Data Processing Agreement

Standard Terms (Pro Plan)

This Data Processing Agreement ("DPA") forms part of the agreement between Pendra AI Ltd and the Customer, governing the processing of Personal Data under the Pendra Terms of Service. It is designed to comply with Article 28 of the UK GDPR and the Data Protection Act 2018.

Version 1.2 | Effective: 16 March 2026 | Last updated: 27 May 2026

Parties

This Data Processing Agreement ("DPA") forms part of the agreement between:

(1) Pendra AI Ltd, a company incorporated in Wales with company number 17052900, whose registered office is at 19 Coedcae, Pontardawe, Swansea, Wales, SA8 4PE (the "Processor", "Pendra", "we", "us"); and

(2) The Customer identified in the Pendra account registration or Order Form (the "Controller", "Customer", "you"),

(together, the "Parties").

This DPA is incorporated into and forms part of the Pendra Terms of Service available at pendra.ai/terms (the "Principal Agreement"). In the event of any conflict between this DPA and the Principal Agreement in respect of the Processing of Personal Data, this DPA shall prevail.

Background

  • Pendra provides a managed artificial intelligence inference platform whose inference infrastructure is hosted within the United Kingdom (the "Services"), as further described at pendra.ai and in Clause 10 of this DPA.
  • In the course of providing the Services, Pendra may Process Personal Data on behalf of the Customer.
  • This DPA sets out the terms on which Pendra will Process such Personal Data, and is designed to comply with Article 28 of the UK GDPR and the Data Protection Act 2018.

1. Definitions and Interpretation

1.1 In this DPA, the following terms shall have the meanings set out below:

"Applicable Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other data protection or privacy laws applicable to the Processing of Personal Data under this DPA, including any successor legislation and any binding guidance issued by the Information Commissioner's Office ("ICO");

"Customer Personal Data" means any Personal Data Processed by Pendra on behalf of the Customer pursuant to or in connection with the Principal Agreement, as further described in Annex 1;

"Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Controller", and "Processor" shall have the meanings given in Applicable Data Protection Laws;

"International Transfer" means a transfer of Personal Data to a country outside the United Kingdom or an onward transfer of such Personal Data;

"Services" means the Pendra managed inference platform and any related services provided under the Principal Agreement;

"Standard Contractual Clauses" or "SCCs" means the International Data Transfer Agreement (the "UK IDTA") and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), each issued by the ICO under section 119A of the Data Protection Act 2018, or any successor mechanism approved by the ICO;

"Sub-processor" means any third party engaged by Pendra to Process Customer Personal Data on its behalf in connection with the provision of the Services.

1.2 Capitalised terms not defined in this DPA shall have the meaning given to them in the Principal Agreement.

2. Scope and Roles of the Parties

2.1 The Parties acknowledge that, in respect of Customer Personal Data: (a) the Customer is the Controller; and (b) Pendra is the Processor.

2.2 Pendra shall Process Customer Personal Data only for the purposes of providing the Services and only in accordance with the documented instructions of the Customer, as set out in the Principal Agreement, this DPA, and any other written instructions agreed between the Parties.

2.3 The Customer warrants that:

  1. it has all necessary rights, consents, and lawful bases to provide Customer Personal Data to Pendra for Processing under this DPA;
  2. its instructions to Pendra comply with Applicable Data Protection Laws; and
  3. the Processing of Customer Personal Data by Pendra in accordance with the Customer's instructions will not cause Pendra to breach Applicable Data Protection Laws.

2.4 Pendra shall notify the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Laws. In such cases, Pendra is entitled to suspend the performance of the relevant instruction until the Customer confirms or modifies it.

3. Subject Matter, Nature, Purpose and Duration of Processing

3.1 The subject matter, nature, purpose, duration of Processing, the types of Personal Data Processed, and the categories of Data Subjects are set out in Annex 1 (Details of Processing).

3.2 This DPA shall remain in effect for the duration of the Principal Agreement and for so long thereafter as Pendra Processes any Customer Personal Data.

4. Pendra's Obligations

Pendra shall:

4.1 Process Customer Personal Data only on the documented instructions of the Customer, unless required to do otherwise by law (in which case Pendra shall, where legally permitted, inform the Customer of that legal requirement before Processing);

4.2 ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received appropriate training on data protection;

4.3 implement and maintain the technical and organisational security measures set out in Annex 2 (Technical and Organisational Measures) to protect Customer Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure;

4.4 not engage any Sub-processor without complying with the conditions set out in Clause 6 (Sub-processors);

4.5 taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for the exercise of Data Subject rights under Applicable Data Protection Laws (see Clause 7);

4.6 assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of the Processing and the information available to Pendra (see Clause 8);

4.7 at the choice of the Customer, delete or return all Customer Personal Data to the Customer after the end of the provision of the Services, and delete existing copies unless storage is required by law (see Clause 11);

4.8 make available to the Customer all information necessary to demonstrate compliance with Pendra's obligations under this DPA and Article 28 of the UK GDPR, and allow for and contribute to audits as described in Clause 9.

5. Security of Processing

5.1 Pendra shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Processing, including as appropriate the measures referred to in Article 32(1) of the UK GDPR.

5.2 The technical and organisational measures implemented by Pendra are described in Annex 2.

5.3 Pendra may update Annex 2 from time to time provided that any such update does not materially diminish the overall level of security afforded to Customer Personal Data.

5.4 The Parties acknowledge that the technical and organisational measures set out in Annex 2 are applied uniformly to all Customer Personal Data Processed through the Services, irrespective of the category or sensitivity of such data. This reflects Pendra's zero-retention architecture, which does not require, and is not designed to support, category-based differential Processing.

6. Sub-processors

6.1 The Customer provides general written authorisation for Pendra to engage Sub-processors to Process Customer Personal Data, subject to the conditions set out in this Clause 6.

6.2 Pendra maintains a current list of Sub-processors (the "Sub-processor List"), which includes the name, location, and description of the Processing activities of each Sub-processor. The Sub-processor List in force at the Effective Date is set out in Annex 3.

6.3 Pendra shall notify the Customer of any intended changes to the Sub-processor List by updating the Sub-processor List at least thirty (30) days before the new Sub-processor begins Processing Customer Personal Data.

6.4 The Customer may object to any proposed new Sub-processor on reasonable data protection grounds by providing written notice to Pendra within fifteen (15) days of the notification of the change. If the Parties cannot reach a resolution within a reasonable period, the Customer's sole and exclusive remedy is to terminate the Principal Agreement in respect of those Services that cannot be provided without the proposed Sub-processor, with a pro-rata refund of any pre-paid fees for the unused portion of the Services.

6.5 Pendra shall enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those set out in this DPA, and shall remain liable for the acts and omissions of its Sub-processors as if they were its own.

7. Data Subject Rights

7.1 Pendra shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to enable the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2 If Pendra receives a request directly from a Data Subject in respect of Customer Personal Data, Pendra shall, without undue delay, forward such request to the Customer and shall not respond to the request itself unless authorised in writing by the Customer or required by law to do so.

7.3 Pendra may charge the Customer a reasonable fee for assistance under this Clause 7 that goes beyond the standard functionality of the Services, provided that Pendra notifies the Customer of any such fee in advance.

8. Personal Data Breach Notification

8.1 Pendra shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Pendra shall use reasonable endeavours to provide initial notification within seventy-two (72) hours of becoming aware of such Personal Data Breach.

8.2 For the purposes of this Clause 8, Pendra shall be deemed to have "become aware" of a Personal Data Breach when Pendra has confirmed, following a reasonable internal investigation, that a Personal Data Breach has in fact occurred. Pendra shall not be deemed to be aware of a Personal Data Breach solely on the basis of an unverified alert, suspected anomaly, or third-party report that has not been confirmed.

8.3 Such notification shall, where possible and to the extent known to Pendra at the time, include:

  1. a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. the name and contact details of Pendra's data protection contact from whom more information can be obtained;
  3. a description of the likely consequences of the Personal Data Breach; and
  4. a description of the measures taken or proposed to be taken by Pendra to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.4 Where, and insofar as, it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.

8.5 Pendra shall provide reasonable cooperation and assistance to the Customer in respect of the Customer's obligations to notify the ICO and affected Data Subjects of the Personal Data Breach under Articles 33 and 34 of the UK GDPR.

9. Audits and Inspections

9.1 Pendra shall make available to the Customer, on request, the following information to demonstrate compliance with this DPA:

  1. Pendra's then-current security certifications, attestations, and assessment reports;
  2. a summary of Pendra's most recent independent third-party security assessment or penetration test (subject to reasonable confidentiality undertakings); and
  3. written responses to reasonable security and data protection questionnaires submitted by the Customer, no more frequently than once per twelve (12) month period (except in the event of a Personal Data Breach affecting Customer Personal Data).

9.2 The information provided under this Clause 9 shall be deemed sufficient to enable the Customer to demonstrate compliance with Article 28(3)(h) of the UK GDPR. Enterprise-level audit rights (including on-site inspections and customer-commissioned penetration testing) are available under a Custom DPA negotiated as part of an Enterprise subscription.

9.3 All information disclosed by Pendra under this Clause 9 is confidential and may only be used by the Customer for the purposes of demonstrating compliance with Applicable Data Protection Laws.

10. International Transfers

10.1 Pendra's primary infrastructure for hosting and Processing Customer Personal Data is located within the United Kingdom. All inference Processing — including the Processing of prompt content and inference responses — takes place exclusively within the United Kingdom.

10.2 Certain ancillary services supporting the Services (such as transactional email delivery and operational monitoring) may involve limited Processing of operational and account-related Personal Data outside the United Kingdom. Such Processing does not include the content of inference requests or responses, and is made only to jurisdictions that benefit from UK adequacy regulations under Article 45 of the UK GDPR or, where no adequacy regulation applies, under an appropriate transfer mechanism recognised by Applicable Data Protection Laws (including the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses).

10.3 If Pendra is required to make any International Transfer of Customer Personal Data not contemplated by Clause 10.2, it shall only do so in accordance with a transfer mechanism recognised under Applicable Data Protection Laws and shall notify the Customer in advance of any such transfer.

10.4 Where Pendra engages a Sub-processor that Processes Customer Personal Data outside the United Kingdom, this shall be clearly identified in the Sub-processor List, together with the jurisdiction and the relevant transfer mechanism.

11. Return and Deletion of Customer Personal Data

11.1 Pendra operates the Services on a zero-data-retention basis in respect of inference inputs and outputs: prompts and completions are not retained beyond the duration necessary to provide the immediate response.

11.2 On termination or expiry of the Principal Agreement, Pendra shall, at the Customer's written election made within thirty (30) days of such termination or expiry, either:

  1. delete all Customer Personal Data then held by Pendra; or
  2. return all Customer Personal Data to the Customer and then delete it,

in each case unless storage is required by Applicable Law, in which case Pendra shall continue to protect such Customer Personal Data in accordance with this DPA for as long as it is retained.

11.3 If the Customer does not make an election within the period specified in Clause 11.2, Pendra shall delete all Customer Personal Data in accordance with its standard data deletion procedures.

11.4 A change in the Customer's subscription tier (including downgrading from a paid tier to a free tier) does not constitute termination of the Principal Agreement for the purposes of this Clause 11. The provisions of this Clause 11 apply only on full termination, expiry, or account closure.

11.5 On request, Pendra shall provide the Customer with written confirmation that deletion has been completed.

12. Liability

12.1 The liability of each Party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

12.2 Nothing in this DPA shall limit or exclude either Party's liability for: (a) death or personal injury caused by its negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be limited or excluded by Applicable Law.

13. Governing Law and Jurisdiction

13.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.

13.2 Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.

14. General

14.1 This DPA, together with the Principal Agreement and its annexes, constitutes the entire agreement between the Parties in respect of the Processing of Personal Data.

14.2 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

14.3 Pendra may amend this DPA from time to time to reflect changes in Applicable Data Protection Laws, changes to the Sub-processor List (which remain subject to the notice and objection procedure in Clause 6), or evolving security practices. Pendra shall provide the Customer with at least thirty (30) days' prior notice of any material changes. The Customer's continued use of the Services after such notice constitutes acceptance of the amended DPA.

Acceptance

This DPA is accepted by the Customer on creation of a Pendra account or execution of an Order Form referencing the Pendra Terms of Service. No signature is required for the Standard DPA to be binding. Where a Customer requires a signed or counter-signed copy, the signature blocks below may be completed and returned to legal@pendra.ai; a counter-signed copy is not required for this DPA to be binding.

For Pendra AI Ltd

Signed

Name

Title

Date

For the Customer

Signed

Name

Title

Date

Annex 1

Details of Processing

A. Subject matter

The Processing of Customer Personal Data by Pendra in connection with the provision of the Services (a managed AI inference platform) under the Principal Agreement.

B. Nature and purpose of Processing

Pendra Processes Customer Personal Data for the purpose of:

  • receiving inference requests submitted by or on behalf of the Customer and routing them to the appropriate AI model;
  • generating and returning inference responses to the Customer;
  • operating, maintaining, monitoring, and securing the Services;
  • providing technical support to the Customer; and
  • complying with Applicable Law.

C. Duration of Processing

Customer Personal Data is Processed for the duration of the Principal Agreement and thereafter only as required by Applicable Law or as described in Clause 11 of this DPA. Inference inputs and outputs are not retained beyond the duration necessary to provide the immediate response (zero data retention).

D. Types of Personal Data

The types of Personal Data Processed may include (as determined and controlled by the Customer):

  • Account and contact information (names, email addresses, organisation names) submitted by the Customer's authorised users to administer the Services;
  • Any Personal Data contained within inference requests (prompts) submitted by the Customer to the Services, and the responses generated;
  • Usage metadata (timestamps, model identifiers, token counts, API endpoint accessed) associated with the Customer's use of the Services.

E. Categories of Data Subjects

The categories of Data Subjects may include (as determined by the Customer):

  • the Customer's employees, contractors, and authorised users of the Services;
  • the Customer's own end users, customers, clients, or other individuals whose Personal Data is contained in inference requests submitted by the Customer.

F. Special Category Personal Data

Pendra's Services are technically capable of Processing all categories of Personal Data, including special category Personal Data (as defined in Article 9 of the UK GDPR) and Personal Data relating to criminal convictions and offences (as referred to in Article 10 of the UK GDPR).

The Customer is solely responsible for:

  1. determining whether to submit special category Personal Data or Article 10 Personal Data to the Services;
  2. ensuring that it has a valid lawful basis under Article 6 of the UK GDPR for such Processing;
  3. ensuring that it satisfies a relevant condition under Article 9 of the UK GDPR or Schedule 1 of the Data Protection Act 2018 (as applicable) for such Processing;
  4. maintaining any required Appropriate Policy Document under Schedule 1 of the Data Protection Act 2018;
  5. completing any required Data Protection Impact Assessment (DPIA); and
  6. ensuring its overall Processing is lawful, fair, and transparent.

The Customer is solely responsible for determining what Personal Data, if any, it submits to the Services through inference requests, including any classification or filtering of such data prior to submission.

The Parties acknowledge that, because Pendra Processes inference inputs and outputs on a zero-retention basis (as described in Clause 11.1 of this DPA), Pendra does not classify, filter, or differentially handle Personal Data based on its category. The same technical and organisational measures described in Annex 2 apply to all Personal Data submitted to the Services regardless of category. Responsibility for assessing whether the Services are appropriate for the Processing of any particular category of Personal Data rests solely with the Customer.

Annex 2

Technical and Organisational Measures

Pendra implements and maintains the following technical and organisational measures to protect Customer Personal Data, as required by Article 32 of the UK GDPR. These measures may be updated from time to time provided that the overall level of security is not materially diminished.

The measures described below are applied uniformly to all Customer Personal Data Processed through the Services. Pendra's zero-retention architecture does not classify, filter, or differentially Process Personal Data based on its category, sensitivity, or content; accordingly, all data submitted to the Services receives the same level of protection.

1. Information security governance

  • Documented information security policies reviewed at least annually.
  • Designated security lead with responsibility for information security oversight.
  • Security training provided to all personnel with access to Customer Personal Data.
  • Working towards Cyber Essentials Plus certification and subsequent ISO 27001 certification.

2. Encryption

  • Encryption in transit using TLS 1.3 enforced on all external connections. TLS 1.2 and earlier are rejected.
  • Encryption at rest using AES-256 (or equivalent) for any persisted data.

3. Access control

  • Role-based access control with least-privilege principles applied to internal systems.
  • Multi-factor authentication required for all personnel accessing production systems.
  • Periodic review of access rights and immediate revocation on personnel changes.
  • API access secured via per-customer credentials with rotation supported.

4. Network and infrastructure security

  • All Customer Personal Data hosted within UK-based data centres.
  • Firewall and intrusion-detection controls at the network perimeter.
  • Regular vulnerability scanning of production infrastructure.

5. Logging and monitoring

  • Production system access and administrative actions are logged.
  • Logs are retained in a tamper-resistant store for at least 90 days.
  • Automated alerting on anomalous activity and security events.

6. Resilience and availability

  • Documented backup and recovery procedures for systems supporting the Services.
  • Disaster recovery and business continuity plans reviewed periodically.

7. Personnel

  • Pre-employment screening for personnel with access to production systems.
  • Contractual confidentiality obligations on all personnel.
  • Off-boarding procedures including access revocation and equipment return.

8. Secure development

  • Code review required for all changes affecting production systems.
  • Static and dependency analysis integrated into the development pipeline.
  • Separation of development, staging, and production environments.

9. Sub-processor management

  • Sub-processors are assessed for data protection and security adequacy before engagement.
  • Written data processing terms entered into with all Sub-processors.

10. Incident response

  • Documented incident response procedure covering identification, containment, eradication, recovery, and post-incident review.
  • Defined escalation paths for Personal Data Breaches.
  • Customer notification process aligned with Clause 8 of this DPA (without undue delay; reasonable endeavours within 72 hours).

Annex 3

Sub-processor List

The following Sub-processors are engaged by Pendra at the Effective Date.

Civo Limited
  • Service provided: UK-based compute and hosting infrastructure for the Services
  • Location: United Kingdom
  • Transfer mechanism: N/A (no International Transfer)

Recorde
  • Service provided: Application usage analytics
  • Location: United Kingdom
  • Transfer mechanism: N/A (no International Transfer)

Resend
  • Service provided: Transactional email delivery (account and system notifications)
  • Location: Ireland
  • Transfer mechanism: UK adequacy regulation (Article 45 UK GDPR)

Stripe Payments Europe, Limited (with Stripe, Inc. as onward processor)
  • Service provided: Payment processing, subscription billing, and related financial services
  • Location: Republic of Ireland (primary Processing); United States (onward transfer to Stripe, Inc.)
  • Transfer mechanism: UK adequacy regulation for transfers to Ireland (Article 45 UK GDPR); UK Addendum to the EU Standard Contractual Clauses and Stripe's Data Privacy Framework certification (UK Extension) for onward transfers to the United States

Contact

For questions about this DPA, requests for a signed copy, or to discuss a Custom DPA for an Enterprise subscription, please contact:

Pendra AI Ltd

legal@pendra.ai