Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between LandTable Cloud Ltd (trading as "LandTable"; "we", "us", or "our"), a company established in the United Kingdom, and the Controller identified above. It supplements the LandTable Terms of Service and governs LandTable's processing of personal data on behalf of the Controller.

Where there is a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA shall prevail.

1. Definitions

In this DPA:

• "Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and where applicable the EU General Data Protection Regulation (EU) 2016/679 (EU GDPR) and any national implementing legislation, as amended from time to time.
• "Controller" has the meaning given in Applicable Data Protection Law and refers to the customer identified above.
• "Processor" has the meaning given in Applicable Data Protection Law and refers to LandTable Cloud Ltd.
• "Customer Data" means any personal data that the Controller or its authorised users upload, store, or otherwise submit to the Services, including data held within workspaces, bases, tables, records, forms, and file attachments.
• "Services" means the LandTable application accessible at cloud.landtable.io and any related features provided under the Terms of Service.
• "Sub-processor" means any third party engaged by the Processor to carry out processing activities on Customer Data on behalf of the Controller.
• "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.
• All other capitalised terms not defined here have the meanings given in the Terms of Service or in Applicable Data Protection Law.

2. Roles of the parties

The Controller determines the purposes and means of processing Customer Data. LandTable processes Customer Data solely as a Processor, acting on the Controller's instructions and in accordance with this DPA and Applicable Data Protection Law.

Where LandTable processes personal data about the Controller's account holders, billing contacts, or website visitors for its own purposes (such as account management, billing, and security), it does so as a data controller in its own right, as described in the Privacy Policy.

3. Subject matter, duration, and nature of processing

Subject matter: Processing of Customer Data submitted to the Services by or on behalf of the Controller.

Duration: For the term of the Controller's active subscription or account, and thereafter only as strictly necessary to complete deletion in accordance with Section 9 of this DPA.

Nature and purpose: Storage, retrieval, display, organisation, and transmission of Customer Data as necessary to provide the Services, including real-time collaboration, file storage, automation execution, form submission handling, and user-initiated data exports.

Types of personal data: Any personal data that the Controller chooses to store in the Services. This may include, without limitation: names, email addresses, phone numbers, postal addresses, identification numbers, financial data, health data, and any other data fields created by the Controller.

Categories of data subjects: Any individuals whose personal data the Controller uploads to the Services, including the Controller's customers, employees, prospects, partners, or members of the public.

4. Processing on documented instructions

LandTable shall process Customer Data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service, unless required to do so by applicable law. In that case LandTable shall inform the Controller of that legal requirement before processing, unless prohibited by law.

The Controller's use of the Services (including any configuration, automation rules, integrations, or API calls made by the Controller or its users) constitutes documented instructions to LandTable.

If LandTable believes an instruction infringes Applicable Data Protection Law, it shall promptly notify the Controller.

5. Confidentiality of processing

LandTable shall ensure that persons authorised to process Customer Data are subject to appropriate obligations of confidentiality, whether by contract or statutory duty.

6. Security measures

LandTable implements technical and organisational security measures appropriate to the risks presented by the processing, including:

• Encryption in transit: All Customer Data is transmitted over TLS 1.2 or higher.
• Application-level encryption at rest: Sensitive Customer Data fields are encrypted at the application layer using AES-256-GCM with per-record encryption keys before being written to the database.
• Provider-level encryption at rest: Underlying infrastructure providers apply additional encryption at rest for all stored data.
• Access controls: Role-based access control enforced within the application; production infrastructure access is restricted to authorised personnel with multi-factor authentication.
• Monitoring and logging: Application and infrastructure logging is in place to detect anomalous activity and support incident response.
• Vulnerability management: Dependencies are monitored for known vulnerabilities and updated on a regular basis.
• Data isolation: Customer Data is logically isolated per workspace using workspace-scoped access controls.

LandTable will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a confirmed Security Incident affecting Customer Data, providing sufficient information to allow the Controller to meet its own notification obligations under Applicable Data Protection Law.

7. Sub-processors

The Controller grants LandTable general authorisation to engage Sub-processors, subject to the conditions in this Section. LandTable will provide reasonable advance notice (not less than 30 days) of any intended addition or replacement of a Sub-processor. If the Controller objects on reasonable grounds relating to data protection, it must notify LandTable within 14 days; the parties will then work in good faith to resolve the objection.

Where LandTable engages a Sub-processor, it does so under a written contract imposing data protection obligations no less protective than those in this DPA. LandTable remains liable to the Controller for the performance of each Sub-processor's obligations.

Current Sub-processors:

The above list does not include services used solely in LandTable's capacity as a data controller (e.g. internal support tooling that never processes Customer Data).

8. International data transfers

LandTable is established in the United Kingdom. Some Sub-processors are located outside the UK or the EEA. Where Customer Data is transferred to a country without an adequacy decision, LandTable relies on one or more of:

• UK International Data Transfer Agreements (UK IDTA) issued under Section 119A of the Data Protection Act 2018;
• Standard Contractual Clauses adopted by the European Commission (EU SCCs), where applicable to transfers subject to EU GDPR;
• Adequacy regulations or decisions recognised under UK or EU law.

Upon request, LandTable will provide the Controller with copies of or access to the relevant transfer mechanisms in place for each Sub-processor.

9. Return and deletion of Customer Data

Upon termination or expiry of the Controller's account, LandTable permanently deletes all Customer Data immediately. There is no grace period, no recovery window, and no delay — Customer Data is removed from all live systems the moment account closure is processed. Automated backup snapshots that may incidentally contain Customer Data are purged as they expire through the normal rotation cycle (within 30 days of account closure); no Customer Data is accessible or restorable after the point of immediate deletion.

Upon written request submitted before account closure, LandTable will provide the Controller with a machine-readable export of Customer Data in a standard format (e.g. CSV or JSON) to assist with data portability.

LandTable may retain Customer Data for longer where required by applicable law, in which case it will inform the Controller of the legal basis and duration of retention.

10. Assistance to the Controller

LandTable shall provide reasonable assistance to the Controller in fulfilling its obligations under Applicable Data Protection Law, including:

• Responding to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection) where the Controller cannot do so directly through the Services;
• Assisting with data protection impact assessments (DPIAs) and prior consultation with supervisory authorities where required;
• Providing information necessary to demonstrate compliance with this DPA.

LandTable may charge a reasonable fee for assistance that goes beyond what is strictly necessary to comply with Applicable Data Protection Law.

11. Audit rights

LandTable shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits:

• Must be conducted on not less than 30 days' prior written notice;
• May occur no more than once per calendar year, except where required by a supervisory authority or following a confirmed Security Incident;
• Must be conducted during normal business hours, with minimal disruption to LandTable's operations;
• Are subject to the auditor (if a third party) signing an appropriate confidentiality agreement acceptable to LandTable.

The Controller shall bear the reasonable costs of any such audit unless the audit reveals a material breach of this DPA by LandTable, in which case LandTable shall bear the costs.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by Applicable Data Protection Law.

Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited or excluded under Applicable Data Protection Law.

13. Updates to this DPA

LandTable may update this DPA from time to time to reflect changes in law, regulatory guidance, or Sub-processor arrangements. Material changes will be notified to the Controller at least 30 days in advance. Continued use of the Services after the effective date of the updated DPA constitutes acceptance of the revised terms.

14. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless the Controller is established in the European Union, in which case the relevant EU Member State courts shall also have jurisdiction with respect to EU GDPR obligations.

15. Contact

For questions about this DPA or to submit an audit request, please contact:

• Email: legal [at] landtable.io
• Subject line: DPA — [Your Company Name]

16. Signatures

By signing below, the parties agree to be bound by this Data Processing Addendum as of the date signed by the Controller.