AITicketFlow Data Processing Addendum

Last updated: 3 May 2026

Parties

This Data Processing Addendum (“DPA”) is entered into between:

Processor

YACOSMART LTD, a private limited company registered in England and Wales (Company No. 16937189), with its registered office at 192 Downing Road, Dagenham, England, RM9 6LU, operating the AITicketFlow service.

Controller

The customer entity that has entered into the Terms of Service with the Processor and whose personal data is processed under this DPA.

This DPA forms part of and is incorporated into the Terms of Service between the parties. In the event of a conflict between this DPA and the Terms of Service on matters relating to data protection, this DPA prevails.

1. Definitions

In this DPA, the following terms have the meanings given below.

“Applicable Data Protection Law”
Means, as applicable: (a) the UK GDPR (the retained EU law version of Regulation (EU) 2016/679 as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018); (b) EU GDPR (Regulation (EU) 2016/679), where processing involves personal data of individuals in the EEA; (c) the Data Protection Act 2018; and (d) any successor or amending legislation.
“Controller”
Has the meaning given in Applicable Data Protection Law — the entity that determines the purposes and means of processing. Under this DPA, the Controller is the Customer.
“Processor”
Has the meaning given in Applicable Data Protection Law — the entity that processes personal data on behalf of the Controller. Under this DPA, the Processor is YACOSMART LTD.
“Data Subject”
An identified or identifiable living natural person to whom personal data relates — in practice, the Controller's end-users and customers who submit support tickets.
“Personal Data”
Any information relating to an identified or identifiable natural person, as further described in Annex 1.
“Personal Data Breach”
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed under this DPA.
“Sub-processor”
Any third party engaged by the Processor to carry out processing activities on behalf of the Controller in connection with the Service.
“Standard Contractual Clauses” or “SCCs”
The standard contractual clauses for international transfers approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, as applicable.
“Service”
The AITicketFlow platform and related services provided by the Processor under the Terms of Service.

2. Subject Matter, Duration, Nature, and Purpose

2.1 Subject matter. The Processor processes personal data submitted to the Service by or on behalf of the Controller.

2.2 Duration. Processing continues for the duration of the Terms of Service and, thereafter, for the period specified in Clause 8.

2.3 Nature and purpose. The Processor processes personal data to:

  • Receive, store, and display support tickets submitted to the Controller's account
  • Apply AI and machine learning techniques to classify, route, and prioritise tickets
  • Perform sentiment analysis on ticket content to assist the Controller's support agents
  • Generate analytics and reporting dashboards for the Controller
  • Send transactional notifications related to ticket status
  • Maintain the technical operation, security, and integrity of the Service

2.4 Type of processing. Automated processing, including AI/LLM-based classification and routing of ticket content. No solely automated decision-making with legal or similarly significant effects on data subjects is carried out.

3. Categories of Data Subjects and Personal Data

3.1 Data subjects whose personal data may be processed include:

  • The Controller's end-users and customers who submit or are named in support tickets
  • The Controller's support agents who are registered users of the Service

3.2 Categories of personal data that may be processed include:

  • Contact information: name, email address, phone number (where included in ticket content)
  • Ticket content: the text, subject lines, and attachments of support tickets
  • Metadata: timestamps, IP addresses, ticket identifiers, browser or device information
  • Agent data: name, email address, role, and routing history
  • Any other personal data the Controller or its end-users choose to include in ticket content

3.3 Controller responsibility. The Controller is responsible for ensuring the personal data it submits to the Service is processed lawfully. The Processor does not control what personal data end-users include in ticket content.

3.4 Special category data. The Controller must not submit special categories of personal data (Article 9 UK/EU GDPR — including health, biometric, racial, or religious data) to the Service without first agreeing a supplementary written arrangement with the Processor. The Processor's standard measures are not designed for special category data.

4. Processor Obligations

4.1 Instructions. The Processor shall process personal data only on the Controller's documented instructions, as set out in this DPA and the Terms of Service. The Processor will promptly notify the Controller if it believes any instruction infringes Applicable Data Protection Law.

4.2 Confidentiality. The Processor shall ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations, whether contractual or professional.

4.3 Security. The Processor shall implement and maintain the technical and organisational security measures described in Annex 2. These measures may be updated from time to time; no update will materially reduce the level of protection.

4.4 Data subject rights. The Processor shall provide reasonable assistance to the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, and objection). Where the Processor receives a data subject request directly, it shall forward it to the Controller promptly and take no further action without the Controller's instruction.

4.5 Breach notification. The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach. Notification shall include, to the extent available: (a) the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) the likely consequences; and (d) measures taken or proposed. Where full information is not available within 72 hours, the Processor shall provide available information and supplement it as more becomes known.

4.6 DPIAs and prior consultation. The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and engaging with supervisory authorities, to the extent the Processor holds relevant information.

4.7 Compliance information. The Processor shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with this DPA, subject to the audit provisions in Clause 7.

5. Sub-processors

5.1 General authorisation. The Controller provides general authorisation for the Processor to engage the categories of sub-processor listed in Annex 3. The Processor shall impose data protection obligations on each sub-processor equivalent to those in this DPA and shall remain liable for their acts and omissions.

5.2 New sub-processors. Before engaging a new sub-processor or making material changes to existing arrangements, the Processor shall give at least 14 days' prior written notice by email or in-app notification.

5.3 Right to object. The Controller may object to a new sub-processor on reasonable grounds by notifying the Processor in writing within the 14-day notice period. If the Processor cannot accommodate the objection, the Controller may terminate the Terms of Service without penalty and receive a pro-rated refund of prepaid fees for the unused subscription period.

5.4 Processor liability. The Processor remains liable to the Controller for the acts and omissions of its sub-processors to the same extent it is liable for its own acts under this DPA.

6. International Transfers

6.1 The Processor shall not transfer personal data outside the UK or EEA unless: (a) the destination country benefits from an adequacy decision under UK GDPR or EU GDPR; (b) appropriate safeguards are in place under Article 46 UK/EU GDPR, including SCCs; or (c) another lawful basis applies.

6.2 Where the Processor or a sub-processor transfers personal data to a third country not covered by adequacy, the Processor shall ensure the transfer is governed by the UK IDTA, the EU SCCs (Module 2 or 3 as applicable), or the UK Addendum to the EU SCCs.

6.3 The Controller acknowledges that sub-processors providing LLM/AI services may be based outside the UK/EEA. The Processor will ensure all such transfers are governed by appropriate transfer mechanisms and will disclose the relevant mechanism in Annex 3.

6.4 Incorporation of SCCs. Where Applicable Data Protection Law requires SCCs or equivalent safeguards for any transfer carried out under this DPA, those clauses are incorporated by reference and form part of this DPA. The Processor acts as data exporter and the relevant sub-processor as data importer where applicable.

7. Audits and Inspections

7.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.

7.2 The Controller may, on at least 30 days' prior written notice and no more than once per calendar year (unless a Personal Data Breach has occurred), conduct or commission an audit of the Processor's relevant processing activities. Audits shall be conducted at the Controller's cost, during normal business hours, and in a manner that minimises disruption to the Processor's operations.

7.3 The Processor may satisfy the audit obligation by providing a current independent third-party audit report or security certification. Where such a report reasonably addresses the Controller's concerns, no further on-site audit shall be required.

7.4 All information obtained during an audit shall be treated as the Processor's confidential information.

8. Return and Deletion of Data

8.1 On termination or expiry of the Terms of Service, the Processor shall, at the Controller's written election within 30 days of the termination date: (a) return all personal data in a commonly used machine-readable format; or (b) securely delete or destroy all personal data. Either action will be completed within 30 days of the election.

8.2 If the Controller does not make an election within 30 days of the termination date, the Processor may delete all personal data without further notice.

8.3 The Processor may retain personal data beyond the deletion period to the extent required by applicable law, processing it solely for that purpose and for no other.

8.4 On request, the Processor shall provide written confirmation that deletion has been completed.

9. Liability and Indemnity

9.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

9.2 The Processor's aggregate liability under this DPA shall not exceed the liability cap in the Terms of Service (total fees paid in the preceding 12 months), except for: (a) wilful misconduct or gross negligence; or (b) liability that cannot be excluded by law.

9.3 Where a data subject brings a claim against the Controller and the Controller pays compensation attributable to the Processor's breach of this DPA, the Processor shall indemnify the Controller for the portion of that compensation corresponding to the Processor's share of responsibility.

9.4 Where both parties contribute to damage suffered by a data subject, liability shall be apportioned according to their respective degree of responsibility.

10. Governing Law

This DPA is governed by the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales for any disputes arising under or in connection with this DPA.

Annex 1 — Categories of Personal Data and Data Subjects

| Category | Examples | Data subjects |
|---|---|---|
| Contact information | Name, email address, phone number | End-users submitting tickets |
| Ticket content | Subject line, message body, attachments | End-users; agents |
| Metadata | Timestamps, IP addresses, ticket IDs, browser/device info | End-users; agents |
| Agent data | Name, email, role, routing history | Controller's support agents |

Annex 2 — Technical and Organisational Security Measures

The Processor currently maintains the following measures. These may be updated; no update will materially reduce the level of protection.

  • Encryption in transit: All data transmitted between clients and the Service uses HTTPS/TLS 1.2 or higher.
  • Encryption at rest: Personal data stored in the Processor's systems is encrypted using AES-256.
  • Access controls: Access to production systems and customer data is restricted by role. The principle of least privilege is applied. Access permissions are reviewed regularly.
  • Personnel obligations: All personnel with access to personal data are subject to confidentiality obligations.
  • Hosting: Primary infrastructure is located in the EU/EEA.
  • Breach response: The Processor maintains an incident response procedure designed to detect, contain, and notify breaches within the 72-hour window.
  • Sub-processor controls: All sub-processors are subject to data processing agreements.

Annex 3 — Authorised Sub-processors

The following categories of sub-processors are currently authorised. The Processor will maintain and publish a current list of named sub-processors and notify the Controller of changes in accordance with Clause 5.2.

| Category | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Cloud infrastructure | Hosting, storage, databases | EU/EEA | Adequacy / no transfer |
| LLM / AI API provider | Ticket classification and routing | US | EU SCCs / UK IDTA |
| Email delivery | Transactional notifications | EU or US | Adequacy / SCCs where applicable |
| Payment processor (Stripe) | Billing and subscription management | US / EU | SCCs / adequacy |

Note: Stripe processes billing data only and does not have access to ticket content or end-user personal data submitted through the Service.