Legal

Data Processing Agreement

Effective: 1 June 2025 · Last updated: 1 June 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and Hidbrain Ltd (“Processor”) and satisfies the requirements of UK GDPR Article 28. By accepting the Terms of Service you automatically accept this DPA — no separate signature is required.

Background

Hidbrain Ltd (Company No. 12170656, registered in England & Wales, ICO registration ZA853964) operates SpendToScope, a carbon accounting platform. In the course of providing the Service, Hidbrain Ltd may process personal data on behalf of the Customer. This DPA sets out the terms on which that processing is carried out, as required by Article 28 of the UK General Data Protection Regulation.

1. Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the Terms of Service.

“Controller” — the Customer, who determines the purposes and means of processing the Shared Personal Data.
“Processor” — Hidbrain Ltd, who processes Shared Personal Data on behalf of the Controller.
“Shared Personal Data” — any personal data within the Customer's ERP or accounting system that is processed by Hidbrain Ltd in the course of providing the Service.
“Data Subject” — an identified or identifiable natural person to whom the Shared Personal Data relates.
“Sub-processor” — any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
“UK GDPR” — the retained EU law version of the General Data Protection Regulation as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018.
“Data Protection Laws” — the UK GDPR, the Data Protection Act 2018, PECR, and any successor legislation.

2. Details of processing (Article 28(3) UK GDPR)

UK GDPR Article 28(3) requires the DPA to specify the following particulars of processing:

Subject matter	Carbon emissions accounting — processing of Customer ERP data to calculate Scope 1, 2 and 3 greenhouse gas emissions.
Duration	For the term of the Customer's Subscription with Hidbrain Ltd, plus up to 30 days post-termination for data export, after which Shared Personal Data is deleted subject to legal retention obligations.
Nature of processing	Collection via OAuth API read access; storage; aggregation; categorisation against emission factor databases; generation of carbon calculation outputs; deletion.
Purpose of processing	Providing the SpendToScope carbon accounting service as described in the Terms of Service. No other purpose.
Types of personal data	Names and contact details of suppliers and their representatives; employee names on expense or travel invoices; payment references; invoice descriptions that may contain personal references. No special category personal data is intentionally collected.
Categories of data subjects	The Controller's suppliers and their employees/representatives; the Controller's own employees whose names appear on expense claims or travel invoices.
Controller's obligations and rights	Set out in Section 4 of this DPA.

3. Processor obligations

3.1 Instructions

The Processor shall process Shared Personal Data only on documented instructions from the Controller, which shall be the performance of the Service as described in the Terms of Service and this DPA, unless required to do so by applicable UK law. If required by law to process data beyond these instructions, the Processor will inform the Controller before doing so unless prohibited by law.

If the Processor believes an instruction infringes Data Protection Laws, it will immediately notify the Controller.

3.2 Confidentiality

The Processor shall ensure that persons authorised to process Shared Personal Data are subject to a binding duty of confidentiality.

3.3 Security

Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational security measures, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Row-level security and access controls on all database tables
Pseudonymisation of personal data where technically feasible and appropriate
Regular testing, assessing and evaluation of the effectiveness of technical and organisational security measures
Ability to restore availability and access to personal data in a timely manner in the event of an incident

3.4 Sub-processors

The Controller grants the Processor general written authorisation to engage sub-processors. The Processor shall:

Maintain and publish the current list of sub-processors (see Schedule 1 below);
Provide the Controller with at least 30 days' prior notice before adding or replacing a sub-processor, by updating the list on this page;
Impose data protection obligations on each sub-processor equivalent to those in this DPA by written contract;
Remain fully liable to the Controller for the performance of any sub-processor's obligations.

If the Controller objects to a new sub-processor on reasonable data protection grounds, it must notify the Processor in writing within 14 days of the notice. The parties shall negotiate in good faith; if no resolution is reached, the Controller may terminate the Subscription with a pro-rated refund.

3.5 Data subject rights assistance

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection) under Data Protection Laws. The Processor shall promptly forward any data subject request it receives relating to Shared Personal Data to the Controller.

3.6 Assistance with compliance obligations

The Processor shall assist the Controller in ensuring compliance with the obligations under Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.

3.7 Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Shared Personal Data. Such notification shall include, to the extent then known: (a) description of the nature of the breach; (b) categories and approximate number of data subjects affected; (c) categories and approximate number of personal data records concerned; (d) likely consequences; and (e) measures taken or proposed to address the breach. Further information may be provided in phases as it becomes available.

3.8 Deletion on termination

On termination or expiry of the Terms of Service, the Processor shall, at the Controller's election, securely delete or return all Shared Personal Data within 30 days, and delete existing copies, unless UK law requires storage. The Processor shall certify such deletion to the Controller in writing on request.

3.9 Audit rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, provided that: (a) the Controller gives at least 30 days' written notice; (b) any audit is conducted at the Controller's cost during normal business hours with minimum disruption; and (c) no more than one audit per year unless required following a confirmed breach. The Processor may satisfy this obligation by providing an up-to-date third-party audit report (e.g. SOC 2, ISO 27001) in lieu of direct audit access, where appropriate.

4. Controller obligations

The Controller warrants and represents that:

It has a lawful basis under UK GDPR Article 6 for instructing the Processor to process the Shared Personal Data;
It has provided all necessary privacy notices to data subjects whose personal data is included in the Shared Personal Data, including disclosure of the Controller's use of SpendToScope as a sub-processor;
It has conducted any required Data Protection Impact Assessments (DPIAs) in relation to the processing;
The instructions given to the Processor will at all times comply with Data Protection Laws;
It is responsible for implementing appropriate access controls on its own systems and for the security of credentials used to connect its ERP to the Service.

5. International transfers

Where any transfer of Shared Personal Data from the UK to a country outside the UK (or outside a country benefiting from a UK adequacy decision) is required, the Processor shall ensure that such transfer is made only:

To a country with a UK adequacy decision in force at the time of transfer; or
Subject to a UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) or other appropriate safeguard under Article 46 UK GDPR.

Details of transfer mechanisms used by each sub-processor are available on request from privacy@spendtoscope.com.

6. Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Where a party is held liable for a Data Protection Law infringement caused by the other party's breach of this DPA, that other party shall indemnify the liable party to the extent the liable party was responsible for the damage.

7. Duration and termination

This DPA shall remain in force for the duration of the Terms of Service and shall automatically terminate on the expiry or termination of the Terms of Service, subject to the survival of obligations under Section 3.8 (deletion).

8. Governing law

This DPA is governed by and shall be construed in accordance with the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 — Approved Sub-processors

The following sub-processors are currently authorised by the Controller under Section 3.4. The Processor will provide 30 days' notice before adding or replacing a sub-processor by updating this list.

Sub-processor	Processing activity	Location	Transfer mechanism
Supabase Inc.	Database hosting, authentication, row-level security	EU (Ireland)	EU SCCs / UK IDTA
Vercel Inc.	Platform hosting, CDN, serverless functions	EU primary; global edge	EU SCCs / UK IDTA
Climatiq GmbH	Emission factor data API — no personal data shared	EU	N/A
Stripe Inc.	Subscription billing and payment processing	US (EU data residency option)	EU SCCs / UK IDTA
Resend Inc.	Transactional and support email delivery	US	EU SCCs / UK IDTA

Schedule 2 — Security measures (Article 32 UK GDPR)

The Processor has implemented and maintains the following technical and organisational security measures:

Category	Measure
Encryption in transit	TLS 1.2 or higher for all data in transit between users, application servers and databases
Encryption at rest	AES-256 encryption for all data stored in the database and backups
Access control	Role-based access control; principle of least privilege; row-level security policies on all database tables
Authentication	Multi-factor authentication available; OAuth 2.0 for ERP integrations (no ERP passwords stored)
Network security	Firewall rules; no direct public database access; API rate limiting
Sub-processor security	Written data processing agreements with all sub-processors; sub-processors assessed for security compliance
Incident response	Documented incident response procedure; breach notification to Controller within 48 hours of discovery
Availability	Database backups; platform hosted on redundant cloud infrastructure; 99.5% monthly uptime target
Personnel	Access to production systems limited to authorised personnel; confidentiality obligations for all staff with data access
Review	Security measures reviewed at least annually or following any material incident

This DPA is governed by the laws of England & Wales. Hidbrain Ltd is registered in England & Wales (Company No. 12170656). ICO registration: ZA853964.
Data protection enquiries: privacy@spendtoscope.com · Legal: legal@spendtoscope.com