Data Processing Addendum

Last updated: December 2025

This Data Processing Addendum (DPA) is made available by:

(1) Reward Logic Ltd, a company incorporated in England and Wales with registered number 16637100 and registered office at 71A Broxholm Road, London, England SE27 0BJ (Provider).

This DPA is entered into by each Customer that enters into an Agreement with the Provider for access to, or use of, the Services.

In this DPA, Customer means the legal entity that has entered into the Agreement and on whose behalf the Provider Processes Personal Data as a Processor under the Agreement. If you accept or agree to the Agreement or this DPA on behalf of a legal entity, you represent that you have authority to bind that entity.

This DPA forms part of and is incorporated into the Master SaaS Subscription Agreement and or the Online Terms and Conditions between the parties that govern the Customer's access to and use of the Services, including any trial, pilot, proof of concept, demo, beta, pre-release, or other evaluation access (together, the Agreement). For the purposes of the Agreement, this DPA is the single canonical data processing agreement text that applies whenever the Provider Processes Personal Data on behalf of the Customer as a Processor under the Agreement.

If there is any conflict or inconsistency between this DPA and the remainder of the Agreement in relation to the Processing of Personal Data, this DPA will prevail to the extent required to comply with Data Protection Laws.

1. Definitions

1.1 In this Agreement:

  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process and Processing have the meanings given in Data Protection Laws.
  • Customer Data means Customer Data as defined in the Agreement and, for the purposes of this DPA, includes any Personal Data Processed by the Provider on behalf of the Customer under the Agreement.
  • Data Protection Laws means all applicable data protection and privacy laws in the United Kingdom and, where applicable, the European Union and any other jurisdiction in which Personal Data is Processed under the Agreement, including the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR, and any local implementing or supplementary legislation, in each case as amended, superseded or replaced from time to time.
  • Services means the services (or equivalent term) provided by the Provider under the Agreement.
  • Sub processor means another Processor engaged by the Provider to Process Personal Data on behalf of the Customer.

1.2 Capitalised terms not defined in this DPA have the meanings given in the Agreement.

2. Subject matter and duration

2.1 The Provider will Process Personal Data on behalf of the Customer in connection with the provision of the Services, as described in Annex 1 to this DPA.

2.2 The duration of the Processing will be for the term of the Agreement (including any trial or evaluation period) and any additional period during which the Provider Processes Personal Data in accordance with the Agreement, this DPA, the Provider's data retention policies and applicable Data Protection Laws, unless otherwise required by applicable law.

3. Roles and general obligations

3.1 For the purposes of Data Protection Laws and in respect of Customer Data that is Personal Data, the Customer is the Controller and the Provider is the Processor.

3.2 Each party will comply with its respective obligations under Data Protection Laws in relation to Personal Data Processed under this DPA.

4. Controller instructions

4.1 The Provider will Process Personal Data only:

  • on the documented instructions of the Customer, as set out in the Agreement, this DPA and any applicable Order, Order Form, invoice, trial activation, or other order document or written instructions agreed between the parties; or
  • as required by applicable law. In that case the Provider will inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.2 The Customer instructs the Provider to Process Personal Data to:

  • provide, operate, secure, maintain and support the Services,
  • perform the Provider's obligations and exercise its rights under the Agreement, and
  • comply with applicable law.

4.3 If the Provider believes that an instruction from the Customer infringes Data Protection Laws, it will inform the Customer without undue delay and may suspend the relevant Processing until the Customer confirms, amends or withdraws the instruction.

5. Confidentiality

5.1 The Provider will ensure that persons authorised to Process Personal Data are subject to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

6. Security

6.1 The Provider will implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction or damage, considering the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks to Data Subjects, as described in Annex 2.

6.2 In assessing and updating its security measures, the Provider will consider the nature of the Processing and the risks to the rights and freedoms of Data Subjects.

7. Sub processors

7.1 The Customer gives a general authorisation to the Provider to appoint Sub processors to Process Personal Data in connection with the Services.

7.2 The Processor will:

  • ensure that any Sub processor is bound by a written contract that imposes obligations that are no less protective of Personal Data than those set out in this DPA; and
  • remain liable to the Customer for the acts and omissions of its Sub processors as if they were the Provider's own.

7.3 The Provider engages the Sub processors listed in Annex 3 to Process Personal Data on behalf of the Customer. The Provider will ensure that all Sub processors are subject to data protection obligations no less protective than those set out in this DPA and will notify the Customer in advance of any intended addition or replacement of Sub processors.

7.4 The Provider will notify the Customer in advance of any intended addition or replacement of a Sub processor that will Process Personal Data. The Customer may object on reasonable grounds relating to data protection within thirty days of such notice. If the parties cannot resolve the objection in good faith within a further thirty days, then:

  • the Provider may choose not to appoint or replace the Sub processor; or
  • the Customer may terminate the affected element of the Services on written notice within thirty days, in which case the Provider will refund any prepaid Fees for the terminated element of the Services for the period after termination.

8. International transfers

8.1 The Provider may Process Personal Data and or permit Sub processors to Process Personal Data in countries outside the United Kingdom and or the European Economic Area, provided that such Processing is carried out in compliance with Data Protection Laws and, where required, one or more of the following applies:

  • the destination country has been recognised as providing an adequate level of protection under Data Protection Laws; or
  • appropriate safeguards are in place, such as standard contractual clauses, an international data transfer addendum or agreement, binding corporate rules or another lawful transfer mechanism approved under Data Protection Laws; or
  • an exemption or derogation applies under Data Protection Laws.

8.2 Where standard contractual clauses, an international data transfer addendum or similar instruments are required, the parties (and, where relevant, the Provider and any Sub processor) will enter into and comply with those documents as required by Data Protection Laws.

8.3 To the extent that any such standard contractual clauses, addendum or similar instruments are entered into under this clause 8, in the event of any conflict between those instruments and this DPA or the Agreement, the relevant instruments will prevail to the extent required by Data Protection Laws.

8.4 The duration of any international transfers will be the same as the duration of the Processing set out in clause 2.2 and Annex 1, subject to any longer period required by applicable law.

9. Assistance and data subject rights

9.1 Taking into account the nature of the Processing and the information available to the Provider, the Provider will assist the Customer, at the Customer's cost, in:

  • responding to requests from Data Subjects to exercise their rights under Data Protection Laws in respect of Personal Data Processed under the Agreement; and
  • ensuring compliance with the Customer's obligations relating to security, Personal Data Breaches, data protection impact assessments and prior consultations with supervisory authorities, in each case solely in relation to the Processing of Personal Data by the Provider and taking into account the nature of the Processing and the information available to the Provider.

9.2 The Customer is responsible for handling and responding to Data Subject requests. If the Provider receives a request directly from a Data Subject that identifies the Customer or clearly relates to the Services, it will, to the extent permitted by law, promptly notify and forward the request to the Customer and will not respond to the request except on the documented instructions of the Customer or as required by law.

10. Personal Data Breaches

10.1 The Provider will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data in Customer Data.

10.2 The notification will describe, to the extent known to the Provider at the time:

  • the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
  • the likely consequences of the Personal Data Breach; and
  • the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Provider will provide further information as it becomes available.

10.3 The Provider will take reasonable steps to mitigate the effects of the Personal Data Breach and to prevent recurrence and, taking into account the nature of the Processing and the information available to it, will assist the Customer, at the Customer's cost, in complying with its obligations under Data Protection Laws in relation to the Personal Data Breach.

11. Audits and information

11.1 The Provider will make available to the Customer such information as the Customer may reasonably require to demonstrate the Provider's compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to the following:

  • any audit will be on at least thirty days' prior written notice to the Provider (except where a competent supervisory authority requires shorter notice),
  • audits will be carried out during normal business hours and in a manner that minimises disruption to the Provider's business,
  • the scope of any audit will be limited to information and systems relevant to the Processing of Personal Data under the Agreement,
  • the Customer may not conduct more than one audit in any twelve month period, except where required more frequently by a competent supervisory authority or following a material Personal Data Breach, and
  • the Customer and its auditors will be bound by reasonable confidentiality obligations and the Provider's security policies and obligations owed to third parties.

11.2 The Customer agrees that its audit rights under this DPA may be satisfied, in whole or in part, by the Provider providing then current third party attestations, certifications or reports (for example, ISO 27001 certificates, SOC 2 reports or summaries of security practices) that cover the relevant scope.

11.3 Nothing in this clause 11 requires the Provider to disclose information that is subject to legal privilege or that would compromise the security of the Provider's or its other customers' data or systems.

11.4 Audits and inspections under this clause 11 will be at the Customer's cost, including the Provider's reasonable costs of supporting the audit.

12. Return and deletion of Personal Data

12.1 Following the end of the provision of the Services relating to the Processing of Personal Data, the Provider will, at the choice of the Customer and subject to the Agreement, either:

  • return all Personal Data to the Customer in a commonly used electronic format; or
  • delete all Personal Data,

and delete existing copies, unless applicable law requires storage of the Personal Data. For the avoidance of doubt, this clause 12.1 does not require the Provider to delete or return any Derived Data or other data that has been irreversibly anonymised or aggregated so that it no longer constitutes Personal Data and no individual or the Customer is identifiable.

12.2 The Customer acknowledges that the Provider's obligations in this clause 12 are subject to the Provider's backup and archival policies and to any retention required under applicable law, provided that any retained Personal Data remains subject to appropriate confidentiality and security measures and is Processed only as necessary for the purposes specified in that law, and the Provider will delete any remaining copies within a reasonable period once such retention is no longer required.

13. Liability

13.1 Any limitations or exclusions of liability in the Agreement apply to this DPA, except to the extent prohibited by Data Protection Laws.

13.2 Neither party limits or excludes any liability that cannot be limited or excluded under Data Protection Laws.

14. Governing law and jurisdiction

14.1 This DPA is governed by the law that governs the Agreement.

14.2 The courts that have jurisdiction under the Agreement will have jurisdiction over any dispute or claim arising out of this DPA.

___________________________________________________________________________________________

Annex 1: Details of Processing

1. Subject matter

Processing of Personal Data in Customer Data in connection with the provision of the Services, being a business-to-business software as a service job evaluation, role profiling and compensation benchmarking platform used to design, manage and analyse job architecture, role evaluations and related HR workflows.

2. Duration

For the term of the Agreement, including any trial or evaluation period, and any additional period reasonably required for export and deletion of Customer Data, including retention in backups in accordance with the Processor's backup and archival policies, unless a longer period is required by law.

3. Nature and purpose of Processing

Hosting, storage, retrieval, transmission, analysis, calculation, scoring, reporting, configuration, workflow management, support, backup and recovery of Customer Data, as necessary to:

  • provide, operate and support the job evaluation, role profiling, grading and compensation benchmarking functionality of the Services;
  • generate dashboards, reports and analytics on roles, grades, ranges and market positioning; and
  • perform the Processor's obligations under, and exercise its rights in, the Agreement.

4. Types of Personal Data

The Personal Data processed typically includes the following types of data, to the extent submitted by or on behalf of the Controller:

  • Identification data, for example name, role or job title, employee ID or similar internal identifier.
  • Contact data, for example work email address and work telephone number.
  • Employment data, for example employing entity, department, business unit, location, manager, organisational hierarchy, grade or level, job family, job architecture attributes, compensation band or range, full time equivalent status and tenure banding.
  • System usage data, for example login times, authentication logs, role and permission assignments, workflow actions, job evaluation actions and changes to records.

No special category Personal Data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life or sexual orientation, or biometric data for identification) is required for, or intended to be processed by, the Services and the Processor does not request such data. Special category Personal Data will only be processed if expressly agreed in writing between the parties, including agreement on appropriate safeguards.

5. Categories of Data Subjects

  • Employees, workers and contractors of the Controller and its group companies.
  • Other individuals whose data the Controller chooses to input to the Services.

6. Processing instructions

  • As described in the Agreement, this DPA and any Order or other order document.
  • Any additional documented instructions that the Controller provides and the Processor agrees to in writing.

___________________________________________________________________________________________

Annex 2: Technical and Organisational Measures

The Processor maintains the following technical and organisational measures in relation to the Services, designed to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction or damage, appropriate to the nature of the Personal Data and the risks associated with a business-to-business job evaluation and compensation benchmarking SaaS platform:

1. Organisation of information security

  • Information security roles and responsibilities defined.
  • Access to production systems limited to authorised personnel.

2. Physical and environmental security

  • Hosting in professionally managed data centres with physical access controls.
  • Data centre environmental controls, including power, cooling and fire suppression.

3. Access control

  • Role based access control.
  • Unique user IDs for all personnel with access to Personal Data.
  • Strong authentication and password policies.
  • Access granted on a least privilege and need to know basis.
  • Regular review of access rights.

4. Data security

  • Encryption of data in transit using industry standard protocols.
  • Encryption of data at rest using industry standard algorithms.
  • Segregation of customer environments at the logical or database level.

5. Operations and change management

  • Change control procedures for application and infrastructure changes.
  • Logging and monitoring of key system events.
  • Regular vulnerability management and patching.

6. Backup and recovery

  • Regular backups of production data.
  • Recovery procedures and periodic testing.

7. Incident management

  • Defined incident response process, including classification and escalation.
  • Processes to detect and respond to security incidents and Personal Data Breaches.

8. Business continuity

  • Business continuity and disaster recovery planning.
  • Use of redundant infrastructure where appropriate.

9. Compliance and testing

  • Periodic internal reviews of security measures.
  • External assessments or certifications where applicable.

___________________________________________________________________________________________

Annex 3 – Sub Processors

The Provider engages the following Sub processors to Process Personal Data on behalf of the Customer in connection with the Services.

Supabase Inc

  • Purpose of processing: Cloud database hosting, authentication services, and file storage supporting core platform functionality
  • Categories of personal data: User account and authentication data, access controls, audit logs
  • Processing location: European Union

Vercel Inc

  • Purpose of processing: Frontend application hosting and delivery, including handling authenticated user sessions and application traffic
  • Categories of personal data: User identifiers, session metadata, IP addresses
  • Processing location: European Union

Railway Corp

  • Purpose of processing: Backend application and API hosting supporting core platform services
  • Categories of personal data: User identifiers and system metadata
  • Processing location: European Union

Resend, Inc

  • Purpose of processing: Transactional email delivery for account invitations, authentication, and system notifications
  • Categories of personal data: Names and email addresses
  • Processing location: European Union