Comnly · Monosphere Ltd
Version 1.0.1 · Effective 11 May 2026
Data Processing Agreement
This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the Master Subscription Agreement ("MSA") between Monosphere Ltd (the "Processor") and the Customer (the "Controller"). Terms used but not defined here have the meanings given in the MSA or in the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Law").
This DPA satisfies Article 28(3) UK GDPR. Where there is a conflict between this DPA and the MSA in respect of personal data, this DPA prevails.
1. Scope and roles
1.1 In respect of Customer Personal Data (defined in section 2.1), the Customer is the controller and Monosphere is the processor.
1.2 Monosphere will only process Customer Personal Data on the documented instructions of the Customer. Those instructions are set out in: (a) the MSA; (b) this DPA; (c) the configuration choices the Customer makes in the Service; and (d) any further written instructions agreed between the parties.
1.3 If Monosphere believes any instruction is unlawful, it will inform the Customer and may suspend processing of the relevant data until the instruction is amended.
2. Subject matter and details of processing
2.1 "Customer Personal Data" means personal data processed by Monosphere on behalf of the Customer through the Service.
2.2 Subject matter: provision of the Comnly platform.
2.3 Duration: for the term of the MSA and a reasonable period afterwards as set out in section 9.
2.4 Nature and purpose: hosting, transmission, organisation, retrieval, display, push and email notification, search, indexing, security, support and storage of Customer Personal Data, as required to operate the Service.
2.5 Categories of data subjects: the Customer's administrators, members, prospective members and (where uploaded by the Customer) third parties whose data the Customer chooses to record.
2.6 Categories of personal data: identity and contact data; organisational membership and role data; profile and preference data; date of birth; photographs (where uploaded); communications data (posts, replies, polls, RSVPs, acknowledgements and document uploads); device and notification data; technical and log data.
2.7 Special categories of data: not intended. Monosphere does not solicit special-category data. The Customer is responsible for ensuring that special-category data is not entered into free-text or upload fields without an appropriate lawful basis under Article 9 UK GDPR.
3. Processor obligations
Monosphere will:
(a) process Customer Personal Data only on the Customer's documented instructions, including transfers under section 7;
(b) ensure that personnel authorised to process Customer Personal Data are subject to a duty of confidentiality;
(c) implement and maintain appropriate technical and organisational security measures (see Annex II) to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of processing and the risks to data subjects' rights and freedoms;
(d) only engage sub-processors in accordance with section 4;
(e) taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligations to respond to requests from data subjects exercising their rights under UK GDPR;
(f) assist the Customer in ensuring compliance with its obligations under Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to Monosphere;
(g) at the Customer's choice, delete or return all Customer Personal Data after the end of the provision of services relating to processing, and delete existing copies, unless retention is required by UK or EU law (see section 9);
(h) make available to the Customer the information necessary to demonstrate compliance with its obligations under Article 28 UK GDPR, and allow for and contribute to audits and inspections in accordance with section 8.
4. Sub-processors
4.1 The Customer provides general written authorisation for Monosphere to engage sub-processors to process Customer Personal Data. The current list of sub-processors is set out in Annex III and is also available on request from privacy@monosphere.co.uk.
4.2 Monosphere will: (a) impose, by written contract, data protection obligations on each sub-processor that are equivalent to those set out in this DPA; and (b) remain liable to the Customer for the performance of each sub-processor's obligations under that contract.
4.3 Monosphere will give the Customer at least 30 days' prior written notice of any addition or replacement of a sub-processor processing Customer Personal Data. The Customer may object to a proposed change on reasonable data-protection grounds within 30 days. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected portion of the Service on written notice to Monosphere, with Monosphere refunding any unused prepaid fees relating to that portion on a pro-rata basis.
5. Personal data breach
5.1 Monosphere will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data.
5.2 The notice will, to the extent known and within the law, describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed to be taken, and the contact details for further information.
5.3 Monosphere will reasonably cooperate with the Customer in the Customer's investigation and any required notifications to the Information Commissioner's Office or affected data subjects.
6. Data subject rights and assistance
6.1 If Monosphere receives a request from a data subject relating to Customer Personal Data, Monosphere will (where lawful and practicable) refer the request to the Customer and not respond to the data subject directly except as permitted by the Customer.
6.2 Taking into account the nature of the processing, Monosphere will assist the Customer to respond to data subject requests, including by providing self-service tools in the Service for the Customer to access, correct, export or delete Customer Personal Data.
7. International data transfers
7.1 Monosphere will not transfer Customer Personal Data outside the United Kingdom except where the transfer is to a country covered by adequacy regulations made by the UK Government, or where the transfer is protected by an appropriate transfer mechanism under Article 46 UK GDPR (such as the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses).
7.2 The current sub-processor list (Annex III) identifies the country in which each sub-processor processes Customer Personal Data and the applicable transfer mechanism, where relevant.
8. Audits
8.1 Monosphere will, on reasonable prior written notice of at least 30 days, make available to the Customer (or a mutually-agreed independent auditor bound by confidentiality) information necessary to demonstrate compliance with this DPA.
8.2 Audits are limited to information directly relevant to the Customer's compliance, must take place during business hours, must minimise disruption to Monosphere's other customers, and must not give the Customer access to other customers' data, Monosphere's commercially sensitive information or systems beyond what is necessary.
8.3 The Customer bears the costs of audits, save where the audit reveals a material breach by Monosphere, in which case Monosphere will bear its own audit-cooperation costs.
8.4 As an alternative to an on-site audit, Monosphere may satisfy its obligations under this section by providing the latest available third-party audit reports or compliance certifications.
9. Return or deletion of Customer Personal Data
9.1 On termination of the MSA the Customer can export Customer Content (including Customer Personal Data within it) for 30 days through the Service's available export tools.
9.2 After that period, Monosphere will delete or anonymise Customer Personal Data within a reasonable period, save where retention is required by law (e.g. financial records) or for the establishment, exercise or defence of legal claims, in which case the data is locked down and retained for the minimum necessary period.
10. Liability
10.1 Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the MSA. Nothing in this DPA limits any party's liability where it cannot lawfully be limited.
11. Conflict and term
11.1 In case of conflict, the order of precedence is: (a) UK Data Protection Law; (b) this DPA; (c) the MSA.
11.2 This DPA is effective from the date the Customer accepts the MSA and remains in force for the duration of the MSA and any survival period.
12. Governing law
12.1 This DPA is governed by, and to be construed in accordance with, the laws of England and Wales.
Annex I — Description of processing
Subject matter, duration, nature and purpose, categories of data subjects and personal data: as set out in section 2.
Frequency: continuous, for the duration of the MSA.
Annex II — Technical and organisational security measures
Monosphere implements (without limitation) the following measures, and will continue to develop them in line with industry standards:
1. Encryption in transit (TLS 1.2+) for all client-server connections.
2. Encryption at rest for the hosted database (PostgreSQL on Supabase) and object storage.
3. Authentication and access control: passwords stored using a strong password-hashing algorithm; role-based access control enforced via row-level security in the database; principle of least privilege for staff access.
4. Network and application security: hardened cloud-hosted infrastructure; signed webhook payloads; CSRF and XSS protections in web frontends; rate limiting on sensitive endpoints; parameterised queries to prevent injection.
5. Software development practices: code review, automated tests, separation of development, staging and production environments, secure secret management.
6. Operational security: audit logging of administrative actions; monitoring of error and security signals; backup of databases.
7. Personnel: confidentiality obligations for staff with access to Customer Personal Data; training on UK Data Protection Law and security.
8. Incident response: documented procedure for detection, containment and notification of personal data breaches in accordance with section 5 of this DPA.
9. Sub-processor controls: contractual data protection obligations equivalent to this DPA imposed on every sub-processor.
10. Data retention and deletion: data deletion procedures aligned with section 9 of this DPA and with the Privacy Policy.
Annex III — Authorised sub-processors
The current list of authorised sub-processors processing Customer Personal Data on behalf of Monosphere is as follows. The Customer is asked to review this list in conjunction with section 4.
| Sub-processor | Purpose | Country of processing |
|---|---|---|
| Supabase Inc. | PostgreSQL hosting, authentication, object storage | EU/UK region used by Monosphere |
| Stripe Payments Europe, Ltd. (and affiliates) | Subscription billing and payment processing | Ireland / United Kingdom / United States (with appropriate transfer safeguards) |
| Expo (650 Industries, Inc.) | Push notification dispatch service | United States (with appropriate transfer safeguards) |
| Apple Inc. (Apple Push Notification service) | Push notification delivery to iOS devices | United States (with appropriate transfer safeguards) |
| Google LLC (Firebase Cloud Messaging) | Push notification delivery to Android devices | United States (with appropriate transfer safeguards) |
| Resend (or equivalent) | Transactional email delivery | EU/UK |
| Vercel Inc. | Web application hosting and edge runtime | United States (with appropriate transfer safeguards) |
The list above may be updated from time to time in accordance with section 4 of this DPA. The current authoritative list is available from privacy@monosphere.co.uk.