When does this DPA apply?
This DPA applies whenever Siftological processes personal data on your behalf — specifically, when your project management tools (Jira, GitHub, Asana, Linear, etc.) are connected to the Siftological platform and the metadata processed may include personal data relating to your employees or contractors (e.g. names in ticket assignments or commit history). It is incorporated by reference into our Terms & Conditions.
Definitions
In this DPA, the following terms have the meanings given below:
- "Controller" means the customer entity that determines the purposes and means of processing personal data and has agreed to Siftological's Terms & Conditions.
- "Processor" means Siftological Ltd, which processes personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" has the meaning given in UK GDPR Article 4(1).
- "Processing" has the meaning given in UK GDPR Article 4(2).
- "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.
- "DPA 2018" means the Data Protection Act 2018.
- "Sub-processor" means any third party engaged by Siftological to process personal data in connection with the Services.
- "Services" means the Siftological platform and associated services as described in the Terms & Conditions.
Scope & Nature of Processing
The following describes the processing activities covered by this DPA:
Processor Obligations
Siftological (as Processor) agrees that it shall:
- Process personal data only on the documented instructions of the Controller, as set out in this DPA and the Terms & Conditions, unless required to do so by applicable law.
- Immediately inform the Controller if, in its opinion, an instruction infringes UK GDPR or other applicable data protection law.
- Ensure that all personnel authorised to process personal data are subject to an appropriate duty of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with UK GDPR Article 32.
- Not engage any sub-processor without prior written authorisation from the Controller, except as provided in Section 5 of this DPA.
- Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under UK GDPR Chapter III, taking into account the nature of the processing.
- Assist the Controller in ensuring compliance with UK GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to Siftological.
- At the Controller's election, delete or return all personal data to the Controller upon termination of the Services, and delete existing copies within 30 days, unless applicable law requires retention.
- Make available to the Controller all information necessary to demonstrate compliance with UK GDPR Article 28, and allow for and contribute to audits conducted by the Controller or its appointed auditor, subject to reasonable notice and confidentiality obligations.
- Not transfer personal data outside the UK without ensuring adequate safeguards are in place as required by UK GDPR Chapter V.
Controller Obligations
The Controller represents and warrants that:
- It has a valid lawful basis under UK GDPR for providing personal data to Siftological for processing under this DPA.
- It has provided all required fair processing information to Data Subjects whose data will be processed under this DPA.
- Its instructions to Siftological will at all times comply with applicable data protection law.
- It has the authority to connect the project management tools to the Siftological platform and to grant access to the metadata contained therein.
Sub-processors
The Controller provides general written authorisation for Siftological to engage sub-processors, subject to the conditions in this section. Siftological shall ensure that any sub-processor is bound by data protection obligations at least equivalent to those in this DPA.
Siftological currently uses the following categories of sub-processor in connection with the Services:
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure & hosting | Platform hosting and data storage | UK / EEA |
| CDN & security provider | Content delivery and DDoS protection | UK / EEA |
| Email service provider | Transactional email delivery | UK / EEA |
| AI inference provider | Processing project metadata to identify R&D activity | UK / EEA / adequacy |
Siftological will notify the Controller of any intended changes to sub-processors by updating this page with at least 30 days' prior notice. If the Controller objects to a new sub-processor on reasonable data protection grounds, it may terminate the Services in accordance with the Terms & Conditions.
Security Measures
Siftological implements the following technical and organisational measures to protect personal data:
- Encryption in transit: all data transmitted between the Controller's tools and the Siftological platform is encrypted using TLS 1.2 or higher.
- Encryption at rest: personal data stored on Siftological infrastructure is encrypted at rest using AES-256 or equivalent.
- Access controls: access to personal data is restricted to authorised personnel on a least-privilege basis, with access logs maintained.
- No source code storage: Siftological does not access, read, or store source code from connected repositories.
- Pseudonymisation: where practicable, personal identifiers in project metadata are pseudonymised before AI analysis.
- Security reviews: Siftological conducts regular reviews of its security posture and infrastructure.
Personal Data Breaches
In the event that Siftological becomes aware of a confirmed personal data breach affecting the Controller's personal data, Siftological shall:
- Notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable it to fulfil its own breach notification obligations to the ICO (within 72 hours) and to affected Data Subjects.
- Co-operate with the Controller and take such steps as are reasonably directed by the Controller to investigate, remediate, and mitigate the effects of the breach.
Notification under this clause shall not constitute an admission of fault or liability by Siftological.
Data Subject Rights
Siftological shall maintain technical and organisational measures to assist the Controller in responding to Data Subject rights requests within legally required timeframes. Upon receiving a Data Subject rights request directly (e.g. where a Data Subject contacts Siftological in error), Siftological shall promptly forward the request to the Controller and shall not respond to the Data Subject directly without the Controller's authorisation, except where required by law.
International Transfers
Siftological shall not transfer personal data outside the UK except:
- To a country subject to a UK adequacy decision; or
- Under appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) or equivalent mechanism approved under UK GDPR Article 46.
Where sub-processors are located outside the UK, Siftological shall ensure that appropriate transfer mechanisms are in place.
Term & Termination
This DPA shall remain in force for the duration of the Controller's use of the Services. Upon termination, the obligations in this DPA regarding security, confidentiality, sub-processors, and data deletion shall survive for a period of 12 months or until all personal data has been deleted or returned, whichever is later.
Upon termination of the Services, Siftological shall, at the Controller's election:
- Delete all personal data processed under this DPA within 30 days; or
- Return all personal data to the Controller in a commonly used machine-readable format, then delete all copies.
Governing Law
This DPA is governed by and construed in accordance with the law of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Contact
For any data protection queries relating to this DPA, please contact:
Siftological Ltd
Company Registration Number: 17230874
Registered in England and Wales
Email: [email protected]
This DPA was last updated on 1 June 2026. By continuing to use the Siftological platform following the effective date, the Controller agrees to the terms of this DPA. Siftological Ltd recommends this DPA is reviewed by a qualified UK solicitor before onboarding enterprise customers.