Version 1.1 – Date of release: 5 January 2026

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement (or equivalent "Principal Agreement") between Bonnard Ltd. ("Processor" or "Bonnard") and the Customer ("Controller") and is subject to the terms of that Principal Agreement. The parties to this DPA are the same individuals/entities as in the Principal Agreement.

Definitions

Capitalized terms not otherwise defined in this DPA have the meaning given in the Principal Agreement. For the purposes of this DPA:

"Applicable Data Protection Laws" means, as applicable to each party: the EU General Data Protection Regulation (EU) 2016/679 ("GDPR") and its national implementations (including UK GDPR as applicable in the United Kingdom after 31 December 2020); and any other data protection laws in Europe (e.g., the UK Data Protection Act 2018).

"Controller's Personal Data" means any Personal Data that Bonnard processes on behalf of the Controller under the Principal Agreement.

"Personal Data" has the meaning set out in Article 4(1) of the GDPR (and corresponding definitions under UK GDPR).

"Processing", "Processor", "Controller", "Data Subject", "Personal Data Breach", "Sub-processor", etc., have the meanings set out in Article 4 of the GDPR (and corresponding definitions under UK GDPR).

"Services" means the CRM-related services (campaign meta-data processing, web analytics, financial data insights, etc.) that Bonnard provides to the Controller under the Principal Agreement.

1. Compliance with Applicable Data Protection Laws

1.1 Both Bonnard and the Controller shall comply with all applicable provisions of the Applicable Data Protection Laws in connection with the Processing of Controller's Personal Data. Each party shall ensure that its employees, agents or Sub-processors (where permitted) abide by the requirements of this DPA and Applicable Data Protection Laws.

2. Details and Scope of Processing

2.1 Subject matter and duration

Subject matter: Bonnard will process Controller's Personal Data solely to provide the Services described in the Principal Agreement (i.e., CRM campaign meta-data, web analytics and financial data processing to generate insights).
Duration: the duration of the Processing shall be the term of the Principal Agreement, including any renewals, plus any additional period required by law for retention in order to comply with Controller's legal obligations.

2.2 Nature and purpose of Processing

Bonnard will Process Personal Data as strictly necessary to:

provide and maintain the Services;
detect, prevent and resolve technical or security issues;
respond to Controller's support requests; and
comply with any other documented instructions from the Controller that are lawful and within the scope of the Principal Agreement.

2.3 Categories of Personal Data

The Controller determines which Personal Data it uploads or transmits to Bonnard's platform. Typical categories include, but are not limited to:

Names (e.g., customer name, lead name)
Email addresses
Telephone numbers
IP addresses and device identifiers

2.4 Categories of Data Subjects

Employees, contractors or affiliates of Controller (to the extent their data is processed for CRM or analytics)

2.5 Controller's Instructions

Bonnard shall Process Personal Data only on documented instructions of the Controller (including via API, control panel or written order).

If Bonnard believes any Controller instruction conflicts with Applicable Data Protection Laws or this DPA, Bonnard shall inform Controller without undue delay and may defer processing until such instructions are clarified or amended.

2.6 Controller Responsibilities

Controller is responsible inter alia for:

ensuring it has a valid legal basis for Processing the Personal Data (e.g., consent, contract performance, legitimate interests, etc.);
providing accurate instructions and verifying that data is lawfully collected;
notifying Data Subjects of any risks when transmitting Personal Data through non-encrypted channels, if applicable;
limiting the scope of data uploaded to what is necessary for the Services; and
encrypting any Personal Data before transmission if required by Applicable Data Protection Laws (e.g., PGP, S/MIME, HTTPS).

3. Controller and Processor Roles

3.1 Role Assignment

For all Processing under this DPA, Controller is the Data Controller and Bonnard is the Data Processor.

If the Controller acts as Processor in any context, Bonnard becomes a Sub-processor for that activity.

3.2 Processor Contact Point

Bonnard's designated Data Protection contact: Email: privacy@bonnard.ai

4. Confidentiality

Bonnard shall ensure that any person it authorises to Process Controller's Personal Data (including employees or Sub-processors) is under a binding confidentiality obligation (contractual or statutory).

All personnel involved shall receive appropriate training on security and data protection.

5. Technical and Organizational Measures

Bonnard has implemented appropriate technical and organizational measures to protect Controller's Personal Data. These measures are documented internally and updated as needed. They include (without limitation):

1. Access Control

Role-based access controls with quarterly reviews

2. Authentication & Passwords

Passwords of at least 12 characters, hashed and salted
Multi-Factor Authentication (MFA) for all administrative access

3. Encryption

All in-transit data encrypted via TLS 1.2 or higher
All data at rest encrypted using AES-256 or equivalent

4. Vulnerability Management

Weekly automated vulnerability scans
High/critical patches applied within 30 days of release

5. Backup & Recovery

Daily incremental backups, weekly full backups

6. Incident Detection & Monitoring

Continuous logging and monitoring of platform events
Endpoint Detection & Response (EDR) on all server environments

7. Physical Security

Data centers located in EU/EEA member states with strict access controls
Redundant power and environmental controls

8. Data Retention & Minimization

Minimize Personal Data collected to only what is necessary for Services
Automated data deletion 90 days after account termination unless Controller requests return before then

Bonnard shall, upon reasonable request and at Controller's expense, provide additional information or documentation to assist the Controller in meeting its own data protection obligations.

6. Sub-processing

6.1 General Authorization

Controller hereby authorises Bonnard to appoint Sub-processors to provide parts of the Services, subject to the conditions below.

6.2 Existing Sub-processors

The Controller acknowledges and agrees that Bonnard currently uses the following Sub-processors:

Third Party Sub-Processors

Third Party Entity	Hosting Location	Service	Activity	Notes
Supabase, Inc.	EU	Database Services	Database and backend services	Backend-as-a-Service platform
Vercel Inc.	EU	Hosting Services	Application hosting and deployment	Frontend cloud platform
Amazon Web Services (Anthropic via Bedrock)	EU	AI Data Services	Machine Learning and AI Processing	Generative AI capabilities via Amazon Bedrock
Clerk, Inc.	US (DPF Approved)	Authentication	User authentication and identity management	Authentication platform
Functional Software, Inc. d/b/a Sentry	EU	Monitoring Services	Error tracking	Application monitoring platform
Posthog, Inc	EU	Product Analytics	Product insights and A/B testing tools	Product analytics platform

Bonnard Ltd Entities

Entity	Hosting Location	Service	Activity	Notes
Bonnard Ltd (UK)	UK	AI Data Services	Service Provisioning, Development, Support	Primary service delivery

For questions about sub-processors or data protection: privacy@bonnard.ai

6.3 Notice and Objection

Bonnard will notify Controller at least 14 days in advance of any new Sub-processor appointment or replacement via email to the Controller's designated contact.
Controller may object in writing to a proposed Sub-processor within 10 business days on reasonable grounds relating to data protection. If Controller objects and the parties cannot reach agreement within a reasonable period (not to exceed 30 days), either party may terminate the Principal Agreement for cause.

6.4 Flow-down Requirements

Bonnard will impose on any Sub-processor data protection obligations at least as stringent as those in this DPA and Applicable Data Protection Laws.
Bonnard remains fully liable to the Controller for any acts or omissions of its Sub-processors.

7. Data Subject Rights

7.1 If Bonnard receives a request directly from a Data Subject relating to Controller's Personal Data (e.g., access, rectification, erasure, portability, restriction, objection), Bonnard will promptly (within 5 business days) forward such request to Controller's designated contact.

7.2 Bonnard shall provide reasonable assistance (at Controller's expense) to help Controller respond to Data Subject requests, including by retrieving or erasing data, exporting data in a structured, commonly used, machine-readable format, or other tasks necessary to comply with Applicable Data Protection Laws.

8. Personal Data Breaches

8.1 Bonnard shall notify Controller without undue delay—and in any event within 48 hours—after becoming aware of any Personal Data Breach affecting Controller's Personal Data. Such notification shall include, as known at that time:

description of the nature of the breach (e.g., categories of data and data subjects affected);
likelihood and severity of any risk to Data Subjects;
proposed measures taken or to be taken to mitigate any adverse effects; and
any other information reasonably necessary to fulfill Controller's breach-notification obligations under Applicable Data Protection Laws.

8.2 Bonnard shall reasonably cooperate with Controller (at Controller's expense) regarding Controller's obligations to notify supervisory authorities or Data Subjects, including providing any additional information or documentation requested.

9. Data Protection Impact Assessments ("DPIAs") and Prior Consultations

If Controller determines that a DPIA or prior consultation with a supervisory authority is required under Applicable Data Protection Laws, Bonnard shall provide reasonable assistance (at Controller's expense) with the preparation of that DPIA or consultation, based on the information available to Bonnard.

10. Audits and Inspections

10.1 Compliance Documentation

Bonnard shall make available to Controller, upon reasonable request and at Controller's expense, information necessary to demonstrate compliance with this DPA (e.g., summary of security policies, third-party audit reports).

10.2 On-site or Third-party Audits

Controller or its authorised independent auditor may, once per calendar year and upon at least 30 days' written notice, conduct an on-site audit (or remote review) of Bonnard's facilities and operations insofar as they relate to Processing of Controller's Personal Data.
The scope of any audit shall be limited to what is reasonably necessary to verify Bonnard's compliance with this DPA and Applicable Data Protection Laws.
Controller shall bear all costs associated with such an on-site audit unless Bonnard has failed to provide sufficient evidence of compliance (e.g., current independent third-party audit reports, SOC 2 or equivalent), in which case Bonnard shall bear reasonable costs.

11. Return or Deletion of Personal Data

11.1 Controller Instruction upon Termination

Before or within 30 days after the termination or expiration of the Principal Agreement, Controller may request (in writing) that Bonnard return all copies of Controller's Personal Data in electronic format or securely delete such data (including from backups), except where retention is required by EU/UK law.

11.2 Processor Obligations

If Controller requests return of its Personal Data, Bonnard shall provide a copy in a commonly used, machine-readable format and delete all remaining copies within 90 days of Controller's written request or termination date.
If Controller does not request return, Bonnard may securely delete all Personal Data 90 days after termination.
Controller agrees that any additional cost for data return (e.g., data export fees) is borne by Controller.

12. International Data Transfers

12.1 No Data Transfers Outside EU/EEA (Unless Explicitly Agreed)

Bonnard will store and Process Controller's Personal Data exclusively within the EU/EEA/UK. Bonnard shall not transfer any Controller Personal Data to locations outside the EU/EEA/UK.

12.2 Cross-Border Transfers

If Controller explicitly instructs any cross-border transfer (outside EU/EEA), Bonnard shall only do so on the basis of:

Controller providing documented instructions and Controller obtaining any required Data Subject consents; and
Bonnard and Controller entering into appropriate Standard Contractual Clauses (SCCs) or other EU/UK-approved transfer mechanisms before any data leaves the EU/EEA.

13. Governing Law and Jurisdiction

13.1 This DPA (excluding any Standard Contractual Clauses, if incorporated under Section 12.2) and all disputes arising from it are governed by and construed in accordance with the laws of England and Wales.

13.2 Any dispute under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless otherwise stipulated in the Principal Agreement.

14. Order of Precedence

If there is any conflict between this DPA and any other agreement relating to the subject matter (including the Principal Agreement), this DPA shall prevail unless the parties explicitly agree in writing to vary a specific clause.

15. Severability

If any provision of this DPA is held to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be amended to achieve as closely as possible the original intent, and the remainder of this DPA shall remain in full force and effect.

16. Termination

This DPA shall terminate automatically when the Principal Agreement terminates. Sections 11 (Return/Deletion), 12 (International Transfers), 13 (Governing Law), 14 (Order of Precedence), and 15 (Severability) shall survive expiration or termination.

Annex 2: Technical and Organizational Security Measures

Bonnard's current measures—including access controls, encryption, vulnerability management, backup, monitoring, physical security, data minimization, and retention—are summarized below. Controller may request further details at any time.

1. Access Controls

Role-based access to production systems; quarterly access reviews.
Deactivation of inactive user accounts after 90 days.

2. Authentication & Passwords

Passwords (min. 12 characters), hashed (bcrypt or similar).
Multi-Factor Authentication (MFA) for all administrative access.

3. Encryption

Data in transit: TLS 1.2+ on all endpoints.
Data at rest: AES-256 (or equivalent) on databases and backups.

4. Vulnerability Management

Weekly automated vulnerability scans on infrastructure.
Patches applied within 30 days for high/critical issues.
Annual external penetration tests with remediation of all critical/high findings.

5. Backup & Recovery

Daily incremental, weekly full backups.
Quarterly restoration tests for critical systems; annual tests for others.

6. Monitoring & Incident Detection

24/7 logging, monitoring of anomalous activities.
Endpoint Detection & Response (EDR) on servers and critical machines.

7. Physical Security

EU/EEA data centers with strict badge controls, CCTV, environmental controls.
Redundant power supplies and fire suppression systems.

8. Data Retention & Minimization

Personal Data collected only as necessary for Services.
Automated deletion 90 days post-contract termination or upon Controller request.

9. Accountability & Governance

Documented internal data protection policies and procedures.

10. Data Subject Rights Assistance

Procedures in place to promptly notify Controller of direct Data Subject requests.

Last Updated: 2026-01-05