
DPA

Updated 4th August, 2025

This Data Protection Agreement (“DPA”) is between Matta Labs Ltd, a limited company registered in England and Wales (Company number 13452862, with registered office address 15 West Street, Brighton, England, BN1 2RL) ("Matta") and any customer that purchases products or services (“Customer”) from Matta pursuant to a Matta Master Services Agreement (the "Agreement").

1. Definitions

  1. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
  2. Data Protection Laws: means (a) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data; and (b) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of personal data;
  3. EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
  4. SCCs: means: (a) Module Four: Transfer processor to controller of the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries set out in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 with Annex 1 to such clauses being set out in Appendix B ("EU SCCs") and with the options to such EU SCCs being set out in Appendix C; and (b) the EU SCCs amended by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018, Version B1.0 in force 21 March 2022 with part 1 of such addendum being set out in Appendix B ("UK SCCs").
  5. UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

2. Data Protection

  1. Both parties will comply with all applicable requirements of the Data Protection Laws. This paragraph 2(a) is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Laws.
  2. The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and Matta is the Processor. Appendix A sets out the scope, nature and purpose of processing by Matta, the duration of the processing and the types of Personal Data and categories of Data Subject.
  3. Without prejudice to the generality of paragraph 2(a), the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Matta for the duration and purposes of this agreement.
  4. Without prejudice to the generality of paragraph 2(a), Matta shall, in relation to any Personal Data processed in connection with the performance by Matta of its obligations under this agreement:
    1. process that Personal Data only on the documented written instructions of the Customer unless Matta is required by applicable laws to otherwise process that Personal Data. Where Matta is relying on applicable laws as the basis for processing Personal Data, Matta shall promptly notify the Customer of this before performing the processing required unless applicable laws prohibit Matta from so notifying the Customer;
    2. ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
    3. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
    4. not transfer any Personal Data outside of the UK or EEA unless the following conditions are fulfilled: (a) the Customer or Matta has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; and (c) Matta complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred;
    5. assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
    6. notify the Customer without undue delay on becoming aware of a Personal Data Breach;
    7. at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Data Protection Laws to store the Personal Data (and any such return shall be through the process set out in clause 11(d) of the Agreement whereby the Customer may export its Customer Data); and
    8. maintain complete and accurate records and information to demonstrate its compliance with this paragraph 2(d) and allow for audits by the Customer or the Customer's designated auditor and immediately inform the Customer if, in the opinion of Matta, an instruction infringes the Data Protection Laws.
  5. The Customer hereby provides its prior, general authorisation for Matta to appoint processors to process the Personal Data, provided that Matta:
    1. shall ensure that the terms on which it appoints such processors comply with applicable Data Protection Laws, and are consistent with the obligations imposed on Matta in this paragraph 2;
    2. shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Matta; and
    3. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to Matta's reasonable satisfaction, that the objection is due to an actual or likely breach of applicable Data Protection Law, the Customer shall indemnify Matta for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.
  6. Matta may only process, or permit the processing, of the Personal Data outside the UK or EEA under the following conditions:
    1. Matta is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or
    2. Matta participates in a valid cross-border transfer mechanism under the Data Protection Laws, so that Matta (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR; or
    3. the transfer otherwise complies with the Data Protection Laws.
  7. If any Personal Data transfer between the Customer and Matta requires execution of SCCs in order to comply with the Data Protection Laws, the parties will complete all relevant details in, and execute, the SCCs contained in Appendix B, and take all other actions required to legitimise the transfer.
  8. Matta may, at any time on not less than 30 (thirty) days’ notice, revise Appendix B by replacing it with any applicable controller to processor standard clauses or similar terms adopted under the Data Protection Laws or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).


DPA - APPENDIX A

Processing, Personal Data and Data Subjects


1. Subject matter of the processing:
For the provision of services by Matta to the Customer under the Matta Master Services Agreement.

2. Nature of processing:
Collection, accessing, retrieval, recording, adapting, combining, altering and sharing (including disclosure, dissemination, allowing access or otherwise making available).

3. Purpose of processing
For the provision of services by Matta to the Customer under the Matta Master Services Agreement.

4. Duration of the processing
For the terms of the Matta Master Services Agreement and any applicable retention periods.


5. Types of Personal Data

  • Name;
  • Email address;
  • Phone numbers;
  • Images;
  • Job title.


6. Categories of Data Subject

  • Customer's staff including volunteers, agents, temporary and casual workers;
  • Customer's clients (including their staff);
  • Customer's shareholders and officers.


DPA - APPENDIX B

EU SCCs

ANNEX 1

A: LIST OF PARTIES

Data exporter:

Name: Matta Labs Ltd

Address: 15 West Street, Brighton, England, BN1 2RL

Contact person’s name, position and contact details: Douglas Brion, CEO, notices@matta.ai

Activities relevant to the data transferred under these Clauses: as set out in Appendix A.

The data exporter’s business or organisation type is: software company.

Role (controller/processor): Processor


Data importer:

Name: As set out in the Matta Order Form

Address: As set out in the Matta Order Form

Contact person’s name, position and contact details: As set out in the Matta Order Form

Activities relevant to the data transferred under these Clauses: Matta's Customer

Role (controller/processor): Controller 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • As set out in Appendix A

Categories of personal data transferred

  • As set out in Appendix A.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • The parties do not expect to transfer sensitive data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • As set out in Appendix A

Nature of the processing

  • As set out in Appendix A

Purpose(s) of the data transfer and further processing

  • As set out in Appendix A

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • As required by the data importer’s own legal and regulatory requirements.

UK SCCs

Part 1: Tables

Table 1: Parties

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| --- | --- | --- |
| Parties’ details | See Annex I of Appendix B | See Annex I of Appendix B |
| Key Contact | See Annex I of Appendix B | See Annex I of Appendix B |


Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: As set out in the Matta Order Form


Table 3: Appendix Information

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

☐ Importer

☒ Exporter

☐ neither Party


Table 4: Ending this Addendum when the Approved Addendum Changes

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Annex I of Appendix B
Annex 1B: Description of Transfer: See Annex I of Appendix B
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: N/A
Annex III: List of Sub processors (Modules 2 and 3 only): N/A

Part 2: Mandatory Clauses

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.


DPA - APPENDIX C

EU SCCs Options

Where an EEA Restricted Transfer is made, the parties agree to the below in relation to the use of the EU SCCs:

  • Clause 7 of the EU SCCs – not used;
  • Clause 11 of the EU SCCs – the parties agree to delete the optional language;
  • Clause 13 of the EU SCCs – is set out in Annex 1 of the DPA;
  • Clause 17 of the EU SCCs – the parties agree that the governing law shall be the law of England & Wales;
  • Clause 18 of the EU SCCs – the parties agree that the courts of England & Wales shall have jurisdiction;
  • Annex 2 of the EU SCCs does not need to be completed with details of technical and organisational measures; and
  • Annex 3 of the EU SCCs does not need to be completed with details of sub-processors.


Matta Labs © 2022-2024