[Designed for clickwrap acceptance during Portal account registration]

1. Parties and Background

1.1 This Data Processing Agreement (“DPA”) is entered into by and between:

(a) The organisation that registers for and subscribes to the Anonymous Reporting Portal service (the “Controller” or “Subscribing Organisation”); and

(b) [Portal Operator Legal Entity Name], a company incorporated in [Jurisdiction], with its registered office at [Address] (the “Processor” or “Portal Operator”).

1.2 This DPA forms part of, and is incorporated into, the Portal Terms of Service (the “Agreement”). By completing the Portal account registration process and accepting the Agreement, the Controller also accepts this DPA.

1.3 This DPA is entered into to ensure compliance with Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), Article 28 of the UK General Data Protection Regulation (“UK GDPR”), and applicable United States federal and state data protection and privacy laws.

1.4 The Processor provides the Portal, an anonymous reporting platform that enables the Controller’s employees, contractors, vendors, and other third parties to submit reports of potential misconduct, compliance violations, or safety concerns without revealing their identity.

2. Definitions

2.1 In this DPA, unless the context otherwise requires:

• “Applicable Data Protection Law” means the EU GDPR, the UK GDPR and Data Protection Act 2018, the EU Whistleblower Protection Directive (2019/1937) and its national transpositions, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) where applicable, and any other data protection or privacy legislation applicable to the processing of Personal Data under this DPA.
• “Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA. For the avoidance of doubt, this includes individuals named or identifiable in reports but does not include anonymous reporters (whose identity is not collected or processed).
• “Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the Portal, including information contained in report descriptions, follow-up messages, and any metadata associated with such data (excluding data that has been anonymised such that it cannot be attributed to a Data Subject).
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.
• “Report Data” means all data submitted through the Portal, including report categories, free-text descriptions, approximate dates and time frames, location or business unit information, system-generated reference numbers, submission timestamps, and follow-up messages.
• “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission by Implementing Decision (EU) 2021/914 of 4 June 2021.
• “Special Category Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
• “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Portal.
• “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, as may be revised under Section 18 of the Addendum.

3. Scope of Processing and Roles

3.1 The Controller determines the purposes and means of the processing of Personal Data through its use of the Portal. The Processor processes Personal Data solely on behalf of and under the instructions of the Controller as set out in this DPA, the Agreement, and as documented in Schedule 1 (Details of Processing).

3.2 The details of the processing, including the subject matter, duration, nature and purpose of processing, type of Personal Data, and categories of Data Subjects, are set out in Schedule 1.

3.3 Each party shall comply with its respective obligations under Applicable Data Protection Law in relation to the processing of Personal Data under this DPA.

4. Processor Obligations

4.1 Instructions (a) The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Member State law or UK law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. (b) The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes Applicable Data Protection Law.

4.2 Confidentiality (a) The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. (b) The Processor shall not disclose Personal Data to any third party except as expressly permitted by this DPA or as required by law.

4.3 Security (a) The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the EU GDPR and UK GDPR. The security measures in place as at the date of this DPA are described in Schedule 2 (Technical and Organisational Measures). (b) The Processor shall regularly test, assess, and evaluate the effectiveness of the technical and organisational measures for ensuring the security of processing.

4.4 Sub-processing (a) The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the conditions set out in this Section 4.4. (b) The Processor shall maintain an up-to-date list of Sub-processors, which shall be made available to the Controller upon request and shall be accessible via the Portal’s administration interface or a designated URL. The current list of Sub-processors as at the date of this DPA is set out in Schedule 3. (c) The Processor shall notify the Controller in writing (including by email to the address associated with the Controller’s Portal account) at least thirty (30) days before engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall identify the Sub-processor, its location, and the processing activities it will perform. (d) The Controller may object to the engagement of a new or replacement Sub-processor on reasonable grounds relating to data protection by notifying the Processor in writing within fifteen (15) days of receipt of the Processor’s notification. If the Controller objects, the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached within thirty (30) days of the Controller’s objection, the Controller may terminate the Agreement and this DPA with immediate effect without penalty. (e) The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

4.5 Data Subject Rights (a) Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law. (b) If the Processor receives a request from a Data Subject in respect of Personal Data processed under this DPA, the Processor shall promptly, and in any event within two (2) business days, refer the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller or required by law.

4.6 Personal Data Breach Notification (a) The Processor shall notify the Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. (b) The notification shall include, to the extent available: (i) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the name and contact details of the Processor’s point of contact from whom more information can be obtained; (iii) a description of the likely consequences of the Personal Data Breach; and (iv) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. (c) The Processor shall cooperate with and assist the Controller in investigating, remediating, and mitigating the effects of the Personal Data Breach and in complying with the Controller’s notification obligations under Applicable Data Protection Law.

4.7 Data Protection Impact Assessments and Prior Consultation The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Applicable Data Protection Law, taking into account the nature of the processing and the information available to the Processor.

4.8 Deletion and Return of Personal Data (a) Upon termination or expiry of the Agreement, the Processor shall, at the Controller’s election and within thirty (30) days of receipt of written instructions, either delete or return to the Controller all Personal Data processed under this DPA and delete existing copies, unless European Union or Member State law or UK law requires storage of the Personal Data. (b) If the Controller does not provide instructions within thirty (30) days of termination, the Processor shall delete all Personal Data within sixty (60) days of termination. (c) The Processor shall certify in writing to the Controller that it has complied with this Section 4.8 upon request.

4.9 Audit Rights (a) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. (b) The Processor shall provide, at least annually and at no additional cost to the Controller, a copy of a current SOC 2 Type II audit report (or equivalent independent third-party audit report) covering the Portal’s security controls. (c) The Controller may, upon thirty (30) days’ prior written notice and no more than once per twelve-month period (unless a Personal Data Breach or regulatory investigation necessitates an additional audit), conduct or commission an on-site or remote audit of the Processor’s processing activities and facilities relevant to the Portal. The audit shall be conducted during normal business hours, shall not unreasonably disrupt the Processor’s operations, and shall be subject to reasonable confidentiality obligations. The Controller shall bear its own costs of conducting the audit. (d) If an audit reveals material non-compliance with this DPA, the Processor shall promptly remediate the non-compliance at its own cost and shall report the remediation measures to the Controller in writing.

5. International Data Transfers

5.1 The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom unless appropriate safeguards are in place in accordance with Chapter V of the EU GDPR or UK GDPR.

5.2 Where the processing described in Schedule 1 involves the transfer of Personal Data from the EEA to a country that has not been the subject of an adequacy decision by the European Commission, the parties agree that the SCCs shall apply to such transfers. The SCCs are hereby incorporated by reference into this DPA and shall be deemed completed as follows: Module Two (Controller to Processor) shall apply; Clause 7 (docking clause): included; Clause 9(a) (sub-processor authorisation): Option 2 (General written authorisation) shall apply, with a notification period of thirty (30) days; Clause 11 (redress): the optional language shall not apply; Clause 13(a) (supervision): the supervisory authority of the EU Member State in which the Controller is established, or if the Controller is not established in the EU, the supervisory authority of the EU Member State in which the Controller’s EU representative is established, shall act as the competent supervisory authority; Clause 17 (governing law): Option 1 shall apply; the SCCs shall be governed by the laws of [the EU Member State in which the Controller is established / Ireland]; Clause 18(b) (jurisdiction): disputes shall be resolved before the courts of [the EU Member State identified in Clause 17 / Ireland]; Annex I, Annex II, and Annex III of the SCCs shall be deemed completed with the information set out in Schedule 1, Schedule 2, and Schedule 3 of this DPA, respectively.

5.3 Where the processing involves the transfer of Personal Data from the United Kingdom to a country that has not been the subject of an adequacy regulation under the UK GDPR, the UK Addendum shall apply in addition to the SCCs. The UK Addendum is hereby incorporated by reference. The information required to complete Tables 1–4 of the UK Addendum shall be taken from the corresponding Schedules of this DPA and the SCC provisions set out in Section 5.2 above.

5.4 Where the EU-U.S. Data Privacy Framework (or any successor framework) applies, the Processor may rely on its certification under such framework as an alternative transfer mechanism for transfers of Personal Data from the EEA to the United States, provided that the Processor maintains its certification and the framework remains valid.

5.5 If any transfer mechanism relied upon under this Section 5 is invalidated by a court, supervisory authority, or legislative act, the parties shall cooperate in good faith to implement an alternative lawful transfer mechanism promptly.

6. United States Specific Provisions

6.1 To the extent that the CCPA/CPRA applies to the processing of Personal Data under this DPA, the Processor shall act as a “Service Provider” (as defined in the CCPA/CPRA) and shall: process Personal Data only for the specific business purposes set out in Schedule 1 and as permitted under the Agreement; not sell or share (as those terms are defined in the CCPA/CPRA) the Personal Data; not retain, use, or disclose Personal Data for any purpose other than for the business purposes specified in this DPA, including any commercial purpose other than providing the Portal service; not retain, use, or disclose Personal Data outside of the direct business relationship between the Processor and the Controller; and comply with the CCPA/CPRA and grant the Controller the same level of privacy protection as required by the CCPA/CPRA.

6.2 The Controller has the right to take reasonable and appropriate steps to help ensure that the Processor uses Personal Data in a manner consistent with the Controller’s obligations under the CCPA/CPRA.

6.3 The Processor shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA/CPRA.

6.4 To the extent that any other U.S. state privacy law (including but not limited to the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Texas Data Privacy and Security Act) applies to the processing, the Processor’s obligations under this Section 6 and Schedule 1 shall be interpreted and applied so as to satisfy the processor or service provider requirements of such law.

7. Liability

7.1 Each party’s liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in this DPA or the Agreement shall limit or exclude either party’s liability for: fraud or fraudulent misrepresentation; any liability that cannot be limited or excluded by Applicable Data Protection Law; or the Processor’s breach of Section 4.1 (Instructions) where the Processor processes Personal Data other than on documented instructions of the Controller.

7.2 The Processor shall indemnify and hold harmless the Controller from and against any fines, penalties, losses, costs, claims, or damages arising from the Processor’s material breach of this DPA, except to the extent that such fines, penalties, losses, costs, claims, or damages arise from the Controller’s own breach of this DPA or Applicable Data Protection Law.

8. Term and Termination

8.1 This DPA shall come into effect upon the Controller’s acceptance of the Agreement (including by completing the Portal account registration process) and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Agreement.

8.2 Upon termination or expiry of the Agreement, the provisions of this DPA that by their nature should survive (including Sections 4.6, 4.8, 4.9, 7, and 9) shall continue in full force and effect.

9. General Provisions

9.1 Conflict. In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail in respect of the processing of Personal Data. In the event of a conflict between this DPA and the SCCs (or the UK Addendum), the SCCs (or the UK Addendum, as applicable) shall prevail.

9.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be replaced by a valid and enforceable provision that achieves, to the extent possible, the original intent of the parties.

9.3 Amendments. This DPA may be amended only in writing signed by both parties, except that the Processor may update the technical and organisational measures described in Schedule 2 from time to time, provided that such updates do not materially reduce the overall level of security. The Processor shall notify the Controller of material updates to Schedule 2.

9.4 Governing Law. This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, subject to the mandatory application of Applicable Data Protection Law and the governing law provisions of the SCCs or UK Addendum where applicable.

9.5 Entire Agreement. This DPA, together with the Agreement, the SCCs (where applicable), and the UK Addendum (where applicable), constitutes the entire agreement between the parties with respect to the processing of Personal Data in connection with the Portal and supersedes all prior or contemporaneous agreements, representations, or understandings on the subject matter.

Schedule 1: Details of Processing

(This Schedule also serves as Annex I to the SCCs and the UK Addendum.)

A. List of Parties — Data Exporter / Controller: The Subscribing Organisation, as identified in the Portal account registration and the Agreement. Data Importer / Processor: [Portal Operator Legal Entity Name], as identified in Section 1.1(b) of this DPA.

B. Description of Processing — Subject matter: The provision of an anonymous reporting portal that enables the Controller’s employees, contractors, vendors, and third parties to submit reports of potential misconduct, compliance violations, or safety concerns. Duration of processing: For the term of the Agreement, plus the period necessary to complete the deletion or return of Personal Data as provided in Section 4.8. Nature of processing: Receipt, storage, transmission, retrieval, and deletion of Report Data submitted through the Portal. Facilitation of anonymous two-way communication between reporters and the Controller’s designated reviewers. Purpose of processing: To enable the Controller to receive, review, triage, and investigate reports of potential misconduct, legal violations, or policy breaches; to comply with legal obligations including under the EU Whistleblower Protection Directive, the UK Public Interest Disclosure Act 1998, the Sarbanes-Oxley Act, and the Dodd-Frank Act; and to facilitate anonymous follow-up communication. Types of Personal Data: Personal Data contained in free-text report descriptions and follow-up messages, which may include: names, job titles, and roles of individuals whose conduct is reported; descriptions of conduct, events, or circumstances; dates, times, and locations of reported events. Reports may also contain Special Category Data where reporters describe matters involving, for example, racial or ethnic origin, health conditions, trade union activity, or sexual orientation. Categories of Data Subjects: Individuals identified or identifiable in reports, including the Controller’s employees, officers, directors, contractors, vendors, and other third parties whose conduct is described. Anonymous reporters are not Data Subjects as no personal data about them is collected. Frequency of transfer: Continuous, as reports are submitted through the Portal. Retention period: As determined by the Controller’s retention policy. Default platform retention: twelve (12) months from submission (for reports not under investigation) or twelve (12) months from the date of the last follow-up message.

C. Competent Supervisory Authority — The competent supervisory authority shall be determined in accordance with Section 5.2(e) of this DPA.

Schedule 2: Technical and Organisational Measures

(This Schedule also serves as Annex II to the SCCs and the UK Addendum.)

The Processor implements and maintains the following technical and organisational security measures in connection with the Portal:

Encryption — All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 or equivalent industry-standard encryption. Encryption keys are managed using a dedicated key management service with separation of duties and automatic rotation.

Access Controls — Access to Report Data is restricted to authorised personnel on a need-to-know basis, enforced by role-based access controls (RBAC). The reviewer administration interface requires multi-factor authentication (MFA). Session timeouts and account lockout controls are enforced. Unique user credentials are required for all system access; shared accounts are prohibited.

Network Security — All Portal connections enforce HTTPS with HTTP Strict Transport Security (HSTS) headers. Content Security Policy (CSP) headers prevent execution of unauthorised scripts. No third-party scripts, analytics, advertising code, or tracking pixels are deployed on the Portal. Google reCAPTCHA and any similar third-party identity or behavioural analysis services are not used.

Anonymity by Design — No IP addresses of reporters are logged, stored, or forwarded. No cookies, session identifiers, browser fingerprints, or persistent identifiers are collected from reporters. No device or browser metadata (User-Agent, screen resolution, plugins) is collected from reporters. No location data (GPS, Wi-Fi, or network-derived) is collected from reporters. Periodic technical audits are conducted to verify that no personally identifiable information about reporters is captured.

Infrastructure and Hosting — The Portal infrastructure is hosted in data centres that maintain SOC 2 Type II and/or ISO 27001 certification. Data centres implement physical security controls including access logging, surveillance, and multi-layer perimeter security. System backups are encrypted and tested regularly.

Monitoring and Incident Response — Security event logging and monitoring are in place to detect anomalous access or behaviour. A documented incident response plan addresses identification, containment, eradication, recovery, and post-incident review. Penetration testing and vulnerability assessments are conducted at least annually.

Organisational Measures — All personnel with access to Report Data undergo background checks and receive data protection and security training upon onboarding and annually thereafter. Confidentiality agreements are in place for all personnel who may access Personal Data. Data protection policies and procedures are documented, reviewed, and updated at least annually.

Schedule 3: Sub-processors

(This Schedule also serves as Annex III to the SCCs and the UK Addendum.)

The following Sub-processors are authorised by the Controller as at the effective date of this DPA:

Sub-processor Name | Location | Processing Activities | Transfer Mechanism

[Cloud Hosting Provider] | [Country] | Infrastructure hosting, data storage, and backup services for the Portal. | [Adequacy decision / SCCs / DPF certification]

[Email Delivery Provider] | [Country] | Delivery of report notification emails to the Controller’s designated recipients (report content not included in email body). | [Adequacy decision / SCCs / DPF certification]

[Add additional Sub-processors as applicable] | [Country] | [Description] | [Mechanism]

The Processor shall update this Schedule and notify the Controller in accordance with Section 4.4 of this DPA before engaging any new or replacement Sub-processor.

[End of Data Processing Agreement]