Data Processing Agreement

"Data Protection Laws" means all applicable legislation relating to data protection, including the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor legislation, as amended from time to time.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Glasshouse on behalf of the Customer through the Service. This includes, but is not limited to, names, addresses, company officer details, directorship records, PSC (Persons with Significant Control) data, and any other data derived from public registers or uploaded by the Customer.

"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Sub-processor" means any third party appointed by Glasshouse to process Personal Data on behalf of the Customer in connection with the Service.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

The terms "Controller", "Processor", "Data Subject", "Supervisory Authority", and "Standard Contractual Clauses" shall have the meanings given to them in the Data Protection Laws.

This DPA applies to the processing of Personal Data by Glasshouse on behalf of the Customer in connection with the provision of the Service. The Service provides corporate intelligence capabilities including entity search, graph analysis, entity resolution, risk scoring, sanctions screening, and data aggregation from public registers such as Companies House, HM Land Registry, FCA Register, and PSC Register.

The subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and the categories of Data Subjects are described in Annex 1 of this DPA, available upon request.

Glasshouse shall process Personal Data only for the purposes described in this DPA and in accordance with the Customer's documented instructions, unless required to do so by United Kingdom law, in which case Glasshouse shall inform the Customer of that legal requirement before processing (unless prohibited from doing so by law).

The Customer warrants that it has a lawful basis for processing Personal Data through the Service, including any data uploaded via CSV import, API submission, or bulk import tools. The Customer is responsible for ensuring that the collection and provision of Personal Data to Glasshouse complies with all applicable Data Protection Laws.

The Customer shall ensure that any instructions given to Glasshouse regarding the processing of Personal Data comply with Data Protection Laws. The Customer shall be solely responsible for determining the purposes and legal basis for processing.

Where the Customer uses the Service to process personal data relating to individuals identified through entity resolution, graph analysis, or risk scoring features, the Customer is responsible for ensuring that such processing is proportionate and lawful, including conducting data protection impact assessments where required.

The Customer shall promptly inform Glasshouse if any instruction given by the Customer would, in Glasshouse's reasonable opinion, infringe Data Protection Laws.

Glasshouse shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data outside the United Kingdom, unless required by applicable law.

Glasshouse shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Glasshouse shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 8 (Security Measures) of this DPA.

Glasshouse shall assist the Customer, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under Data Protection Laws.

Glasshouse shall assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to Glasshouse.

At the choice of the Customer, Glasshouse shall delete or return all Personal Data to the Customer after the end of the provision of the Service, and shall delete existing copies unless United Kingdom law requires storage of the Personal Data.

The Customer provides general authorisation for Glasshouse to engage Sub-processors to process Personal Data on behalf of the Customer. Glasshouse shall maintain an up-to-date list of Sub-processors, which shall be made available to the Customer upon request or via the Glasshouse Trust Centre.

Glasshouse shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Customer the opportunity to object to such changes.

If the Customer reasonably objects to a new Sub-processor on legitimate data protection grounds, Glasshouse shall use commercially reasonable efforts to make available an alternative arrangement. If no such alternative is available, the Customer may terminate the affected portion of the Service by providing written notice within 30 days of Glasshouse's notification.

Glasshouse shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA by way of a written contract. Glasshouse shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.

Glasshouse shall not transfer Personal Data outside the United Kingdom unless it has taken such measures as are necessary to ensure the transfer complies with Data Protection Laws. Such measures may include transferring Personal Data to a recipient in a country that the UK Secretary of State has determined provides an adequate level of data protection, or implementing the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.

Where Personal Data is transferred to a Sub-processor in a country outside the United Kingdom that has not received an adequacy determination, Glasshouse shall ensure that the UK International Data Transfer Agreement or other approved transfer mechanism is in place before any such transfer occurs.

Glasshouse shall conduct transfer risk assessments where required by Data Protection Laws and shall implement supplementary measures where necessary to ensure that the level of protection afforded to Personal Data is not undermined by the transfer.

Glasshouse shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws in relation to Personal Data processed through the Service.

Glasshouse shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to Data Subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection.

Glasshouse shall not respond directly to a Data Subject request unless authorised to do so by the Customer or required by applicable law. Where Glasshouse is legally required to respond, it shall inform the Customer of that legal requirement before responding, unless prohibited by law.

Glasshouse shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures shall include, as appropriate:

Glasshouse shall regularly review and update its security measures to ensure they remain appropriate to the risks presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

Glasshouse shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.

The notification shall include, to the extent available: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of Glasshouse's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its effects.

Glasshouse shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

Glasshouse's notification of or response to a Personal Data Breach shall not be construed as an acknowledgement of fault or liability with respect to the breach.

Glasshouse shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

The Customer shall provide Glasshouse with at least 30 days' prior written notice of any audit. Audits shall be conducted during normal business hours, shall not unreasonably interfere with Glasshouse's business operations, and shall be limited to one audit per 12-month period unless required by a Supervisory Authority or following a Personal Data Breach.

Where Glasshouse has obtained relevant third-party certifications or audit reports (such as SOC 2 Type II or ISO 27001), Glasshouse may provide these to the Customer in lieu of an on-site audit, provided they reasonably address the Customer's audit requirements.

The Customer shall bear all costs associated with any audit it initiates, unless the audit reveals a material breach of this DPA by Glasshouse, in which case Glasshouse shall bear the reasonable costs of the audit.

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiry of the Agreement, except to the extent that continued processing of Personal Data is required by applicable law.

Upon termination of this DPA, Glasshouse shall, at the Customer's election, either return all Personal Data to the Customer in a commonly used, machine-readable format or securely delete all Personal Data within 90 days, unless retention is required by applicable law. Glasshouse shall certify the deletion in writing upon the Customer's request.

Any provisions of this DPA that, by their nature, are intended to survive termination (including without limitation provisions relating to confidentiality, liability, and data deletion) shall survive the termination or expiry of this DPA.

Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

The Customer acknowledges that Glasshouse is reliant on the Customer for direction as to the extent to which Glasshouse is entitled to use and process Personal Data. Consequently, Glasshouse shall not be liable for any claim brought by a Data Subject arising from any action or omission by Glasshouse to the extent that such action or omission resulted from the Customer's instructions or the Customer's failure to comply with its obligations under Data Protection Laws.

Nothing in this DPA shall limit or exclude either Party's liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be limited or excluded by law.