Data Processing Agreement

Last updated 11 May 2026.

This data processing agreement (DPA) forms part of and is incorporated into the DPA entered into between the customer receiving the Services (Customer) and CSCS Holdings Ltd incorporated and registered in England and Wales under company number 12006152 whose registered office is at The Aircraft Factory 2.2, 100 Cambridge Grove, London, United Kingdom, W6 0LE and its Affiliates (Circulor). Each of the Customer and Circulor is a party and together the parties.


Background

(A) Circulor and the Customer have entered into the Agreement in connection with the provision of the Services, which may involve Circulor processing Personal Data on behalf of the Customer (if at all).

(B) This DPA sets out the additional terms, requirements and conditions on which Circulor will process Personal Data when providing services under the Agreement. This DPA applies only to the extent that Circulor processes Personal Data on behalf of the Customer.

(C) This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) and, where applicable, the General Data Protection Regulation ((EU) 2016/679), for contracts between controllers and processors.


Agreed Terms

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.


1.1 Definitions:

Affiliate: in relation to a party, any entity which controls, is controlled by, or is under common control with that party, with “control” having the meaning given in section 1124 of the Corporation Tax Act 2010.


Business Purposes: the processing of Personal Data by Circulor strictly as necessary to provide the Services and any other purpose specifically identified in ANNEX A.


Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).


Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given in the Data Protection Legislation.

Data Protection Legislation:

(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data;

(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Circulor is subject, which relates to the protection of Personal Data; and

(c) Any other applicable data protection or privacy laws in any relevant jurisdiction to which either party is subject in connection with the processing of Personal Data under this DPA.

DPA 2018: the Data Protection Act 2018.


EU GDPR: the General Data Protection Regulation ((EU) 2016/679).


EEA: the European Economic Area.

processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.

Records: has the meaning given in clause 13.1.

Services: the services provided by Circulor to the Customer under the Master DPA (including any services set out in an order form or statement of work entered into under it).

Term: this DPA's term as defined in clause 11.1.

UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.


1.2 This DPA is subject to the terms of the Agreement and is incorporated into the Master DPA. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.


1.3 The Annex forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annex.


1.4 A reference to writing or written excludes fax but not email.


1.5 Circulor may update this DPA from time to time, provided that such updates do not materially reduce the level of protection afforded to Personal Data under this DPA. The latest version of this DPA shall be made available by Circulor to the Customer.


1.6 In the case of conflict or ambiguity between:

(a) any provision contained in the body of this DPA and any provision contained in the Annex, the provision in the body of this DPA will prevail;

(b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annex, the provision contained in the Annex will prevail; and

(c) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail solely in respect of the processing of Personal Data, and only to the extent required to comply with Data Protection Legislation.


2. Personal data types and processing purposes


2.1 The Customer and Circulor agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) the Customer is the Controller and Circulor is the Processor (to the extent that Circulor processes Personal Data in connection with the Services).

(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Circulor.

(c) ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Circulor may process the Personal Data to fulfil the Business Purposes (it being acknowledged that such processing is limited, incidental and not a core part of the Services).


3. Data model and non-personal data


3.1 The parties acknowledge that the Services are designed primarily to process commercially sensitive data relating to the Customer’s business which does not constitute Personal Data (Raw Data).


3.2 Circulor may use Raw Data to generate aggregated, anonymised or otherwise transformed data, insights and intelligence (Output Data), including by combining Raw Data with data from other customers, provided that such Output Data does not identify the Customer or any Data Subject and does not constitute Personal Data.


3.3 The parties agree that:

(a) Raw Data shall remain the property of the Customer (or its licensors);

(b) Circulor shall use Raw Data only to the extent necessary to provide the Services and generate Output Data in accordance with this clause; and

(c) Circulor shall not disclose Raw Data to third parties except as permitted under the DPA or the Agreement.


3.4 Circulor shall be entitled to retain, use and commercialise Output Data for its own business purposes, including following termination of the DPA, provided always that such Output Data does not contain Personal Data or enable the identification of the Customer or any Data Subject.


3.5 The parties acknowledge that the Services are not intended to involve the routine processing of Personal Data. To the extent that Circulor processes Personal Data in connection with the Services, such processing shall be limited, incidental and governed exclusively by this DPA.


4. Circulor’s obligations


4.1 Circulor will only process the Personal Data (if and to the extent such Personal Data is processed) to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. Circulor will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. Circulor must promptly notify the Customer if, in its reasonable opinion, the Customer's instructions do not comply with the Data Protection Legislation.


4.2 Circulor must comply promptly with any Customer written instructions requiring Circulor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.


4.3 Circulor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires Circulor to process or disclose the Personal Data to a third-party, Circulor must use reasonable endeavours to first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.


4.4 Circulor will reasonably assist the Customer, to the extent required and proportionate taking into account the limited nature of the processing and the information available to Circulor, with meeting the Customer's compliance obligations under the Data Protection Legislation, and may charge reasonable costs for such assistance where it goes beyond standard support, including in relation to Data Subject rights, data protection impact assessments (or equivalent risk assessments) and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.


4.5 Circulor must notify the Customer where reasonably necessary of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting Circulor's performance of the Agreement or this DPA.


5. Circulor’s employees


5.1 Circulor will ensure that all of its employees (to the extent they have access to Personal Data):

(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;

(b) have undertaken appropriate and proportionate training on the Data Protection Legislation relevant to their role and involvement with the Personal Data and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

(c) are aware both of Circulor's duties and their personal duties and obligations under the Data Protection Legislation and this DPA.


6. Security


6.1 Circulor must at all times implement appropriate and proportionate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data taking into account the limited nature, scope and purposes of the processing.


6.2 Circulor must implement such measures to ensure a level of security appropriate to the risk involved, having regard to the nature of the Services and the likelihood and severity of risk to individuals, including as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures where proportionate to the processing undertaken.


7. Personal data breach


7.1 Circulor will without undue delay notify the Customer in writing if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Circulor will use reasonable endeavours to restore such Personal Data where reasonably practicable as soon as possible.

(b) any accidental, unauthorised or unlawful processing of the Personal Data; or

(c) any Personal Data Breach.


7.2 Where Circulor becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information to the extent such information is reasonably available to Circulor:

(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.


7.3 Following any material accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Circulor will reasonably co-operate with the Customer to the extent proportionate to the nature of the processing and the incident, and may charge reasonable costs where such co-operation goes beyond standard support including but not limited to:

(a) assisting with any investigation;

(b) providing the Customer with reasonable access (during normal business hours and on reasonable written notice) to any facilities and operations affected;

(c) facilitating appropriate personnel discussions where reasonably necessary;

(d) making available relevant and proportionate records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.


7.4 Circulor will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, unless required to do so by domestic or EU law or where notification is made to Circulor’s professional advisers or insurers on a confidential basis.


7.5 Circulor agrees that the Customer has the sole right to determine:

(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.


7.6 Circulor will cover all reasonable expenses associated with the performance of the obligations under clause 7.1 to clause 7.3 to the extent the relevant incident is caused by Circulor’s breach of this DPA or failure to comply with Data Protection Legislation unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this DPA, in which case the Customer will cover all reasonable expenses.


8. Transfers of personal data

Circulor (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or the EEA without obtaining the Customer's prior written consent, such consent not to be unreasonably withheld or delayed where appropriate safeguards are in place in accordance with Data Protection Legislation.


9. Subcontractors


9.1 Circulor may appoint third-party subcontractors to process Personal Data on its behalf, provided that such processing is limited to the extent necessary for the provision of the Services.


9.2 Circulor shall maintain an up-to-date list of its subcontractors and make such list available to the Customer on request or via a publicly accessible webpage.


9.3 Circulor shall ensure that each subcontractor is subject to written contractual obligations that provide a level of protection for Personal Data that is no less protective than those set out in this DPA, taking into account the nature of the processing.


9.4 Circulor shall remain responsible for the acts and omissions of its subcontractors in relation to such processing.


10. Complaints, data subject requests and third-party rights


10.1 Circulor must, to the extent required and proportionate taking into account the limited nature of the processing, take such technical and organisational measures as may be appropriate, and provide reasonable assistance and information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

(b) information or assessment notices served on the Customer by the Commissioner or other relevant regulator under the Data Protection Legislation.


10.2 Circulor must notify the Customer without undue delay in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.


10.3 Circulor must notify the Customer within a reasonable period if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.


10.4 Circulor will give the Customer reasonable co-operation and assistance, and may charge reasonable costs where such assistance goes beyond standard support, in responding to any complaint, notice, communication or Data Subject request.


10.5 Circulor must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by domestic [or EU] law.


11. Term and termination


11.1 This DPA will remain in full force and effect so long as:

(a) the Agreement remains in effect; or

(b) Circulor retains any of the Personal Data related to the Agreement in its possession or control (for so long as such retention is necessary for the purposes of this DPA) (Term).


11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Personal Data will remain in full force and effect.


11.3 Circulor's failure to comply with the terms of this DPA is a material breach of the Agreement where such failure is material having regard to the nature of the processing and its impact on Personal Data. In such event, the Customer may terminate the Agreement on written notice, provided that (where the breach is capable of remedy) Circulor has failed to remedy such breach within a reasonable period without further liability or obligation of the Customer.


11.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within a reasonable period, either party may terminate the Agreement on written notice to the other party.


12. Data return and destruction


12.1 At the Customer's request, Circulor will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control to the extent reasonably practicable and in a commonly used format.


12.2 On termination of the Agreement for any reason or expiry of its term, Circulor will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this DPA in its possession or control, except to the extent that Circulor is required to retain such Personal Data to comply with applicable law or for legitimate internal record-keeping purposes, in which case such Personal Data shall be retained only for so long as necessary and subject to appropriate safeguards.


12.3 If any law, regulation, or government or regulatory body requires Circulor to retain any documents, materials or Personal Data that Circulor would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, to the extent permitted by law.


12.4 Circulor will on written request certify in writing to the Customer that it has deleted or destroyed the Personal Data within a reasonable period after completing such deletion or destruction.


13. Records


13.1 Circulor will keep appropriate and proportionate records regarding any processing of the Personal Data, including a general description of the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in clause 6 (Records).


13.2 Circulor will ensure that the Records are sufficient, taking into account the limited nature of the processing, to enable the Customer to verify Circulor's compliance with its obligations under this DPA and the Data Protection Legislation and Circulor will provide the Customer with relevant extracts of the Records upon request.


13.3 The Customer and Circulor must review the information listed in ANNEX A periodically on a reasonable basis to confirm its current accuracy and update it when required to reflect current practices.


14. Audit


14.1 Circulor will, on reasonable written request, make available information reasonably necessary to demonstrate its compliance with this DPA, including relevant summaries of its security measures and, where available, third-party certifications or audit reports.


14.2 The Customer may, where it reasonably believes Circulor is in material breach of this DPA or following a Personal Data Breach, request an audit of Circulor’s relevant processing activities, subject to:

(a) reasonable prior written notice;

(b) such audit taking place during normal business hours;

(c) the audit being limited to matters relevant to the alleged breach; and

(d) the parties agreeing appropriate confidentiality protections.


14.3 Circulor may satisfy audit requests by providing up-to-date third-party audit reports or certifications (such as ISO 27001) where these adequately address the Customer’s concerns.


14.4 Each party will bear its own costs in relation to any audit, save where a material breach by Circulor is identified, in which case Circulor shall bear the Customer’s reasonable audit costs.


15. Warranties


15.1 Circulor warrants and represents that:

(a) its employees, agents and any other person or persons accessing the Personal Data on its behalf are appropriately vetted and reliable and trustworthy and have received appropriate and proportionate training on the Data Protection Legislation relevant to their role;

(b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation in all material respects and other applicable laws;

(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Agreement's contracted services; and

(d) considering the current technology environment and implementation costs, it will take appropriate and proportionate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss of, or damage to, the Personal Data, and ensure a level of security appropriate to:

(i) the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage;

(ii) the nature of the Personal Data protected; and

(iii) comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in Clause 6.


15.2 The Customer warrants and represents that Circulor's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.


16. Indemnification


16.1 Circulor agrees to indemnify the Customer against direct losses, costs, claims, damages or expenses reasonably incurred by the Customer to the extent arising from Circulor’s material breach of this DPA or failure to comply with Data Protection Legislation, including any acts or omissions of its employees, subcontractors or agents.


16.2 The indemnity at clause 16.1 shall be subject to the limitations and exclusions of liability set forth in the Agreement.


17. Notice


17.1 Any notice given to a party under or in connection with this DPA shall be in writing and shall be:

(a) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case);

(b) sent by email to an address specified by the Customer, and in the case of Circulor, to privacy@circulor.com


17.2 Any notice shall be deemed to have been received:

(a) if delivered by hand, at the time the notice is left at the proper address;

(b) if sent by pre-paid first-class post or other next working day delivery service, at 9:00am on the second Business Day after posting; or

(c) if sent by email, at the time of transmission, or, if this time falls outside Business Hours in the place of receipt, when Business Hours resume.


17.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.


This DPA is incorporated into and forms part of the Agreement and shall be deemed effective from the date on which the Customer first accepts or enters into the Agreement.


ANNEX A

Personal Data processing purposes and details


Subject matter of processing: Provision of the Services under the Agreement, noting that the Services are not designed to require the routine processing of Personal Data and any such processing is incidental.


Duration of Processing: For the duration of the Services and for any period thereafter during which Circulor retains Personal Data in accordance with the DPA.


Nature of Processing: Processing may include the collection, storage, organisation, retrieval and deletion of Personal Data, but only to the extent such Personal Data is made available to Circulor in connection with the Services on an incidental basis.


Business Purposes: To provide and support the Services, including system operation, maintenance, support, troubleshooting and related administrative purposes.


Personal Data Categories: The parties do not anticipate the routine processing of Personal Data. To the extent Personal Data is processed, it may include limited business contact data (such as names, email addresses and contact details) or other Personal Data contained within materials submitted to or generated through the Services.


Data Subject Types: The parties do not anticipate the routine processing of Personal Data. To the extent Personal Data is processed, data subjects may include the Customer’s personnel, business contacts or other individuals whose Personal Data is included in materials processed through the Services.