/// Legal & compliance

Policies, statements and contractual templates published in line with UK procurement expectations. See also the trust centre.

/// Document DPA-1

Data Processing Addendum

This Addendum forms part of, and is incorporated into, any Master Services Agreement, Order Form or Statement of Work between Sifotech UK Ltd and the customer where Sifotech processes personal data on the customer’s behalf.

UK GDPR · DPA 2018 · Version 1.0

1. Parties

This Addendum is entered into between Sifotech UK Ltd, a company being incorporated in England & Wales (May 2026) with its registered office in Dewsbury, West Yorkshire (Companies House number available on request once issued) (“Sifotech”, the Processor), and the customer identified in the applicable Order Form (the Controller; together, the Parties).

2. Scope

This Addendum applies where Sifotech processes personal data on behalf of the Controller in connection with the Services. It is intended to satisfy Article 28 UK GDPR and any equivalent obligations under the Data Protection Act 2018.

In the event of a conflict between this Addendum and the underlying agreement, this Addendum prevails for matters relating to the processing of personal data.

3. Definitions

Capitalised terms not defined here have the meaning given in UK GDPR. For convenience:

  • UK GDPR means the United Kingdom General Data Protection Regulation, that is Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (see section 3(10) DPA 2018).
  • DPA 2018 means the Data Protection Act 2018.
  • Personal Data, Controller, Processor, Data Subject, Processing, Personal Data Breach and Supervisory Authority have the meanings given in UK GDPR.
  • Services means the software, platforms, subscriptions or professional services delivered by Sifotech to the Controller under the underlying agreement.
  • Subprocessor means a third party engaged by Sifotech to process Personal Data on behalf of the Controller.

4. Roles of the Parties

The Controller determines the purposes and means of processing. Sifotech acts as Processor and processes Personal Data only on documented instructions from the Controller, including with regard to transfers, unless required to do otherwise by UK or EU law (in which case Sifotech will inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure on important grounds of public interest).

Where Sifotech engages Subprocessors, Sifotech remains fully liable to the Controller for the performance of each Subprocessor’s data-protection obligations, including their acts and omissions in respect of that processing.

5. Subject-matter and nature of processing

Subject-matter: provision and operation of the Services and related support, security, hosting, billing and communications.

Duration: for the duration of the underlying agreement, plus any retention period mandated by law or expressly agreed in writing.

Nature and purpose: storage, hosting, retrieval, consultation, transmission, structured analysis, backup, deletion and other operations strictly necessary to deliver the Services.

6. Categories of personal data

The categories depend on the Services purchased and the Controller’s configuration. Typical categories include:

  • Identification & contact data (name, email address, phone number, postal address, job title).
  • Account & authentication data (hashed passwords, MFA tokens, session identifiers, IP address, user agent).
  • Operational data (records, transactions, logs, uploaded documents).
  • Optional, configuration-driven categories such as health, accessibility or sensitive metadata only where the Controller explicitly enables a feature requiring it and on documented instructions.

Sifotech does not request or knowingly process special-category data unless the Controller has expressly enabled a feature that requires it and the Controller has an appropriate lawful basis under Article 6 and a condition under Article 9 UK GDPR (and, where required, Schedule 1 DPA 2018) in place.

7. Data subjects

Data subjects typically include the Controller’s personnel, customers, suppliers, end users, patients (in healthcare contexts) and other individuals whose data the Controller submits to the Services.

8. Security measures

Sifotech implements appropriate technical and organisational measures under Article 32 UK GDPR, including:

  • Encryption in transit (TLS 1.2 or higher, HSTS).
  • Encryption at rest (AES-256 on volumes and backups).
  • Role-based access control on a least-privilege basis, with row-level security enforced on multi-tenant tables.
  • Mandatory multi-factor authentication for production access.
  • Audit logging of all data mutations (actor, timestamp, source IP, payload diff) retained for a minimum of 90 days.
  • Vulnerability management, dependency scanning and a documented patch cadence.
  • Encrypted, regularly tested backups with documented restore procedures.
  • Personnel confidentiality undertakings and security-awareness training.

Full details are published in the Information Security Policy.

9. Subprocessors

The Controller authorises Sifotech to engage the Subprocessors listed below. Sifotech will give the Controller at least thirty (30) days’ prior notice of any addition or replacement, during which the Controller may object on reasonable data-protection grounds.

Subprocessor · Function · Location

Supabase · Database, authentication, file storage · Ireland (EU region) / United Kingdom
Vercel · Application hosting and edge runtime · European Union (Frankfurt primary)
Stripe Payments UK Ltd · Payment processing · United Kingdom / European Union
Resend · Transactional email delivery · European Union
Twilio Ireland Ltd · SMS / WhatsApp messaging (where used) · Ireland
Anthropic PBC · AI reasoning via Claude API · United States, under a zero data retention agreement

10. International transfers

By default, Personal Data is processed in the United Kingdom or the European Economic Area. Sifotech does not transfer Personal Data outside the UK/EEA except:

  • to a country covered by a UK adequacy regulation under Article 45 UK GDPR; or
  • under appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum.

Where AI processing is performed by a US-based Subprocessor, the transfer is made under one of the safeguards listed above, a zero data retention agreement is in place with that Subprocessor, and only the data strictly necessary for the inference task is transmitted.

11. Personal data breach

Sifotech will notify the Controller of any confirmed Personal Data Breach affecting the Controller’s data without undue delay and in any event within seventy-two (72) hours of becoming aware. The notification will include, to the extent known, the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed to address it.

Sifotech will cooperate with the Controller in fulfilling its own notification obligations to the ICO and to affected data subjects under Articles 33 and 34 UK GDPR.

12. Audit rights

On reasonable notice and not more than once per twelve (12) month period (or more frequently following a confirmed Personal Data Breach or where required by a Supervisory Authority), the Controller may request an audit of Sifotech’s compliance with this Addendum. Sifotech will respond to written audit questionnaires and, where appropriate, provide independent attestation reports once available.

On-site audits, if conducted, will take place during normal UK business hours, will not unreasonably interfere with Sifotech’s operations, and will not compromise the security or confidentiality of other customers’ data.

13. Liability

Each Party’s liability under this Addendum is subject to the limitations and exclusions set out in the underlying agreement. Nothing in this Addendum limits any liability that cannot be limited under UK law (including for death, personal injury, fraud or fraudulent misrepresentation).

14. Term and termination

This Addendum remains in force for as long as Sifotech processes Personal Data on the Controller’s behalf. On termination, Sifotech will (at the Controller’s choice) return or delete all Personal Data, including existing copies, and confirm completion in writing, save where applicable law requires continued storage.

15. Contact

Data-protection enquiries and requests under this Addendum should be sent to dpo@sifotech.co.uk. A signed counterpart of this Addendum is available on request.

Last reviewed: 2026-05-17 · Next review: 2027-05-17 · v1.0 · Document owner: Navdeep Singh