Data Processing Addendum

    Scaled – Data Processing Addendum

    Last updated: 14 August 2025

    This Data Processing Addendum ("DPA") reflects the agreement between GET SCALED LIMITED ("we", "us", "our" or "the Company") and any client ("you" or "the Client") with respect to the Processing of Personal Data by us on your behalf in connection with the Services.

    1. Separate Data Processing Addendum

    If the Client has entered into a separate written Data Processing Addendum with the Company, the terms of that separate addendum will apply and the terms of this DPA will not apply.

    2. Relationship to Other Agreements

    This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement or an Order Form. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

    The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning set forth in the Agreement.

    3. Definitions

    1. "Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws; in each case as amended, repealed, consolidated or replaced from time to time.
    2. "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
    3. "European Data" means Personal Data that is subject to the protection of European Data Protection Laws.
    4. "Instructions" means the written, documented instructions issued by a Data Controller to a Data Processor, directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalising, blocking, deletion, making available).
    5. "Partners" means any third party who may employ Staff Member(s) as part of the delivery of the Services.
    6. "Personal Data" means any data or information provided by you to, or collected by us in the course of providing the Services, that relates to a living individual who can be identified from that data, but excludes Aggregated Research Data and Benchmarking.
    7. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Products and/or Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
    8. "Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.

    4. Client Responsibilities

    Within the scope of the Agreement and in your use of the Services, you will be responsible for complying with all requirements that apply to you under applicable Data Protection Laws and any Instructions you issue to us. In particular, you acknowledge and agree that you will be solely responsible for:

    • The accuracy, quality, and legality of the means by which you acquired Personal Data.
    • Complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorisations.
    • Ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the Agreement (including this DPA).
    • Ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws.
    • Complying with all applicable laws (including Data Protection Laws).

    You will inform us without undue delay if you are not able to comply with your responsibilities under this section.

    The Parties agree that the Agreement (including this DPA), together with your use of the Services in accordance with the Agreement, constitute your complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement.

    5. Company Responsibilities

    We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law.

    If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will:

    • Promptly notify you of that legal requirement, to the extent permitted by law; and
    • Where necessary, cease all Processing until such time as you issue new Instructions with which we are able to comply.

    We will implement and maintain an effective information security program that shall include at minimum:

    • Taking reasonable steps to ensure the reliability of Staff Member(s) having access to the Personal Data.
    • Implementing and maintaining reasonable training of Staff Member(s) accessing Personal Data.

    We will ensure that any Staff Member(s) with access to Process Personal Data is subject to appropriate confidentiality obligations.

    We will delete or return all Company Property, including Personal Data (including copies thereof) Processed pursuant to this DPA, on your written instruction, except where we are required by law to retain some or all of it, or where it is archived on back-up systems — in which case it will be securely isolated and deleted in accordance with our deletion practices.

    If requested, we will provide reasonable assistance to you, and within timescales reasonably requested by you, with any data protection impact assessments to the extent required by European Data Protection Laws.

    6. Partners

    You agree that we may engage with Partners who may be the employers of Staff Member(s) or may provide other Services under the Agreement. Those Partners may process Personal Data on your behalf. Where we engage Partners, we will impose data protection terms that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Partners.

    By engaging our services without a separate written Data Processing Addendum, you confirm your acceptance of this DPA.