Legal

Data Processing Addendum

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the agreement between:

  • Rebasoft Limited (“Processor”)

  • The Customer (“Controller”)

(together, the “Parties”).

This DPA applies where Rebasoft processes Personal Data on behalf of the Customer.

This DPA is designed to comply with Article 28 of the UK GDPR and reflects enterprise and regulated-environment requirements.

2. Definitions

“Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, and all other applicable UK data protection laws.

All other terms (Personal Data, Processing, Controller, Processor, Data Subject, Sub-Processor) have the meanings set out in UK GDPR.

3. Roles and Scope

  • The Customer acts as Controller

  • Rebasoft acts as Processor, except where acting as Controller for its own purposes

This DPA applies only to Processing carried out on behalf of the Customer.

4. Processing Instructions

Rebasoft shall:

  • Process Personal Data only on documented instructions

  • Treat the Agreement and Service configuration as such instructions

  • Notify the Customer if an instruction breaches Applicable Law

Rebasoft may process data where required by law and shall notify the Customer unless prohibited.

5. Confidentiality

Rebasoft ensures:

  • Personnel are bound by confidentiality obligations

  • Access is limited to authorised individuals only

6. Security of Processing (Article 32)

Rebasoft implements appropriate technical and organisational measures, including:

  • Encryption (TLS 1.2/1.3, AES-256 or equivalent)

  • Role-Based Access Control (RBAC)

  • Segregation of duties

  • Audit logging and monitoring

  • Secure system architecture

Rebasoft ensures protection against:

  • Unauthorised or unlawful processing

  • Accidental loss, destruction, or damage

Security measures may evolve, provided protection is not materially reduced.

7. Sub-Processing

The Customer provides general written authorisation for Sub-Processors.

Rebasoft shall:

  • Enter into Article 28-compliant agreements

  • Impose equivalent obligations

  • Remain fully liable

Rebasoft shall:

  • Provide ≥14 days’ notice of changes

  • Allow objection on reasonable data protection grounds

Where unresolved:

  • Rebasoft will offer alternatives where feasible

  • Otherwise, contractual remedies apply

8. International Transfers

Rebasoft shall not transfer Personal Data outside the UK unless safeguards are in place:

  • UK IDTA

  • SCCs

  • Adequacy decisions

All transfers are:

  • Risk assessed

  • ICO-aligned

  • Documented

9. Data Subject Rights

Rebasoft shall:

  • Assist the Customer in responding to requests

  • Not respond directly unless legally required

Support is:

  • Included where reasonable

  • Subject to proportionate cost where excessive

10. Personal Data Breach

Rebasoft shall:

  • Notify the Customer without undue delay

  • Provide sufficient information to meet regulatory obligations

  • Cooperate in the investigation and remediation

11. DPIAs and Regulatory Cooperation

Rebasoft shall assist with:

  • DPIAs

  • Regulatory consultations

  • Compliance obligations

Support is:

  • Proportionate

  • Based on available data

  • Subject to agreed cost where applicable

12. Data Return and Deletion

Upon termination:

  • Data will be returned or deleted at Customer request

  • Unless legal retention is required

Data will be:

  • Provided in a structured, machine-readable format

  • Securely deleted with certification upon request

13. Audit and Compliance

Rebasoft shall:

  • Provide evidence of compliance

  • Allow audits no more than once per year, subject to:

    • 30 days’ notice

    • Confidentiality obligations

    • No operational disruption

Rebasoft may satisfy audits via:

  • Independent reports

  • Certifications

  • Security documentation

Customer bears reasonable, pre-agreed audit costs.

14. Liability

Each party is responsible for its own compliance.

To the extent permitted by law:

  • Each party is liable for its own breach

  • The responsible party shall indemnify the other

Liability shall:

  • Follow the Agreement; or

  • Be limited to a commercially reasonable and proportionate level

Nothing excludes:

  • Death or personal injury

  • Fraud

  • Non-excludable liability

15. Governing Law and Dispute Resolution

This DPA is governed by the laws of England and Wales.

Disputes:

  • Good faith negotiation

  • Escalation

  • Courts of England and Wales (exclusive jurisdiction)

ANNEX 1 — PROCESSING DETAILS (ARTICLE 28(3))

Subject Matter:
Cybersecurity, asset discovery, monitoring, and risk analysis

Duration:
Agreement term + retention period

Nature & Purpose:
Monitoring, analysis, configuration, risk assessment

Data Subjects:
Employees, contractors, system users

Personal Data:

  • Contact data

  • System identifiers

  • Authentication data

  • Technical and operational data

Special Category Data:
Not intentionally processed

Processing Activities:
Collection, storage, analysis, transmission, deletion

ANNEX 2 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

Rebasoft implements:

Security

  • Encryption (in transit & at rest)

  • RBAC and least privilege

  • Network segmentation

Monitoring

  • Logging and alerting

  • Threat detection

Governance

  • Access control policies

  • Change management

  • Security reviews

Resilience

  • Backup and recovery

  • Infrastructure redundancy

ANNEX 3 — SUBPROCESSORS

See: www.rebasoft.net/subprocessors

16. Contact

For all data protection enquiries:

Email: legal@rebasoft.net