Handles.org

Handles Data Protection Policy

DATA PROCESSING ADDENDUM (DPA)

This Data Processing Addendum ("Addendum") forms part of and is incorporated into the Handles.org Terms of Service (the "Agreement") between Customer (the "Controller") and Handles Group Ltd ("Processor").

This Addendum applies to the extent Processor processes Personal Data (defined below) on behalf of Controller pursuant to the Agreement.

| Effective Date | 29/05/2025 |
| Parties | Controller: The entity identified as Customer in the Agreement. Processor: Handles Group Ltd, Suite 5 Manor House, 1 Macauley Road, Broadstone, BH18 8AS, United Kingdom. |
| Jurisdiction | UK GDPR and, where applicable, EU GDPR and Swiss Federal Act on Data Protection |

1. Definitions

Terms capitalised but not defined herein have the meaning set out in the Agreement or UK GDPR.

  • "Affiliate" means any entity that Controls, is Controlled by, or is under common Control with a party.

  • "Applicable Data Protection Laws" means UK GDPR, EU GDPR (where applicable), PECR, and any local laws implementing or supplementing them.

  • "Personal Data" means any information relating to an identified or identifiable natural person that Processor Processes on behalf of Controller under the Agreement.

  • "Sub‑processor" means any third party engaged by Processor or its Affiliates to Process Personal Data.

2. Roles of the Parties

Controller is the Data Controller and Processor is the Data Processor with respect to Personal Data. Each party shall comply with its obligations under Applicable Data Protection Laws.

3. Processing Details

| Subject‑matter | Provision of the Handles social‑media operating system SaaS and related support services. |
| Nature & Purpose | Hosting, storage, retrieval, transmission, and analysis of Customer‑generated social‑media data to deliver platform functionality; account management; payment processing; security monitoring. |
| Categories of Data Subjects | Customer employees and contractors (Authorised Users); individuals whose data appears in social‑media content managed via the Service. |
| Types of Personal Data | Account data (name, business email, job title, profile photo), system log data (IP address, device IDs), social‑media handle IDs, team chat messages, optional user avatars. No special categories intentionally processed. |
| Duration | For the Subscription Term plus deletion/return period set out in §10. |

Controller warrants that the table above accurately describes the Processing at the Effective Date.

4. Controller Instructions

Processor shall Process Personal Data only on documented instructions from Controller (including those in the Agreement and this Addendum) unless required to do so by UK/EU law. Processor shall promptly inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.

5. Confidentiality

Processor shall ensure that persons authorised to Process Personal Data are bound by confidentiality obligations.

6. Security Measures

Processor implements the technical and organisational measures set out in Annex II (Security Measures) to protect Personal Data. Controller confirms these measures provide a level of security appropriate to the risk.

7. Sub‑processors

  1. Authorised Sub‑processors. Controller authorises Processor to engage the Sub‑processors listed in Annex III.

  2. Sub‑processor Obligations. Processor shall enter into a written contract with each Sub‑processor containing data‑protection obligations no less protective than those in this Addendum.

  3. Changes. Processor will notify Controller at least 30 days in advance of any intended addition or replacement of Sub‑processors, allowing Controller to object on reasonable data‑protection grounds.

8. Data Subject Rights Assistance

Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organisational measures to respond to data‑subject requests under Applicable Data Protection Laws. If a request is made directly to Processor, Processor shall promptly forward it to Controller.

9. Personal‑Data Breach

Processor shall notify Controller without undue delay (and in any event within 24 hours) after becoming aware of a Personal‑Data Breach affecting Controller’s Personal Data, and shall provide reasonable assistance to Controller in compliance with Articles 33–34 UK GDPR.

10. Deletion or Return

Within 30 days after termination of the Agreement, Processor shall, at Controller’s choice, delete or return all Personal Data and delete existing copies, unless retention is required by law. Evidence of deletion shall be provided upon request.

11. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this Addendum and shall allow for and contribute to audits, including inspections, conducted by Controller or a mandated auditor once per 12‑month period with at least 14 days’ notice, subject to Processor’s confidentiality and security policies.

12. International Transfers

Where Processor transfers Personal Data outside the UK/EEA to a country that has not received an adequacy decision, Processor shall implement a valid transfer mechanism such as the UK Addendum‑approved Standard Contractual Clauses (“SCCs”), UK IDTA, or another lawful transfer tool.

13. Liability & Indemnity

The liability provisions of the Agreement apply to this Addendum. Nothing in this Addendum limits either party’s liability under Applicable Data Protection Laws.

14. Duration & Termination

This Addendum remains in effect for as long as Processor Processes Personal Data on behalf of Controller under the Agreement.

15. Governing Law

This Addendum is governed by the laws of England and Wales, unless required otherwise by Applicable Data Protection Laws.

16. Signatures

This Addendum is deemed executed upon the earlier of (i) Controller’s acceptance of the Agreement, or (ii) the parties’ signature of an Order Form referencing this Addendum.

Annex I – UK GDPR Standard Contractual Clauses (Controller to Processor)

If required for international transfers, the applicable UK Addendum‑approved SCCs are hereby incorporated by reference. The Parties agree the following selections:

  • Module 2 (Controller‑to‑Processor) applies.

  • Clause 9 (Use of sub‑processors): Option 2, 30‑day notice.

  • Clause 11 (Redress): Not optional.

  • Clause 17 (Governing law): Law of England & Wales.

  • Clause 18 (Choice of forum): Courts of England & Wales.

Annex II – Technical & Organisational Security Measures

  1. Encryption – TLS 1.2+ in transit; AES‑256 at rest.

  2. Access Control – Role‑based, least privilege; MFA for privileged access.

  3. Physical Security – Data centres with ISO 27001 & SOC 2 certifications.

  4. Network Security – Firewalls, intrusion detection, regular penetration tests.

  5. Operational Security – Vulnerability management, patching within vendor SLAs.

  6. Business Continuity – Daily encrypted backups; disaster‑recovery plan with RPO 24 h / RTO 12 h.

  7. Monitoring & Logging – Centralised logging with 30‑day hot retention, 12‑month cold storage.

  8. Employee Training – Annual security & privacy training, onboarding background checks.

Annex III – Authorised Sub‑processors

| Sub‑processor | Service | Location | Safeguards |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting & storage | UK / EU | SCCs + ISO 27001 |
| Stripe Payments Europe Ltd | Payment processing | Ireland / US | SCCs + PCI‑DSS |
| Matomo Cloud | Analytics | Germany | SCCs |
| Intercom R&D Unlimited Company | In‑app chat / support | Ireland / US | SCCs |

Controller may request an up‑to‑date list of Sub‑processors at any time.

© Handles Group Ltd, 2025

Feb 4, 2025

Digital Identity & The Handle Economy

Everybody wants their name on their favourite social media platform. To be the ONLY person in the world who can indisputably call themselves @Jane would be a flex of atmospheric proportions.

Written by

Handles Team


Own your social
identity.

Company

Support

Careers

Team

Customers

About

Resources

Pricing

Whitepaper

Platforms

© Handles Group Ltd, 2025. All rights reserved.

Linkedin

Instagram

X
