Data Processing Agreement – EU/UK

EU GDPR & UK GDPR Compliant Edition

Updated: January 2025

SaaSrooms Ltd & SaaSrooms Europe Limited
308 High Street, Croydon, Surrey, CR0 1NG, United Kingdom

Processor SaaSrooms Europe Limited and SaaSrooms Ltd (collectively “SaaSrooms”)
Registered Office 308 High Street, Croydon, Surrey, CR0 1NG, United Kingdom
Company No. SaaSrooms Europe Limited: 14170299  (England & Wales)  |  SaaSrooms Ltd: 14011278  (England & Wales)
Governing Law EU GDPR (Regulation (EU) 2016/679) and UK GDPR together with the UK Data Protection Act 2018
Data Location AWS eu-west-1 — Republic of Ireland (EEA)  |  No US transfer
Transfer Mechanism EU Standard Contractual Clauses (2021/914) + UK ICO Addendum (IDTA)
Contact support@saasrooms.com
DPA Contacts Philip Allouche, CEO — philip.allouche@saasrooms.com  |  Sreeram Venkitakrishnan, CTO — sreeram@saasrooms.com
 
Applicable Regulations
This DPA is designed to comply with both:
  • EU GDPR — Regulation (EU) 2016/679 of 27 April 2016
  • UK GDPR — as retained in UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018
Where these regulations differ, specific provisions for each jurisdiction are noted.  A UK ICO International Data Transfer Addendum (IDTA) is incorporated in Schedule 2 to provide full UK GDPR compliance.
     

1.  Parties

This Data Processing Agreement (“DPA”) is entered into by and between:  

1.1  The Controller (Client)

The Client entity as identified in the applicable Subscription Agreement or Order Form entered into with SaaSrooms Europe Limited and/or SaaSrooms Ltd (together “SaaSrooms”).  The Client acts as the Data Controller for the personal data it provides to SaaSrooms for processing.  

1.2  The Processor (SaaSrooms)

Company Name SaaSrooms Europe Limited and SaaSrooms Ltd (together “SaaSrooms”)
Registered Address 308 High Street, Croydon, Surrey, CR0 1NG, United Kingdom
Company No. SaaSrooms Europe Limited: 14170299  |  SaaSrooms Ltd: 14011278  (both England & Wales)
DPA Contact Philip Allouche, CEO philip.allouche@saasrooms.com +44 7766070164
DPA Contact Sreeram Venkitakrishnan, CTO / DPO sreeram@saasrooms.com
Compliance Email support@saasrooms.com
  SaaSrooms Europe Limited and SaaSrooms Ltd (together “SaaSrooms”) act jointly as the Data Processor in respect of all personal data provided by the Controller under the Agreement.  SaaSrooms LLC (a separate US entity) is not a party to this DPA and is not engaged in the processing of EU or UK Client personal data.  

2.  Definitions

In this DPA, the following terms have the meanings set out below.  Terms not defined here have the meanings given in the EU GDPR or UK GDPR as applicable, or in the Agreement.  
Agreement The Subscription Agreement and/or Order Form between SaaSrooms Europe Limited and/or SaaSrooms Ltd and the Client, incorporating these terms.
Controller The natural or legal person who determines the purposes and means of processing personal data.  In this DPA, the Controller is the Client.
Processor The natural or legal person who processes personal data on behalf of the Controller.  In this DPA, the Processor is SaaSrooms Europe Limited and SaaSrooms Ltd (together “SaaSrooms”).
Personal Data Any information relating to an identified or identifiable natural person (‘data subject’) as defined in Article 4(1) GDPR.
Special Category Data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for identification purposes), health data, or data concerning sex life or sexual orientation, as defined in Article 9 GDPR.
Processing Any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure or destruction.
Sub-processor Any processor engaged by SaaSrooms (SaaSrooms Europe Limited and/or SaaSrooms Ltd) to carry out processing activities on the Controller’s personal data.
Data Breach A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
EU GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
UK GDPR EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
DPA 2018 The Data Protection Act 2018 (United Kingdom).
EU SCCs The standard contractual clauses for the transfer of personal data to processors in third countries, pursuant to Commission Implementing Decision (EU) 2021/914.
UK IDTA The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under s.119A of the DPA 2018, Version B1.0, in force 21 March 2022.  (The ICO also publishes a separate standalone International Data Transfer Agreement; in this DPA “UK IDTA” refers to the Addendum to the EU SCCs only.)
EEA The European Economic Area, comprising EU Member States plus Iceland, Liechtenstein and Norway.
ICO The UK Information Commissioner’s Office.
DPDI Act The Data Protection and Digital Information Bill, or any successor UK legislation amending the UK GDPR or the DPA 2018, if and when enacted, as applicable.
Services The SaaS spend management platform and related services provided by SaaSrooms under the Agreement.
 

3.  Purpose and Scope

3.1.  This DPA governs the processing of personal data by SaaSrooms (SaaSrooms Europe Limited and SaaSrooms Ltd) as Processor on behalf of the Client as Controller, in connection with the provision of the Services under the Agreement.
3.2.  This DPA applies to processing of personal data subject to EU GDPR and/or UK GDPR.  Where the Client is established in the UK and is subject to UK GDPR, the UK-specific provisions of this DPA (including Schedule 2) apply in addition to the EU GDPR provisions.
3.3.  If there is any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail in respect of data protection matters.
3.4.  SaaSrooms Europe Limited and SaaSrooms Ltd are the contracting Processor entities for all EU and UK clients.  No personal data of EU or UK clients is processed by SaaSrooms LLC (the US entity).

4.  Personal Data Processed

4.1  Categories of Data Subjects

Processing under this DPA is limited to the following categories of data subject:
  • Authorised users of the Services employed or engaged by the Client
  • Named contacts within vendor or supplier organisations managed through the platform on behalf of the Client
 

4.2  Categories of Personal Data

The categories of personal data processed are limited to those necessary for the provision of the Services, as set out below.  The Controller determines which specific fields are populated.  
Category Fields
Identity Name (first, last), job title, username, user ID
Contact Email address, telephone number, business address
Professional Employer / organisation, department, language preference
Platform Profile image (optional, user-uploaded), related URLs, related persons (business context only)
Technical IP address (for security/audit logging only), session tokens
  Data Minimisation: SaaSrooms operates on a data minimisation basis.  Only the fields strictly necessary to deliver the contracted Services are actively collected and processed.  The categories above represent the contractual maximum; not all fields are collected from all clients.  

4.3  Special Category Data

No Special Category Data Collected
SaaSrooms does not collect, process or store any Special Category data as defined in Article 9 GDPR (EU or UK).  This includes, but is not limited to:
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for the purpose of uniquely identifying natural persons)
  • Health or medical data
  • Data concerning sex life or sexual orientation
Gender, where collected, is used solely for platform personalisation (e.g. salutation preference) and does not constitute Special Category data under Article 9 GDPR.  If the Controller’s use case would require processing of Special Category data, the Controller must notify SaaSrooms in writing before any such data is submitted, and a separate data processing addendum must be agreed.
 

4.4  Frequency and Duration of Processing

  • Frequency: Continuous — data is processed on an ongoing basis for the duration of the Agreement.
  • Duration: Personal data is processed for the duration of the Agreement and deleted in accordance with Section 10 of this DPA.
 

4.5  Purpose of Processing

Personal data is processed solely for the following purposes, which are directly connected to the provision of the Services:
  • Providing and operating the SaaSrooms platform, including user authentication and access management
  • Enabling the Client to manage SaaS and cloud software contracts, spend, and vendor relationships
  • Delivering contract management, savings identification, and reporting functionality
  • Providing customer support, account management, and professional services
  • Security monitoring, audit logging, and incident response
  • Fulfilling legal and regulatory obligations
  Anonymised Analytics: SaaSrooms may produce anonymised, aggregated, non-personal statistics derived from platform usage data.  This activity uses data that has been irreversibly anonymised and is therefore outside the scope of GDPR.  No client-identifiable or individual-identifiable data is ever included in such statistics.  This is disclosed in SaaSrooms’ Privacy Policy and authorised under this DPA.  

5.  Processor Obligations

5.1.  SaaSrooms shall process personal data only on documented instructions from the Controller, including as set out in this DPA and the Agreement, unless required to do so by applicable law (in which case SaaSrooms shall inform the Controller of that legal requirement before processing, unless prohibited by law on grounds of public interest).
5.2.  SaaSrooms shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
5.3.  SaaSrooms shall ensure that all personnel authorised to process personal data have committed themselves to confidentiality obligations and have received appropriate data protection training.
5.4.  SaaSrooms shall implement and maintain appropriate technical and organisational measures as described in Annex II (Schedule 1) to protect personal data against unauthorised or unlawful processing and accidental loss, destruction or damage.
5.5.  SaaSrooms shall assist the Controller, taking into account the nature of processing and information available to SaaSrooms, in fulfilling the Controller’s obligations in relation to: (a) data subject rights requests; (b) Data Protection Impact Assessments (DPIAs); (c) prior consultations with supervisory authorities; and (d) security breach notifications.
5.6.  SaaSrooms shall not engage any new Sub-processor without prior written consent of the Controller, provided that general written authorisation is hereby given in respect of Sub-processors listed in Annex III (Schedule 1), subject to SaaSrooms providing 30 days’ advance written notice of any intended changes.
5.7.  SaaSrooms shall make available to the Controller all information necessary to demonstrate compliance with its obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, subject to the conditions set out in Section 13 (including at least 15 business days’ prior written notice).  The Controller bears the reasonable costs of any audit except as provided in Section 13.3.
5.8.  SaaSrooms shall not transfer or permit the transfer of personal data outside the EEA except as expressly authorised under Section 8 of this DPA.

6.  Controller Obligations

6.1.  The Controller warrants that it has a lawful basis for providing personal data to SaaSrooms for the processing activities described in this DPA, including any necessary data subject consents.
6.2.  The Controller shall provide appropriate privacy notices to data subjects informing them of the processing activities described in this DPA.
6.3.  The Controller shall promptly notify SaaSrooms in writing if it receives: (a) any complaint, enforcement notice or investigation from a supervisory authority; (b) any data subject request or enquiry relating to personal data processed by SaaSrooms; (c) any request from a law enforcement or government body for access to personal data.
6.4.  The Controller shall not instruct SaaSrooms to process personal data in a manner that would breach applicable data protection law.
6.5.  The Controller is responsible for ensuring that no Special Category data is submitted to the SaaSrooms platform without prior written agreement as described in Section 4.3.

7.  Data Subject Rights

7.1.  Upon receiving notice from the Controller of a data subject rights request, SaaSrooms shall provide reasonable technical assistance to help the Controller respond within the statutory timeframe.  SaaSrooms shall not respond directly to data subjects on behalf of the Controller unless expressly authorised to do so. SaaSrooms supports the Controller in fulfilling the following data subject rights under EU and UK GDPR:  
Right of Access (Art. 15) SaaSrooms can provide a report of personal data held for a given user on request.
Right to Rectification (Art. 16) SaaSrooms can correct inaccurate personal data on Controller instruction.
Right to Erasure (Art. 17) SaaSrooms can delete personal data on Controller instruction, subject to Section 10.
Right to Restriction (Art. 18) SaaSrooms can restrict processing to storage only on Controller instruction.
Right to Portability (Art. 20) SaaSrooms can provide a machine-readable export of personal data on Controller instruction.
Right to Object (Art. 21) The Controller is responsible for assessing and responding to objections; SaaSrooms will assist technically.
Rights re. Automated Decisions (Art. 22) SaaSrooms does not make automated decisions with legal or similarly significant effects about data subjects.
 

8.  International Data Transfers

8.1  Data Residency

All EU and UK Client personal data is hosted exclusively on Amazon Web Services (AWS) eu-west-1 infrastructure located in the Republic of Ireland (EEA).  Personal data does not leave the EEA at any point during normal processing operations. SaaSrooms Europe Limited and SaaSrooms Ltd do not transfer EU or UK Client personal data to the United States or any other third country as part of routine processing.
 

8.2  Transfer Mechanisms

In the event that any transfer of personal data outside the EEA is required (e.g. for emergency support purposes), such transfer shall only take place under one of the following lawful mechanisms:
  • EU Standard Contractual Clauses (Module 2: Controller to Processor) pursuant to European Commission Implementing Decision (EU) 2021/914, incorporated in Schedule 1 of this DPA
  • UK ICO International Data Transfer Addendum (IDTA) to the EU SCCs, incorporated in Schedule 2 of this DPA, for transfers from the UK
  • An adequacy decision by the European Commission or the UK Secretary of State in respect of the destination country
 

8.3  UK Transfers

For the purposes of EU GDPR the UK is a third country.  Transfers of personal data from the EEA to the UK (including remote access to EEA-hosted data by SaaSrooms personnel located in the UK) are covered by the European Commission’s adequacy decision in respect of the UK (Commission Implementing Decision (EU) 2021/1772) for so long as that decision remains in force, and do not require the EU SCCs.  For transfers from the UK to the EEA (including AWS eu-west-1 Ireland), no transfer mechanism is required as the UK recognises EEA countries as providing adequate protection.  The UK ICO IDTA incorporated in Schedule 2 applies to any transfers from the UK to countries not covered by a UK adequacy decision.

8.4  Canadian Data

Where the Controller or its data subjects are located in Canada, SaaSrooms notes that: (a) all personal data is held within the EEA (Ireland); (b) the GDPR-aligned processing framework satisfies the ‘comparable protection’ standard required under PIPEDA and Quebec Law 25 (Law 64) for international transfers; (c) SaaSrooms can provide a written data residency confirmation letter upon request for the Controller’s Canadian compliance records.  

9.  Sub-processors

9.1.  The Controller provides general written authorisation for the engagement of Sub-processors listed in Annex III (Schedule 1).  SaaSrooms shall impose data protection obligations on all Sub-processors equivalent to those in this DPA and shall remain fully liable to the Controller for any failure by a Sub-processor to fulfil its data protection obligations (Article 28(4) GDPR).
9.2.  SaaSrooms shall notify the Controller at least 30 calendar days in advance of any addition or replacement of Sub-processors, giving the Controller a reasonable opportunity to object.  If the Controller objects on reasonable data protection grounds, the parties shall work in good faith to resolve the concern.
9.3.  The current list of Sub-processors is set out in Annex III (Schedule 1).  As of the date of this DPA, SaaSrooms (SaaSrooms Europe Limited and SaaSrooms Ltd) engages a single Sub-processor for processing EU/UK Client personal data:
Sub-processor Amazon Web Services EMEA SARL
Processing Hosting of the SaaSrooms production environment
Location AWS eu-west-1, Republic of Ireland (EEA)
Data Transfer No transfer outside the EEA
AWS Privacy Info https://aws.amazon.com/privacy/
  Note on AI Tools: SaaSrooms does not use AI-based processing tools as Sub-processors in connection with EU or UK Client personal data.  Any AI functionality within the SaaSrooms platform is operated on SaaSrooms’ own infrastructure hosted on AWS eu-west-1.  

10.  Data Retention and Deletion

10.1  Retention During the Agreement

Personal data is retained for the duration of the Agreement and for the period necessary to fulfil the purposes described in Section 4.5.  SaaSrooms does not retain personal data beyond what is strictly necessary for the performance of the Services.  

10.2  Deletion Upon Termination

Upon termination or expiry of the Agreement, SaaSrooms shall, within 30 days of the later of: (a) the end of the Agreement; or (b) receipt of written instruction from the Controller:
  • Return to the Controller all personal data in a commonly used, machine-readable format; or
  • Permanently delete all personal data including all copies and back-ups held by SaaSrooms and its Sub-processors
The Controller shall specify in writing which option it requires.  If no instruction is received within 30 days of termination, SaaSrooms shall delete the personal data.  

10.3  Legal Retention Requirements

SaaSrooms may retain personal data beyond the periods described above where required by applicable law.  In such cases, SaaSrooms shall notify the Controller of the legal basis and the period of retention, and shall ensure that access to such data is restricted to those with a strict need for it.  

10.4  Anonymised Data

Anonymised, aggregated data that cannot reasonably be used to re-identify any individual is not personal data and falls outside the scope of this DPA.  SaaSrooms may retain and use such data without restriction.  

11.  Personal Data Breach Notification

11.1.  SaaSrooms shall maintain documented incident response procedures and shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware, of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of natural persons.
11.2.  Notification to the Controller shall include, to the extent available at the time: (a) a description of the nature of the breach including the categories and approximate number of data subjects and records concerned; (b) the name and contact details of SaaSrooms’ DPA contact; (c) a description of the likely consequences; (d) a description of measures taken or proposed.  Information may be provided in phases if not all details are immediately available.
11.3.  SaaSrooms shall provide reasonable assistance to the Controller in: (a) notifying the relevant supervisory authority (ICO for UK data, the competent EU authority for EU data) where required; and (b) notifying affected data subjects where required.
11.4.  SaaSrooms’ notification of a breach is not an acknowledgement of fault or liability.

12.  Security

SaaSrooms implements and maintains the technical and organisational security measures described in Annex II (Schedule 1).  These measures include:
  • ISO/IEC 27001:2022 certified Information Security Management System (Certificate No. IC-IS-2504148, valid to April 2028, issued by INTERCERT)
  • SOC 2 Type II audit — zero exceptions (Accorp Partners, 2025, Reference: WKOCU-BIJED-9VCAB-A9NYX)
  • Independent GDPR audit — 100% compliant across 55 controls (Scrut Automation, January 2025)
  • Multi-factor authentication for all platform access
  • Role-based access control on a least-privilege basis
  • HTTPS/TLS encryption for all data in transit
  • Encryption at rest on AWS infrastructure
  • Regular penetration testing and vulnerability management
  • Disaster recovery with multi-availability zone replication
  • Annual third-party risk assessments
  Full details of technical and organisational measures are set out in Annex II (Schedule 1) and in SaaSrooms’ Information and Application Security Policy, available on request.  

13.  Audit Rights

13.1.  Upon the Controller’s reasonable request, SaaSrooms shall provide documentation demonstrating compliance with this DPA and applicable data protection law, including making available its SOC 2 Type II Report, ISO 27001 Certificate, and GDPR Audit Report.
13.2.  The Controller may conduct, or commission a mandated third-party auditor to conduct, an on-site audit of SaaSrooms’ data processing facilities, subject to: (a) at least 15 business days’ prior written notice; (b) the audit being conducted during normal business hours and not unreasonably disrupting SaaSrooms operations; (c) the auditor executing a reasonable confidentiality agreement.
13.3.  The Controller shall bear the reasonable costs of any audit unless the audit reveals material non-compliance, in which case SaaSrooms shall bear its own costs.
13.4.  Audit rights shall not extend to systems or facilities not used in the processing of the Controller’s personal data, or to information that would breach confidentiality obligations to other clients.

14.  Liability

14.1.  Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement.  SaaSrooms’ aggregate liability to the Controller in connection with this DPA shall not exceed the total fees paid by the Controller in the 12 months immediately preceding the event giving rise to the claim.
14.2.  Nothing in this DPA limits either party’s liability: (a) for death or personal injury caused by negligence; (b) for fraud or fraudulent misrepresentation; (c) to the extent liability cannot lawfully be limited or excluded under applicable law.
14.3.  Each party shall be liable to the other for damages caused by any breach of this DPA attributable to that party.  SaaSrooms shall not be liable for processing carried out on the documented instructions of the Controller where those instructions caused the breach.
14.4.  In accordance with Article 82 GDPR, where both parties are involved in the same processing and are responsible for damage caused by it, each may be held liable to the data subject for the entire damage in order to ensure effective compensation (Article 82(4)).  A party that has paid full compensation may then claim back from the other party the part of the compensation corresponding to that other party’s share of responsibility for the damage (Article 82(5)).

15.  Duration and Termination

15.1.  This DPA shall commence on the date of execution of the Agreement and shall remain in force for the duration of the Agreement.
15.2.  This DPA shall automatically terminate upon the termination or expiry of the Agreement, subject to the survival of provisions that by their nature should continue, including Sections 10 (Retention and Deletion), 11 (Breach Notification), and 14 (Liability).
15.3.  Either party may terminate this DPA immediately on written notice if the other party commits a material breach of this DPA that is not remedied within 30 days of written notice.

16.  Governing Law and Jurisdiction

16.1.  This DPA is governed by the laws of England and Wales.  Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, save that either party may seek interim injunctive relief in any court of competent jurisdiction.
16.2.  To the extent this DPA is subject to EU GDPR, it shall be interpreted and applied in accordance with EU law.  To the extent it is subject to UK GDPR and the DPA 2018, it shall be interpreted in accordance with the law of England and Wales.
16.3.  The parties agree that the EU SCCs incorporated in Schedule 1 and the UK IDTA incorporated in Schedule 2 shall be interpreted in accordance with their respective governing law provisions.

17.  General

17.1.  This DPA, together with the Schedules and Annexes, constitutes the entire agreement between the parties in relation to the processing of personal data under the Agreement and supersedes all prior agreements and understandings on this subject.
17.2.  Any amendment to this DPA must be made in writing and signed by both parties.
17.3.  If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
17.4.  This DPA may be executed in counterparts, including by electronic signature.
17.5.  Notices under this DPA shall be given in writing to the addresses set out in Section 1.2 (Processor) and the applicable Order Form (Controller).

Signatures

By signing below, each party confirms that it has read, understood and agrees to be bound by this DPA.  
PROCESSOR
SaaSrooms Europe Limited and SaaSrooms Ltd
Full Name: Philip Allouche
Title: CEO
Signature: ___________________________
Date: ___________________________

CONTROLLER (CLIENT)
[Client Company Name]
Full Name: ___________________________
Title: ___________________________
Signature: ___________________________
Date: ___________________________
SCHEDULE 1
EU Standard Contractual Clauses & Annexes

These clauses are entered into pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries (Module 2: Controller to Processor).  Where data does not leave the EEA, these clauses apply as the overarching data processing contractual framework.  For any transfer from the EEA to a third country, Module 2 of the 2021/914 SCCs applies in full.
 

ANNEX I — Description of Processing

A.  List of Parties

Data Exporter (Controller): The Client as identified in the applicable Order Form.  Role: Controller.
Data Importer (Processor): SaaSrooms Europe Limited and SaaSrooms Ltd, both at 308 High Street, Croydon, Surrey, CR0 1NG.  Contact: Philip Allouche (philip.allouche@saasrooms.com) / Sreeram Venkitakrishnan (sreeram@saasrooms.com).  Role: Processor.

B.  Description of Transfer

Data Subjects Authorised users of the Controller’s account; named vendor/supplier contacts managed by the Controller through the platform.
Personal Data Categories Identity (name, username, user ID, job title); Contact (email, phone, address); Professional (organisation, department); Platform (profile image — optional; related URLs — optional); Technical (IP address for security logging only).
Special Category Data None collected or processed.
Transfer Frequency Continuous (ongoing during the Agreement).
Purpose of Transfer Provision of SaaS spend management services as described in the Agreement, including platform access, contract management, vendor management, reporting, support, and security.
Retention Period Duration of the Agreement, plus up to 30 days for deletion processing.  Personal data is deleted in full upon termination as per Section 10 of this DPA.
Sub-processor Transfers As per Annex III.  All processing within the EEA.
 

C.  Competent Supervisory Authority

For EU data subjects: the competent supervisory authority is determined by application of Clause 13 of the EU SCCs, based on the Controller’s establishment in the EEA. For UK data subjects: the competent supervisory authority is the UK Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.  ico.org.uk  

ANNEX II — Technical and Organisational Measures (TOMs)

The following measures are implemented by SaaSrooms (SaaSrooms Europe Limited and SaaSrooms Ltd) to ensure an appropriate level of security for the personal data processed under this DPA.  These measures are subject to ongoing review and improvement.  

1.  Information Security Management

  • SaaSrooms holds ISO/IEC 27001:2022 certification (Certificate No. IC-IS-2504148, issued by INTERCERT, valid to April 2028), demonstrating a certified Information Security Management System (ISMS).
  • Information security policies are reviewed and approved by management at least annually.
  • An independent third party conducts an annual risk assessment of all systems containing personal data.
  • A formal risk treatment programme including penetration testing, vulnerability management and patch management is maintained.
  • Incident management procedures are in place, including root cause analysis and corrective action processes.
  • SaaSrooms has obtained a SOC 2 Type II attestation report with zero exceptions (Accorp Partners, 2025).
  • SaaSrooms has achieved 100% compliance across 55 GDPR controls in an independent GDPR audit (Scrut Automation, January 2025).
 

2.  Personnel Security

  • All personnel with access to personal data are subject to appropriate background screening (employment history, criminal records) to the extent permitted by applicable law.
  • All personnel execute a confidentiality agreement at time of hire.
  • Personnel receive regular privacy and security training appropriate to their role.
  • Termination procedures include immediate revocation of access rights.
  • Personnel handling personal data are prohibited from processing it without authorisation.
 

3.  Access Controls

  • Formal access management processes govern the request, review, approval and provisioning of access rights.
  • All platform access requires Multi-Factor Authentication (MFA), enforced either directly by the platform or, where Single Sign-On (SSO) is used, by the Client’s identity provider; SSO satisfies the MFA requirement in Section 12 only where the identity provider enforces MFA for the federated login.
  • Access is granted on a least-privilege and need-to-know basis.
  • Access rights are reviewed periodically and revoked immediately upon role change or termination.
  • Strong password policies including complexity, expiry, lockout and reuse restrictions are enforced.
  • All access to systems is logged to maintain an audit trail.
 

4.  Data Centre and Infrastructure Security

  • All EU/UK Client data is hosted on Amazon Web Services eu-west-1 infrastructure located in the Republic of Ireland (EEA).
  • Multi-Availability Zone (Multi-AZ) deployment provides redundancy and resilience.
  • Server hardening practices are applied to all production infrastructure.
  • A code review process is applied to all software deployed in the production environment.
  • Disaster recovery plans are documented, regularly tested and include data replication across multiple systems.
  • Security logging is enabled across all infrastructure components.
  • AWS Security Groups (virtual firewalls) are configured to restrict external attack surface.
 

5.  Data Transmission Security

  • All data in transit is protected using HTTPS/TLS encryption (minimum TLS 1.2).
  • Certificates are issued by trusted Certificate Authorities and are subject to regular renewal and monitoring.
  • Production environment transmissions use Internet standard protocols with enforced encryption.
 

6.  Data Storage, Isolation and Destruction

  • Data is stored in a logically isolated, multi-tenant environment on AWS infrastructure.
  • Customer data is logically segregated at the application layer to prevent cross-customer access.
  • Data is replicated between multiple AWS availability zones for resilience.
  • Secure data destruction processes are applied upon deletion, including cryptographic erasure where applicable.
  • Backups are protected with equivalent security controls to production data.
 

7.  Vulnerability Management

  • Regular vulnerability scans are conducted across all infrastructure components.
  • Penetration testing is conducted at least annually by an independent third party.
  • Critical, High and Medium severity vulnerabilities are remediated as soon as commercially practicable following discovery.
  • A patch management process ensures timely application of security updates.
 

8.  Incident Response

  • Documented incident management and escalation procedures are in place.
  • Multiple monitoring channels are used to detect security incidents.
  • Security personnel respond promptly to suspected or confirmed incidents.
  • Personal Data Breaches are notified to the Controller within 24 hours of detection in accordance with Section 11 of this DPA.
 

ANNEX III — List of Sub-processors

The following Sub-processors are authorised as of the date of this DPA.  Changes will be notified to the Controller with at least 30 calendar days’ notice.  
Sub-processor: Amazon Web Services EMEA SARL (AWS)
Processing Activity: Hosting of SaaSrooms production environment (compute, storage, networking)
Location: Republic of Ireland (AWS eu-west-1, EEA)
Data Transfer to Third Country: No — data remains in the EEA
SCHEDULE 2 — UK ICO International Data Transfer Addendum (IDTA)

Version B1.0  |  In force 21 March 2022

UK GDPR Specific Provisions

This Schedule 2 constitutes the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner’s Office under s.119A(1) Data Protection Act 2018, incorporated into and forming part of this DPA.  It applies to transfers of UK personal data subject to UK GDPR.
 

Part 1 — Tables

Table 1: Parties

Exporter (Controller)
  The Client as identified in the applicable Order Form.
  Role: Controller
  Address: as per Order Form
  Contact: as per Order Form

Importer (Processor)
  SaaSrooms Europe Limited and SaaSrooms Ltd
  Role: Processor
  Address: 308 High Street, Croydon, Surrey, CR0 1NG
  Contact: Philip Allouche, CEO — philip.allouche@saasrooms.com
 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The EU Standard Contractual Clauses incorporated in Schedule 1 of this DPA
Selected SCCs Module Module 2 (Controller to Processor)
Clause 7 Optional docking clause does not apply
Clause 11 Optional redress mechanism does not apply
Clause 9(a) Option 2 (General Written Authorisation) applies
Clause 9(a) Period 30 calendar days
Clause 13(a) UK ICO is the competent supervisory authority
Clause 17 Governed by the law of England and Wales
Clause 18(b) Courts of England and Wales
 

Table 3: Appendix Information

The information required for Annex I, Annex II, and Annex III of the Addendum EU SCCs is set out in Annex I, Annex II, and Annex III of Schedule 1 to this DPA respectively, which are hereby incorporated into this Schedule 2.  

Table 4: Ending this Addendum when the Approved Addendum Changes

Neither the Importer nor the Exporter may end this Addendum when an Approved Addendum change is made, as permitted under Section 19 of the IDTA.  Instead, the parties agree to review and, where necessary, update the terms in good faith.  

Part 2 — Mandatory Clauses

The Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s.119A(1) Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, shall apply to this DPA.

These Mandatory Clauses are available in full at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

Amendments to Approved Addendum: Where any provision of this Schedule 2 conflicts with the Mandatory Clauses, the Mandatory Clauses shall prevail.  

UK GDPR — Additional Specific Provisions

Data Subject Rights under UK GDPR / DPA 2018

In addition to the rights described in Section 7 of this DPA, the following UK-specific rights are acknowledged:
  • Right to be informed (UK GDPR Art. 13–14): SaaSrooms will provide the Controller with information sufficient to discharge its transparency obligations to data subjects.
  • Automated decision-making (UK GDPR Art. 22): SaaSrooms does not subject data subjects to automated decisions with legal or similarly significant effects.
  • ICO complaints: Data subjects in the UK have the right to lodge a complaint with the ICO (ico.org.uk / 0303 123 1113).
  • Law Enforcement Processing: This DPA does not cover processing for law enforcement purposes under Part 3 of the DPA 2018.
  • National Security: This DPA does not cover processing for national security purposes under Part 4 of the DPA 2018.
 

UK Representative

SaaSrooms Europe Limited and SaaSrooms Ltd are both established in the United Kingdom and are directly subject to UK GDPR.  No separate UK representative is required.  

Registration

SaaSrooms Europe Limited and SaaSrooms Ltd are both registered with the UK Information Commissioner’s Office as required under the DPA 2018.  

Document Information

Document Title Data Processing Agreement — EU GDPR & UK GDPR Compliant Edition
Issued By SaaSrooms Europe Limited & SaaSrooms Ltd
Version 2.0
Effective Date January 2025
Review Date April 2026 (effective 1 May 2026)
Governing Law England and Wales
Questions support@saasrooms.com
 
CONFIDENTIAL — This document contains confidential and proprietary information.  Unauthorised reproduction, distribution or disclosure is strictly prohibited.  SaaSrooms Europe Limited (Co. 14170299) and SaaSrooms Ltd (Co. 14011278), both at 308 High Street, Croydon, Surrey, CR0 1NG.
 