Last Updated: April 02, 2026
This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement (“Agreement”) between Reg X Innovations Ltd. (“Processor” or “Reg X”) and the entity identified in the Agreement (“Controller” or “Customer”).
This DPA reflects the parties’ agreement with respect to the Processing of Personal Data in accordance with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the Data Protection Act 2018, and any successor or implementing legislation.
1. DEFINITIONS
1.1 Capitalized terms not otherwise defined in this DPA shall have the meanings set out in the Agreement or the GDPR.
1.2 “Personal Data”, “Processing”, “Controller”, “Processor”, and “Data Subject” shall have the meanings set out in the GDPR.
1.3 “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, the UK GDPR, the Data Protection Act 2018, and any applicable national implementing or successor laws.
1.4 “Personal Data Breach” shall have the meaning given in Article 4(12) of the GDPR.
1.5 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. SUBJECT MATTER AND SCOPE
2.1 This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of services under the Agreement.
2.2 The details of the Processing, including subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Annex I to this DPA.
3. COMPLIANCE AND COOPERATION
3.1 The parties acknowledge that:
- (a) the Controller acts as the Data Controller; and
- (b) Reg X acts as the Data Processor.
3.2 The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. Where such legal requirement exists, the Processor shall inform the Controller of that requirement before Processing, unless prohibited by law.
3.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Laws.
3.4 The Controller shall ensure that it has, and will continue to have, all necessary rights, consents, and lawful bases to provide Personal Data to the Processor and shall be responsible for the accuracy, quality, and legality of the Personal Data.
4. COMPLIANCE AND ASSISTANCE
4.1 The Processor shall comply with all applicable Data Protection Laws in its role as Processor.
4.2 Taking into account the nature of the Processing, the Processor shall reasonably assist the Controller, at the Controller’s cost and expense, in fulfilling its obligations under Data Protection Laws, including with respect to:
- responding to Data Subject requests under Articles 12–23 GDPR;
- ensuring compliance with Articles 32–36 GDPR;
- conducting Data Protection Impact Assessments; and
- consulting supervisory authorities where required.
4.3 Where the Processor receives a request directly from a Data Subject, it shall not respond to such request unless authorized to do so by law, and shall promptly notify the Controller.
5. CONFIDENTIALITY
5.1 The Processor shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and receive appropriate data protection and information security training.
5.2 Access to Personal Data shall be limited to personnel who require such access for the performance of the services.
6. SECURITY MEASURES
6.1 The Processor shall implement and maintain appropriate technical and organizational measures (“TOMs”) to ensure a level of security appropriate to the risk, including, as appropriate:
- encryption of data in transit and at rest;
- access controls and least-privilege principles;
- multi-factor authentication;
- logging and monitoring;
- secure development practices;
- business continuity and disaster recovery measures.
6.2 The technical and organizational measures implemented by the Processor are described in Annex II. The Processor may update such measures from time to time, provided that any update does not materially reduce the overall level of protection afforded to the Personal Data.
7. SUB-PROCESSORS
7.1 The Controller provides general authorization for the Processor to engage Sub-processors.
7.2 The Processor shall maintain an up-to-date list of Sub-processors and shall provide at least thirty (30) days’ prior notice of any intended changes. The Controller may object to the engagement of a new Sub-processor on reasonable data protection grounds by providing written notice within the notice period.
7.3 The Processor shall ensure that each Sub-processor is engaged under a written agreement imposing data protection obligations equivalent to those set out in this DPA and shall remain fully liable for the performance of its Sub-processors.
8. INTERNATIONAL DATA TRANSFERS
8.1 Where Personal Data is transferred outside the EEA, the United Kingdom, or Switzerland to a jurisdiction not subject to an adequacy decision, the parties shall rely on appropriate safeguards, including:
- the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914);
- the UK International Data Transfer Addendum; and
- Swiss adaptations, where applicable.
8.2 The Processor shall implement supplementary measures where required to ensure an essentially equivalent level of protection, taking into account applicable regulatory guidance and relevant case law.
9. PERSONAL DATA BREACHES
9.1 The Processor shall notify the Controller without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Personal Data Breach.
9.2 The notification shall include, to the extent available:
- a description of the nature of the Personal Data Breach;
- the categories and approximate number of affected Data Subjects;
- the likely consequences of the breach; and
- the measures taken or proposed to mitigate its effects.
10. AUDIT AND COMPLIANCE
10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
10.2 The Processor may satisfy audit obligations by providing relevant third-party certifications (such as ISO 27001 or SOC 2 reports) or standardized security questionnaires.
10.3 The Controller may conduct audits no more than once per year, upon reasonable prior notice, at its own cost, and subject to the Processor’s reasonable confidentiality and security requirements, provided that such audits do not materially disrupt the Processor’s operations.
11. DATA RETENTION AND DELETION
11.1 Upon termination or expiry of the Agreement, the Processor shall retain Personal Data for a period of six (6) months, unless otherwise agreed in writing or required to comply with applicable law.
11.2 Upon expiration of the retention period, the Processor shall delete or irreversibly anonymize the Personal Data and, upon request, return Personal Data to the Controller in a commonly used, machine-readable format.
12. GOVERNMENT ACCESS REQUESTS
12.1 The Processor shall not disclose Personal Data to public authorities except as required by applicable law.
12.2 Where legally permitted, the Processor shall notify the Controller of any such request and shall challenge unlawful or disproportionate requests.
12.3 Any disclosure shall be limited to the minimum amount of data legally required.
12.4 The Processor may publish aggregated transparency reports regarding government access requests where legally permitted.
13. LIABILITY
13.1 Each party’s liability under this DPA shall be subject to the limitations of liability set out in the Agreement.
13.2 Nothing in this DPA shall limit or exclude any liability that cannot be limited or excluded under applicable Data Protection Laws.
14. ORDER OF PRECEDENCE
14.1 In the event of any conflict between this DPA, the Agreement, and the Standard Contractual Clauses:
- (a) the Standard Contractual Clauses shall prevail;
- (b) this DPA shall prevail over the Agreement with respect to data protection matters.
15. CONTACT DETAILS
Reg X Innovations Ltd.
Email: [email protected]
Address:
30 Churchill Place
Canary Wharf Estate
London E14 5RE
United Kingdom
ANNEX I – DETAILS OF PROCESSING
Data Subjects:
Employees, authorized users, client representatives, end customers.
Categories of Personal Data:
Identification data, contact details, professional data, system usage data, regulatory reporting data.
Nature of Processing:
Hosting, storage, transmission, analysis, monitoring, technical support.
Purpose of Processing:
Service delivery, compliance, billing, security, service improvement.
Retention Period:
Six (6) months following termination of the Agreement.
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES
The Processor maintains appropriate technical and organizational measures, including:
- Information security management system aligned with ISO/IEC 27001
- Role-based access control and multi-factor authentication
- Encryption using industry-standard protocols (TLS 1.2+ and AES-256)
- Network security, vulnerability management, and penetration testing
- Secure software development lifecycle and application testing
- Logging, monitoring, and SIEM
- Incident response procedures
- Business continuity and disaster recovery plans
- Vendor risk management
- Employee training and confidentiality controls
ANNEX III – STANDARD CONTRACTUAL CLAUSES
The parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.
Modules 2 (Controller to Processor) and 3 (Processor to Processor) apply as relevant.
The UK International Data Transfer Addendum and Swiss adaptations apply where required.
Governing Law: England and Wales.



