Data Processing Agreement (DPA)

Effective date: 15 January 2026

Version 2.0

This Data Processing Agreement (“DPA”) sets out the terms under which Ground Truth Labs Ltd (“GTL”, “Processor”) processes certain personal data on behalf of its business customers (“Controller”) in connection with GTL's website and application and related basic services (the “Services”).

This DPA is intended to meet the requirements of UK GDPR and, where applicable, the EU GDPR.

1. Priority and relationship to customer agreements

  1. Superseding terms. Where GTL and a Controller have entered into a written agreement (including a Platform Services Agreement, Master Services Agreement, Statement of Work, or customer-specific DPA) that governs data processing for the Services, that agreement will take precedence over this public-facing DPA to the extent of any conflict.
  2. Purpose of this public DPA. This DPA applies (a) where a customer uses the Services without a separately signed data processing agreement, or (b) to portions of the Services not covered by a signed customer DPA.

2. Roles of the parties

  1. Controller. The Controller determines the purposes and means of processing of personal data submitted to or generated through the Services for the Controller's business use.
  2. Processor. GTL processes personal data only on documented instructions from the Controller, including as necessary to provide the Services, support, and maintain security.
  3. GTL as an independent controller for its own data. To the extent GTL processes personal data for its own purposes (for example, website analytics for GTL, sales/marketing communications, billing, fraud prevention, and security logging), GTL acts as an independent controller and such processing is governed by GTL's Privacy Policy, not this DPA.

3. Scope of processing

  1. Services in scope. This DPA covers personal data processed in connection with:
    1. visiting GTL's website;
    2. use of GTL's application (including user accounts); and
    3. service delivery, support, and communications related to the Services.
  2. Data minimisation. The Services are designed to operate using low-sensitivity business data only, as described in Section 4.
  3. Explicit exclusion of patient/clinical data. The Services under this public DPA are not intended for the processing of identifiable patient data, PHI, or other information that would constitute special category health data relating to an identifiable individual. The Controller must not provide such data to GTL under this public DPA.

4. Categories of data, data subjects, and processing details

  1. Categories of data subjects.
    1. users authorised by the Controller (e.g., employees, contractors); and
    2. business contacts interacting with GTL (e.g., prospective customers, partners) where processed on the Controller's behalf.
  2. Types of personal data (low sensitivity).
    1. name;
    2. business email address;
    3. job title/role;
    4. employer/company affiliation;
    5. basic account and authentication data (e.g., username, hashed credentials, access tokens);
    6. usage data and device/technical identifiers generated through use of the Services (e.g., log entries, IP address, user-agent, feature usage, timestamps), to the extent this is personal data.
  3. Nature and purpose of processing. Provision of the Services, including:
    1. user account provisioning and access management;
    2. enabling core app functionality;
    3. customer support and communications;
    4. security monitoring, abuse prevention, troubleshooting, and service improvement (as instructed by the Controller for in-scope processing).
  4. Duration. For the term the Controller uses the Services, plus retention as described in Section 10.

5. Processor obligations

  1. Instructions. GTL will process personal data only on documented instructions from the Controller, unless required to do so by applicable law (in which case GTL will inform the Controller unless legally prohibited).
  2. Confidentiality. GTL will ensure persons authorised to process personal data are subject to confidentiality obligations.
  3. Security. GTL will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. GTL is certified to ISO 27001 and SOC2 Type II.
  4. Assistance. Taking into account the nature of the processing, GTL will provide reasonable assistance to the Controller to:
    1. respond to data subject requests (Section 7);
    2. meet obligations relating to security and breach notification; and
    3. provide information reasonably required for DPIAs, where relevant to the Services.

6. Sub-processors

  1. Authorisation. The Controller authorises GTL to engage sub-processors to support delivery of the Services.
  2. Flow-down. GTL will impose data protection obligations on sub-processors that are no less protective than those in this DPA.
  3. Sub-processor transparency. GTL maintains a list of sub-processors used for the Services. GTL will provide reasonable notice of material changes to sub-processors where practicable.

7. Data subject requests

  1. Referral. Where GTL receives a request from a data subject relating to personal data processed on behalf of the Controller, GTL will (unless legally prohibited) direct the data subject to the Controller and notify the Controller where appropriate.
  2. Assistance. GTL will provide reasonable assistance to the Controller to fulfil applicable data subject rights, taking into account the Controller's instructions and the technical nature of the Services.

8. International data transfers

  1. Transfer safeguards. Where personal data is transferred outside the UK and/or EEA, GTL will ensure such transfers are made in accordance with applicable law, including through appropriate safeguards such as the UK IDTA or UK Addendum to the EU SCCs, and/or other lawful transfer mechanisms.

9. Personal data breach notification

  1. Notification. GTL will notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA and will provide information reasonably required for the Controller to meet its breach notification obligations.

10. Return and deletion

  1. At termination. Upon termination of the Controller's use of the Services, and on written request where applicable, GTL will delete or return personal data processed under this DPA, unless retention is required by law or necessary for the establishment, exercise, or defence of legal claims.
  2. Backups. Personal data may remain in backups for a limited period consistent with GTL's backup retention policies, and will be deleted in the ordinary course.

11. Compliance information

  1. Demonstration of compliance. GTL will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.

12. Contact

  1. Enquiries. Questions about this DPA may be directed to security@groundtruthlabs.com.