DPA
Last updated: 22/12/25
This Data Processing Agreement ("DPA") forms part of the agreement between Mezze Software Ltd ("Processor") and the customer identified in the applicable order form or agreement ("Controller").
This DPA is entered into to comply with Article 28 of the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR).
1. Definitions
Unless otherwise defined in this DPA, capitalised terms have the meanings given in the GDPR.
"Personal Data" means any personal data processed by the Processor on behalf of the Controller.
"Processing" has the meaning given in Article 4(2) GDPR.
"Sub-processor" means any third party appointed by the Processor to process Personal Data.
2. Scope and Roles
2.1 The Controller appoints the Processor to process Personal Data solely on the Controller’s behalf and in accordance with this DPA.
2.2 The Controller acts as the data controller and Mezze Software Ltd acts as the data processor for the purposes of the GDPR.
3. Subject Matter and Details of Processing
a) Subject matter
Provision of Mezze’s software and related services.
b) Duration
For the term of the services agreement, unless otherwise agreed in writing.
c) Nature and purpose of processing
Hosting, storing, analysing, and otherwise processing Personal Data as necessary to provide the services.
d) Categories of data subjects
Controller’s employees
Controller’s clients and professional contacts
Other individuals whose data is submitted to the services
e) Types of personal data
Names
Business contact details (email address, phone number)
Job title and organisation
Communications and notes entered into the platform
Usage and audit data related to the services
Special category data is not intended to be processed unless expressly agreed in writing.
4. Processor Obligations
The Processor shall:
4.1 Process Personal Data only on documented instructions from the Controller.
4.2 Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
4.3 Implement appropriate technical and organisational measures to protect Personal Data.
4.4 Not disclose Personal Data to third parties except as permitted under this DPA or required by law.
4.5 Notify the Controller without undue delay if it believes an instruction infringes GDPR.
5. Security Measures
The Processor shall implement appropriate security measures, including:
Logical access controls
Secure hosting infrastructure
Encryption in transit where appropriate
Regular security reviews
Details of security measures may be updated from time to time to reflect industry standards.
6. Sub-processors
6.1 The Controller authorises the use of Sub-processors listed in Schedule 1.
6.2 The Processor shall ensure that Sub-processors are subject to equivalent data protection obligations.
6.3 The Processor shall notify the Controller of any intended changes to Sub-processors, allowing the Controller a reasonable opportunity to object.
7. International Transfers
Where Personal Data is transferred outside the UK or EEA, the Processor shall ensure appropriate safeguards are in place, including:
UK International Data Transfer Agreements (IDTA)
EU Standard Contractual Clauses (SCCs)
Transfers to countries subject to adequacy decisions
8. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller in responding to requests from data subjects to exercise their rights under GDPR.
9. Personal Data Breaches
9.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
9.2 The notification shall include all information reasonably required to assist the Controller in meeting its breach notification obligations.
10. Audits and Compliance
The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA and allow audits where required by law, subject to reasonable notice and confidentiality.
11. Return or Deletion of Data
Upon termination of the services, the Processor shall, at the Controller’s choice, delete or return all Personal Data, unless retention is required by law.
12. Liability
Liability under this DPA shall be subject to the limitations set out in the main services agreement, except where prohibited by law.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales.
Schedule 1 – Approved Sub-processors
The following Sub-processors may be used to provide the services:
Cloud hosting and infrastructure providers
Analytics providers
CRM and customer support platforms
A current list of Sub-processors may be made available on Mezze’s website or upon request.