Data Processing Agreement

Last updated: 3 April 2026

About this Agreement

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service between DORSET CREATIVE LTD (“Threadsovereign”) and each Customer. It sets out the obligations of both parties in respect of personal data processed by Threadsovereign on behalf of the Customer, in compliance with UK GDPR Article 28 and the Data Protection Act 2018.

By accepting the Terms of Service, the Customer agrees to this DPA. No separate signature is required unless explicitly requested.

1. Introduction

This DPA governs the processing of personal data by Threadsovereign as a data processor acting on behalf of the Customer (data controller) in connection with the provision of the Threadsovereign Platform.

Both parties agree to comply with all applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any successor legislation.

2. Definitions

Terms not defined here have the meanings given in the Terms of Service or UK GDPR:

  • “Controller” — the Customer, who determines the purposes and means of processing
  • “Processor” — DORSET CREATIVE LTD, who processes personal data on behalf of the Controller
  • “Data Subject” — the individual whose personal data is processed (e.g. project team members, residents, contractors)
  • “Personal Data” — any information relating to an identified or identifiable natural person
  • “Processing” — any operation performed on personal data
  • “Sub-processor” — any third party engaged by Threadsovereign to process personal data
  • “Security Incident” — any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data

3. Roles of the Parties

The parties acknowledge that:

  • The Customer is the Data Controller for personal data relating to the Customer's employees, sub-contractors, residents, clients and any other third parties whose personal data the Customer uploads or generates in the Platform
  • Threadsovereign is the Data Processor for such personal data
  • Threadsovereign is a Data Controller in its own right for personal data processed for its own legitimate business purposes (account management, billing, security) — see the Privacy Policy

4. Scope and Nature of Processing

The following table sets out the details of processing as required by UK GDPR Article 28(3):

  • Subject matter: Provision of the Threadsovereign Building Safety Compliance Platform
  • Duration of processing: For the duration of the Terms of Service plus any mandatory retention period under BSA 2022
  • Nature and purpose: Storage, retrieval, display, export and deletion (where legally permitted) of building safety project data and personnel data, to enable the Customer to manage BSA 2022 compliance obligations
  • Types of personal data: Names, email addresses, job titles, phone numbers, user activity logs, building addresses, and any personal data included by the Customer in uploaded documents or project records
  • Categories of data subjects: The Customer's employees and contractors; residents of buildings managed via the Platform; clients and their representatives; other project stakeholders
  • Special category data: Not permitted; the Customer must not upload special category data without prior written agreement with Threadsovereign

5. Threadsovereign's Obligations as Processor

Threadsovereign will:

  • Process personal data only on the documented instructions of the Controller, unless required by law
  • Ensure that all persons authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 8)
  • Not engage any sub-processor without prior consent (general authorisation as set out in Section 7)
  • Assist the Controller in fulfilling its obligations regarding Data Subject rights requests (see Section 10)
  • Assist the Controller with security, breach notification, DPIAs and prior consultation as required
  • Delete or return personal data at the end of the contract, subject to mandatory retention (see Section 12)
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA
  • Notify the Controller immediately if any instruction would violate applicable data protection law

6. Customer's Obligations as Controller

The Customer is responsible for:

  • Ensuring a lawful basis exists for all personal data uploaded to the Platform
  • Providing appropriate privacy notices to all data subjects whose personal data is entered into the Platform
  • Ensuring that personal data is accurate, adequate and not excessive
  • Not uploading special category personal data without Threadsovereign's prior written consent
  • Complying with all applicable data protection law in its capacity as data controller

7. Sub-processors

The Customer provides general authorisation for Threadsovereign to engage sub-processors, subject to the conditions below. Threadsovereign's current authorised sub-processors are:

  • Supabase Inc. (Location: EU (Frankfurt); Purpose: Database, authentication, storage; Transfer safeguard: Adequacy decision (EU hosted))
  • Vercel Inc. (Location: US / EU; Purpose: Application hosting, edge functions; Transfer safeguard: UK–US Data Bridge / SCCs)
  • Vercel Blob (Vercel Inc.) (Location: US / EU; Purpose: Document and file storage; Transfer safeguard: UK–US Data Bridge / SCCs)

Threadsovereign will provide at least 14 days' prior written notice of any intended change to the list of sub-processors. The Customer may object in writing within 14 days. If the Customer objects and the parties cannot agree, the Customer may terminate the Agreement with 30 days' notice without penalty.

Threadsovereign will ensure all sub-processors are bound by data processing obligations equivalent to those in this DPA before processing commences.

8. Security Measures

Threadsovereign implements the following technical and organisational measures to ensure an appropriate level of security (UK GDPR Article 32):

  • Encryption in transit: TLS 1.2+ for all data in transit
  • Encryption at rest: AES-256 encryption via Supabase/Vercel infrastructure
  • Access controls: Role-based access control (RBAC) with Row Level Security (RLS) at the database level
  • Authentication: Multi-factor authentication available; account lockout after 5 failed login attempts
  • Audit logging: Immutable audit logs of all significant actions (insert-only, no update or delete permitted)
  • Data minimisation: Access to personal data is limited to personnel who require it for service delivery
  • Incident response: Documented security incident response procedure
  • Security headers: HTTP security headers (HSTS, CSP, X-Frame-Options) on all responses
  • Vulnerability management: Regular dependency updates and security assessments

9. Data Breach Notification

In the event of a Security Incident involving personal data processed under this DPA, Threadsovereign will:

  • Notify the Customer without undue delay and, where feasible, within 48 hours of becoming aware of the incident
  • Provide sufficient information to enable the Customer to meet its own 72-hour ICO notification obligation
  • Include in the notification: the nature of the incident; categories and approximate number of records affected; likely consequences; measures taken or proposed
  • Co-operate with the Customer to investigate and mitigate the incident

Notification should be sent to the Customer's designated contact. Breach notifications from Threadsovereign will be sent from security@threadsovereign.io.

10. Data Subject Rights Requests

Where Threadsovereign receives a request directly from a data subject relating to personal data processed under this DPA, Threadsovereign will:

  • Forward the request to the Customer within 3 business days
  • Not respond to the data subject directly except as instructed by the Customer
  • Assist the Customer by providing technical means to extract, correct, restrict or delete data as instructed

The Customer is responsible for responding to data subject rights requests within the statutory time limit (30 calendar days). Threadsovereign will provide reasonable technical assistance at no additional charge unless the request is disproportionately burdensome.

Note: Certain data (audit logs, Gateway submissions, Golden Thread documents) cannot be deleted due to mandatory BSA 2022 retention requirements. Threadsovereign will provide a written explanation of what data cannot be deleted and the legal basis.

11. International Data Transfers

Transfers of personal data to sub-processors outside the UK are covered by the safeguards detailed in Section 7. Threadsovereign will not transfer personal data to any country or territory outside the UK unless an appropriate transfer safeguard is in place (adequacy decision, UK–US Data Bridge or UK International Data Transfer Agreement/SCCs).

12. Retention and Deletion

On expiry or termination of the Terms of Service, Threadsovereign will (at the Customer's choice):

  • Export all Customer Data in a structured, machine-readable format within 30 days; or
  • Confirm secure deletion of all Customer Data within 90 days of termination

Exception — mandatory BSA 2022 retention: Building safety records for Higher-Risk Buildings (Gateway submissions, Golden Thread documents, audit logs, competency declarations, Safety Cases) will be retained for a minimum of 15 years from the date of last Gateway submission or completion, regardless of contract termination. Threadsovereign will maintain these records securely and will make them accessible to the Customer or the Building Safety Regulator upon lawful request.

13. Audit Rights

The Customer has the right to audit Threadsovereign's compliance with this DPA. Threadsovereign will:

  • Provide all information reasonably requested to demonstrate compliance
  • Allow audits by the Customer or their appointed auditor, subject to reasonable notice (at least 10 business days), confidentiality obligations, agreement on scope, and reasonable cost-sharing
  • In lieu of a full audit, Threadsovereign may provide a current SOC 2 report or equivalent security certification as evidence of compliance

14. Liability

Threadsovereign's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

Where a data subject brings a claim for compensation and both parties are responsible for the same damage, each party is responsible for the part of the damage it caused. Either party may claim against the other for contribution in proportion to their respective responsibility.

15. Termination

This DPA terminates automatically on expiry or termination of the Terms of Service, subject to Section 12 (retention of mandatory BSA 2022 records) and any provisions that expressly survive termination.

Questions about this DPA

Contact: privacy@threadsovereign.io

Customers requiring a signed DPA for their own records can request a PDF copy with their account details by emailing the above address.