Data Processing Agreement

The Customer is the Controller and Votis is the Processor of Customer Data. The details of the processing are set out in Schedule 1.

The Customer shall:

• ensure it has a lawful basis for the processing of Personal Data under this DPA;
• provide documented instructions to Votis regarding the processing of Customer Data;
• ensure that Customer Data provided to Votis is accurate and lawful; and
• comply with its obligations under Applicable Data Protection Law.

Votis shall:

• process Customer Data only on the Customer's documented instructions, unless required to do so by applicable law (in which case Votis shall inform the Customer before processing, unless prohibited by law);
• ensure that persons authorised to process Customer Data are subject to appropriate obligations of confidentiality;
• implement and maintain appropriate technical and organisational security measures as set out in Section 3;
• comply with the subprocessor requirements set out in Section 4;
• taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures in responding to Data Subject requests;
• assist the Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation;
• at the Customer's choice, delete or return all Customer Data upon termination of the Services, and delete existing copies unless applicable law requires retention;
• make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA; and
• not use Customer Data for training or fine-tuning machine learning models, except where data has been anonymised and aggregated in accordance with the Principal Agreement.

This DPA shall remain in effect for the duration of the Principal Agreement and until all Customer Data has been deleted or returned in accordance with Section 8.

Votis shall implement and maintain technical and organisational measures appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. These measures include:

Technical Measures:

• encryption of Customer Data in transit (TLS 1.2 or above) and at rest (AES-256 or equivalent);
• multi-factor authentication for all administrative and privileged access;
• access controls based on the principle of least privilege;
• regular application of security patches and updates;
• network security controls including firewalls and web application firewalls;
• encrypted backup procedures;
• audit logging of access to Customer Data;
• regular vulnerability assessments; and
• logical tenant isolation ensuring that each customer's data is segregated and inaccessible to other customers.

Organisational Measures:

• documented information security policies and procedures;
• confidentiality obligations for all personnel with access to Customer Data;
• incident response procedures; and
• business continuity and disaster recovery planning.

Votis shall regularly review and, where necessary, update its security measures to ensure they remain appropriate to the risks presented by the processing.

Where Votis obtains relevant security certifications (such as SOC 2 or ISO 27001), it shall make evidence of such certifications available to the Customer upon reasonable request.

The Customer provides general written authorisation for Votis to engage the Subprocessors listed in Schedule 2. Votis shall enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those in this DPA.

Votis shall:

• maintain an up-to-date list of Subprocessors, available at https://www.votis.io/data-processing-agreement or upon request;
• provide the Customer with at least 30 days' prior written notice of any intended addition or replacement of a Subprocessor; and
• give the Customer the opportunity to object to such changes.

If the Customer reasonably objects to a new Subprocessor on data protection grounds, the parties shall discuss the objection in good faith with a view to achieving a resolution. If no resolution can be reached within 30 days, the Customer may terminate the affected Services without penalty.

Votis shall remain fully liable to the Customer for the performance of each Subprocessor’s obligations in respect of Customer Data.

Votis shall not transfer Customer Data outside the United Kingdom or European Economic Area unless:

• the Customer has provided prior written consent to the transfer;
• appropriate safeguards are in place in accordance with Applicable Data Protection Law (such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses); and
• the transfer complies with Chapter V of the UK GDPR or EU GDPR (as applicable).

The Customer acknowledges that certain Subprocessors listed in Schedule 2 process data in the United States. Votis ensures that appropriate transfer mechanisms are in place for each such Subprocessor. Customer Data at rest is hosted in the United Kingdom (AWS eu-west-2, London region).

Where international transfers are authorised, Votis shall provide copies of the relevant safeguards to the Customer upon request.

Votis shall promptly notify the Customer if it receives a request from a Data Subject in respect of Customer Data. Votis shall not respond to such requests directly unless authorised by the Customer.

Votis shall provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. Such assistance may be subject to reasonable fees where requests are excessive or complex.

Votis shall notify the Customer without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data Breach affecting Customer Data.

The notification shall include, to the extent reasonably available:

• a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
• the name and contact details of the relevant contact point;
• a description of the likely consequences of the breach; and
• a description of the measures taken or proposed to address the breach and mitigate its effects.

Votis shall cooperate with the Customer in investigating and remediating the breach, take immediate steps to contain and mitigate its effects, and document all breaches and remedial actions taken.

Upon termination of the Principal Agreement, or upon the Customer’s written request, Votis shall:

• cease all processing of Customer Data;
• make Customer Data available for export in a structured, commonly used, machine-readable format for a period of 30 days following the effective date of termination;
• following the 30-day export period, securely delete all active Customer Data within 30 days (i.e. within 60 days of the effective date of termination); and
• provide written confirmation of deletion upon request.

Customer Data shall be removed from backup systems within 90 days of the effective date of termination, in line with standard backup rotation cycles.

Votis may retain Customer Data only to the extent required by applicable law, subject to continued confidentiality and security obligations under this DPA.

Votis shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.

The Customer (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of Votis’s processing activities, subject to the following conditions:

• the Customer shall provide at least 30 days' written notice (except in the case of a suspected breach);
• audits shall be conducted during normal business hours and shall not unreasonably disrupt Votis's operations;
• audits shall be limited to once per calendar year, unless there is reasonable cause for an additional audit; and
• the costs of the audit shall be borne by the Customer, unless the audit reveals material non-compliance by Votis.

Where Votis holds relevant security certifications or audit reports (such as SOC 2 Type II or ISO 27001), the Customer agrees to accept such reports as an alternative to an on-site audit, unless the Customer can demonstrate a reasonable need for an on-site audit.

This DPA may be amended by Votis from time to time to reflect changes in Applicable Data Protection Law, the Services, or Votis’s processing activities. Votis shall notify the Customer of any material changes at least 30 days in advance.

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

In the event of any conflict between this DPA and the Principal Agreement in relation to data protection matters, this DPA shall prevail.

This DPA shall be governed by and construed in accordance with the laws of England and Wales.

This DPA shall continue in force for so long as Votis processes Customer Data on behalf of the Customer.

The provision of the Votis platform, which automates software implementation and configuration through AI-assisted workflows, including:

• configuration template management and data collection;
• AI-assisted conversational guidance for software configuration;
• data transformation, mapping, and export; and
• customer portal access and project management.

• Customer's employees and contractors
• Customer's end-users (i.e., the Customer's own clients or customers who interact with the platform via external portals)

• Identity data: names, job titles, employee or user identifiers
• Contact data: email addresses, telephone numbers
• Employment data: departments, roles, reporting structures
• System data: usernames, access logs, usage analytics
• Configuration data: business data uploaded by or on behalf of the Customer for the purposes of software configuration (which may include financial, payroll, or HR data depending on the Customer’s use case)

The Customer shall not submit special category data (as defined in Article 9 of the UK GDPR) to Votis unless the Customer has obtained Votis’s prior written agreement and ensured that a lawful basis and appropriate safeguards are in place. Where special category data is processed by agreement, the parties shall document the additional safeguards in a separate addendum.

For the term of the Principal Agreement, plus any period required for data return or deletion in accordance with Section 8.

• Collection and storage of Customer Data
• AI/LLM processing for configuration automation (Customer Data may be transmitted to third-party AI providers for real-time processing; it is not retained by such providers beyond the duration of each request)
• Data transformation, mapping, and export
• Access management and authentication
• Backup and disaster recovery
• Technical support and platform maintenance