Adema

Data Processing Addendum

UK GDPR - Article 28 Processor Agreement

Between: SH Proptech Limited ("Processor" / "Adema")

And: The Customer identified in the applicable Order Form ("Controller")

Effective date: 28 February 2026 | Version 1.0

PLAIN-LANGUAGE SUMMARY

This summary is for convenience only and does not form part of the legal terms.

| Topic | Summary |
|---|---|
| What this is | A legally binding addendum that governs how Adema processes personal data on your behalf, as required by UK GDPR Article 28. |
| When it applies | When you (the customer) are a data controller and Adema processes personal data on your instructions via the Platform. |
| Our obligations | Process only on your instructions, keep data secure, assist with your GDPR obligations, notify breaches within 48 hours, delete/return data on termination. |
| Sub-processors | We use approved sub-processors (cloud, AI, payments). We maintain a list, notify you of changes, and give you the right to object. |
| International transfers | Protected by UK IDTA, SCCs, or adequacy decisions. |
| Audits | You have the right to audit our compliance (with reasonable notice). |

1. Definitions and Interpretation

1.1. In this Data Processing Addendum ("DPA"):

| Term | Meaning |
|---|---|
| Applicable Data Protection Law | UK GDPR (the UK General Data Protection Regulation as retained under the Data Protection Act 2018) and any successor legislation. |
| Controller | The Customer, as identified in the Order Form, who determines the purposes and means of processing Personal Data. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates. |
| IDTA | The UK International Data Transfer Agreement issued under Section 119A of the Data Protection Act 2018. |
| Order Form | An order form, statement of work, or similar document executed between the parties under the Platform License Agreement. |
| Personal Data | Any information relating to a Data Subject processed by the Processor on behalf of the Controller in connection with the Platform. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
| Principal Agreement | The Adema Terms of Service, Platform License Agreement, and any Order Form between the parties. |
| Processor | SH Proptech Limited (trading as Adema), the entity that processes Personal Data on behalf of the Controller. |
| Processing | Any operation performed on Personal Data (collection, recording, storage, retrieval, use, disclosure, erasure, destruction, etc.). |
| Sub-processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller. |
| Supervisory Authority | The Information Commissioner's Office (ICO) or any successor authority. |

1.2. Capitalised terms not defined here have the meanings given in UK GDPR or the Principal Agreement.

1.3. This DPA supplements and forms part of the Principal Agreement. In the event of conflict, this DPA prevails with respect to data protection matters.

2. Scope and Application

2.1. This DPA applies where the Controller is a data controller under Applicable Data Protection Law and Adema processes Personal Data on the Controller's behalf in connection with the Platform.

2.2. This DPA does not apply to processing where Adema is the data controller (e.g., account management, billing). Such processing is governed by the Adema Privacy Policy.

2.3. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex A.

3. Controller Obligations

3.1. The Controller warrants that:

  • It has a lawful basis under Applicable Data Protection Law for each category of Personal Data it instructs the Processor to process.
  • It has provided all required notices and obtained all necessary consents from Data Subjects.
  • Its processing instructions comply with Applicable Data Protection Law.
  • It will not instruct the Processor to process special category data unless expressly agreed in the Order Form with appropriate safeguards.

3.2. The Controller is responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

4. Processor Obligations

4.1 Processing instructions

4.1.1. The Processor shall process Personal Data only on the Controller's documented instructions, unless required by law to do otherwise (in which case the Processor shall notify the Controller before processing, unless prohibited by law).

4.1.2. The Controller's initial instructions are set out in the Principal Agreement and this DPA. Additional instructions may be given in writing. The Processor shall inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law.

4.2 Confidentiality

The Processor shall ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations (contractual or statutory).

4.3 Security (Article 32)

4.3.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (as appropriate):

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Role-based access control with principle of least privilege.
  • Multi-factor authentication for staff accessing Personal Data.
  • Regular vulnerability assessments and penetration testing (at least annually).
  • Documented incident response procedures.
  • Business continuity and disaster recovery measures.
  • Logging and monitoring of access to Personal Data.

4.3.2. The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and document the results.

4.4 Assistance with Controller obligations

The Processor shall assist the Controller (taking into account the nature of processing and information available) with:

  • Responding to Data Subject rights requests (Articles 15-22) within reasonable timeframes.
  • Data protection impact assessments (Article 35) and prior consultation with the Supervisory Authority (Article 36), where the Controller reasonably requests such assistance.
  • Compliance with obligations under Articles 32-36 (security, breach notification, DPIAs).

The Processor may charge a reasonable fee for assistance beyond the scope of the Principal Agreement.

5. Sub-processors

5.1 General authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the requirements of this clause 5.

5.2 Current Sub-processors

5.2.1. The current list of Sub-processors is set out in Annex B and is also available on request from dpo@adema.ai.

5.2.2. The Controller confirms acceptance of the Sub-processors listed in Annex B as at the Effective Date.

5.3 Changes to Sub-processors

5.3.1. The Processor shall notify the Controller in writing at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor.

5.3.2. The notice shall include the Sub-processor's name, location, and the processing activities to be performed.

5.3.3. The Controller may object to a new Sub-processor on reasonable data protection grounds by notifying the Processor in writing within 14 days of receipt of the notice.

5.3.4. If the Controller objects, the parties shall discuss the objection in good faith. If they cannot resolve the objection within 30 days, the Controller may terminate the affected processing activities (or the entire DPA) on written notice without penalty.

5.4 Sub-processor obligations

The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. The Processor remains fully liable to the Controller for the acts and omissions of its Sub-processors.

6. International Data Transfers

6.1. The Processor shall not transfer Personal Data outside the United Kingdom unless:

  • The destination country has an adequacy decision from the UK Secretary of State; or
  • The transfer is subject to the UK IDTA or UK Addendum to EU SCCs; or
  • An appropriate derogation under Article 49 of UK GDPR applies.

6.2. Where the IDTA or UK Addendum is required, it is deemed incorporated into this DPA by reference.

6.3. The Processor shall implement supplementary measures (encryption, pseudonymisation, access controls) where required by the Transfer Impact Assessment to ensure an essentially equivalent level of protection.

7. Personal Data Breach

7.1. The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.

7.2. The notification shall include (to the extent known):

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected.
  • The name and contact details of the Processor's data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate adverse effects.

7.3. Where full information is not available within 48 hours, the Processor shall provide initial notification and supplement it as information becomes available.

7.4. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

7.5. The Processor shall document all Personal Data Breaches, including the facts, effects, and remedial actions taken (Article 33(5)).

8. Audit Rights

8.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

8.2. The Processor shall allow and contribute to audits and inspections conducted by the Controller or a qualified third-party auditor mandated by the Controller, subject to:

  • Reasonable written notice (at least 30 days, except in the case of a suspected breach).
  • Audits conducted during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations.
  • The auditor agreeing to reasonable confidentiality obligations.
  • No more than one audit per 12-month period (unless required by the Supervisory Authority or a breach has occurred).

8.3. As an alternative to on-site audit, the Processor may provide the Controller with: (a) a copy of a recent SOC 2 Type II report or equivalent independent audit report; or (b) completion of a detailed data protection questionnaire. The Controller may still require an on-site audit where the alternative is insufficient.

8.4. The Controller shall bear its own costs of conducting an audit unless the audit reveals a material breach of this DPA by the Processor.

9. Data Return and Deletion

9.1. On termination of the Principal Agreement or this DPA (whichever is earlier), the Processor shall, at the Controller's election:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV); or
  • Delete all Personal Data and certify deletion in writing.

9.2. The Controller must make its election within 30 days of termination. If no election is made, the Processor shall delete the Personal Data.

9.3. The Processor may retain Personal Data to the extent required by law (e.g., tax records) and shall notify the Controller of any such retention, specifying the data retained and the legal basis.

9.4. Deletion shall be carried out within 30 days of the Controller's instruction (or the expiry of the 30-day election period). The Processor shall ensure that Sub-processors also delete or return the data.

10. Liability

10.1. Each party's liability under this DPA is subject to the limitations and exclusions in the Principal Agreement, except that neither party excludes or limits liability for breaches of Applicable Data Protection Law caused by its own wilful default or gross negligence.

10.2. The Processor shall indemnify the Controller against losses arising from the Processor's breach of this DPA or Applicable Data Protection Law, to the extent that the Controller is not responsible for the processing that caused the loss.

11. Term and Termination

11.1. This DPA takes effect on the Effective Date and continues for the duration of the Principal Agreement.

11.2. Obligations that by their nature should survive termination (clauses 4.2, 7, 8, 9, 10) shall survive termination of this DPA.

11.3. Either party may terminate this DPA if the other party is in material breach and fails to remedy the breach within 30 days of written notice.

12. Governing Law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, without prejudice to the rights of Data Subjects under Applicable Data Protection Law to bring proceedings in other jurisdictions.

Annex A - Processing Details

Complete this Annex for each Controller engagement (may be incorporated by reference in the Order Form).

| Field | Description |
|---|---|
| Subject matter of processing | Provision of AI-powered property intelligence and data analytics services via the Adema Platform. |
| Duration of processing | Duration of the Principal Agreement (including any Order Form term) plus the post-termination deletion/return period. |
| Nature of processing | Collection, storage, retrieval, analysis (including AI processing), display, and deletion of Personal Data submitted by or on behalf of the Controller. |
| Purpose of processing | To deliver Platform features requested by the Controller, including AI-generated property reports, analytics, and data visualisations. |
| Categories of Personal Data | Name, email, business contact details, property addresses, search queries, AI prompts/outputs, IP address, usage/session data. |
| Categories of Data Subjects | Controller's employees, agents, clients, and end users who access the Platform under the Controller's account. |
| Special category data | None, unless expressly agreed in the Order Form with appropriate safeguards. |

Annex B - Approved Sub-processors

Current as at 28 February 2026. Updated list available on request from dpo@adema.ai.

| Sub-processor | Location | Processing activity |
|---|---|---|
| Amazon Web Services (AWS) | UK / EU (primary); US (failover) | Cloud infrastructure, hosting, storage, compute |
| Google Cloud Platform (GCP) | UK / EU | AI model hosting, compute (where applicable) |
| Stripe, Inc. | US (UK IDTA in place) | Payment processing, fraud prevention |
| OpenAI, Inc. | US (UK IDTA / DPA in place) | AI model inference (query processing) |
| Anthropic, Inc. | US (UK IDTA / DPA in place) | AI model inference (query processing) |
| Google DeepMind / Vertex AI | UK / EU | AI model inference (where applicable) |
| SendGrid / Resend | US (UK IDTA in place) | Transactional email delivery |
| PostHog / Mixpanel | EU (where applicable) | Product analytics (anonymised where possible) |
| [Additional sub-processors] | [Location] | [To be updated as engaged] |

The Processor will notify the Controller 30 days before adding or replacing any Sub-processor (clause 5.3).

Annex C - Technical and Organisational Security Measures

| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.2+ for all API and web traffic. HSTS enforced. |
| Encryption at rest | AES-256 (or equivalent) for databases, backups, and object storage. |
| Access control | Role-based access (RBAC), principle of least privilege, MFA for all staff. |
| Authentication | Bcrypt-hashed passwords, optional MFA for users, API key rotation policy. |
| Network security | WAF, DDoS protection, private VPC, firewall rules, intrusion detection. |
| Vulnerability management | Automated scanning, dependency auditing, annual penetration test by independent firm. |
| Logging and monitoring | Centralised logging, real-time alerting, audit trail for data access. |
| Incident response | Documented plan, designated incident commander, 48-hour Controller notification. |
| Business continuity | Automated backups (daily), cross-region replication, tested recovery procedures. |
| Staff training | Annual data protection training, onboarding security awareness, background checks. |
| Physical security | Cloud-hosted (AWS/GCP data centre certifications: ISO 27001, SOC 2). |
| Data minimisation | Collection limited to what is necessary. Anonymisation applied where feasible. |

This DPA is entered into and becomes binding on the Effective Date stated above, or on the date of the applicable Order Form, whichever is later.

| | Controller | Processor (Adema) |
|---|---|---|
| Authorised signatory | ____________________________ | ____________________________ |
| Name | ____________________________ | ____________________________ |
| Title | ____________________________ | ____________________________ |
| Date | ____________________________ | ____________________________ |
| Email | ____________________________ | dpo@adema.ai |

End of Adema Data Processing Addendum (v1.0, 28 February 2026)