Data Processing Agreement

Last modified: 07 March 2025

1) DATA PROCESSING AGREEMENT – SUMMARY
By continuing to use Powdr’s services, you (the user) agree that Powdr processes certain personal data (e.g., login credentials, contact details, financial data) as a Data Controller using Amazon Web Services (AWS) for secure hosting in the UK. Powdr may also engage Stripe for payment processing, Xero for accounting, and HubSpot for CRM. Data is retained for up to 5 years for active accounts and 1 year post closure for client model information. We apply encryption to all data entered onto Powdr to enhance security and utilise additional security measures provided by AWS to protect your data. If a breach occurs, we will notify you without undue delay. We will delete data upon request. For more details, please see the full Data Processing Agreement below.

2) Comprehensive Data Processing Agreement (Full Text)

  1. Introduction

1.1 Parties
This Data Processing Agreement (“DPA”) is entered into by and between Powdr (“we,” “us,” “our,” or “Powdr”) and any company or individual (“Customer,” “you,” or “your”) that uses or signs up for our services (the “Services”). This DPA governs the processing of Personal Data (as defined below) that you provide to us in connection with your use of Powdr’s platform or services.

1.2 Purpose
This DPA sets out the terms under which Powdr, acting as a Data Controller, engages certain Sub-processors (e.g., AWS, Stripe, HubSpot, and Xero) to process Personal Data on our behalf. This DPA is intended to meet the requirements of Article 28 of the EU General Data Protection Regulation (EU GDPR), the UK GDPR, and any other applicable data protection laws and regulations (“Data Protection Laws”).

1.3 Acceptance
By using Powdr’s Services, clicking on any acceptance button presented with these DPA terms, or otherwise indicating acceptance, you agree to the terms of this DPA. If you do not agree, you must not use or access our Services.

  2. Definitions

2.1 “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
2.2 “Processing” (and its variants) means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, or otherwise making available.
2.3 “Data Subject” means the individual to whom the Personal Data relates.
2.4 “Sub-processor” means any third party appointed by or on behalf of Powdr who processes Personal Data under the instruction or authority of Powdr in connection with the Services.
2.5 “Applicable Data Protection Law(s)” includes the GDPR, the UK GDPR, and all other applicable data protection or privacy laws and regulations.

  3. Roles and Scope

3.1 Roles of the Parties

  • Powdr as Controller: Powdr determines the purpose and means of processing Personal Data we collect or receive from or about you (e.g., your login details, names and contact information of your personnel, or financial information in the system).
  • Sub-processors: Powdr may engage third-party providers (e.g., AWS for sign-in and hosting, HubSpot for CRM, Stripe for payment processing, Xero for accounting) to process Personal Data on our behalf in accordance with this DPA.

3.2 Subject Matter
This DPA covers all activities where Powdr processes Personal Data provided by you or collected on your behalf in relation to our Services.

3.3 Term
This DPA remains in effect as long as you continue to use the Services or until terminated in writing by the parties, provided that any obligations intended to survive termination (e.g., confidentiality, data return/deletion obligations) shall remain in effect.

  4. Data Processing Obligations

4.1 Instructions for Data Processing
Powdr shall process Personal Data only on the basis of documented instructions from you, the Customer, as such instructions are given via the agreement to use our Services and in accordance with this DPA. Powdr will not process Personal Data for any other purpose unless required by law, in which case we will inform you (unless the law prohibits such notice).

4.2 Compliance with Laws
Each party shall comply with its respective obligations under Applicable Data Protection Laws. Powdr will ensure that any person acting under our authority who has access to Personal Data is bound by appropriate obligations of confidentiality.

  5. Sub-processors

5.1 Appointment of Sub-processors
You authorize Powdr to engage the following categories (and specific providers) of Sub-processors to process Personal Data in connection with providing the Services:

  • Hosting/Infrastructure Providers: Amazon Web Services (AWS), which provides secure cloud hosting in the UK.
  • CRM/Marketing/Support Providers: HubSpot, used to store contact information and provide Customer Relationship Management functionality.
  • Payment Processing: Stripe, used to securely process payments. All client payment information is managed directly by Stripe and is not exported by Powdr.
  • Accounting/Financial Software: Xero (or a similar third-party app), used for financial data integrations.
  • Document Storage: Microsoft OneDrive, used to store documents provided by clients in support of model builds and order forms. Access to these documents is restricted through user-level controls so that only appropriate individuals can reach them, depending on the nature of the information.
  • Other: Additional or replacement Sub-processors may be engaged from time to time in order to operate and develop the Services.

5.2 Sub-processor Obligations
Powdr shall:

  • Enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to those in this DPA.
  • Remain liable for any breach of the DPA caused by the Sub-processor’s acts or omissions.

5.3 Notification of Sub-processor Changes
Powdr will maintain a list of its current Sub-processors and will provide notice of any intended changes to Sub-processors. If you object to the use of a new Sub-processor, you may choose to discontinue use of the Services that require the involvement of that Sub-processor.

  6. Technical and Organizational Measures

6.1 Security Measures
Powdr maintains appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:

  • Encryption of data at rest and in transit.
  • Logical access controls on a need-to-know basis.
  • Secure hosting environment provided by AWS in the UK, including physical security measures, network firewalls, and intrusion detection.
  • Periodic reviews and testing of security controls.
  • Incident response procedures designed to handle security breaches promptly.

6.2 Annex A – Details of Technical and Organizational Measures
See Annex A for further details on Powdr’s security measures.

  7. Data Subject Rights

7.1 Facilitating Data Subject Requests
If a Data Subject sends Powdr a request to access, rectify, erase, or restrict the processing of Personal Data, or to exercise any other Data Subject rights, Powdr shall promptly notify you (if the request pertains to your data) unless we are legally prohibited from doing so. We will, upon request, provide reasonable assistance in responding to such requests.

  8. Personal Data Breaches

8.1 Notification
In the event of a confirmed Personal Data Breach (as defined by Applicable Data Protection Laws), Powdr will, without undue delay, notify you and provide timely information relating to the Personal Data Breach, including the nature of the breach, the categories and approximate number of Data Subjects concerned, and the measures taken or proposed to be taken to address the breach.

  9. Data Retention and Deletion

9.1 Data Retention

  • Active Customers: Powdr retains Personal Data for as long as you maintain an active account with us, up to 5 years for active customers.
  • Post-Closure (Client Model Information): After an account closure, Powdr will retain client model information for 1 year to accommodate any need to revisit the model.
  • Post-Closure (Company Info and Emails on OneDrive): Company information and any email attachments or related data stored on OneDrive are held for 3 months after account closure.
  • After these periods, data is deleted unless otherwise required by law.

9.2 Deletion Upon Request
At any time, upon your request, Powdr will delete Personal Data to the extent permitted by Applicable Data Protection Laws. Data is stored only electronically; no paper copies are kept.

  10. Cross-Border Transfers

10.1 International Transfers
Powdr restricts data hosting and processing to the UK. If, for any reason, data must be transferred outside the UK (or the EEA), Powdr will ensure that such transfers are made in compliance with Applicable Data Protection Laws (e.g., use of Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms).

  11. Liability and Indemnities

11.1 Liability
Liability for any breach of this DPA shall be subject to the limitations set forth in the main Terms of Service between Powdr and the Customer, unless otherwise required by Applicable Data Protection Laws.

  12. Governing Law

12.1 Applicable Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws and jurisdiction indicated in the main Terms of Service, or as otherwise mandated by Data Protection Laws.

  13. Annexes
  • Annex A – Description of Processing and Technical & Organizational Measures
  • Annex B – Sub-processors List

ANNEX A – Description of Processing and Security Measures

  1. Nature and Purpose of Processing
  • Nature: Powdr stores and manages Personal Data (login credentials, contact information, financial details, usage logs) on secure AWS servers (UK region) and uses HubSpot for CRM, Stripe for payments, Xero for accounting, and OneDrive for certain email attachments or shared files.
  • Purpose: Provide and improve the Services, maintain user accounts, provide support and maintenance, facilitate communications, process payments, and support financial modeling or accounting functions.
  2. Categories of Data Subjects
  • Employees or representatives of the Customer using the Powdr platform.
  • Any additional Data Subjects whose Personal Data is uploaded or entered into the Powdr platform (e.g., financial contacts, clients).
  3. Categories of Personal Data
  • Login details (usernames, password hashes).
  • Contact information (names, business email addresses, phone numbers).
  • Company data (business name, address, corporate details).
  • Financial data (accounting figures, budgets, forecasts).
  • Payment details processed via Stripe (though payment information is predominantly stored and managed by Stripe).
  • Support data (any information submitted via customer support channels).
  4. Technical and Organizational Security Measures
  • Encryption: Data is encrypted at rest (e.g., AWS EBS encryption, database encryption) and in transit (TLS/SSL).
  • Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access, unique user IDs.
  • Physical Security: AWS UK data centers offer industry-standard physical security (24/7 onsite security, access control, CCTV).
  • Monitoring and Logging: Activity logging, threat monitoring, and intrusion detection systems.
  • Incident Response: Defined processes to detect, respond to, and mitigate security incidents or data breaches, including user notification without undue delay.
  • Business Continuity: Regular backups, high availability, and disaster recovery solutions.

ANNEX B – Sub-processors

Sub-processor             | Purpose of Processing                | Location of Processing               | Security/Certifications
--------------------------|--------------------------------------|--------------------------------------|-----------------------------
Amazon Web Services (AWS) | Hosting & infrastructure (UK region) | UK                                   | ISO 27001, SOC 2, GDPR-ready
HubSpot                   | CRM (managing contact info, leads)   | US/EU (regional hosting)             | ISO 27001, SOC 2
Stripe                    | Payment processing                   | US/EU (global)                       | PCI DSS, ISO 27001
Xero                      | Financial data integration           | Various data centers                 | ISO 27001, SOC 2
OneDrive (Microsoft)      | Storage of emailed documents         | EU/UK datacenters (varies by tenant) | ISO 27001, SOC 2

Powdr may update this list from time to time. Such updates will be posted or made available in a manner that allows customers to remain informed and exercise their rights to object, if applicable.