Version 3.1 — Last updated: 1 March 2025
This DPA forms part of the Folelse Terms of Use and governs how we process personal data on your behalf as data processor under UK GDPR Article 28.
Enterprise subscribers can request a countersigned PDF DPA for their records. Contact our legal team at legal@folelse.co.uk.
Data Controller: The Customer, the organisation entering into a subscription agreement with Folelse.
Data Processor: Folelse Ltd (Co. No. 17132576, incorporated 1 April 2026), 6th Floor, 37 Lombard Street, London, EC3V 9BQ, United Kingdom.
In this Data Processing Agreement:
"Agreement" means this Data Processing Agreement together with all schedules.
"Controller" means the Customer (the organisation subscribing to Folelse).
"Processor" means Folelse Ltd (company number 17132576), acting on the Controller's instructions.
"Personal Data" has the meaning given in UK GDPR Article 4(1) — any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in UK GDPR Article 4(2).
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
"DPA 2018" means the Data Protection Act 2018.
2.1 This Agreement applies to all processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Folelse platform ("Service").
2.2 The subject matter, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Schedule 1 (Processing Details).
2.3 The Processor shall process Personal Data only on documented instructions from the Controller (including as set out in this Agreement), unless required to do so by applicable law.
The Processor shall:
3.1 Process Personal Data only on the documented instructions of the Controller and not for the Processor's own purposes.
3.2 Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
3.3 Implement the technical and organisational measures set out in Schedule 2 (TOMs) to ensure a level of security appropriate to the risk.
3.4 Not engage Sub-processors without the Controller's prior written authorisation, and maintain a Sub-processor list (Schedule 3).
3.5 Assist the Controller in responding to Data Subject rights requests, including access, erasure, rectification, and portability requests, taking into account the nature of the processing.
3.6 Assist the Controller in ensuring compliance with security obligations (Article 32), breach notifications (Articles 33–34), DPIAs (Article 35), and prior consultation (Article 36).
3.7 Delete or return all Personal Data to the Controller at the Controller's choice at the end of the Service, and delete existing copies unless otherwise required by applicable law.
3.8 Make available all information necessary to demonstrate compliance with this Article and allow for and contribute to audits and inspections.
The Controller shall:
4.1 Ensure it has a lawful basis for any processing it instructs the Processor to carry out.
4.2 Ensure the accuracy of Personal Data provided to the Processor.
4.3 Ensure appropriate Data Subject notices are in place for the processing described in Schedule 1.
4.4 Promptly notify the Processor of any change in instructions that may affect the Processor's compliance obligations.
4.5 Not instruct the Processor to carry out any processing that would breach applicable data protection law.
5.1 The Controller grants general written authorisation for the Processor to engage Sub-processors listed in Schedule 3.
5.2 The Processor shall inform the Controller of any intended addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
5.3 The Processor shall impose obligations equivalent to those in this Agreement on each Sub-processor and shall remain liable to the Controller for the Sub-processor's performance.
Current Sub-processors (Schedule 3):
• Microsoft Azure — cloud infrastructure, database, file storage and transactional email (United Kingdom, UK South region)
• WorkOS — authentication and single sign-on
• Stripe — payment processing
• Cloudflare — DNS, content delivery (CDN) and DDoS protection
The Processor implements the following Technical and Organisational Measures (Schedule 2):
Encryption: TLS 1.3 in transit; AES-256 at rest for all Customer Data.
Access controls: Role-based access with least-privilege; multi-factor authentication enforced for all staff and admin accounts.
Audit logging: Immutable logs of all data access and processing operations.
Vulnerability management: Automated dependency scanning; CREST-certified penetration testing annually.
Incident response: Documented incident response plan; breach notification within 24 hours of discovery (to allow Controller to meet the 72-hour ICO notification requirement).
Physical security: Microsoft Azure UK South data centres with ISO 27001 certification and SOC 2 Type II reports available on request.
Personnel: All Folelse staff with access to Customer Data undergo DBS checks and annual data protection training.
7.1 The Processor shall notify the Controller without undue delay (and in any event within 24 hours of becoming aware) of any Personal Data breach affecting Customer Data.
7.2 Notification shall include, to the extent known at the time: a description of the nature of the breach; categories and approximate number of Data Subjects concerned; categories and approximate number of records concerned; the likely consequences; and measures taken or proposed to address the breach.
7.3 The Processor shall cooperate fully with the Controller and take such steps as reasonably required to investigate, mitigate, and remediate the breach.
8.1 The Processor shall not transfer Personal Data outside the UK without the Controller's prior written consent.
8.2 Where any Sub-processor processes Personal Data outside the UK, the Processor shall ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or equivalent adequacy mechanisms.
8.3 The addendum to the ICO Standard Contractual Clauses (UK IDTA) for relevant Sub-processor transfers is incorporated by reference into this Agreement.
9.1 The Processor shall make available all information necessary to demonstrate compliance with Article 28 UK GDPR and this Agreement.
9.2 The Controller (or its appointed auditor) may, upon 30 days' written notice, conduct an audit of the Processor's data processing activities, no more than once per 12-month period, at the Controller's cost.
9.3 The Processor may satisfy audit obligations by providing relevant third-party certifications, penetration test reports, or SOC 2 Type II reports where available and relevant.
10.1 This Agreement shall remain in force for the duration of the Service Agreement between the parties.
10.2 On termination of the Service Agreement, the Processor shall, at the Controller's election: (a) return all Personal Data in a machine-readable format within 30 days; or (b) securely delete all Personal Data within 30 days and provide written confirmation.
10.3 The Processor may retain Personal Data where required by applicable law, notifying the Controller of the legal requirement.
Subject matter: Provision of the Folelse platform for GDPR compliance management.
Nature of processing: Storage, retrieval, organisation, structuring, erasure, and transmission of Personal Data as instructed by the Controller.
Purpose: Enabling the Controller to manage its data protection obligations under UK GDPR, DPA 2018, and (where applicable) NHS DSPT requirements.
Duration: For the term of the Service Agreement.
Types of Personal Data: Names, email addresses, job titles, and employee identifiers of the Controller's staff; Personal Data contained in compliance records (e.g. SAR responses, breach reports, ROPA entries) as determined by the Controller.
Special category data: May include health data where processed by NHS organisations for clinical information governance purposes.
Categories of Data Subjects: The Controller's employees, contractors, patients (where applicable), and data subjects whose data appears in compliance records.
This DPA is incorporated into the Folelse Terms of Use. By accepting the Terms of Use, the Controller agrees to this DPA. No further signature is required for standard subscription tiers. Enterprise subscribers may request a manually executed version at legal@folelse.co.uk.
Data Controller (Customer)
Signed
Name
Title
Date
Data Processor (Folelse Ltd)
Signed
Name
Title
Date