Data Processing Agreement (DPA)

1. Definitions

"Data Protection Laws" means the EU General Data Protection Regulation 2016/679 ("GDPR"), any supplementary national legislation, and, where applicable, the UK GDPR. "EU SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as may be amended or replaced. "Sub-processor" means another processor engaged by Stratavor to process Personal Data on behalf of Customer.

2. Roles and Scope

2.1 Customer acts as Controller and Stratavor acts as Processor with respect to the Personal Data processed under the MSA and this DPA.

2.2 The subject-matter, nature and purpose of processing, the categories of Personal Data and Data Subjects are described in Annex I.

3. Processor Obligations

Stratavor shall: (a) process Personal Data only on documented instructions from Customer, including transfers to a third country; (b) ensure persons authorised to process Personal Data are bound by confidentiality; (c) implement the technical and organisational measures set out in Annex II; (d) notify Customer without undue delay of a Personal Data Breach; (e) assist Customer with Data Subject requests, DPIAs and supervisory-authority consultations; (f) delete or return Personal Data at termination, subject to legal retention obligations; (g) make available information necessary to demonstrate compliance and allow for audits in accordance with clause 7.

4. Sub-processing

4.1 Customer hereby grants general authorisation for Stratavor to engage Sub-processors listed in Annex III. Stratavor shall impose on each Sub-processor the same data-protection obligations as set out in this DPA.

4.2 Stratavor will notify Customer in advance of any intended changes concerning the addition or replacement of Sub-processors, giving Customer ten (10) days to object on reasonable grounds.

5. International Transfers

Where Stratavor or its Sub-processors process Personal Data outside the EEA, Stratavor shall ensure such processing is subject to a lawful transfer mechanism under Chapter V GDPR, including the EU SCCs.

6. Liability and Indemnity

Liability under this DPA is subject to the limitations set forth in the MSA.

7. Audit

Upon written request no more than once per year, Stratavor shall provide audit summaries. On-site audits may be conducted at Customer's cost with 30 days' notice and subject to confidentiality.

8. Term

This DPA remains in force for the term of the MSA and so long as Stratavor processes Personal Data for Customer.

ANNEX I – Data Processing Details

Controller: Customer entity identified in Order Form. Processor: Stratavor Limited.

Subject-matter: Ingestion, transformation, aggregation and visualisation of financial and operational data to generate Board-Pack slides/dashboards hosted on the Stratavor SaaS platform.

Nature & Purpose: Cloud storage, computation, analytics, AI-assisted insight generation, and web-based presentation to authorised users.

Categories of Personal Data: Employee identifiers (name, email), customer/vendor contact details, transaction-level meta-data, usage logs, optional HR metrics.

Data Subjects: Customer employees, contractors, customers and suppliers.

Special Categories: None intentionally processed.

Duration: Subscription Term plus 60 days secure retention for export, then deletion.

ANNEX II – Technical & Organisational Measures

Access Control: Role-based access, MFA for all admin interfaces.

Encryption: AES-256 at rest, TLS 1.2+ in transit.

Network Security: Segmented VPC, WAF, continuous vulnerability scanning.

Monitoring: 24×7 log aggregation, SIEM alerts, automated anomaly detection.

Business Continuity: Daily backups with geo-redundancy; board-pack files replicated across zones.

Secure Development: OWASP-aligned SDLC, peer code reviews, dependency scanning.

Vendor Management: Sub-processor security due-diligence and annual review.

Physical Security: Cloud provider data-centre certified ISO 27001, SOC 2 Type II.

ANNEX III – Authorised Sub-processors

Stratavor's authoritative Sub-processor Register is maintained and published. Material updates are version-controlled and notified in accordance with this DPA. View the current Sub-processor Register on the Trust centre (Sub-processor Register page).