Data Processing Agreement

In this Data Processing Agreement, the following terms have the meanings set out below:

The Controller and Processor agree that, in connection with the provision of the Services:

• The Controller is the business customer who deploys or uses the Dunefox platform on or in connection with their website, messaging channels, or business operations;
• The Processor is Dunefox (Sucetas Technologies UK Ltd, company number 16984447), which processes Personal Data solely on documented instructions from the Controller;
• The Controller determines the purposes and means of processing (e.g. what data to collect from visitors, what the AI chatbot is trained on, and how leads are managed);
• Dunefox processes such data only to the extent necessary to provide the Services and does not process it for its own independent purposes.

Dunefox undertakes, as Processor, to:

1. Process only on instructions: Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by UK law, in which case Dunefox will inform the Controller of that legal requirement before processing, unless prohibited by law.
2. Confidentiality: Ensure that all persons authorised to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).
3. Security: Implement and maintain appropriate technical and organisational security measures in accordance with Article 32 UK GDPR (see Section 6 below).
4. Sub-processors: Not engage any sub-processor without prior general or specific written authorisation of the Controller. Where general authorisation is given, Dunefox will inform the Controller of any intended changes to sub-processors and provide the Controller an opportunity to object (see Section 7).
5. Assist with data subject rights: Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to respond to requests from Data Subjects exercising their rights under UK GDPR (Articles 15–22).
6. Assist with compliance: Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR (security, breach notification, DPIAs, prior consultation).
7. Deletion or return: At the Controller's choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless retention is required by UK law.
8. Audit cooperation: Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits or inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
9. Notify Controller of unlawful instructions: Immediately inform the Controller if, in Dunefox's opinion, an instruction infringes the UK GDPR, DPA 2018, or other applicable data protection law.

The Controller confirms and undertakes that:

1. It has a lawful basis for each processing activity carried out via the Dunefox platform and has complied with all applicable transparency obligations (e.g. privacy notices to Data Subjects);
2. It will not instruct Dunefox to process Personal Data in a manner that would violate the UK GDPR or any other applicable data protection law;
3. It is responsible for configuring the Dunefox platform in accordance with applicable data protection requirements;
4. It will obtain all necessary consents from Data Subjects where required by applicable law before their data is processed via the Dunefox platform;
5. It will inform Dunefox promptly if any of its instructions change.

Dunefox implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

Dunefox may update these measures over time to reflect improvements in industry practice. We will never reduce the overall level of protection provided.

The Controller grants Dunefox general authorisation to engage sub-processors, subject to the conditions in this Section. Dunefox currently uses the following sub-processors in connection with the Services:

Dunefox will notify the Controller of any intended addition or replacement of sub-processors by updating this DPA and providing at least 30 days' notice via email or in-app notification. The Controller may object to the appointment of a new sub-processor within 14 days of notification by notifying Dunefox in writing. If the Controller objects and Dunefox cannot accommodate the objection, the Controller may terminate the Services in relation to the processing that cannot be performed without the objected-to sub-processor.

Dunefox shall impose data protection obligations on each sub-processor equivalent to those in this DPA, and remains liable to the Controller for the acts or omissions of its sub-processors.

Where Dunefox transfers Personal Data outside the UK, it will do so only:

1. To countries that have been granted an adequacy regulation by the UK Secretary of State;
2. Subject to appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) supplemented where necessary by a Transfer Risk Assessment; or
3. In reliance on a derogation under Article 49 UK GDPR.

The current international transfers and applicable safeguards are set out in Section 7 above and in our Privacy Policy — Section 5.

In the event of a confirmed or reasonably suspected Security Incident affecting Personal Data processed under this DPA, Dunefox will:

1. Notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the incident;
2. Provide the Controller with sufficient information to comply with its own breach notification obligations to the ICO (which must be made within 72 hours under UK GDPR Article 33) and, where required, to affected Data Subjects;
3. Cooperate with the Controller in investigating the incident, taking remedial action, and preventing recurrence.

The notification will include: (a) the nature of the incident; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate number of records concerned; (d) likely consequences; (e) measures taken or proposed to address the incident.

Breach notifications should be directed to the Controller's designated security contact. Dunefox's DPO can be reached at sanket@sucetastech.co.uk.

Where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons (as contemplated by Article 35 UK GDPR), Dunefox will cooperate with the Controller in carrying out a Data Protection Impact Assessment and, where required, in any prior consultation with the ICO under Article 36 UK GDPR.

The Controller is responsible for determining whether a DPIA is required for its specific use of the Dunefox platform. Dunefox will provide such information as it reasonably holds to assist in that determination.

Dunefox will assist the Controller in responding to requests from Data Subjects exercising rights under UK GDPR (e.g. access, rectification, erasure, portability, restriction, objection). Upon receiving a data subject rights request that relates to data processed on behalf of a Controller, Dunefox will:

1. Promptly forward the request to the Controller's designated contact;
2. Not respond to the Data Subject directly unless instructed to do so by the Controller;
3. Provide the Controller with assistance, information, and tools to fulfil the request within the UK GDPR's one-month response deadline.

If a Data Subject contacts Dunefox directly about data processed on behalf of a Controller, Dunefox will refer them to the Controller without undue delay.

The Controller has the right to audit Dunefox's compliance with this DPA, subject to the following conditions:

• The Controller provides Dunefox with at least 30 days' written notice of an intended audit;
• Audits are conducted during normal business hours and do not unreasonably disrupt Dunefox's operations;
• Audits are conducted no more than once per calendar year, unless there is a suspected or confirmed Security Incident;
• Any third-party auditor appointed by the Controller must enter into an appropriate confidentiality agreement with Dunefox before the audit;
• The Controller bears the costs of the audit unless the audit reveals a material non-compliance by Dunefox, in which case Dunefox will bear reasonable costs.

As an alternative to a direct audit, Dunefox may provide relevant third-party audit reports, certifications, or security questionnaire responses to satisfy the Controller's compliance verification requirements.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Where both parties are responsible for damage caused by a breach of this DPA or applicable data protection law, each party shall be held liable only for the damage caused by that party's own breach.

Nothing in this DPA limits either party's liability to Data Subjects or to regulatory authorities under applicable data protection law.

This DPA is effective from the date the Controller first accepts the Terms of Service and remains in force for the duration of the Services agreement. It terminates automatically upon expiry or termination of the Terms of Service.

Upon termination, Dunefox will, within 30 days of the Controller's written request, either securely delete or return to the Controller all Personal Data processed under this DPA, together with a written confirmation of deletion, unless UK law requires continued retention.

This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Business customers wishing to execute a signed version of this DPA for their own compliance records may request one by emailing sanket@sucetastech.co.ukwith the subject line "DPA Request — [Your Company Name]".