Data Processing Agreement

1. Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor", and "supervisory authority" have the meanings given in the UK GDPR.

"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection or privacy legislation.

"Sub-processor" means any third party engaged by us to process personal data on your behalf.

2. Roles and Scope

You are the Controller and we are the Processor in respect of personal data processed under the Agreement. Each party will comply with its obligations under Data Protection Laws.

3. Our Role as Controller

We act as an independent Controller (not a Processor) for certain limited personal data, including:

• Account data: names, contact details, and login credentials of your authorised users;
• Billing data: payment method details, billing address, and transaction history;
• Usage data: service logs, activity data, and diagnostic information used to operate, secure, and improve the Service.

We process this data to manage our relationship with you, deliver and secure the Service, prevent fraud and abuse, meet legal and regulatory obligations, and improve the Service. This processing is described in our Privacy Policy.

4. Subject Matter and Details of Processing

• Subject matter: provision of the Service as described in the Agreement.
• Duration: for the term of the Agreement and any period during which we retain personal data thereafter.
• Nature and purpose: discovery, enrichment, scoring, storage, and display of partner and publisher data to support your affiliate and partnership activities.
• Types of personal data: business contact details (name, job title, email address, company, public profile links) and any data you submit to the Service.
• Categories of data subjects: individuals associated with prospective or existing partner businesses, and your own authorised users.

5. Our Obligations

We will:

• Process personal data only on your documented instructions, including as set out in the Agreement, unless required to do otherwise by law;
• Ensure that personnel authorised to process personal data are bound by confidentiality obligations;
• Implement appropriate technical and organisational measures to protect personal data (see Annex 2);
• Assist you, taking into account the nature of the processing, in responding to data subject requests and in meeting your obligations under Articles 32 to 36 of the UK GDPR;
• Notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your personal data;
• At your choice, delete or return personal data at the end of the Agreement, except where retention is required by law.

6. Your Obligations

You warrant that:

• You have a valid lawful basis under Data Protection Laws for the processing of personal data you submit to or generate through the Service;
• You have provided any notices and obtained any consents required for us to process personal data on your behalf;
• Your instructions to us comply with Data Protection Laws.

7. Sub-processors

You provide a general authorisation for us to engage sub-processors to help deliver the Service. Our current sub-processors are listed in Annex 1.

We will impose data protection obligations on sub-processors that are no less protective than those in this DPA. We remain liable to you for the acts and omissions of sub-processors in respect of their obligations.

We will give you reasonable notice of any intended changes concerning the addition or replacement of sub-processors. If you reasonably object to a new sub-processor on data protection grounds, you may terminate the affected Service by notice to us.

8. International Transfers

Where we transfer personal data outside the UK or European Economic Area to a country without an adequacy decision, we will ensure that an appropriate transfer mechanism is in place. This will typically be the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, as applicable. On request, we will cooperate in good faith to execute any additional transfer documentation reasonably required by Data Protection Laws.

9. Security

We implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A summary of these measures is set out in Annex 2.

10. Audits

We will make available to you information reasonably necessary to demonstrate compliance with this DPA. Where you reasonably require further information or an audit to fulfil your obligations under Data Protection Laws, we will cooperate in good faith. Any audit will be conducted on reasonable prior notice, during business hours, no more than once per year (except where required by a supervisory authority or following a personal data breach), and at your cost.

11. Data Subject Requests

We will promptly forward to you any request we receive from a data subject relating to personal data processed under this DPA, and will assist you, as reasonably required, to respond to such requests.

12. Data Breach Notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your personal data. Our notification will include the information reasonably available to us to help you meet your obligations under Articles 33 and 34 of the UK GDPR, including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach. Where not all information is available at the time of notification, it may be provided in phases without undue further delay.

13. Return or Deletion of Data

On termination or expiry of the Agreement, we will delete or, at your written request, return personal data processed under this DPA, unless retention is required by law. Backups will be deleted in line with our standard backup cycles.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.

15. Conflict and Precedence

In the event of a conflict between this DPA and the Agreement in relation to the processing of personal data, this DPA prevails. In all other respects, the Agreement continues to apply.

16. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

17. Contact

Data protection queries should be sent to support@argentosearch.com.

Annex 1 - Sub-processors

We engage the following sub-processors to help deliver the Service. We may update this list from time to time.

Annex 2 - Technical and Organisational Security Measures