Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between Clinstead Ltd (“Clinstead”, “Processor”) and the Customer identified in the order form (“Customer”, “Controller”) for the provision of the Clinstead platform (the “Service”).

It records the parties' obligations under UK GDPR, EU GDPR, and other applicable data-protection laws in respect of Customer Personal Data processed by Clinstead on behalf of the Customer.

Capitalised terms have the meanings given in UK GDPR / EU GDPR unless defined here. In particular:

• Customer Personal Data means Personal Data uploaded to, or generated within, the Service by or on behalf of Customer.
• Sub-processor means a third party engaged by Clinstead to process Customer Personal Data.
• Applicable Lawmeans UK GDPR, EU GDPR, the UK Data Protection Act 2018, and any other privacy laws applicable to a given Customer or study.
• Standard Contractual Clauses (SCCs)means the EU Commission's 2021/914 module-2 (controller to processor) clauses, and the UK International Data Transfer Addendum where applicable.

The Customer is the Controller of Customer Personal Data; Clinstead processes it as Processor strictly on documented instructions from the Customer, including those embedded in standard Service configuration.

Clinstead will:

• Process Customer Personal Data only on the Customer's documented instructions;
• Ensure personnel authorised to process Customer Personal Data are bound by confidentiality;
• Implement the technical and organisational measures described in our security overview;
• Assist the Customer with data-subject rights requests insofar as reasonably possible;
• Assist the Customer with data-protection impact assessments and prior consultations where required;
• On termination or expiry, delete or return Customer Personal Data on the schedule defined below;
• Make available all information necessary to demonstrate compliance with this DPA, and allow for audits as set out in Audits.

Clinstead will notify the Customer immediately if, in its opinion, an instruction infringes Applicable Law.

The Customer authorises Clinstead to engage Sub-processors. Our current list of platform Sub-processors is maintained below and updated when changes occur:

Clinstead will give the Customer at least 30 days' advance notice of any new or replacement Sub-processor. Customers may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service for material breach.

Clinstead remains liable for the acts and omissions of its Sub-processors as if they were its own.

Where Customer Personal Data is transferred outside the UK or EEA, the parties incorporate the EU Standard Contractual Clauses and the UK International Data Transfer Addendum by reference, with Clinstead as data importer and Customer as data exporter. Module 2 (controller-to-processor) applies as default.

Where Sub-processors involve onward transfers, Clinstead enters into back-to-back SCCs and supplementary measures consistent with the EDPB's guidance, including encryption and pseudonymisation where appropriate.

Clinstead implements appropriate technical and organisational measures (Article 32 GDPR), including:

• Encryption in transit (TLS 1.3) and at rest (AES-256-GCM);
• Hardware-backed MFA and least-privilege access controls;
• Continuous monitoring, SIEM-based detection, and 24/7 on-call;
• Independent penetration testing at least annually;
• Audit trails with reason-for-change capture on regulated entities;
• Tested backup and disaster-recovery procedures.

Full details are set out in our security overview, which forms part of this DPA.

Clinstead provides Customer-facing tooling to fulfil data-subject rights requests (access, rectification, erasure, restriction, portability) directly within the Service.

Where Clinstead receives a request directed at Customer Personal Data, it will redirect the data subject to the Customer and promptly notify the Customer. Clinstead will not respond to such requests directly except on the Customer's instruction.

If Clinstead becomes aware of a Personal Data Breach affecting Customer Personal Data, Clinstead will notify the Customer without undue delay and within 72 hours of establishing the facts. The notification will include, to the extent then known:

• The nature of the breach and the categories and approximate number of data subjects and records affected;
• The likely consequences of the breach;
• The measures taken or proposed to address the breach and mitigate its effects;
• The name and contact details of Clinstead's data-protection lead.

Clinstead will make available, on request, the documents needed to demonstrate compliance with this DPA, including the latest SOC 2 Type II report, ISO 27001 statement of applicability, and penetration-test summary.

Where these documents do not satisfy a regulatory or supervisory audit requirement, Clinstead will reasonably cooperate with an on-site or remote audit, subject to:

• Reasonable advance notice (no less than 30 days);
• Mutually agreed scope, timing, and conduct that does not unreasonably interfere with Clinstead operations;
• The auditor being bound by appropriate confidentiality obligations;
• The Customer bearing its own audit costs (Clinstead's reasonable costs of facilitation will be reimbursed except where the audit reveals a material breach by Clinstead).

On termination of the agreement or earlier on Customer's written request, Clinstead will:

• Make Customer Personal Data available for export in a structured machine-readable format for a period of 30 days; then
• Securely delete Customer Personal Data from production systems within 30 days of the export period ending;
• Securely delete Customer Personal Data from backups in accordance with the backup rotation schedule, after which deletion is certified in writing on request.

Clinstead may retain Customer Personal Data to the extent and for so long as required by Applicable Law, in which case it will remain protected by this DPA.

Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the main agreement. Nothing in this DPA limits a data subject's rights under Applicable Law.

If there is a conflict between this DPA and the main agreement, this DPA prevails on data-protection matters. Clinstead may update this DPA where required to reflect changes in Applicable Law or its Sub-processor list; substantive changes will be notified to the Customer at least 30 days in advance.

DPA queries, signed copies, or redline requests: dpo@clinstead.com. We typically turn requests around within two business days.