1. Introduction
1.1 This Data Processing Agreement ("DPA") governs the processing of Personal Data by HyperionWave Limited ("Processor", "we", "us", "our") when providing the HyperionWave and UnaGo services under the HyperionWave Terms and Conditions ("Principal Agreement").
1.2 This DPA applies where we process Personal Data on behalf of the customer ("Controller") in connection with the Services. It sets out the parties' rights and obligations under Article 28 of the UK GDPR and, where applicable, Article 28 of the EU GDPR.
1.3 This DPA forms part of, and is incorporated into, the Principal Agreement. If there is any conflict between this DPA and the Principal Agreement in relation to data protection or the processing of Personal Data, this DPA will prevail.
1.4 By creating an account, accessing or using the Services, the Controller agrees to be bound by this DPA. If you are acting on behalf of a company or organisation ("Organisation"), you represent and warrant that:
(a) you have authority to bind that Organisation to this DPA;
(b) you have read and understood this DPA; and
(c) you agree to this DPA on behalf of that Organisation.
1.5 This DPA is published at https://unago.ai/dpa and is incorporated by reference into the Principal Agreement pursuant to clause 10.3 of the Principal Agreement.
2. Definitions
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Principal Agreement.
"Authorised Users" means the individuals authorised by the Controller to use the Services, as further described in the Principal Agreement.
"Controller" has the meaning given in the UK GDPR.
"Customer" means the Controller.
"Customer Data" means all data, information, files, content and materials that you or your Authorised Users submit, upload, transmit or otherwise provide to or through the Services.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including: (a) the UK GDPR and the Data Protection Act 2018; (b) the EU GDPR (Regulation (EU) 2016/679) to the extent applicable; (c) the Privacy and Electronic Communications Regulations 2003; and (d) any successor legislation or implementing regulations, in each case as amended or replaced from time to time.
"Data Subject" has the meaning given in the UK GDPR.
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
"Personal Data" has the meaning given in the UK GDPR.
"Personal Data Breach" has the meaning given in the UK GDPR.
"Processing" (and related terms such as "process" and "processed") has the meaning given in the UK GDPR.
"Processor" has the meaning given in the UK GDPR.
"Restricted Transfer" means a transfer of Personal Data to a country or territory outside the United Kingdom (or, where the EU GDPR applies, outside the European Economic Area) that is not subject to an adequacy decision.
"Standard Contractual Clauses" or "SCCs" means: (a) the International Data Transfer Agreement ("IDTA") approved by the UK Information Commissioner's Office for transfers from the United Kingdom; and/or (b) the standard contractual clauses adopted by the European Commission under Decision 2021/914/EU, as applicable.
"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller in connection with the Services.
"UK GDPR" means Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
3. Scope and Role of the Parties
3.1 The parties acknowledge that, in relation to Personal Data contained within Customer Data: (a) the Controller is the data controller; and (b) the Processor is the data processor acting on the Controller's behalf.
3.2 The Processor shall process Personal Data only in accordance with the Controller's documented instructions, as set out in this DPA and the Principal Agreement, unless required to process for a different purpose by applicable law (in which case the Processor shall, where permitted by law, notify the Controller before such processing).
3.3 Schedule 1 sets out the subject matter, nature, purpose and duration of the processing, the types of Personal Data processed, and the categories of Data Subjects.
4. Controller's Obligations
4.1 The Controller represents and warrants that:
(a) it has a lawful basis for processing the Personal Data it provides to the Processor;
(b) it has provided all required privacy notices to Data Subjects and obtained all necessary consents where required;
(c) its instructions to the Processor comply with Data Protection Laws;
(d) it has the right to transfer the relevant Personal Data to the Processor for processing in accordance with this DPA; and
(e) it will comply with its obligations as data controller under Data Protection Laws.
4.2 The Controller shall promptly inform the Processor if any instruction given to the Processor would, in the Controller's opinion, violate Data Protection Laws.
5. Processor's Obligations
5.1 The Processor shall:
(a) process Personal Data only on documented instructions from the Controller (including as set out in this DPA and the Principal Agreement), and not for any other purpose;
(b) ensure that all personnel who process Personal Data are subject to binding confidentiality obligations;
(c) implement appropriate technical and organisational measures to protect Personal Data, as set out in Schedule 2;
(d) not engage Sub-processors without the Controller's prior written authorisation (general authorisation is given in clause 7 of this DPA);
(e) assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligations to respond to Data Subject requests under Data Protection Laws;
(f) assist the Controller in ensuring compliance with its obligations under Articles 32-36 of the UK GDPR (security, breach notification, DPIAs, and prior consultation), taking into account the nature of processing and information available to the Processor;
(g) at the Controller's election, delete or return all Personal Data to the Controller within 30 days upon termination or expiry of the Principal Agreement, and delete existing copies unless applicable law requires continued storage;
(h) make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws, and allow for and contribute to audits conducted by the Controller or a mandated auditor (subject to clause 9);
(i) maintain records of processing activities carried out on behalf of the Controller in accordance with Article 30 of the UK GDPR, and make such records available to the Controller upon reasonable request;
(j) process Personal Data on a data minimisation basis, collecting and processing only the Personal Data necessary for the provision of the Services; and
(k) cooperate with the Controller and relevant supervisory authorities in connection with any investigation, inquiry, or audit relating to the processing of Personal Data under this DPA.
5.2 AI processing obligations. In addition to the obligations in clause 5.1, where the Processor processes Personal Data using artificial intelligence or large language model (LLM) systems:
(a) the Processor shall not use Personal Data processed on behalf of the Controller to train, fine-tune or improve its foundation AI models or platform-level AI capabilities without the Controller's prior explicit written consent;
(b) the Processor shall comply with applicable obligations under the EU AI Act (Regulation (EU) 2024/1689) to the extent it applies to the Processor's role in providing AI-assisted automation services, including obligations relating to transparency, human oversight and risk management for high-risk AI systems; and
(c) the Processor shall maintain records of processing activities involving AI systems to the extent required by applicable AI legislation and as reasonably requested by the Controller.
The parties acknowledge that the Controller may itself have obligations under the EU AI Act as a deployer of AI systems. The Processor shall provide reasonable cooperation and information to assist the Controller in meeting those obligations, insofar as such assistance relates to the Processor's systems and services.
5.3 EU Representative. Where required under Article 27 of the EU GDPR, the Processor shall appoint an EU representative and notify the Controller of their contact details. The Processor shall promptly inform the Controller of any changes to such appointment.
6. Security Measures
6.1 The Processor shall implement and maintain the technical and organisational security measures set out in Schedule 2, which the Processor considers appropriate to protect Personal Data against the risks presented by the processing, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
6.2 The Processor may update the security measures set out in Schedule 2 from time to time, provided that any updates do not materially reduce the overall level of protection afforded to Personal Data.
7. Sub-processors
7.1 The Controller grants the Processor general written authorisation to engage Sub-processors, subject to the conditions in this clause 7.
7.2 The Processor shall maintain and make available to the Controller a current list of Sub-processors at https://unago.ai/subprocessors ("Sub-processor List").
7.3 The Processor shall provide the Controller with at least 30 days' prior written notice before adding or replacing a Sub-processor. The Controller may object to a new or replacement Sub-processor on reasonable data protection grounds by notifying the Processor in writing within 30 days of receipt of notice.
7.4 If the Controller raises a reasonable objection and the parties cannot resolve the matter within 30 days of the objection, the Controller may terminate the affected Services without penalty and shall receive a pro-rata refund of any prepaid fees for the unused portion of the Subscription Term.
7.5 Where the Processor engages a Sub-processor, it shall enter into a written agreement with that Sub-processor imposing data protection obligations no less protective than those in this DPA.
7.6 The Processor remains fully liable to the Controller for the acts and omissions of its Sub-processors in relation to the processing of Personal Data.
8. International Data Transfers
8.1 The Processor shall not carry out a Restricted Transfer of Personal Data unless it has implemented an appropriate transfer mechanism under Data Protection Laws, including:
(a) for transfers from the United Kingdom: the IDTA, the UK Addendum to the EU SCCs approved by the UK ICO, or an alternative transfer mechanism approved by the UK ICO; and
(b) for transfers from the European Economic Area: the EU SCCs (Module 2: Controller to Processor) adopted under Commission Decision 2021/914/EU.
8.2 Where SCCs apply to a Restricted Transfer, those SCCs (as applicable) are incorporated into this DPA by reference and shall take precedence over this DPA to the extent of any conflict in relation to that transfer.
8.3 The Processor shall promptly notify the Controller if it has reason to believe that any applicable law prevents it from complying with the terms of the applicable transfer mechanism, or materially affects its ability to comply with its obligations under this DPA.
8.4 The Processor's primary infrastructure is hosted on Google Cloud Platform in the eu-west2 (London) region. Personal Data processed within this region does not constitute a Restricted Transfer.
8.5 Transfer Impact Assessment. The Processor shall conduct a Transfer Impact Assessment for each Restricted Transfer and shall provide a summary to the Controller upon reasonable request. The Processor shall promptly notify the Controller if any law or government action prevents it from complying with the applicable transfer mechanism or if the transfer mechanism is suspended, invalidated, or subject to legal challenge that materially affects its validity.
8.6 Onward transfers to Sub-processors. Where the Processor engages a Sub-processor outside the United Kingdom or European Economic Area, the Processor shall ensure that an appropriate transfer mechanism (including, where applicable, SCC Module 3: Processor to Processor) is in place for the onward transfer.
9. Audits and Inspections
9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA.
9.2 The Processor shall allow the Controller (or a mandated third-party auditor that is not a competitor of the Processor) to conduct audits of the Processor's processing activities under this DPA, subject to:
(a) reasonable prior written notice of not less than 30 days;
(b) audits being conducted during normal business hours and no more than once per calendar year (unless a Personal Data Breach has occurred);
(c) the Controller and its auditor entering into a confidentiality undertaking acceptable to the Processor before the audit commences; and
(d) the Controller bearing all costs of any such audit, provided that where the audit identifies a material breach of this DPA by the Processor, the Processor shall bear the reasonable costs of such audit.
10. Personal Data Breaches
10.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data.
10.2 The notification shall include, to the extent then available:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the name and contact details of the Processor's Data Protection Officer or other relevant contact point;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
10.3 Where it is not possible to provide full information within 72 hours, the Processor shall provide available information and supplement it as further details become known.
10.4 The Processor shall reasonably cooperate with and assist the Controller in meeting any obligations to notify the ICO (or other applicable supervisory authority) and affected Data Subjects.
10.5 The Processor's notification of a Personal Data Breach is not an acknowledgment of fault or liability.
10.6 The Processor shall retain records of Personal Data Breaches and related investigations for a minimum of 2 years following resolution of the incident.
11. Data Subject Rights
11.1 The Processor shall, upon receiving a request from a Data Subject or instruction from the Controller, provide all reasonable assistance to enable the Controller to respond to Data Subject rights requests, including requests for:
(a) access to Personal Data;
(b) rectification or erasure of Personal Data;
(c) restriction of processing;
(d) data portability; and
(e) objection to processing.
11.2 Where the Processor receives a Data Subject request directly, it shall promptly forward it to the Controller and shall not respond to the request without the Controller's prior written instruction, except to confirm that the request has been received and forwarded.
12. Data Protection Impact Assessments and Prior Consultation
12.1 The Processor shall provide the Controller with reasonable assistance in carrying out data protection impact assessments and, where required, prior consultation with a supervisory authority, insofar as such assistance is reasonably within the Processor's capabilities and relates to the Personal Data processed under this DPA. The Processor shall notify the Controller if it identifies that a processing activity is likely to result in high risk to Data Subjects.
13. Return and Deletion of Personal Data
13.1 Upon termination or expiry of the Principal Agreement, or upon the Controller's written request at any time, the Processor shall (at the Controller's election):
(a) return to the Controller all Personal Data in a commonly used machine-readable format; and/or
(b) securely delete or destroy all Personal Data.
13.2 The Processor shall certify in writing that deletion or return has been completed within 30 days of the termination date or request.
13.3 The Processor may retain Personal Data beyond this period only to the extent required by applicable law, in which case the Processor shall notify the Controller and shall continue to protect that data in accordance with this DPA.
14. Data Protection Officer
14.1 The Processor has appointed a Data Protection Officer who can be contacted at: dpo@unago.ai.
15. Liability
15.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Principal Agreement, except:
(a) to the extent that applicable Data Protection Laws impose stricter or non-excludable liability; or
(b) in respect of liability that cannot be limited under applicable law.
15.2 Each party shall be responsible for any fines, penalties, or regulatory sanctions imposed on it to the extent caused by its own breach of Data Protection Laws or this DPA. Where a fine or penalty is imposed on one party as a result of the other party's breach, the breaching party shall indemnify the non-breaching party for the reasonable costs of such fine or penalty.
15.3 The Processor shall maintain appropriate cyber liability and data protection insurance coverage commensurate with the nature and scale of processing, and shall provide evidence of such coverage upon reasonable request.
16. Term and Termination
16.1 This DPA shall remain in force for the duration of the Principal Agreement.
16.2 This DPA shall automatically terminate upon termination or expiry of the Principal Agreement, subject to clause 13 (data deletion/return) and any obligations that survive by nature or by law.
17. General
17.1 Precedence. In the event of conflict between this DPA and the Principal Agreement on data protection matters, this DPA shall prevail. In the event of conflict between this DPA and applicable Data Protection Laws, Data Protection Laws shall prevail.
17.2 Governing Law. This DPA is governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
17.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force.
17.4 Entire Agreement. This DPA, together with the Principal Agreement and any applicable SCCs, constitutes the entire agreement between the parties in respect of the processing of Personal Data.
17.5 Amendments. Any amendment to this DPA must be agreed in writing by both parties, except that the Processor may update Schedule 2 (Security Measures) in accordance with clause 6.2 and the Sub-processor List in accordance with clause 7.
17.6 Electronic Signatures. This DPA may be executed in counterparts and by electronic signature, which shall have the same legal effect as handwritten signatures.
18. Acknowledgement
18.1 This Data Processing Agreement forms part of the Agreement between HyperionWave Limited and the Customer. By accepting the Terms and Conditions, Privacy Policy and this Data Processing Agreement during account registration or by continuing to use the Services, the Customer agrees to be bound by the terms of this Data Processing Agreement.
Schedule 1 - Details of Processing
Item | Details
Subject matter of processing | Processing of Personal Data as necessary to provide the Services under the Principal Agreement, including AI-assisted automation, data analytics, workflow processing and related functions.
Nature of processing | Collection, storage, use, transmission, retrieval, deletion and other processing operations necessary to provide the Services.
Purpose of processing | To provide, maintain and support the Services; to comply with legal obligations; and as otherwise instructed by the Controller.
Duration of processing | For the term of the Principal Agreement and thereafter in accordance with clause 13 and applicable law.
Types of Personal Data | May include: names, email addresses, job titles, employer details, contact information, usage data, and any other Personal Data submitted by the Controller or Authorised Users through the Services.
Categories of Data Subjects | Controller's employees, contractors and Authorised Users; and any other individuals whose Personal Data is submitted by the Controller through the Services.
Special category data | The Services are not intended for processing special category data. If the Controller intends to submit special category data, it must notify HyperionWave in advance at dpo@unago.ai.
Schedule 2 - Technical and Organisational Security Measures
Access Controls
(a) Role-based access control (RBAC) limiting access to Personal Data to authorised personnel on a need-to-know basis.
(b) Multi-factor authentication (MFA) for access to production systems.
(c) Privileged access management for administrative accounts.
(d) Regular review and revocation of access rights upon role changes or termination.
Encryption
(a) Encryption of Personal Data in transit using TLS 1.2 or higher.
(b) Encryption of Personal Data at rest using AES-256 or equivalent.
(c) Encryption key management procedures.
Pseudonymisation
(a) Where technically feasible and appropriate to the processing, Personal Data is pseudonymised to reduce the risk of identification.
(b) Pseudonymisation keys are stored separately from the pseudonymised data and access is restricted to authorised personnel only.
Network Security
(a) Firewalls, intrusion detection and prevention systems.
(b) Network segmentation separating production and non-production environments.
(c) DDoS protection measures.
Vulnerability and Patch Management
(a) Regular vulnerability scanning and penetration testing (at least annually).
(b) Timely application of security patches and updates.
(c) Secure software development lifecycle (SDLC) practices.
Incident Response
(a) Documented Personal Data Breach detection, reporting and response procedures.
(b) Designated incident response team.
(c) Post-incident review process.
Business Continuity and Disaster Recovery
(a) Regular backups of Customer Data with tested restoration procedures.
(b) Business continuity and disaster recovery plans.
Personnel Measures
(a) Mandatory data protection and security training for all personnel with access to Personal Data.
(b) Background checks for personnel in roles with access to Personal Data.
(c) Binding confidentiality obligations for all relevant personnel.
Physical and Infrastructure Security
(a) Personal Data is processed in Google Cloud Platform (GCP) data centres in the eu-west2 (London) region, which hold ISO 27001 certification and SOC 2 Type II attestation.
(b) GCP data centres implement appropriate physical access controls, CCTV surveillance, and environmental protections.
(c) Data remains within the United Kingdom unless a Restricted Transfer is effected in accordance with clause 8 of this DPA.
Audit and Monitoring
(a) Audit logging of access to and processing of Personal Data.
(b) Regular internal reviews of security measures.
(c) Third-party security assessments.
Schedule 3 - Approved Sub-processors
The current, up-to-date list of approved Sub-processors is maintained online at https://unago.ai/subprocessors and is updated in accordance with clause 7 of this DPA.
Customers will be notified of any changes in accordance with clause 7.3.
Additional Sub-processors may be added in accordance with clause 7. The full list is maintained at the URL above.
Schedule 4 - Agent Ownership and Usage Policy
4.1 Purpose and Scope
This Schedule sets out the rights and obligations of the parties in respect of Custom Agents created by the Controller within the Services. This Schedule forms a binding part of this DPA and the Principal Agreement.
4.2 Ownership of Custom Agents
(a) All Custom Agents created by the Controller (or its Authorised Users) within the Services – including their configuration, logic, prompts, orchestration graphs, decision trees, workflow sequences and behavioural patterns – are and remain the exclusive Intellectual Property of the Controller ("Controller Agent IP").
(b) HyperionWave Limited makes no claim of ownership over Controller Agent IP. No right, title or interest in Controller Agent IP is transferred to HyperionWave Limited by virtue of it being created, stored or operated within the Services.
(c) For the avoidance of doubt, Controller Agent IP includes: (i) internal operational logic and process automation specific to the Controller's business; (ii) proprietary decision-making workflows and rules; (iii) custom prompt engineering, agent instructions and system configurations; (iv) orchestration graphs and multi-agent architectures reflecting the Controller's internal strategy or operations; and (v) any other configuration that embeds the Controller's competitive or operational know-how.
4.3 Prohibition on Reuse, Resale and Marketplace Listing
(a) HyperionWave Limited shall not, without the Controller's prior explicit written consent: (i) reuse, repurpose, copy or adapt Controller Agent IP for any other customer, user or purpose; (ii) list, offer or make available Controller Agent IP (in whole or in part) in any agent marketplace, template library, app store or equivalent; (iii) share Controller Agent IP with any third party; or (iv) use Controller Agent IP as the basis for developing standardised templates, features or product capabilities.
(b) The default position is: private by default, shared only by explicit written consent. Any consent given by the Controller under this clause must be: (i) in writing; (ii) specific as to the Custom Agent(s) covered; and (iii) revocable on reasonable notice (save where the Controller Agent IP has already been incorporated into a published template with the Controller's consent).
4.4 No Learning from Controller Agent IP
(a) HyperionWave Limited shall not use Controller Agent IP – including orchestration logic, workflow graphs, prompt structures, agent configurations or behavioural patterns – to train, fine-tune, improve or develop: (i) HyperionWave's AI models or algorithms; (ii) any generalised platform features or capabilities; or (iii) products or services offered to any other customer.
(b) This prohibition applies regardless of whether the Controller Agent IP is processed in identifiable or anonymised/abstracted form, to the extent that it reflects or could be used to reconstruct the Controller's proprietary operational logic or strategy.
(c) HyperionWave Limited shall implement and maintain technical controls to enforce the restrictions in this clause 4.4, including logical separation of Controller Agent IP from platform-level training pipelines. HyperionWave Limited shall not rely solely on contractual restrictions where technical separation is reasonably achievable.
(d) Upon written request, HyperionWave Limited shall provide the Controller with a summary description of the technical and organisational measures in place to enforce these restrictions.
4.5 Separation of Layers
(a) HyperionWave Limited maintains a clear separation between: (i) the Platform Layer – the underlying platform software, AI models, APIs, and standard features owned by HyperionWave Limited; (ii) Controller Agent IP – custom agents, workflows and configurations created by the Controller; and (iii) Platform Templates – generic, non-client-specific agent templates created by HyperionWave Limited and made available to all users.
(b) HyperionWave Limited shall not migrate content from the Controller Agent IP layer to the Platform Templates or Platform Layer without the Controller's prior explicit written consent.
(c) Where HyperionWave Limited develops new Platform Templates or Platform Layer features, it represents that such development is based on its own independent work or the Platform Layer, and not on Controller Agent IP.
4.6 Agent Marketplace (Future)
(a) If HyperionWave Limited introduces an agent marketplace or equivalent feature in the future, only the following may be listed or shared without the Controller's consent: (i) agents that are fully developed by HyperionWave Limited using Platform Layer capabilities only; or (ii) generic templates that do not incorporate any Controller Agent IP.
(b) Controller Agent IP may only be listed in any marketplace: (i) with the Controller's prior explicit written consent; and (ii) subject to licence terms agreed with the Controller, including any applicable revenue sharing arrangements.
(c) The Controller may withdraw consent for marketplace listing at any time on reasonable written notice, provided that existing licences already granted to third parties prior to withdrawal are not affected unless the Controller and HyperionWave Limited agree otherwise.
4.7 HyperionWave Limited Representations
HyperionWave Limited represents and warrants to the Controller that:
(a) it does not and will not use the Controller's internal workflows, agent logic or operational patterns to benefit other customers or to develop competing capabilities;
(b) the Controller's Custom Agents and the operational know-how embedded within them are treated as Confidential Information under the Principal Agreement; and
(c) HyperionWave Limited personnel are trained on and bound by these restrictions.
4.8 Audit Rights (Agent IP)
In addition to the audit rights in clause 9 of this DPA, the Controller may, on reasonable written notice of not less than 30 days and no more than once per calendar year, request that HyperionWave Limited provide written confirmation that:
(a) no Controller Agent IP has been used in contravention of this Schedule; and
(b) the technical separation measures described in clause 4.4(c) remain in place.
HyperionWave Limited shall respond to such requests within 30 days.
4.9 Remedies
(a) Without prejudice to any other rights or remedies, the parties agree that a breach of this Schedule 4 by HyperionWave Limited may cause irreparable harm to the Controller for which damages alone may not be an adequate remedy. In such circumstances, the Controller may seek injunctive or other relief without the need to demonstrate actual damages as a precondition.
(b) The liability limitations in clause 15 of this DPA and in the Principal Agreement apply to claims under this Schedule 4, except in respect of: (i) wilful or deliberate breach by HyperionWave Limited; or (ii) breach of confidentiality obligations under the Principal Agreement.
Schedule 5 - International Data Transfer Mechanisms
Transfers from the United Kingdom
Where the Processor transfers Personal Data outside the United Kingdom to a country not subject to UK adequacy regulations, the parties agree that such transfers are subject to the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office (as amended from time to time), which is incorporated into this DPA by reference. Alternatively, the UK Addendum to the EU Standard Contractual Clauses, as issued by the UK ICO, may be used.
Transfers from the European Economic Area
Where the Processor transfers Personal Data outside the EEA to a country not subject to an EU adequacy decision, the parties agree that such transfers are subject to the EU Standard Contractual Clauses (Module 2: Controller to Processor), adopted by the European Commission under Decision 2021/914/EU, which are incorporated into this DPA by reference, with the following selections:
(a) Clause 7 (Docking clause): Optional - not included.
(b) Clause 9 (Sub-processors): Option 2 - General written authorisation with 30 days' prior notice.
(c) Clause 11 (Redress): Optional language - not included.
Onward Transfers to Sub-processors
Where the Processor engages a Sub-processor outside the United Kingdom or EEA, the EU Standard Contractual Clauses (Module 3: Processor to Processor) shall apply to the onward transfer, incorporated into this DPA by reference.
HyperionWave Limited | 5-7 The Crescent, Newquay, Cornwall, TR7 1DT | Registered in England and Wales | Company number 16645022 | dpo@unago.ai