Basker for the Customer pursuant to the terms and conditions to which this DPA is scheduled (the “Services Agreement”).

1.2 In this DPA, the terms defined in, or construed for the purposes of, the Services Agreement have the same meanings when used in this DPA (unless the same are otherwise defined in this DPA). At all times the following terms have the following meanings:

1.2.1 the terms “personal data”, “controller”, “processor”, “data subject”, “personal data breach”, “process/processing” and “supervisory authority” shall have the definitions provided to them under Data Protection Laws. “Controller” includes a “business” as defined under the CCPA and “processor” includes a “service provider” as defined under the CCPA.

1.2.2 a “sub-processor” is another processor engaged by Basker to process personal data; and

1.2.3 “SCCs” means the standard contractual clauses for the personal data transfers from an EU or UK controller to a processor established in third countries which do not ensure an adequate level of data protection as set out in (a) where the EU GDPR applies, the Annex to Commission Implementing Decision 2021/914 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, pursuant to the European Commission Decision of 4 June 2021, as may be updated by the European Commission from time to time; or (b) where the UK GDPR applies, the Standard Data Protection Clauses as issued by the Information Commissioner under s119A(1) DPA, in the form of an (i) International Data Transfer Agreement; or (ii) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.

1.3 The parties agree that for the purposes of Data Protection Laws, the Customer is the controller of its personal data and Basker the processor.

1.4 The Appendix to this DPA sets out the scope, nature and purpose of processing by Basker, the duration of the processing and the types of personal data and categories of data subject.

2 Customer obligations

2.1 The Customer instructs Basker to process the Customer’s personal data in accordance with this DPA.

2.2 The Customer is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Basker to process the Customer’s personal data.

3 Basker obligations

3.1 Basker must:

3.1.1 only process personal data in accordance with this DPA and the Customer’s instructions (unless legally required to do otherwise);

3.1.2 not sell, retain or use any personal data for any purpose other than in relation to the provision of the Services and as permitted by this DPA;

3.1.3 inform the Customer immediately if (in Basker’s opinion) the Customer’s instructions break Data Protection Laws;

3.1.4 use appropriate technical and organisational measures when processing personal data to ensure a level of security appropriate to the risk involved, as described in Basker’s information security policy from time to time;

3.1.5 notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data and provide the Customer with reasonable assistance as required under Data Protection Laws in responding to it;

3.1.6 ensure that anyone authorised by Basker to process personal data is committed to confidentiality obligations;

3.1.7 without undue delay, provide the Customer with reasonable assistance at the Customer’s expense with:

(a) data protection impact assessments;

(b) responses to data subjects’ requests to exercise their rights under Data Protection Laws; and

(c) engagement with supervisory authorities;

3.1.8 maintain records of processing activities carried out on the Customer’s behalf as required by Data Protection Laws;

3.1.9 allow for audits by making available to the Customer on request an audit report, which the Customer must treat confidentially (and the Customer may not exercise this right more than once per year); and

3.1.10 return personal data on written request from the Customer or delete the Customer’s personal data upon the termination of the Services Agreement, unless retention is legally required.

4 Compliance with laws

Each party must comply with Data Protection Laws in connection with personal data.

5 Sub-processing

5.1 The Customer authorises Basker to engage sub-processors when processing personal data. Basker’s existing sub-processors are listed in Appendix 2.

5.2 Basker must:

5.2.1 require its sub-processors to comply with obligations equivalent to its own under this DPA; and

5.2.2 inform the Customer of any intended additions or replacements of sub-processors by updating the list of sub-processors and give the Customer the opportunity to agree or object to such changes.

5.3 Basker is liable to the Customer for any acts and omissions of its sub-processors that would breach Basker’s obligations under this DPA as if they were a party to it.

6 International data transfers

6.1 The Customer agrees that Basker may transfer personal data outside of the European Economic Area or United Kingdom as required to perform the Services, as long as Basker ensures that all transfers comply with Data Protection Laws.

6.2 Any transfer of personal data from the UK or the EEA to third countries which do not ensure an adequate level of data protection where processors are established shall be in accordance with the SCCs. The SCCs shall come into effect and be incorporated from the date of the first relevant transfer. Any processing of such personal data shall be (i) under the SCCs; (ii) reflect the subject matter, purpose and scope of personal data processed under this DPA; and (iii) subject to the technical and organisational measures provided for by Basker. Either Party may, at any time with not less than 30 days’ notice, revise this paragraph 6.2 by replacing it with any applicable form of SCC with the agreement of both Parties by way of amendment to this DPA.

Appendix 1 - Data processing information

1 Subject matter of processing

Basker’s provision of the Services to the Customer.

2 Duration of the processing

In respect of the Customer’s personal data, the duration of the Services Agreement, plus up to thirty (30) days after the termination of the Services Agreement.

3 Nature and purpose of the processing

To provide the Services to the Customer including access to and use of the Application and set-up, maintenance and support services in relation to the Application.

4 Type of Personal Data

First and last name
Title
Position
Employer
Contact information (email address, phone, mailing address)
Professional life data
Personal life data

5 Categories of Data Subjects

Prospects, customers, business partners and vendors of the Customer or the Customer affiliates (who are natural persons)
Employees or contact persons of the Customer’s or the Customer affiliates’ prospects, customers, business partners and vendors
Employees, agents, advisors, freelancers of the Customer (who are natural persons)

6 Technical and organisational security measures

Described in Basker’s information security policy as updated from time to time.

Appendix 2 - Sub Processors

Name: Amazon Web Services
Service Provided: Hosting, file storage
Sub Processing Activity: Cloud Service Provider
Location of sub-processing activities: USA (North Virginia), EU (Dublin).

Name: MongoDB Atlas
Service Provided: Database management
Sub Processing Activity: Managed database services
Location of sub-processing activities: USA (North Virginia), EU (Dublin).

Name: Stripe
Service Provided: Payment processing
Sub Processing Activity: Payment gateway
Location of sub-processing activities: USA

Name: Sentry
Service Provided: Error tracking and monitoring
Sub Processing Activity: Application monitoring
Location of sub-processing activities: USA (North Virginia)

Name: Intercom
Service Provided: Customer support and communication
Sub Processing Activity: Customer support tools
Location of sub-processing activities: USA

Name: Anthropic (via AWS Bedrock)
Service Provided: AI processing
Sub Processing Activity: AI model processing
Location of sub-processing activities: USA (North Virginia)