Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

• The Controller: The customer or organisation that has entered into an agreement with Malliva Labs Ltd for the use of the Anvora platform ("Controller", "you", "your").
• The Processor: Malliva Labs Ltd, a company registered in the United Kingdom, operating the Anvora platform ("Processor", "we", "us", "our").

The purpose of this DPA is to define the conditions under which the Processor may process personal data on behalf of the Controller in connection with the provision of the Anvora platform, and to ensure compliance with applicable data protection legislation including UK GDPR and EU GDPR.

This DPA is incorporated by reference into the Terms of Service and applies to all processing of personal data carried out by the Processor in connection with the platform.

In this DPA, unless the context requires otherwise:

• "Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and any other applicable data protection legislation in relevant jurisdictions.
• "Controller" means the party that determines the purposes and means of the processing of personal data.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "Personal Data" means any information relating to a Data Subject, as defined in Applicable Data Protection Law.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
• "Processor" means the party that processes personal data on behalf of the Controller.
• "Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
• "Platform" means the Anvora secure communication platform and related services provided by the Processor.

Terms not defined in this DPA shall have the meanings given to them in Applicable Data Protection Law or, where applicable, the Terms of Service.

The Processor processes personal data on behalf of the Controller in connection with the provision of the Anvora platform. The full details of the processing activities — including the subject matter, duration, nature and purpose of processing, the categories of Data Subjects, and the types of personal data — are set out in Annex 1.

The exact data processed depends on how the Controller configures and uses the platform. The Controller shall not use the platform to process special category data (as defined in Applicable Data Protection Law) unless the Controller has ensured that an appropriate lawful basis and suitable safeguards are in place.

The parties acknowledge and agree that:

• The Controller determines the purposes and means of processing personal data through the platform.
• The Processor processes personal data only on behalf of and in accordance with the documented instructions of the Controller.
• The Controller is responsible for ensuring that the processing of personal data through the platform has a lawful basis under Applicable Data Protection Law.
• The Controller is responsible for providing any required notices and obtaining any necessary consents from Data Subjects in connection with the processing.

The Processor shall:

• Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited from doing so).
• Ensure that persons authorised to process personal data are subject to the confidentiality obligations described in Section 6.
• Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 7 and Annex 2.
• Assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to Data Subject rights requests.
• Assist the Controller in ensuring compliance with the obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, where reasonably required.
• At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by applicable law, as described in Section 13.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits and inspections as described in Section 12.
• Maintain appropriate records of processing activities carried out on behalf of the Controller.
• Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.

The Processor shall ensure that access to personal data is limited to those personnel who need access to perform the services under the agreement, and that all such personnel:

• Are informed of the confidential nature of the personal data.
• Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Have received appropriate training in data protection.

These confidentiality obligations shall survive the termination of this DPA and the underlying agreement.

The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

The specific measures currently in place are described in Annex 2. Full details of the platform's security architecture are available in the Security Overview.

The Processor shall regularly assess the effectiveness of these measures and make adjustments as necessary to address evolving risks. Any changes to the measures shall not materially diminish the overall level of protection afforded to personal data.

The Controller provides general authorisation for the Processor to engage Subprocessors to assist in providing the platform, subject to the following conditions:

• The Processor shall impose data protection obligations on any Subprocessor by way of a written contract that provides at least the same level of protection for personal data as this DPA.
• The Processor shall remain fully liable to the Controller for the performance of each Subprocessor's obligations.
• The Processor shall notify the Controller of any intended changes to the list of Subprocessors, giving the Controller a reasonable opportunity (not less than 30 days) to object to the appointment of a new Subprocessor.
• If the Controller raises a reasonable objection to a new Subprocessor, the Processor shall use reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected services by providing written notice.

The Processor shall maintain a current list of Subprocessors, which shall be made available to the Controller upon request.

Personal data processed under this DPA is primarily hosted on infrastructure located in the United Kingdom or the European Union.

To the extent that the processing of personal data involves a transfer to a country outside the United Kingdom or the European Economic Area, the Processor shall ensure that appropriate safeguards are in place, including:

• The UK International Data Transfer Addendum to the EU Standard Contractual Clauses, as issued by the Information Commissioner's Office, where the transfer originates from the United Kingdom.
• The EU Standard Contractual Clauses (SCCs) adopted by the European Commission, where the transfer originates from the European Economic Area.
• An adequacy decision by the relevant authority, where applicable.

The Processor shall ensure that any Subprocessor engaged in accordance with Section 8 that processes personal data outside the United Kingdom or the European Economic Area is subject to equivalent transfer safeguards.

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.

Where the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request unless authorised to do so by the Controller or required to do so by applicable law.

The Processor shall provide reasonable technical and organisational assistance to enable the Controller to respond to Data Subject requests within the time limits prescribed by Applicable Data Protection Law.

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting personal data processed under this DPA.

Such notification shall include, to the extent reasonably available:

• A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and personal data records concerned.
• The name and contact details of the point of contact within the Processor from whom further information may be obtained.
• A description of the likely consequences of the breach.
• A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall provide supplementary information to the Controller as it becomes available.

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

• The Controller shall provide reasonable prior written notice (not less than 30 days) of any intended audit.
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
• Any third-party auditor shall be required to enter into appropriate confidentiality arrangements before accessing any information.
• The Controller shall bear the costs of any such audit, unless the audit reveals a material breach of this DPA by the Processor.

The Processor may satisfy audit requests by providing relevant certifications, audit reports, or summaries prepared by independent third-party auditors, where such reports reasonably address the Controller's audit requirements.

Upon termination of the agreement between the Controller and the Processor, the Processor shall, at the choice of the Controller:

• Delete all personal data processed on behalf of the Controller, and delete existing copies, unless retention is required by applicable law; or
• Return all personal data to the Controller in a commonly used, machine-readable format.

Deletion or return of personal data shall be completed within a reasonable timeframe following termination, and in any event within 90 days unless otherwise agreed in writing.

Where the Processor is required by applicable law to retain any personal data, it shall inform the Controller of the relevant legal requirement and shall limit processing to the extent necessary for compliance with that requirement.

Each party's liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service.

Nothing in this DPA shall limit either party's liability for breaches of Applicable Data Protection Law to the extent that such limitation is not permitted by law.

This DPA shall come into effect on the date the Controller enters into an agreement with the Processor for the use of the platform, and shall remain in effect for as long as the Processor processes personal data on behalf of the Controller.

The obligations of the Processor under this DPA shall survive the termination of the underlying agreement to the extent necessary for the Processor to complete the deletion or return of personal data in accordance with Section 13, and for the continuing obligations of confidentiality under Section 6.

This DPA shall be governed by and construed in accordance with the laws of England and Wales.

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Where a conflict exists between this DPA and the Terms of Service, this DPA shall prevail to the extent of any inconsistency relating to the processing of personal data.