Data Processing Agreement

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("Agreement") is entered into between (1) VETTEDBUILDER LTD (the "Company"), a company incorporated in England and Wales (company number 17041601) with its registered office at 69 Stokoe Avenue, Altrincham, WA14 4LF and (2) the Client identified in or accepting the Terms. This Agreement forms part of and is incorporated into the Marketplace Terms and Conditions (Services) (the "Terms") for the Company's platform and marketplace (the "Platform"). For processing where the Company acts as an independent Controller, that processing is governed by the Company's applicable privacy notice(s) (including the Privacy Policy referenced in the Terms) and this Agreement does not modify the Company's Controller obligations.

This Agreement is incorporated into and forms part of the Marketplace Terms and Conditions (the "Terms") for the Platform. This Agreement constitutes the data processing agreement and data processing addendum referenced in the Terms and applies mandatorily to all processing of Protected Data through the Platform where the Company acts as a Processor. By accepting the Terms, whether by clicking "I accept" or a similar button or by accessing or using the Platform, Client explicitly agrees to be bound by this Agreement. This Agreement is deemed to be an integral part of the Terms entered into between the Company and the Client and shall take precedence over any general data processing provisions in the Terms to the extent of any inconsistency.

Under this Agreement, Company acts as a Processor and processes Personal Data on behalf of Client, which acts as the Controller, in connection with Client's use of the Platform. Company may also act as an independent Controller only where and to the extent it processes Personal Data for its own legitimate business purposes that are separate from providing the Platform to Client (for example, billing, payments, account administration, service communications, trust and safety, fraud prevention, security monitoring, and compliance), in each case in accordance with Applicable Privacy Laws and Company's applicable privacy notice(s).

DEFINITIONS

For the purposes of this Agreement, the terms: "Controller", "Data Subject", "Joint Controllers", "Personal Data", "Personal Data Breach", "Processing", "Processor", "Special Categories of Personal Data", and "Sub-Processor" shall have the meanings given to them in the UK GDPR and the Data Protection Act 2018. The following additional terms shall have the meanings:

1. Client means the entity or person that has agreed to the Terms to use the Platform.

2. Company means VETTEDBUILDER LTD, a company incorporated in England and Wales with company number 17041601 and its registered office at 69 Stokoe Avenue, Altrincham, WA14 4LF

3. Applicable Privacy Laws means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended ("PECR"); and, where applicable to the relevant Processing, Regulation (EU) 2016/679 (General Data Protection Regulation) (the "EU GDPR"); and the guidance and codes of practice issued by the Information Commissioner (ICO) (or any successor supervisory authority) and which are applicable to a party.

4. Protected Data means the Personal Data which is uploaded to, generated within, transmitted through, or accessed via the Platform and processed by Company in its capacity as Processor on behalf of Client (acting as Controller) in connection with Client's use of the Platform, including any Personal Data transferred through third-party integrations enabled by or on behalf of Client, and including voice data processed via third-party AI services (including large language models). For the avoidance of doubt, Protected Data as defined herein constitutes "Client Data" as that term is used in the Security section of the Terms.

Any other capitalised terms in this Agreement, not defined herein, shall have the meanings set out in the Terms.

1. Scope of this Agreement

For the purposes of this Agreement and the Terms, the parties acknowledge and agree that:

(a) This Agreement applies to all Personal Data processed by the Company through the Platform on behalf of the Client, including data accessed through applications, web portals, APIs, and third-party integrations, which shall be processed in compliance with the Applicable Privacy Laws.

(b) Independent Controllers. This Agreement does not apply to the parties' respective obligations as independent Controllers of Personal Data. Company and the Client operate as separate Controllers in respect of the Personal Data either party may independently process in connection with the performance of obligations under the Terms or otherwise, and each party is independently responsible for its compliance as Controller for such Processing.

• the Company shall be deemed a separate Controller for any Personal Data it Processes for billing, payments, account administration, service communications, trust and safety, fraud prevention, security monitoring, product improvement (using aggregated and/or anonymised data where feasible), and compliance with law in connection with the provision and administration of the Platform.
• Client shall be deemed a separate Controller for Personal Data it submits to the Platform and determines the purposes and means of Processing for, including Personal Data relating to its employees, contractors, clients, end users, and other individuals.
• The parties hereby undertake to comply with Applicable Privacy Laws which apply to them as separate Controllers and to be liable separately for their own obligations and responsibilities when acting as separate Controllers.

2. Roles of the Parties

The parties agree that this Agreement shall only apply to processing activities whereby:

(a) The Protected Data is processed by Company on behalf of Client in connection with the performance of the Company's obligations to provide the Platform under the Terms.

(b) The Company acts as a Processor for Protected Data processed through the Platform on Client's behalf, and acts as an independent Controller only for the limited purposes described in Section 1(b) above.

Nothing in this Agreement relieves either party of any of their respective responsibilities or liabilities under the Applicable Privacy Laws.

3. Client's Compliance with Applicable Privacy Laws

When acting as Controller, Client shall at all times comply with all Applicable Privacy Laws. Client shall ensure that all instructions given by it to the Company in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with Applicable Privacy Laws. Client shall be solely responsible for:

(a) ensuring that it has a lawful basis for processing all Personal Data submitted to the Platform, including establishing appropriate lawful bases under UK GDPR Article 6 for standard Personal Data and (where applicable) the required condition(s) under Article 9 for Special Categories of Personal Data;

(b) ensuring that any Personal Data it submits to or makes available via the Platform is adequate, relevant and limited to what is necessary for the Client's purposes (data minimisation) and is accurate and kept up to date where required;

(c) obtaining all applicable consents where consent is the lawful basis for processing (including for any direct marketing communications sent by Client and any use of cookies/trackers by Client outside the Company's control);

(d) providing all advance notice and information of the processing contemplated hereunder to Data Subjects as required under Articles 13-14 UK GDPR, including where Client uses the Platform to communicate with consumers, request/receive leads, provide quotes, or otherwise process consumer or end-user Personal Data for Client's own purposes; and

(e) ensuring it has all necessary rights, permissions and notices in place to upload, share or otherwise make available Personal Data via the Platform (including any photos, documents or free-text content containing third-party Personal Data).

4. Company's Compliance with Applicable Privacy Laws

Company shall process Protected Data (including Special Categories of Personal Data where applicable) in compliance with the obligations placed on it under Applicable Privacy Laws and the terms of this Agreement. Where Company processes Special Categories of Personal Data (for example, to the extent biometric data is processed for identification purposes by an identity verification provider, or where such data is otherwise uploaded to the Platform by or on behalf of Client), Company shall: (i) implement technical and organisational measures appropriate to the sensitivity of such data; (ii) ensure that personnel accessing such data are subject to confidentiality obligations and appropriate training; and (iii) process such data only to the extent necessary to provide the Platform in accordance with Client's documented instructions and this Agreement.

5. Instructions

Company shall only process (and shall ensure that its personnel and Sub-Processors only process) the Protected Data in accordance with the Client's documented instructions as set out in Part A of this Agreement, the Terms (to the extent they describe the Processing), and the terms of this Agreement, except to the extent: (a) that alternative processing instructions are agreed between the parties in writing; or (b) otherwise required by Applicable Privacy Laws (in which case, the Company shall inform Client of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). If the Company believes that any instruction received by it from the Client is likely to infringe the Applicable Privacy Laws, the parties shall discuss and agree on appropriate amended instructions which are not infringing.

6. Security

To protect the Protected Data (including Special Categories of Personal Data) against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, the Company shall implement and maintain appropriate technical and organisational measures in accordance with Article 32 of the UK GDPR, as further described in Part B of this Agreement. Where the Platform processes Special Categories of Personal Data (for example, to the extent biometric data is processed for identification purposes), Company shall implement security measures appropriate to the heightened risks associated with such data, and shall review and update such measures as appropriate taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing and the risk to individuals' rights and freedoms arising from unauthorised access or disclosure.

7. Sub-processing

The Company's current list of Sub-Processors is set forth in Part C. The Company shall maintain an up-to-date list of Sub-Processors and shall notify Clients of any intended changes concerning the addition or replacement of Sub-Processors by email (or via the Platform) at least thirty (30) days in advance. Client may object to such changes on reasonable grounds relating to data protection within fourteen (14) days of receiving notice. If Client objects and Company cannot reasonably accommodate Client's objection (including by providing the relevant service without the proposed Sub-Processor, where commercially and technically feasible), then Company may suspend or terminate only the affected services upon written notice, and Client's sole remedy in respect of such change shall be such suspension or termination of the affected services. Company shall ensure that its Sub-Processors are subject to written obligations no less protective than those set out in this Agreement and Company shall remain fully liable to Client for the performance of its Sub-Processors' obligations in relation to the Protected Data.

8. Data Subjects Rights

(a) The Company shall, taking into account the nature of the Processing, assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to requests for exercising the Data Subjects' rights under Chapter III of the UK GDPR (and any similar obligations under Applicable Privacy Laws) in respect of any Protected Data. The Company shall also assist the Client in ensuring compliance with the Client's obligations pursuant to Articles 32 to 36 of the UK GDPR (and any similar obligations under Applicable Privacy Laws), taking into account the nature of the Processing and the information available to the Company. To the extent permitted under the Terms, the Company may charge the Client for reasonable costs incurred in providing assistance which is beyond the assistance required by Article 28(3) UK GDPR.

(b) Client shall promptly notify the Company if it receives a request from a Data Subject or a competent authority under Applicable Privacy Laws in respect of Protected Data. The Company shall not respond to any such request except on the documented instructions of the Client or as required by applicable laws to which the Company is subject, in which case the Company shall, to the extent permitted by applicable laws, inform the Client of that legal requirement before responding to the request.

9. International Transfers

Company shall not transfer Protected Data to countries outside the UK (and, where applicable, outside the EEA) except where such transfer is made in compliance with Applicable Privacy Laws, including where appropriate safeguards are in place through the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (as implemented and completed in accordance with applicable UK requirements), an adequacy regulation, or other approved transfer mechanism under UK GDPR. Where required by Applicable Privacy Laws and having regard to ICO guidance, Company shall carry out and document an appropriate transfer risk assessment and implement supplementary measures as necessary. Company shall maintain a record of applicable international transfers involving Protected Data. If a transfer is required by law, Company will inform the Client of the legal requirement before such transfer, unless prohibited by law.

10. Audits and Processing

The Company shall, in accordance with Applicable Privacy Laws, make available to the Client such information as is necessary to demonstrate the Company's compliance with its obligations under this Agreement and Article 28 of the UK GDPR, including providing (on request) relevant policies, summaries of third-party security/audit reports where available, and responses to reasonable information security questionnaires. The Company shall allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose, provided that:

(a) audits shall be limited to one (1) audit in any twelve (12) month period unless required by a competent supervisory authority or following a Personal Data Breach affecting Protected Data;

(b) audits shall be conducted on reasonable prior written notice, during normal business hours, and in a manner that minimises disruption to the Company's business;

(c) audits shall be subject to appropriate confidentiality obligations and shall not require disclosure of information that would compromise the security, confidentiality, or privacy of other customers; and

(d) Client shall bear its own costs and the Company's reasonable costs of providing assistance for the audit, unless the audit identifies a material breach by Company of this Agreement.

11. Personal Data Breach

Company shall notify the Client without undue delay and in any event within 24 hours after becoming aware of any Personal Data Breach affecting the Protected Data, and shall provide sufficient information to allow the Client to meet its obligations under Articles 33 and 34 of the UK GDPR (as applicable), including to report the breach to the Information Commissioner's Office. The notification shall include, to the extent known at the time: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate number of Personal Data records concerned; (d) likely consequences of the breach; and (e) measures taken or proposed to address the breach. Company shall cooperate with the Client and take all reasonable steps to investigate, mitigate and remediate each such Personal Data Breach, and shall provide updates without undue delay as further information becomes available.

12. Deletion/Return

(a) Upon termination or expiry of the Terms (or upon Client's written request where required by Applicable Privacy Laws), Company shall, at Client's choice, delete or return the Protected Data to Client, and delete existing copies, unless Applicable Privacy Laws require storage of the Personal Data. Company shall provide Client with the ability to export the Protected Data through available export functionality (or, where not available, upon reasonable request) in a commonly used machine-readable format for a period of thirty (30) Business Days following termination or expiry. After that period, Company shall securely delete the Protected Data from its production systems and, to the extent the Protected Data is stored in backups, delete it in accordance with Company's backup deletion and retention cycles, except where required by applicable law to retain such data. Company shall provide written confirmation of deletion upon Client's request.

(b) Notwithstanding the foregoing, Company may retain and use anonymised and aggregated data derived from Client's use of the Platform, provided that such data does not constitute Personal Data and cannot be used to identify (directly or indirectly) any individual Data Subject, Client, or Client's clients, and such anonymisation is performed in accordance with ICO guidance on anonymisation. Such anonymised data may be used for platform improvements, statistical analysis, and service optimisation.

13. Additional Processing Activities

(a) Company may process certain Personal Data as an independent Controller strictly limited to: (1) billing and account administration; (2) payments processing; (3) service communications; (4) platform security monitoring, fraud prevention, abuse detection, and trust and safety; (5) compliance, legal, and regulatory purposes; (6) product and service improvement using aggregated and/or anonymised data where feasible; (7) marketing and promotional communications to Client's authorised users and/or business contacts regarding Company's products and services (where permitted); and (8) processing voice data via third-party AI services (including large language models) to convert speech to text and to train and improve AI modules for Service Providers using voice-enabled features. Such processing will be governed by Company's applicable privacy notice(s) and conducted in accordance with Applicable Privacy Laws.

(b) Each party will provide a compliant data privacy notice to individuals where required under Applicable Privacy Laws for Personal Data it processes as a Controller, informing such individuals of that party's identity, the purposes for which their Personal Data will be processed, and any other information required to ensure fair and transparent processing.

14. Liability

Each party shall be responsible for and shall bear liability for any breach of Applicable Privacy Laws to the extent arising from its own acts or omissions, including: (a) Client's determination of the lawful basis, transparency, and legality of its instructions and Processing as Controller; and (b) Company's compliance with its obligations as Processor under this Agreement. Any liability between the parties arising out of or in connection with this Agreement (whether in contract, tort (including negligence), breach of statutory duty, or otherwise) shall be subject to the limitations and exclusions of liability set forth in the Terms. Nothing in this Agreement limits or excludes either party's liability to the extent it cannot be limited or excluded under applicable law.

15. General Terms

(a) Confidentiality. The confidentiality provisions in the Terms shall apply to all information and data processed under this Agreement. Company shall ensure that all personnel with access to Protected Data are bound by appropriate confidentiality obligations and have received adequate data protection training.

(b) Notices. All notices and communications given under this Agreement must be in writing and will be delivered in accordance with the notice provisions set out in the Terms.

(c) Governing Law and Jurisdiction. This Agreement shall be governed by and construed in accordance with the governing law provisions set out in the Terms. Any dispute arising in connection with this Agreement shall be subject to the jurisdiction provisions set out in the Terms, provided that this does not affect the jurisdiction, powers, or enforcement rights of the Information Commissioner's Office or other relevant supervisory authorities under Applicable Privacy Laws.

Part A: Processing Activities

Processing of the Protected Data by Company under this Agreement and the Terms shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Part A, in accordance with UK GDPR and the Data Protection Act 2018 (and, where applicable, the EU GDPR).

1. Subject-matter of Processing

To enable Client's use of the Platform to operate and manage the Client's interactions with consumers and other users via the marketplace features under the Terms, including: (i) creating and administering user and business accounts and profiles; (ii) enabling in-app messaging and communications between users; (iii) enabling lead, enquiry and quote workflows (including sharing of project details, addresses where works are to be carried out, photos and documents where provided); (iv) enabling publication and management of reviews/ratings and related trust and safety workflows; (v) facilitating payments and billing via Stripe where enabled for the relevant feature(s); (vi) enabling identity verification via a third-party identity verification provider where offered or required; (vii) processing voice data (including voice commands and audio recordings) via third-party AI services (including large language models) to convert speech to text, enable voice-based interaction with the Platform, and train and improve AI modules for Service Providers using voice-enabled features; (viii) hosting, storing, organising, retrieving, transmitting and otherwise processing content and Personal Data submitted to or generated within the Platform as initiated, configured and controlled by Client and its authorised users; and (ix) providing support, security and operational functionality necessary to provide the Platform.

2. Duration of the Processing

For the duration of the Terms, and thereafter for the period set out in Section 12 (Deletion/Return).

3. Nature and Purpose of the Processing

To process Personal Data (including Special Categories of Personal Data where applicable) as necessary to provide the Platform under the Terms, including: (i) providing access to and operation of the Platform features used by Client; (ii) enabling Client to receive, manage and respond to leads/enquiries, issue and manage quotes, and communicate with other users via in-app messaging; (iii) processing voice data (including voice commands and audio recordings) for Service Providers using voice-enabled features via third-party AI services (including large language models) to convert speech to text, enable voice-based interaction with the Platform, and train and improve AI modules; (iv) hosting, storing and transmitting content and Personal Data submitted to the Platform by or on behalf of Client (including free-text, photos and documents, where used); (v) facilitating billing and payments via Stripe where enabled for the relevant feature(s); (vi) enabling identity verification via a third-party provider where offered or required; (vii) providing customer support and responding to service requests; (viii) monitoring performance and maintaining the security, availability, and resilience of the Platform; and (ix) creating backups and disaster recovery copies consistent with Company's backup practices.

4. Type of Personal Data

Personal Data may include (to the extent uploaded to or otherwise processed via the Platform by or on behalf of Client):

(a) Standard Personal Data: names, contact details (email, telephone), account access details (e.g., login credentials where applicable), account/profile information (including business name, trade details, service categories and other profile fields), addresses and location information where provided (including addresses where works are to be carried out), project/job details and related notes, photos/documents uploaded by users, quotes and related transaction/workflow data, communications (including in-app messages and support communications), reviews/ratings and feedback, voice data (including voice commands and audio recordings where used for voice-enabled features), technical/usage data and audit logs; and

(b) Special Categories of Personal Data (where applicable and lawful): biometric data to the extent processed for identification purposes in connection with identity verification (for example, facial matching from a selfie/video), voice data to the extent it constitutes biometric data when processed via third-party AI services (including large language models) for speech-to-text conversion and AI training, and any other Special Categories of Personal Data that a user may upload or share through the Platform (for example, within free-text, photos or documents), in each case only to the extent processed to provide the Platform in accordance with Client's documented instructions and Applicable Privacy Laws.

5. Categories of Data Subjects

Individuals whose Personal Data is processed through the Platform on Client's behalf, including: (i) consumers/customers who create accounts, submit enquiries or project details, message with service providers, request/receive quotes, and post reviews/ratings; (ii) service providers/builders/tradespeople (and their personnel) who create accounts and profiles, respond to leads/enquiries, provide quotes, message with customers, and receive reviews/ratings; (iii) Client's authorised users, administrators and representatives who access and use the Platform; and (iv) any other individuals whose Personal Data is included in content uploaded to or generated within the Platform by or on behalf of Client (for example, where a user shares third-party contact details within an enquiry or message).

Part B: Minimum Technical and Organisational Security Measures

In accordance with Applicable Privacy Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with the Terms, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement and maintain appropriate technical and organisational security measures proportionate to the risk, which shall be reviewed and updated at least annually and upon material changes to the security infrastructure. Such measures shall include, as appropriate:

(a) access controls designed to ensure that only authorised personnel can access Protected Data (including role-based access controls and multi-factor authentication where appropriate);

(b) encryption of Protected Data in transit and at rest where appropriate;

(c) logging and monitoring of access to and activity within systems processing Protected Data;

(d) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

(e) measures to restore availability and access to Protected Data in a timely manner in the event of a physical or technical incident (including backup and disaster recovery processes);

(f) regular testing, assessing, and evaluating of the effectiveness of technical and organisational measures for ensuring the security of the Processing; and

(g) personnel confidentiality obligations and security awareness training. Further details (where applicable) may be made available to Client upon written request, subject to reasonable confidentiality and security restrictions.

Part C: Company's Authorised Sub-Processors and International Data Transfers

The Client authorises the Company to engage the following Sub-Processors in connection with the Processing of Protected Data under this Agreement. The Company shall ensure that each Sub-Processor is subject to written contractual obligations that are no less protective than those set out in this Agreement and in compliance with Article 28 UK GDPR.

1. Hosting and Infrastructure

Google Cloud Platform (UK region & Belgium)

Provider: Google Cloud EMEA Limited

Purpose of Processing: Cloud hosting, database storage, application infrastructure, backups, and system resilience.

Location of Processing: United Kingdom (primary region) & secondary region Belgium for internal portal, test harness, AI agents to run the support incidents and ticket management).

Safeguards: Data processed in UK data centres. Where remote support or transfers occur outside the UK, transfers are subject to appropriate safeguards including UK International Data Transfer Agreement (IDTA), UK Addendum to EU Standard Contractual Clauses, or adequacy regulations as applicable.

2. Payment Processing

Stripe Payments Europe Ltd

Purpose of Processing: Processing subscription fees, per-lead fees, payment authentication, fraud detection and prevention.

Location of Processing: UK / EEA / United States (as applicable).

Safeguards: Transfers outside the UK are subject to appropriate safeguards including UK IDTA, UK Addendum to EU SCCs, or adequacy decisions. The Company does not store full card details.

Note: Stripe may act as an independent Controller for certain payment-related processing under its own privacy policy.

3. Identity Verification Provider

Veriff & Didit

Purpose of Processing: Identity verification of Service Providers and, where applicable, Customers (including document verification and biometric matching where required).

Categories of Data: Identity documents, facial image data, verification results.

Location of Processing: UK / EEA / as specified by provider.

Safeguards: Appropriate safeguards implemented for any international transfers in accordance with UK GDPR.

Where biometric data is processed for identification purposes, processing is carried out in accordance with Article 9 UK GDPR and subject to enhanced security measures.

4. AI and Voice Processing Providers

OpenAI LLC & Google Gemini AI

Purpose of Processing:

• Conversion of voice recordings to text
• Enabling voice-based interaction within the Platform
• Improving platform functionality
• Training and optimisation of AI modules (where data is anonymised)

Categories of Data: Voice recordings, speech-to-text outputs, usage metadata.

Location of Processing: UK / EEA / United States (as applicable).

Safeguards:

• Sub-Processor subject to written data processing terms.
• Personal Data is not used to train general-purpose AI models unless anonymised in accordance with ICO guidance.
• International transfers are subject to UK IDTA, UK Addendum to EU SCCs, adequacy regulations, or equivalent lawful transfer mechanisms.
• Transfer Risk Assessments (TRAs) are conducted where required.

5. Communications and Email Delivery

[Insert Email Service Provider -- e.g. Brevo, SendGrid / Mailgun / Amazon SES]

Purpose of Processing: Delivery of transactional emails, service notifications, and account communications.

Location of Processing: UK / EEA / United States (as applicable).

Safeguards: Transfers protected by appropriate safeguards under Applicable Privacy Laws.

6. Analytics Providers (Where Enabled by Client Configuration)

Google Analytics (Google Ireland Limited)

Purpose of Processing: Platform usage analytics, performance monitoring.

Location: UK / EEA / United States.

Safeguards: IP anonymisation enabled (where applicable), standard contractual safeguards in place.

Note: Analytics processing is subject to end-user consent mechanisms implemented by the Company in accordance with PECR and UK GDPR.