Data Processing Addendum

1. Scope and Definitions

This Data Processing Addendum ("DPA") applies where No7 Software Limited ("Processor") processes Personal Data on behalf of the Client ("Controller") in the course of providing software development and eCommerce services.

Definitions used here align with the UK GDPR and the Data Protection Act 2018.

2. Processing of Personal Data

The Processor shall only process Personal Data on the Controller's documented instructions, including with regard to transfers of personal data to a third country.

• Subject Matter: Provision of technical eCommerce services (Shopify/BigCommerce).
• Duration: The duration of the service agreement.
• Nature: Software engineering, maintenance, and technical support.

3. Technical and Organizational Measures (TOMs)

We implement appropriate security measures to ensure a level of security appropriate to the risk, including:

• Pseudonymisation and encryption of personal data (TLS 1.3+ and AES-256).
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
• Multi-factor authentication (MFA) on all production environments.
• Regular vulnerability scanning and penetration testing.

4. Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach.

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors (e.g., AWS, Shopify, GitHub). The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.

6. International Transfers

Any transfer of Personal Data outside the UK or EEA shall be conducted in accordance with the UK International Data Transfer Agreement (IDTA) or the relevant Standard Contractual Clauses.