Schedule 5: Data Processing Agreement (DPA)


EFFECTIVE DATE: 13th April 2026

This Data Processing Agreement (“DPA”) is an addendum to and incorporated into the Master Services Agreement (MSA) between BatchHeader Ltd t/a EncodeDotHost (“EncodeDotHost”) and you (“Customer”).

In the event of a conflict between this DPA and the MSA (or any Statement of Work/Service Schedule) regarding the processing of Personal Data, the terms of this DPA shall take precedence.

  1. Definitions

    • “Customer Data” means data provided by or on behalf of the Customer or Customer End Users via the Services under the account.
    • “Data Controller” means the entity that determines the purposes and means of the processing of Personal Data.
    • “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller.
    • “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the UK GDPR and the Data Protection Act 2018.
    • “EEA” means the European Economic Area.
    • “GDPR” means the EU General Data Protection Regulation 2016/679 and its UK equivalent (UK GDPR).
    • “Personal Data” means any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under the GDPR.
    • “Processing” has the meaning given to it in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly.
    • “Sub-Processor” means any third party authorised under this DPA to have logical access to and process Customer Data to provide parts of the Services.
    • “Services” means any product or service provided to the Customer as described in the MSA, Service Schedules, or Statements of Work.
  2. Data Processing Roles & Instructions

    1. When Customer Data is processed by EncodeDotHost, both parties acknowledge and agree that:
      • EncodeDotHost is a Data Processor of Customer Data under the GDPR.
      • The Customer is a Data Controller of Customer Data under the GDPR.
    2. EncodeDotHost will only act and process Customer Data in accordance with the documented instruction from the Customer (the “Instruction”), unless required by law to act without such Instruction.
    3. The Instruction at the time of entering into this DPA is that EncodeDotHost may only process Customer Data with the purpose of delivering Services as described in the MSA and any applicable SOW.
    4. EncodeDotHost will inform the Customer of any instruction that it deems to be in violation of the GDPR and will not execute the instructions until they have been confirmed or modified.
  3. Confidentiality

    1. EncodeDotHost shall treat all Customer Data as strictly confidential information. Customer Data may not be copied, transferred, or otherwise processed in conflict with the Instruction from the Customer unless required by law.
    2. EncodeDotHost employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all Customer Data under this DPA with strict confidentiality and only process Customer Data in accordance with the Instruction.
  4. Sub-Processing

    1. The Customer authorises EncodeDotHost to engage third parties to process Customer Data (“Sub-Processors”) without obtaining any further written, specific authorisation. EncodeDotHost will restrict Sub-Processor access to Customer Data to what is strictly necessary to provide the Services.
    2. EncodeDotHost shall complete a written agreement with any Sub-Processors containing data protection obligations no less protective than those applicable under this DPA. EncodeDotHost remains accountable for any Sub-Processor in the same way as for its own actions and omissions.
    3. EncodeDotHost will inform the Customer of any new Sub-Processor engagements at least 30 days before the new Sub-Processor processes any Customer Data (via email or control panel notification).
    4. The Customer has the right to object to the use of a new Sub-Processor by terminating this Addendum and the associated Services in accordance with the MSA.
  5. Security

    1. EncodeDotHost will implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with GDPR Article 32.
    2. The Customer acknowledges that EncodeDotHost may update or modify the security measures from time to time, provided that such updates do not result in the degradation of the overall security.
  6. Data Breach Notifications

    1. If EncodeDotHost becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data on systems managed by EncodeDotHost, EncodeDotHost agrees to notify the Customer without undue delay.
    2. EncodeDotHost will make reasonable efforts to identify the cause of any breach and take necessary steps to prevent such a breach from reoccurring.
    3. Data Breach Notifications will not include unsuccessful attempts or activities that do not compromise the security of Customer Data (e.g., unsuccessful log-in attempts, pings, port scans, denial of service attacks).
  7. Data Subject Rights

    1. If EncodeDotHost directly receives a request from a Data Subject to exercise their rights in relation to Customer Data, it will forward the request to the Customer. The Customer must respond to any such request within the timeframes specified by the GDPR.
    2. EncodeDotHost will assist the Customer in fulfilling any obligation to respond to requests by Data Subjects, which may include providing technical controls via the control panel.
  8. Compliance and Audit Rights

    1. EncodeDotHost agrees to maintain records of its security standards and, upon written request by the Customer, shall make available all relevant information necessary to demonstrate compliance with this DPA.
    2. The Customer agrees any audit or inspection shall be carried out with reasonable prior written notice of no less than 30 days and shall not be conducted more than once in any 12-month period. If EncodeDotHost declines the request, the Customer is entitled to terminate this DPA and the Services.
  9. Return or Deletion of Data

    1. EncodeDotHost only retains Customer Data for as long as required to fulfil the purposes for which it was initially collected.
    2. Termination of this DPA or the Services in line with the MSA will result in all Customer Data being deleted, unless otherwise required by law. For Customer Data archived on back-up systems, EncodeDotHost shall securely isolate and protect it from any further processing until deletion is possible.
  10. Limitation of Liability

    1. The total aggregate liability of each party under this DPA shall be strictly subject to the limitation of liability provisions set out in the Master Services Agreement (MSA).
    2. In no instance will EncodeDotHost be liable for any losses or damages suffered by the Customer where the Customer is using the Services in violation of the Acceptable Use Policy (AUP) or MSA.

Annex 1 – Approved Sub-Processors

Company | Service / Function
--- | ---
Stripe Inc | Credit/Debit Card Payment Processing
GoCardless | Direct Debit Payment Processing
Internet Domain Service BS Corp. | Domain Name Registration
Nominet | Domain Name Registration
Netistrar | Domain Name Registration

 

 

 

