Data Processing Agreement

1. Introduction and incorporation

This Data Processing Agreement ("DPA") sets out the terms on which Valix Digital Ltd ("Valix", "we", "us", "Processor") processes Personal Data on behalf of its clients ("Client", "you", "Controller") in connection with the services Valix provides under any engagement letter, statement of work, master services agreement, or other written agreement between the parties (the "Services Agreement").

This DPA forms part of, and is incorporated by reference into, the Services Agreement. By entering into or continuing to receive Services under the Services Agreement, the Client agrees to be bound by this DPA. Where the Services Agreement expressly references this DPA, or refers to "the DPA published at valix.digital/dpa" (or equivalent wording), this version of the DPA applies as in force at the time of the relevant Processing.

This DPA is drafted to comply with the requirements of Article 28 of the UK GDPR. Where the Client is subject to the EU GDPR in respect of any Personal Data processed under the Services Agreement, this DPA applies on equivalent terms in relation to that Personal Data.

If there is any conflict between this DPA and the Services Agreement, this DPA prevails in relation to matters concerning Personal Data, except where the Services Agreement expressly states otherwise.

2. Definitions

In this DPA, capitalised terms have the following meanings. Terms not defined here take the meaning given to them in the UK GDPR.

"AI System" means any artificial intelligence service, large language model, generative AI tool or machine-learning system used by Valix to provide the Services, including hosted services provided by third parties.

"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025 (as it amends the foregoing), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and, where applicable to the relevant Processing, the EU GDPR and any equivalent legislation in any other jurisdiction.

"Client Personal Data" means Personal Data that Valix processes on behalf of the Client in the course of providing the Services.

"International Transfer" means a transfer of Personal Data from the United Kingdom or the European Economic Area to a third country, or onward transfer, within the meaning of Applicable Data Protection Law.

"Personal Data Breach" has the meaning given in the UK GDPR.

"Restricted Country" means any country, territory or sector that is not the subject of a current adequacy decision under the UK GDPR or, where relevant, the EU GDPR.

"Sub-processor" means any third party engaged by Valix to process Client Personal Data in the course of providing the Services.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

"UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner.

"UK GDPR" has the meaning given in the Data Protection Act 2018 (as amended).

The terms "Controller", "Processor", "Personal Data", "Processing", "Special Category Data" and "Data Subject" have the meanings given to them in Applicable Data Protection Law.

3. Roles of the parties

The parties acknowledge and agree that, in relation to Client Personal Data processed under the Services Agreement, the Client is the Controller and Valix is the Processor.

Where the Client itself acts as a Processor on behalf of a further Controller (for example, where the Client is itself an agency or service provider), Valix acts as a Sub-processor and references in this DPA to the "Client" and "Controller" apply accordingly, and the Client warrants that it has the necessary authorisations from the relevant Controller to engage Valix on the terms set out in this DPA.

Each party will comply with its respective obligations under Applicable Data Protection Law.

4. Scope and details of Processing

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Schedule 1 (Details of Processing).

The Client is responsible for:

  • determining the lawful basis for the Processing;

  • providing all required information and obtaining all necessary consents from Data Subjects;

  • maintaining its own records of processing under Article 30 of the UK GDPR; and

  • the accuracy, quality, integrity and legality of Client Personal Data and the means by which the Client acquired it.

Valix is not responsible for determining whether the Client's instructions comply with Applicable Data Protection Law, but will inform the Client if, in Valix's opinion, an instruction infringes Applicable Data Protection Law (see clause 5.2).

5. Valix's obligations as Processor

5.1 Processing on documented instructions

Valix will process Client Personal Data only on the Client's documented instructions, including with regard to International Transfers, unless required to do otherwise by law applicable to Valix. Where Valix is so required, Valix will inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Client's instructions are set out in the Services Agreement, this DPA, and any further written instructions given by the Client from time to time (which must be consistent with the scope of the Services). The Client's use of the Services (including configurations and choices made within the relevant platforms) also constitutes documented instructions.

5.2 Instructions that infringe the law

If Valix considers, in its reasonable opinion, that a Client instruction infringes Applicable Data Protection Law, Valix will inform the Client without undue delay. Valix may suspend performance of the relevant instruction (without liability) until the Client confirms in writing that the instruction should proceed or amends it.

5.3 Confidentiality

Valix will ensure that any person it authorises to process Client Personal Data is bound by appropriate written obligations of confidentiality or is under an appropriate statutory obligation of confidentiality.

5.4 Security

Valix will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of Data Subjects, as required by Article 32 of the UK GDPR.

A summary of the technical and organisational measures Valix maintains is set out in Schedule 2 (Technical and Organisational Measures). Valix may update Schedule 2 from time to time, provided the updated measures provide at least an equivalent level of protection.

5.5 Sub-processors

The Client provides general written authorisation for Valix to engage Sub-processors to process Client Personal Data in connection with the Services. A current list of Valix's Sub-processors is published at valix.digital/sub-processors ("Sub-processor List") and is incorporated into this DPA by reference. Valix will provide at least fourteen (14) days' prior notice of the addition or replacement of any Sub-processor by updating the Sub-processor List (and, where the Client has subscribed to update notifications, by email).

The Client may object to a new Sub-processor on reasonable data-protection grounds by notifying Valix in writing within fourteen (14) days of being notified of the change. If the Client objects, the parties will work in good faith to find a workable alternative. If no alternative is reasonably available, either party may terminate the affected part of the Services on written notice without further liability, save for accrued obligations.

Valix will:

  • enter into a written contract with each Sub-processor on terms which impose data protection obligations no less protective than those set out in this DPA; and

  • remain fully liable to the Client for the acts and omissions of its Sub-processors in respect of Client Personal Data, as if those acts or omissions were Valix's own.

5.6 Use of AI Systems

Valix uses AI Systems in the provision of the Services, including for content drafting, audit and review of marketing assets, data analysis, automation, and quality assurance. Where AI Systems process Client Personal Data, they do so as Sub-processors and are listed on the Sub-processor List.

When using AI Systems, Valix will:

  • Purpose limitation. Use AI Systems only for the purposes of providing the Services in accordance with the Client's instructions, and not for any independent purpose of Valix;

  • No training on Client data. Only use AI Systems on terms that contractually prohibit the AI System provider from using Client Personal Data to train, fine-tune, or improve its underlying models, save where the Client has given specific, separate written consent. Where this is not contractually available with a given AI System provider, Valix will not use that provider to process Client Personal Data unless the provider provides consent;

  • Input minimisation. Apply data minimisation when providing inputs to AI Systems, and not knowingly input Special Category Data, criminal-offence data, or directly identifying contact data (such as customer email lists) into a general-purpose AI System unless the Client has expressly instructed Valix to do so or such input is necessary to perform the Services and is covered by an appropriate processor relationship;

  • Human oversight. Maintain meaningful human review of AI System outputs before they are delivered to the Client or deployed on the Client's behalf;

  • No automated decision-making with legal or similarly significant effects. Not use AI Systems to make solely automated decisions concerning Data Subjects that produce legal or similarly significant effects, unless expressly instructed by the Client in writing and a lawful basis is in place;

  • Records. Maintain reasonable records of the AI Systems used in providing the Services, sufficient to support the Client's accountability obligations; and

  • DPIA support. Provide reasonable information and assistance to the Client in connection with any data protection impact assessment that the Client carries out in relation to Valix's use of AI Systems (see clause 5.9).

Nothing in this clause obliges Valix to disclose proprietary information about the internal workings, model weights, or training data of third-party AI Systems beyond what is reasonably necessary for the Client to meet its compliance obligations.

5.7 Assistance with Data Subject rights

Taking into account the nature of the Processing, Valix will assist the Client by appropriate technical and organisational measures, insofar as is reasonably possible, to enable the Client to fulfil its obligations to respond to requests by Data Subjects to exercise their rights under Chapter III of the UK GDPR.

If Valix receives a request directly from a Data Subject in relation to Client Personal Data, Valix will not respond to the request (other than to acknowledge receipt and direct the Data Subject to the Client) and will forward the request to the Client without undue delay.

Where Valix's assistance under this clause requires more than de minimis effort, Valix may charge the Client reasonable costs on a time-and-materials basis at its then-current rates.

5.8 Personal Data Breach

Valix will notify the Client of any Personal Data Breach affecting Client Personal Data without undue delay, and in any event within seventy-two (72) hours of becoming aware of it. The notification will include, to the extent then known:

  • the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;

  • the likely consequences of the Personal Data Breach;

  • the measures taken or proposed to address it and to mitigate possible adverse effects; and

  • the name and contact details of Valix's relevant contact for further information.

Valix will provide reasonable assistance to the Client in connection with the Client's own notification obligations to supervisory authorities and Data Subjects.

5.9 DPIAs and prior consultation

Taking into account the nature of the Processing and the information available to Valix, Valix will provide reasonable assistance to the Client with any data protection impact assessment, and any prior consultation with a supervisory authority, that the Client is required to carry out under Applicable Data Protection Law in connection with the Services.

5.10 Audit rights

Valix will make available to the Client, on reasonable written request, the information necessary to demonstrate compliance with its obligations under Article 28 of the UK GDPR and this DPA. This may include responses to reasonable security and compliance questionnaires, copies of relevant policies, and summaries of relevant certifications or audit reports held by Valix or its Sub-processors.

The Client may, no more than once in any twelve (12) month period (or more frequently if required by a supervisory authority or following a material Personal Data Breach), conduct an audit of Valix's compliance with this DPA. Audits will be:

  • conducted on reasonable prior written notice (not less than thirty (30) days, except in the case of a material Personal Data Breach);

  • carried out during normal business hours;

  • subject to reasonable confidentiality obligations;

  • conducted in a manner that does not unreasonably interfere with Valix's business; and

  • limited to information, systems and personnel relevant to the Processing of Client Personal Data.

The Client will bear its own costs and Valix's reasonable costs in connection with any audit, save where the audit reveals a material breach of this DPA by Valix, in which case Valix will bear its own costs.

5.11 Return or deletion

On termination or expiry of the Services Agreement, or earlier on the Client's written request, Valix will (at the Client's choice) delete or return all Client Personal Data to the Client and delete existing copies, unless Applicable Data Protection Law requires storage of the Personal Data.

Valix may retain Client Personal Data:

  • to the extent required by Applicable Data Protection Law or other applicable law;

  • in routine backups, which will be deleted in accordance with Valix's backup-retention policy and will not be actively processed during that retention period; and

  • as anonymised data which cannot reasonably be linked to a Data Subject.


Where return is requested, Valix will return the Personal Data in a commonly used electronic format. Where deletion is requested, Valix will, on written request, certify to the Client in writing that deletion has been carried out.

6. International Transfers

Valix may transfer Client Personal Data to a Restricted Country, or authorise a Sub-processor to do so, only where appropriate safeguards are in place in accordance with Applicable Data Protection Law. These may include:

  • a current adequacy decision under the UK GDPR (or, where relevant, the EU GDPR);

  • the UK IDTA;

  • the EU Standard Contractual Clauses as supplemented by the UK Addendum; or

  • another transfer mechanism permitted under Applicable Data Protection Law.


In assessing the level of protection in the destination country, the parties will apply the "not materially lower" test introduced by section 85 of the Data (Use and Access) Act 2025, and act reasonably and proportionately. Where required, Valix will carry out, or assist the Client to carry out, a transfer risk assessment.

Where the Client makes an International Transfer to Valix and the UK IDTA or UK Addendum is required, the parties agree that this DPA (together with the Services Agreement and the relevant Schedules) is deemed to incorporate the UK IDTA or UK Addendum (as applicable) by reference, with Valix as the data importer and the Client as the data exporter, and that the information required to complete the relevant tables is taken from the Services Agreement and the Schedules to this DPA.

7. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Services Agreement. Nothing in this DPA excludes or limits any liability that cannot be excluded or limited under Applicable Data Protection Law.

8. Term and termination

This DPA takes effect on the effective date of the Services Agreement and continues for the duration of the Services Agreement. Clauses that by their nature should survive termination (including clauses 5.11, 6, 7, and 9) will so survive.

9. General

9.1 Updates to this DPA

Valix may update this DPA from time to time to reflect changes in law, the Services, its Sub-processors, or its security or governance practices. Valix will give the Client reasonable notice of material changes, typically by updating this page. Updates that are purely administrative, or required to comply with applicable law, may take effect immediately on publication.

Continued use of the Services after a material update takes effect constitutes acceptance of the updated DPA. If the Client does not accept a material update, it may terminate the affected Services in accordance with the Services Agreement.

9.2 Governing law

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, save where the governing law or jurisdiction clause of the Services Agreement provides otherwise.

9.3 Contact

For any data protection matter under this DPA, please contact: tim (at) valix (dot) digital

Schedule 1 — Details of Processing
Subject matter

The provision by Valix to the Client of digital marketing, email marketing, conversion-rate optimisation, audit, consultancy, training and related services as described in the Services Agreement.

Duration

For the term of the Services Agreement, plus any post-termination retention period required by law or permitted under clause 5.11.

Nature and purpose of Processing

Valix will process Client Personal Data for the purposes of providing the Services, which may include:

  • planning, building, sending and analysing email and SMS marketing campaigns and automated flows;

  • segmentation and list management;

  • A/B testing and performance analysis;

  • onsite conversion-rate optimisation (forms, sign-up units, landing pages);

  • audit and review of marketing assets, templates and programmes;

  • data hygiene activities (including list validation and suppression);

  • consultancy, reporting, and account management; and

  • internal record-keeping, billing and account administration.

Types of Personal Data

The Personal Data Processed may include:

  • identification and contact data (name, email address, postal address, telephone number);

  • account data (username, customer ID, marketing consent status, preferences);

  • transactional data (order history, purchase value, products purchased);

  • behavioural and engagement data (email opens, clicks, web events, page views, abandoned cart data);

  • device and technical data (IP address, device type, browser, location at city level);

  • demographic data, where collected by the Client; and

  • any other Personal Data that the Client uploads, configures, or makes available to Valix in connection with the Services.

Categories of Data Subjects

The Data Subjects may include the Client's:

  • customers and prospective customers;

  • newsletter subscribers and marketing contacts;

  • website visitors;

  • event attendees and competition entrants; and

  • such other Data Subjects whose Personal Data the Client provides to Valix.

Special Category Data and criminal-offence data

Valix does not request or require the input of Special Category Data or criminal-offence data into the Services. If the Client provides any such data, it does so on its own instruction and confirms that an appropriate lawful basis and Article 9/10 condition applies. Special Category Data will not be input into general-purpose AI Systems (see clause 5.6).

Frequency

Continuous, throughout the term of the Services Agreement.

Schedule 2 — Technical and Organisational Measures

Valix maintains appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including the following (which Valix may update from time to time, provided protection is not materially reduced):

Access control
  • Role-based access to Client environments on a least-privilege basis;

  • Unique user accounts for all personnel; no shared credentials;

  • Multi-factor authentication required for access to all systems holding or accessing Client Personal Data;

  • Quarterly access reviews and prompt revocation of access on role change or departure;

  • Strong password policies enforced via password management tooling.


Device and endpoint security
  • Full-disk encryption on all devices used to access Client Personal Data;

  • Up-to-date operating systems and security patches;

  • Endpoint protection / anti-malware software on all devices;

  • Automatic screen lock and remote-wipe capability for mobile devices.


Network and transmission security
  • Encrypted (TLS) transmission of Personal Data in transit;

  • Secure file transfer for any bulk data exchange;

  • No transmission of Client Personal Data over personal email or unencrypted channels.


Storage
  • Reputable cloud-hosted services with appropriate security accreditations;

  • Encryption at rest where supported by the underlying service;

  • Logical separation of Client environments.


Personnel
  • Written confidentiality obligations for all personnel;

  • Data protection and security training for personnel on induction and refreshed periodically;

  • Background checks proportionate to role, where lawful.


Operational measures
  • Documented information security and data protection policies;

  • Incident response procedures, including for Personal Data Breaches;

  • Sub-processor due diligence prior to engagement and on an ongoing basis;

  • Maintenance of a register of Sub-processors and AI Systems used in the Services;

  • Periodic review of technical and organisational measures.


Business continuity
  • Backups of Valix's operational systems; client production data remains within client-controlled platforms;

  • Documented procedures for restoration following a disruption.

Data minimisation

  • Only the Personal Data necessary for the Services is requested or processed;

  • Avoidance of Personal Data input into general-purpose AI Systems where not necessary for the Services.

Schedule 3 — Sub-processors

A current list of Sub-processors is maintained at valix.digital/sub-processors and is incorporated by reference into this DPA on this page.

The specific Sub-processors actually engaged depend on the Services agreed with the Client.

End of Data Processing Agreement.