Data Processing Addendum

1. Definitions


For the purposes of this Addendum:

  • Controller, Processor, Personal Data, and Processing have the meanings set out in UK GDPR and EU GDPR

  • Customer is the Controller

  • Estaita Ltd is the Processor


2. Scope of processing


Estaita processes personal data solely to provide the platform and related services.

Processing activities include:

  • Hosting and storage

  • Communication enablement

  • Workflow automation

  • AI-assisted processing

  • Support and maintenance


3. Processor obligations


Estaita shall:

  • Process personal data only on documented instructions

  • Ensure confidentiality of authorised personnel

  • Implement appropriate technical and organisational measures

  • Assist with data subject rights where reasonably required

  • Notify the Customer of personal data breaches without undue delay


4. Sub-processors


The Customer authorises Estaita to use sub-processors.

This includes providers for:

  • Hosting and infrastructure

  • Analytics

  • AI services including OpenAI

Estaita remains responsible for sub-processor compliance.


5. International transfers


Where data is transferred outside the UK or EU, Estaita relies on:

  • UK and EU Standard Contractual Clauses

  • Equivalent contractual safeguards

These safeguards are incorporated by reference.


6. CCPA service provider status


For US personal data, Estaita acts as a service provider.

Estaita:

  • Does not sell personal data

  • Does not retain or use data outside service provision

  • Processes data solely for business purposes


7. Security measures


Estaita maintains appropriate security measures including:

  • Access controls

  • Logical separation

  • Monitoring and logging

  • Secure infrastructure practices

Detailed technical documentation may be provided at Estaita’s discretion.


8. Audit and information rights


Audit rights are limited.

Estaita will:

  • Provide reasonable information to demonstrate compliance

  • Respond to written security questionnaires where proportionate

On-site audits are excluded unless required by law.


9. Deletion and return of data


On termination:

  • Data may be retained for legal or operational reasons

  • Deletion will occur where legally required

  • Data export may be provided at Estaita’s discretion


10. Updates


Estaita may update this Addendum with notice.

Continued use of the platform constitutes acceptance.