Satmart

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Specialist Electronics Ltd, trading as Satmart (company number 17060942, registered in England and Wales), and the counterparty identified in the Terms of Service or in a signed order form (the "Customer"). It applies where Satmart processes personal data on behalf of the Customer in connection with the services we provide (the "Services") and the Customer acts as the data controller. Where the relationship is one of independent controllers (typical for retail consumers ordering from the Satmart catalogue), this DPA does not apply and the Privacy Policy governs our processing.

Last updated May 28, 2026

1. Definitions

Terms used in this DPA have the same meaning as in the UK General Data Protection Regulation and (where applicable) the EU GDPR. Where this DPA refers to "Applicable Data Protection Law" it means, as the case may be, the UK GDPR, the Data Protection Act 2018, the EU GDPR, the Privacy and Electronic Communications Regulations 2003, and any other data-protection law or guidance of a competent supervisory authority that applies to the parties' processing.

2. Subject-matter and roles

The subject-matter of the processing under this DPA is the personal data submitted to the Services by or on behalf of the Customer, as further described in Annex A. The Customer is the controller and Specialist Electronics Ltd is the processor for this personal data. Where Specialist Electronics Ltd processes personal data for its own purposes (for example, internal analytics, fraud prevention, or to comply with legal obligations such as AML/KYC recordkeeping), Specialist Electronics Ltd acts as a controller and the Privacy Policy applies.

3. Processor obligations

We will:

  • Process personal data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by law (in which case we will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Take all measures required pursuant to Article 32 of UK/EU GDPR, as further set out in Annex B.
  • Respect the conditions for engaging sub-processors set out in clause 6.
  • Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.
  • Assist the Customer in ensuring compliance with its obligations pursuant to Articles 32 to 36 of UK/EU GDPR taking into account the nature of processing and the information available to us.
  • At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless storage is required by Applicable Data Protection Law.
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (subject to the conditions in clause 8).

4. Customer obligations

The Customer warrants that it has provided all required notices and, where relevant, obtained all necessary consents from data subjects to permit our processing of their personal data under the agreement and this DPA. The Customer is responsible for the accuracy of the personal data it submits, for ensuring that its instructions comply with Applicable Data Protection Law, and for assessing the legality of any disclosure of personal data to Specialist Electronics Ltd under this DPA.

5. Security

We will implement and maintain the technical and organisational measures set out in Annex B. We may update those measures from time to time, provided that the level of security is not materially reduced.

6. Sub-processors

6.1 Authorisation

The Customer gives a general written authorisation for Specialist Electronics Ltd to engage sub-processors in connection with the provision of the Services. A current list of sub-processors is available on request from [email protected]. We will inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes within 30 days.

6.2 Flow-down obligations

Where we engage a sub-processor for carrying out specific processing activities on behalf of the Customer, we will impose on that sub-processor, by way of a contract, the same data-protection obligations as set out in this DPA. Where the sub-processor fails to fulfil its data-protection obligations, we remain fully liable to the Customer for the performance of the sub-processor's obligations.

7. International transfers

Where the processing of personal data under this DPA involves a transfer of personal data outside the United Kingdom or the European Economic Area to a country that has not been the subject of an adequacy decision, the parties agree to be bound by the UK International Data Transfer Agreement or the EU Standard Contractual Clauses (Module Two: Controller to Processor) (the "SCCs"), supplemented as needed by the UK Addendum to the SCCs. The SCCs are incorporated by reference into this DPA. In the event of conflict between this DPA and the SCCs, the SCCs prevail.

8. Audits

On the Customer's request and no more than once per calendar year (except where required following a personal-data breach), we will make available information reasonably necessary to demonstrate our compliance with this DPA, including by responding to a written audit questionnaire and by sharing the results of relevant third-party certifications and audit reports (such as ISO 27001 or SOC 2, where held). Any on-site audit shall be conducted at the Customer's expense by an independent third-party auditor reasonably acceptable to Specialist Electronics Ltd, on at least 30 days' notice, during normal business hours, and in a manner that does not interfere unreasonably with our operations or expose the personal data of other customers.

9. Personal-data breach

We will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting the Customer's personal data. The notification will, to the extent then available, describe the nature of the breach (including categories and approximate number of data subjects and records concerned), provide the contact point for further information, describe the likely consequences, and describe the measures taken or proposed to address the breach and mitigate adverse effects.

10. Data-subject requests

If a data subject contacts us directly with a request to exercise their rights under Applicable Data Protection Law in relation to personal data we process on behalf of the Customer, we will inform the data subject to contact the Customer directly and (where consistent with our legal obligations) refer the request to the Customer. We will assist the Customer in responding to such requests by appropriate technical and organisational measures, taking into account the nature of the processing.

11. Return or deletion

On termination of the underlying agreement, and at the Customer's choice notified to us in writing within 30 days of termination, we will return or delete the Customer's personal data, including all copies, except where applicable law requires continued storage. Where personal data is retained for legal reasons, we will continue to apply this DPA to it.

12. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the underlying agreement, except where Applicable Data Protection Law requires otherwise.

13. Order of precedence

In the event of conflict between this DPA and the underlying agreement, this DPA prevails to the extent of the conflict, except as expressly stated in the SCCs.

Annex A — Description of the processing

  • Subject matter: Provision of the Services to the Customer as set out in the underlying agreement.
  • Duration: For the term of the agreement plus any period during which we retain personal data in accordance with this DPA or applicable law.
  • Nature and purpose: Hosting, processing, storage, transmission and back-up of personal data in connection with the Services; user authentication; order placement, fulfilment and support; analytics; security.
  • Categories of data subjects: The Customer's end-users (typically natural persons who buy from the Customer through the Services), the Customer's staff and authorised contacts, and any other individuals whose personal data the Customer submits to the Services.
  • Categories of personal data: Contact data (name, email, telephone, address), account data, order data, payment metadata, content of communications, identity-verification data where applicable, device and connection data, security telemetry.
  • Special categories: Identity-document images that may contain biometric data; nationality information that may appear in identity documents.

Annex B — Technical and organisational measures

  • Encryption: TLS 1.2 or above for data in transit; AES-256 for data at rest in cloud storage; column-level encryption for high-sensitivity fields where appropriate.
  • Identity and access management: unique user IDs; least-privilege role-based access controls; mandatory multi-factor authentication for administrative accounts.
  • Segregation: identity documents stored in encrypted object storage isolated from the application database; separate environments for development, staging and production.
  • Logging and monitoring: structured audit logs for security-sensitive events; alerting on anomalous patterns; log retention with restricted access.
  • Vulnerability management: dependency vulnerability scanning; periodic infrastructure scanning; documented patching cadence with shorter SLAs for critical vulnerabilities.
  • Incident response: documented incident-response plan; on-call rota; breach-notification runbooks aligned to this DPA.
  • Backups: regular encrypted backups; tested restore procedures; restricted access to backup media.
  • Personnel: confidentiality undertakings on hire; annual security training; revocation of access on offboarding.
  • Vendor management: due diligence before onboarding processors; written processing agreements meeting UK GDPR Article 28; periodic reassessment.
  • Business continuity: redundant infrastructure; documented recovery objectives; periodic continuity exercises.

This document is provided for general information and does not constitute legal advice. Questions? Reach our team via live chat or email [email protected].
