1. RuleUp Ltd, a company incorporated in England under registration number 16083033, whose registered office is at 128 City Road, London, United Kingdom, EC1V 2NX (the “Supplier”); and
2. Customers of RuleUp Ltd, as identified in agreements for the provision of services (“Customer”).

1. The Supplier provides data processing services (“Services”) to its Customers.
2. The Parties entered into an agreement for the provision of Services on the date the Customer registered for an account with the Supplier (“Agreement”).
3. This Data Processing Agreement (“DPA”) governs the Supplier’s Processing of Personal Data in the provision of Services, supplementing the Agreement.

In this DPA:

• Addendum: The International Data Transfer Addendum to the New Standard Contractual Clauses, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as updated.
• Affiliate: Any entity controlling, controlled by, or under common control with another entity, where “control” means direct or indirect ownership of more than 50% of voting interests.
• Data Protection Law: Applicable data protection and privacy laws, including:
  • GDPR (Regulation (EU) 2016/679 and the UK GDPR).
  • Laws of the European Union, EEA member states, Switzerland, and the United Kingdom.
  • Any applicable privacy laws of other jurisdictions.
• GDPR: The EU General Data Protection Regulation and the UK GDPR.
• New Standard Contractual Clauses: The European Commission’s Implementing Decision (EU) 2021/914 standard clauses for transferring personal data to third countries, as updated.
• Personal Data: As defined in Data Protection Law.
• Processing: Any operation performed on Personal Data, including collection, storage, and destruction.
• Sub-processor: Any entity engaged by the Supplier to process Personal Data on behalf of the Customer.
• Supervisory Authority: The competent regulatory body under Data Protection Law.
• Personal Data Breach: A breach of security leading to unauthorized access, loss, or disclosure of Personal Data.

Other terms shall have the meanings given in Data Protection Law.

1. The Customer is the Controller, and the Supplier is the Processor for Personal Data processed under this DPA.
2. The Supplier will:
   • Comply with all applicable Data Protection Law.
   • Process Personal Data solely on documented Customer instructions, unless required by law (in which case, the Supplier will notify the Customer unless prohibited).
   • Ensure all Personnel with access to Personal Data maintain confidentiality and process data only for authorized purposes.

• The Supplier will implement technical and organizational measures to protect Personal Data, ensuring:
  • Pseudonymization and encryption, where appropriate.
  • Resilience of processing systems.
  • Data recovery capabilities in the event of incidents.
  • Regular testing of security measures.
• Security measures shall be detailed in Schedule 2 and updated as necessary to ensure effectiveness.

• The Supplier may engage Sub-processors only with prior notification to the Customer.
• The Supplier will:
  • Conduct due diligence on Sub-processors.
  • Ensure Sub-processors agree to obligations no less stringent than this DPA.
  • Remain fully liable for Sub-processor actions.
• Customers may object to Sub-processor appointments within 30 days of notification. If unresolved, the Customer may terminate affected services.

• The Supplier will assist the Customer in responding to Data Subject requests, including access, correction, and deletion requests.
• The Supplier shall notify the Customer promptly (within 24 hours) of any Data Subject request received and assist in fulfilling it.

• The Supplier will notify the Customer without undue delay (within 72 hours) of any Personal Data Breach.
• The Supplier will provide:
  • A description of the breach and its likely consequences.
  • Measures taken to mitigate risks.
• The Supplier will assist the Customer in breach response, including communication with Supervisory Authorities and affected Data Subjects.

• The Supplier will assist the Customer with data protection impact assessments and consultations with Supervisory Authorities as required.

• Upon termination of the Agreement, the Supplier will, at the Customer’s choice, return or delete all Personal Data within 30 days, unless retention is required by law.
• The Supplier will certify deletion upon request.

• The Supplier will provide information necessary to demonstrate compliance with this DPA.
• The Customer may conduct audits annually, providing reasonable notice, and avoiding disruption to the Supplier’s business.
• Audit costs shall be borne by the Customer unless breaches are identified.

• Restricted Transfers will be governed by the New Standard Contractual Clauses and Addendum.
• The Supplier will ensure Restricted Transfers comply with Data Protection Law.

• Neither Party excludes liability for death, personal injury, or fraud.
• Liability for non-compliance with this DPA is subject to limitations set forth in the Agreement.

• This DPA is coterminous with the Agreement unless expressly stated otherwise.
• Variations to this DPA must be agreed upon in writing by both Parties.
• This DPA is governed by the laws of England and Wales, with disputes subject to the exclusive jurisdiction of its courts.

• Subject Matter and Duration
  Processing relates to the provision of Services under the Agreement and continues for its duration.
  Nature and Purpose of Processing
  Processing includes collection, storage, retrieval, and deletion of Personal Data to deliver Services.
  Types of Personal Data
  • Personal details (e.g., names, contact information)
  • Employment information
  • Payment information
  • Technical data (e.g., IP addresses, device identifiers)

  Categories of Data Subjects

  • Customers and their employees.
  • End users of the Customer’s services.

  Obligations and Rights
  The Customer determines the extent of data processing. The Supplier acts on documented instructions.

• Appointment of a Data Protection Officer.
• Data encryption in transit and at rest.
• Regular vulnerability assessments and penetration testing.
• Access controls to ensure authorized use only.
• Incident response plan to address data breaches.
• Staff training on data protection compliance.

• Name: [Insert Name]
• Contact Details: [Insert Details]
• Sub-contracted Activities: [Insert Activities]