Data Processing Addendum (DPA)

Last updated: 9 May 2026

1. Purpose and Scope

This Data Processing Addendum (DPA) forms part of the Metiflow Terms and Conditions between the customer organisation (Controller) and Metiflow Group (Processor), and applies where we process personal data on your behalf.

If there is any conflict between this DPA and the Terms and Conditions on data protection matters, this DPA takes priority for those matters.

2. Definitions

  • Applicable Privacy Laws means UK data protection laws, including UK GDPR and the Data Protection Act 2018.
  • Controller Personal Data means personal data processed by us on your behalf in connection with the services.
  • Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
  • Services means Metiflow services provided under the Terms and Conditions.
  • Subprocessor means a third party appointed by us to process personal data for the Services.
  • UK IDTA/Addendum means the UK-approved contractual transfer mechanism for restricted transfers.

3. Roles of the Parties

You are the Controller for Controller Personal Data and are responsible for complying with your obligations under Applicable Privacy Laws, including transparency and lawful basis obligations.

We act as your Processor and will process Controller Personal Data only as set out in the Terms, this DPA, and your documented instructions.

4. Processing Instructions and Restrictions

We will process Controller Personal Data only:

  • on your documented instructions, including use of the Services by your authorised users;
  • for the purpose of providing and supporting the Services;
  • in accordance with Applicable Privacy Laws; and
  • as otherwise required by law (in which case we will notify you unless legally prohibited).

If we believe an instruction breaches Applicable Privacy Laws, we will notify you without undue delay.

5. Confidentiality and Security

We ensure that personnel authorised to process Controller Personal Data are bound by appropriate confidentiality obligations.

We implement appropriate technical and organisational measures designed to protect Controller Personal Data, including measures relating to confidentiality, integrity, availability, and resilience.

We regularly evaluate and improve these measures in line with risk and industry practice.

6. Subprocessors

You provide general authorisation for us to appoint Subprocessors where needed to provide the Services, provided we impose data protection obligations on them that are materially equivalent to those in this DPA.

As at the date of this DPA, our primary Subprocessor for core platform data hosting and database services is Supabase.

We remain responsible for the acts and omissions of our Subprocessors in relation to processing carried out for the Services.

7. International Transfers

Where Controller Personal Data is transferred outside the UK, we ensure appropriate safeguards are in place as required by Applicable Privacy Laws, including use of UK IDTA/Addendum where relevant.

8. Assistance to Controller

Taking into account the nature of processing and information available to us, we will provide reasonable assistance to help you meet your obligations regarding:

  • data subject rights requests;
  • data protection impact assessments;
  • security and breach reporting obligations; and
  • regulatory inquiries related to processing under this DPA.

9. Personal Data Breach

If we become aware of a confirmed Personal Data Breach affecting Controller Personal Data, we will notify you without undue delay and, where feasible, within 72 hours of awareness.

We will provide available information including:

  • nature of the breach;
  • categories of data and data subjects affected (where known);
  • likely consequences; and
  • measures taken or proposed to contain and remediate the breach.

10. Audit and Information Rights

On reasonable written request and no more than once per year (unless required by law or following a confirmed Personal Data Breach), we will provide information reasonably necessary to demonstrate compliance with this DPA.

11. Return and Deletion

On termination of the Services, we will delete or return Controller Personal Data in accordance with your instructions and our retention obligations under law and the Terms and Conditions.

12. Liability

Liability under this DPA is subject to the liability terms and limitations set out in the Terms and Conditions, except where otherwise required by Applicable Privacy Laws.

13. Contact

For DPA and data protection queries, contact:

Metiflow Group
Email: admin@metiflow.com