Legal documents

The terms, policies and statements that govern your use of our website and the products and services we provide.

Data Processing Agreement

Version 1.0 · Last updated 10 June 2026

1 Background

A.
Threat Protect Limited, referred to in this DPA as Supplier, and the Customer are parties to an agreement under which Supplier provides products or services to the Customer.
B.
In providing those products or services, Supplier may process Customer Personal Data on behalf of the Customer.
C.
This DPA sets out the basis on which Supplier processes Customer Personal Data as Processor on behalf of the Customer.
D.
If there is a conflict between this DPA and the Agreement in relation to the processing of Customer Personal Data, this DPA shall prevail. The Agreement shall apply to all other matters.

2 Definitions and interpretation

2.1
Unless otherwise defined in this DPA, words and expressions used in this DPA have the meanings given to them in the Agreement.
2.2
In this DPA:

Agreement means the agreement between Supplier and the Customer, including Threat Protect’s Terms and Conditions, the applicable Quote, Order Form, Statement of Work and any documents incorporated by reference.

Customer Personal Data means Personal Data supplied to Supplier by or on behalf of the Customer, or obtained, generated or created by Supplier on behalf of the Customer, where such Personal Data is processed by Supplier as Processor in connection with the Agreement.

Data Protection Laws means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and all applicable UK data protection and privacy laws.

Restricted Transfer means a transfer of Customer Personal Data outside the United Kingdom where such transfer is restricted under Data Protection Laws.

Sub-processor means a third party appointed by Supplier to process Customer Personal Data on behalf of Supplier.

Supplier means Threat Protect Limited.

UK GDPR has the meaning given to it in the Data Protection Act 2018.

2.3
The terms Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing, process and special category data have the meanings given to them in Data Protection Laws.

3 Data protection

3.1 Roles and processing activities

3.1.1
The parties acknowledge that, where Supplier processes Customer Personal Data on behalf of the Customer in connection with the Agreement, the Customer is the Controller and Supplier is the Processor.
3.1.2
Where the Customer is not the Controller of the Customer Personal Data, the Customer warrants that it has authority from the relevant Controller to instruct Supplier to process the Customer Personal Data in accordance with this DPA and the Agreement.
3.1.3
The subject matter, duration, nature and purpose of processing, types of Personal Data and categories of Data Subjects are set out in Annex 1.

3.2 General obligations

3.2.1
Each party shall comply with Data Protection Laws applicable to it in connection with the processing of Customer Personal Data.
3.2.2
The Customer is responsible for ensuring that:
(a)
the supply of Customer Personal Data to Supplier complies with Data Protection Laws;
(b)
there is a lawful basis for Supplier’s processing of Customer Personal Data;
(c)
Data Subjects have been provided with appropriate privacy information; and
(d)
the Customer’s instructions to Supplier comply with Data Protection Laws.

3.3 Supplier obligations

3.3.1
Supplier shall process Customer Personal Data only on the Customer’s documented instructions, unless required to do otherwise by applicable law.
3.3.2
Supplier shall inform the Customer if, in Supplier’s opinion, an instruction infringes Data Protection Laws.
3.3.3
Supplier shall ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
3.3.4
Supplier shall implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
3.3.5
Supplier shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
3.3.6
Taking into account the nature of the processing, Supplier shall provide reasonable assistance to the Customer with:
(a)
responding to Data Subject rights requests;
(b)
security obligations under Data Protection Laws;
(c)
Personal Data Breach notifications;
(d)
data protection impact assessments; and
(e)
consultations with the ICO or other supervisory authority.
3.3.7
On termination or expiry of the relevant services, Supplier shall, at the Customer’s choice, delete or return Customer Personal Data unless applicable law requires storage of the Customer Personal Data.
3.3.8
Supplier shall make available information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits or inspections where required by Data Protection Laws, subject to reasonable notice, confidentiality, security and non-disruption requirements.

3.4 Costs of assistance

3.4.1
Supplier may charge reasonable fees for assistance provided under this DPA where the assistance is outside the ordinary course of providing the products or services, unless the assistance is required because of Supplier’s breach of this DPA.

3.5 Sub-processors

3.5.1
The Customer gives Supplier general written authorisation to appoint Sub-processors.
3.5.2
The Customer approves the Sub-processors listed in Annex 2.
3.5.3
Supplier shall ensure that each Sub-processor is subject to written data protection obligations that provide a materially equivalent level of protection for Customer Personal Data as this DPA.
3.5.4
Supplier shall remain liable to the Customer for the acts and omissions of its Sub-processors in relation to Customer Personal Data.
3.5.5
Supplier may update its Sub-processors from time to time.
3.5.6
Where required by Data Protection Laws, Supplier shall notify the Customer of intended material changes to Sub-processors and give the Customer an opportunity to object on reasonable data protection grounds.
3.5.7
If the Customer objects to a new Sub-processor on reasonable data protection grounds, the parties shall work together in good faith to resolve the objection. If the objection cannot reasonably be resolved, Supplier may be unable to continue providing the affected products or services.

3.6 Restricted Transfers

3.6.1
Supplier shall not make a Restricted Transfer unless appropriate safeguards or another lawful transfer mechanism are in place.
3.6.2
Appropriate safeguards may include:
(a)
UK adequacy regulations;
(b)
the UK International Data Transfer Agreement;
(c)
the UK Addendum to the EU Standard Contractual Clauses; or
(d)
another lawful transfer mechanism permitted under Data Protection Laws.
3.6.3
The Customer authorises Supplier and its Sub-processors to make Restricted Transfers where necessary to provide the products or services, provided that the requirements of this clause are met.

3.7 Liability

3.7.1
Liability under or in connection with this DPA is subject to the liability provisions in the Agreement, unless Data Protection Laws require otherwise.
3.7.2
Nothing in this DPA limits or excludes liability that cannot lawfully be limited or excluded.

4 General

4.1
This DPA applies only to Supplier’s processing of Customer Personal Data as Processor on behalf of the Customer.
4.2
This DPA does not apply where Supplier processes Personal Data as an independent Controller.
4.3
This DPA supersedes any previous agreement between the parties relating specifically to the processing of Customer Personal Data by Supplier as Processor.

Annex 1: Details of processing

Subject matter of processing

Processing of Customer Personal Data to enable Supplier to provide the products and services under the Agreement.

Duration of processing

For the term of the relevant products or services and any further period required for deletion, return, backup retention, legal compliance, dispute management or agreed post-termination assistance.

Nature and purpose of processing

Supplier may collect, receive, access, view, store, organise, use, transmit, disclose, delete or otherwise process Customer Personal Data as necessary to:

(a)
provide products and services;
(b)
administer customer onboarding and service delivery;
(c)
communicate with Customer personnel;
(d)
configure, provision or administer products or services;
(e)
manage project delivery and operational communications;
(f)
prepare reports, outputs, evidence, records or deliverables;
(g)
manage billing, finance and contract administration;
(h)
support legal, security, compliance and audit requirements; and
(i)
perform Supplier’s obligations under the Agreement.

Categories of Data Subjects

Customer Personal Data may relate to:

(a)
Customer personnel;
(b)
Customer contractors;
(c)
Customer administrators and authorised users;
(d)
Customer technical, security, compliance, finance and procurement contacts;
(e)
Customer end users, where relevant to the products or services; and
(f)
other individuals whose Personal Data is provided by or on behalf of the Customer.

Types of Personal Data

Customer Personal Data may include:

(a)
names;
(b)
business email addresses;
(c)
business telephone numbers;
(d)
job titles and roles;
(e)
employer or organisation details;
(f)
usernames or business account identifiers;
(g)
technical identifiers such as IP addresses, device identifiers, hostnames or log data;
(h)
security, compliance or assessment information supplied by the Customer;
(i)
communications content provided by or on behalf of the Customer;
(j)
information contained in forms, questionnaires, documents, evidence, reports or service records; and
(k)
other Personal Data provided by or on behalf of the Customer in connection with the products or services.

Special category data

Supplier does not intentionally require or request special category data to provide the products or services.

The Customer should not provide special category data unless it is necessary for the agreed products or services and the Customer has confirmed the lawful basis and any applicable conditions for processing.

Location of processing

United Kingdom, EEA, United States and other locations where approved Sub-processors process Customer Personal Data in accordance with this DPA.

Annex 2: Authorised Sub-processors

The following are Supplier’s authorised Sub-processors.

A Sub-processor may not be used for every Customer or every product or service.

| Sub-processor | Purpose | Location | Transfer safeguard |
| --- | --- | --- | --- |
| Zoho Corporation (CRM) | Prospect, contact and opportunity management | E.U. | UK adequacy regulations / supplier contractual safeguards |
| Zoho Corporation (Books) | Invoicing and billing | E.U. | UK adequacy regulations / supplier contractual safeguards |
| Zoho Corporation (Sign) | E-signature integration | E.U. | UK adequacy regulations / supplier contractual safeguards |
| Microsoft | Email, meetings, file storage and office productivity | E.U. | UK adequacy regulations / supplier contractual safeguards |
| Slack Technologies | Internal collaboration, including customer-related operational discussions | United States | UK IDTA, UK Addendum to EU SCCs, UK-US Data Bridge or other lawful transfer mechanism, as applicable |
| QuickBooks / Intuit | Accounting and finance administration | E.U. | UK adequacy regulations / supplier contractual safeguards |
| Revolut | Business banking and payment administration, including customer payment details | E.U. | UK adequacy regulations / supplier contractual safeguards |

Supplier may update this list from time to time in accordance with clause 3.5.