Data Processing Agreement

Effective 2026-05-22 (v1.1). Forms part of the Terms of Service.

1. Parties and scope

This Data Processing Agreement ("DPA") applies where TeZe Ltd (company no. 17137231, trading as Rotapulse, "Processor", "we", "us") processes personal data on behalf of the Customer ("Controller", "you") in the course of providing the Rotapulse service. It reflects the requirements of Article 28 of the UK GDPR and, where applicable to you, the EU GDPR.

Acceptance. This DPA is incorporated by reference into the Rotapulse Terms of Service. By accepting the Terms of Service, or by using Rotapulse, you accept this DPA. For a separately signed copy, email compliance@rotapulse.co.uk.

2. Definitions

  • Customer Personal Data means personal data that we process on your behalf in connection with the Rotapulse service.
  • Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018 (including amendments under the Data (Use and Access) Act 2025), the EU GDPR where it applies to you, and any related law.
  • Sub-processor means any third party we engage to process Customer Personal Data.
  • UK IDTA means the UK International Data Transfer Agreement.
  • EU SCCs means the EU Standard Contractual Clauses approved by Commission Decision (EU) 2021/914.

3. Subject matter, duration, nature, and purpose

  • Subject matter: processing of workforce scheduling data to produce fatigue risk scores.
  • Duration: for the term of the subscription, plus up to 30 days post-termination for export or deletion.
  • Nature: storage, computation of derived scores, display in the user interface, and export back to the Controller.
  • Purpose: enabling the Controller to assess and manage workforce fatigue risk.

4. Categories of data and data subjects

  • Data subjects: the Controller's employees and contractors whose shifts are scored.
  • Categories of data: identifier (name or initials), job type, shift start and end, break minutes, and derived fatigue scores. No special category data is required. The Controller will not provide special category or criminal-offence data unless we have agreed in writing.

5. Processor obligations

We will:

  • Documented instructions. Process Customer Personal Data only on the Controller's documented instructions. The Terms of Service, your in-product configuration, and the normal operation of Rotapulse together constitute documented instructions. We will inform you immediately if we believe an instruction infringes the Applicable Data Protection Law.
  • Confidentiality and training. Ensure personnel authorised to process Customer Personal Data are bound by confidentiality obligations and receive regular data protection training.
  • Security. Implement appropriate technical and organisational measures in line with Article 32 of the UK GDPR, as described on the /security page and Annex 2 below.
  • Data subject rights. Assist the Controller in responding to data subject requests within 5 business days of a documented request.
  • Articles 32 to 36 assistance. Assist the Controller in meeting its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, DPIA, prior consultation).
  • Sub-processors. Engage Sub-processors only in line with Section 7.
  • Direct contact with data subjects. We do not respond to data subjects directly regarding their rights. We forward any direct contact to the Controller and act on the Controller's instructions.
  • Return or deletion. Delete or return Customer Personal Data at the Controller's choice at the end of the agreement, as set out in Section 10.
  • Article 30 records. Maintain records of our processor activities under UK GDPR Article 30(2) and make them available to the Controller or a regulator on reasonable request.
  • Insurance. Maintain professional indemnity insurance and cyber liability insurance at levels appropriate to the nature and scale of the Services. A redacted certificate is available on reasonable written request.

6. No use for own purposes, no AI training, no joint controllership

No use for our own purposes. We will not process Customer Personal Data for our own purposes, including without limitation: developing or improving our products (except as strictly necessary to provide the Services to you), marketing, profiling, analytics beyond your instructed use, or onward sale, licensing, or transfer to any third party other than authorised Sub-processors.

No AI training. We will not, and we will procure that our Sub-processors do not, use Customer Personal Data to train, fine-tune, or otherwise improve any artificial intelligence, machine learning, or generative model. Rotapulse today does not use AI inference on Customer Personal Data; if that ever changes, we will notify you in advance and the zero-training commitment will remain.

No joint controllership. Nothing in this DPA or the Terms of Service creates a joint controller relationship under Article 26 of the UK GDPR or EU GDPR. If a proposed change to your use of the Services would, in our reasonable view, create joint controllership, we will discuss it with you in good faith before implementing it.

7. Sub-processors

The Controller provides general authorisation for the Processor to engage the Sub-processors listed at /legal/subprocessors. That list, together with the location, purpose, and transfer mechanism for each Sub-processor, is incorporated into this DPA by reference.

We will give at least 30 days' notice of any addition or replacement of a Sub-processor. The Controller may object on reasonable grounds related to the protection of Personal Data; if we cannot resolve the objection within 30 days, the Controller may terminate the affected Services without penalty for early termination.

We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. We remain fully liable to the Controller for each Sub-processor's performance.

8. International transfers

Customer Personal Data is hosted in the United Kingdom. Where a Sub-processor is established outside the UK, transfers are carried out under the UK IDTA where the UK GDPR applies, or the EU SCCs (Module 2 controller-to-processor or Module 3 processor-to-processor as applicable) with the UK Addendum where the EU GDPR also applies. The UK IDTA and EU SCCs are incorporated into this DPA by reference and the corresponding details are populated from this DPA and the Sub-processors page.

Transfer Impact Assessment. We have conducted, and maintain throughout the term, a Transfer Impact Assessment for each transfer of Customer Personal Data to a Sub-processor outside the UK or EEA, in line with Schrems II and ICO and EDPB guidance. The assessment considers the laws and practices of the destination country (in particular those relating to public-authority access) and the supplementary measures we apply to ensure essentially equivalent protection. We will share the assessment in summary form on reasonable written request.

EU GDPR coverage. Where the Controller is established in the EU or EEA, or otherwise subject to the EU GDPR, the EU GDPR applies alongside the UK GDPR for the purposes of this DPA. References to the ICO are read as references to the competent EU supervisory authority where the EU GDPR is the applicable regime.

9. Security incidents

We will notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach affecting Customer Personal Data. Our notification will include the nature and scope of the breach, the likely consequences, measures taken or proposed, and contact details for further information (compliance@rotapulse.co.uk).

Our status page at /status carries the public-facing incident record where applicable. We will not publicly disclose any breach affecting the Controller's data without the Controller's prior written consent, except where required by law or by a supervisory authority.

10. Deletion and return

Within 30 days of termination, or at any earlier point on the Controller's documented request, we will, at the Controller's choice:

  • delete Customer Personal Data from live systems, with encrypted backup copies purged in line with backup rotation (typically within 30 to 90 days thereafter); or
  • return Customer Personal Data in a structured, commonly-used, machine-readable format and then delete all copies.

We will respond to a documented deletion or export request within 5 business days except where retention is required by law. Written confirmation of deletion is available on request.

11. Audit and information rights

On reasonable prior written notice (and no more than once in any 12-month period unless the Controller has reasonable grounds to suspect non-compliance), we will:

  • make available the information reasonably necessary to demonstrate compliance with this DPA, including any then-current certifications, our security summary at /security, and the most recent assessment or audit report;
  • allow for and contribute to audits or inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality obligations.

Audits must take place during normal business hours, with reasonable advance notice, and in a manner that does not unreasonably disrupt our operations or the security of other customers' data. The Controller bears our reasonable costs for any audit beyond a once-yearly desktop review.

12. Updates, notices, conflict, governing law

Updates. We may update this DPA from time to time. Any change that materially reduces the rights of the Controller or our obligations will be notified at least 30 days in advance. The Controller may object on reasonable grounds; if we cannot resolve the objection within 30 days, the Controller may terminate the affected Services without penalty. Changes that improve protection or are required by law take effect on publication.

Notices. For data protection notices, write to compliance@rotapulse.co.uk. Notices by email are deemed received at transmission, provided the sender has not received a non-delivery message. We will acknowledge substantive notices within 5 business days.

Conflict. In case of conflict between this DPA, the Terms of Service, and any other document, the order of precedence is: (i) the UK IDTA / EU SCCs, (ii) this DPA, (iii) the Terms of Service, (iv) any other document.

Governing law. This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, subject to any mandatory provisions of the UK IDTA or EU SCCs.

Annex 1. List of Sub-processors

The current list is maintained at /legal/subprocessors. This list forms part of the DPA and is updated as described in Section 7.

Annex 2. Technical and organisational measures

Full detail is at /security. In summary:

  • Data hosted in the UK (eu-west-2 London database, lhr1 London application).
  • Postgres Row Level Security enforcing tenant isolation on every table.
  • TLS 1.2+ in transit, AES-256 at rest.
  • Role-based access control inside the customer workspace and inside Rotapulse.
  • Multi-factor authentication enforced on every administrative system.
  • Append-only platform audit log for operator actions, tenant audit log for workspace actions.
  • Backups with point-in-time recovery up to 7 days, daily snapshots.
  • Documented Information Security Management System (information security, acceptable use, access control, retention, incident response, risk register), reviewed at least annually.
  • ICO registration ZC134108. Cyber Essentials certification in progress.
  • Personnel training on data protection on joining and at least annually.

Last updated 2026-05-22 (v1.1). Changes from v1.0 (2026-04-20): added definitions, no-use-for-own-purposes, no AI training, joint controllership disclaimer, Article 30 records, insurance commitment, formal TIA commitment, explicit EU GDPR coverage, capped audit rights, DPA-update procedure, formal notices, personnel training, conflict order, governing law.

For a countersigned copy, email compliance@rotapulse.co.uk.

Rotapulse is a product of TeZe Ltd · company no. 17137231 · 66 Paul Street, London, EC2A 4NA · ICO registration ZC134108.