Data Processing Agreement

Last updated: 17 June 2026

This Data Processing Agreement (DPA) forms part of the agreement between you (the Customer) and Collecta and governs how Collecta Processes Personal Data on your behalf when you use the platform. It reflects the requirements of Article 28 of the GDPR and applicable data protection laws.

01 Definitions

The terms below carry the meanings given to them in Article 4 of the EU General Data Protection Regulation (GDPR) and equivalent provisions of the UK GDPR. Capitalised terms not defined here have the meaning set out in the Collecta master subscription agreement.

  • Controller — the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, the Controller is the Customer.
  • Processor — the entity that Processes Personal Data on behalf of the Controller. Under this DPA, the Processor is Collecta.
  • Personal Data — any information relating to an identified or identifiable natural person that is Processed by Collecta on the Customer's behalf under the Agreement.
  • Processing — any operation performed on Personal Data, whether automated or not, including collection, storage, retrieval, use, disclosure, erasure and destruction.
  • Subprocessor — any third party engaged by Collecta to Process Personal Data on the Customer's behalf.
  • Data Subject — the identified or identifiable natural person to whom Personal Data relates.
  • Standard Contractual Clauses (SCCs) — the clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.

02 Roles & scope of processing

The parties acknowledge that, for the purposes of Data Protection Laws, the Customer is the Controller and Collecta is the Processor. Collecta Processes Personal Data only to provide and support the Collecta platform under the Agreement, and only on the Customer's documented instructions. The details of the Processing are as follows:

  • Subject matter — provision of the Collecta multi-tenant operations platform (custom modules, automation, AI agent, reporting and related services).
  • Duration — for the term of the Agreement, plus the return and deletion period described in Section 10.
  • Nature & purpose — hosting, storage, structuring, analysis and transmission of Customer data to deliver the contracted services.
  • Types of Personal Data — account and contact details, authentication data, and any Personal Data the Customer or its users choose to enter into custom module records (which the Customer defines and controls).
  • Categories of Data Subjects — the Customer's employees, contractors, customers, suppliers and other individuals whose data the Customer elects to store in the platform.

03 Processor obligations

Collecta shall:

  • Process Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Collecta will inform the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest);
  • ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement and maintain the technical and organisational measures set out in Section 5; and
  • immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

04 Subprocessors

The Customer provides general authorisation for Collecta to engage Subprocessors to support the delivery of the platform. Collecta imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains fully liable for the performance of its Subprocessors. The current Subprocessors are:

  • Anthropic — AI model processing for the Collecta AI agent (United States).
  • Stripe — payment and subscription processing (United States).
  • Cloud hosting provider — application and database hosting (EU / United States, with an EU data-residency option per Section 11).
  • Email delivery provider — transactional and notification email delivery.

Collecta will give the Customer prior notice of any intended changes concerning the addition or replacement of Subprocessors, giving the Customer a reasonable opportunity to object on legitimate data protection grounds.

05 Technical & organisational measures (TOMs)

Collecta maintains technical and organisational measures appropriate to the risk, as required by Article 32 GDPR. These are described in detail on the security page and include:

  • Tenant isolation — PostgreSQL row-level security (RLS) enforcing strict separation of each tenant's data at the database layer;
  • Encryption at rest — AES-256-GCM encryption for sensitive stored data;
  • Encryption in transit — TLS for all data transmitted between clients and the platform;
  • Authentication — short-lived JWT access tokens with refresh-token rotation, TOTP-based two-factor authentication, and SSO support;
  • Access controls — role- and capability-based access control, with field- and record-level permissions;
  • Auditability — a tamper-evident audit log of user and configuration actions; and
  • Resilience — encrypted, scheduled backups with defined retention.

06 Assistance with data subject requests

Taking into account the nature of the Processing, Collecta provides the Customer with self-service export and deletion tooling and reasonable assistance by appropriate technical and organisational measures, insofar as this is possible, to help the Customer fulfil its obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability and objection).

07 Personal data breach notification

Collecta will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Collecta provides reasonable assistance to support the Customer's own notification obligations to supervisory authorities and affected Data Subjects.

08 Data protection impact assessments & prior consultation

Taking into account the nature of Processing and the information available to it, Collecta provides reasonable assistance to the Customer with any data protection impact assessments and any prior consultation with supervisory authorities that the Customer is required to carry out under Articles 35 and 36 GDPR in connection with its use of the platform.

09 Audits & inspections

Collecta makes available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including relevant audit reports and security documentation. Where this is insufficient, Collecta will allow for and contribute to reasonable on-site audits and inspections, conducted by the Customer or an independent auditor mandated by the Customer, on reasonable prior notice, during normal business hours, and subject to appropriate confidentiality obligations and minimisation of disruption to Collecta's operations.

10 Return & deletion of data on termination

On termination or expiry of the Agreement, the Customer may export its Personal Data using the platform's export tooling. At the Customer's choice, Collecta will then delete the Customer's Personal Data within a defined window after the effective date of termination, unless retention is required by applicable law. Backups containing Personal Data are deleted in the ordinary course in line with the backup retention period.

11 International transfers

Where Collecta transfers Personal Data outside the EEA or the UK to a country without an adequacy decision, such transfers are governed by the Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable), together with appropriate supplementary measures. Customers requiring data to remain in the European Union may elect the EU data-residency option for hosting. More detail is available on our GDPR page.

12 Liability & precedence

This DPA forms part of and is subject to the Agreement. To the extent of any conflict or inconsistency between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. The liability of each party under and in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

13 Term

This DPA takes effect on the date the Customer accepts the Agreement and remains in force for as long as Collecta Processes Personal Data on the Customer's behalf. Provisions that by their nature should survive termination — including those relating to confidentiality, deletion and liability — survive accordingly.

14 Contact

Questions about this DPA or our data protection practices can be directed to our Data Protection Officer at dpo@collecta.app, or via our contact page.