Data Processing Agreement

Customer Personal Data

Personal data processed by Aventine Consultancy Limited on Customer's behalf in connection with the Service.

Data Protection Laws

Applicable privacy and data protection laws, including the UK GDPR, EU GDPR, the Data Protection Act 2018, and laws implementing or supplementing them.

Restricted Transfer

A transfer of Customer Personal Data that requires an approved transfer mechanism under Data Protection Laws.

Subprocessor

A third party engaged by Aventine Consultancy Limited to process Customer Personal Data on Customer's behalf.

• Customer acts as controller, or as a processor with authority to appoint Spotless as a subprocessor, for the Customer Personal Data covered by this DPA.
• Customer is responsible for the lawfulness of its instructions, the accuracy of Customer Personal Data, and providing any notices and obtaining any consents required by Data Protection Laws.
• Customer will not instruct Spotless to process Customer Personal Data in a way that would violate Data Protection Laws.
• Customer remains responsible for reviewing its own configuration choices, user permissions, retention settings, and third-party integrations.

• Spotless will process Customer Personal Data only on Customer's documented instructions, including the instructions described in the Terms, this DPA, and Customer's use of the Service, unless applicable law requires otherwise.
• Spotless will promptly inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
• Spotless will ensure persons authorized to process Customer Personal Data are subject to confidentiality obligations.
• Spotless will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the processing and the information available to Spotless.
• Spotless will assist Customer, taking into account the nature of the processing, with responding to requests from data subjects and with Customer's obligations relating to security, breach notifications, impact assessments, and supervisory authority consultations.
• Spotless will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data.
• Spotless will make available information reasonably necessary to demonstrate compliance with this DPA and the applicable controller-processor contract requirements under Data Protection Laws.

• Customer provides general written authorization for Spotless to use the Subprocessors listed in Schedule 3.
• Spotless will impose data protection obligations on each Subprocessor that are no less protective than the obligations in this DPA, as applicable to the services provided by that Subprocessor.
• Spotless remains responsible for its Subprocessors' performance of the relevant processing obligations.
• Spotless may update its Subprocessors from time to time. Material updates will be reflected on this page or otherwise communicated through the Service.

Customer may also choose to connect third-party platforms, including HubSpot, to the Service. Those third-party platforms remain subject to Customer's own relationship with the relevant provider. This DPA governs Spotless's processing of data received through those customer-authorized integrations.

• Where a Restricted Transfer is required, the parties agree to cooperate in good faith to implement a lawful transfer mechanism.
• For transfers subject to the EU GDPR, the European Commission's controller-to-processor or processor-to-processor Standard Contractual Clauses adopted under Implementing Decision (EU) 2021/914 are incorporated by reference as needed, with the module determined by the parties' roles.
• For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses is incorporated by reference as needed.
• Schedules 1, 2, and 3 of this DPA provide the relevant description of the processing, security measures, and Subprocessors for those transfer mechanisms.

• Spotless will return or delete Customer Personal Data at Customer's choice upon termination or expiry of the Services, unless applicable law requires retention.
• Spotless may retain limited Customer Personal Data for security, billing, fraud prevention, legal compliance, or dispute resolution purposes for the period required by applicable law or reasonably necessary for those purposes.
• Certain workspace outputs in Spotless are subject to configurable retention settings made available in the product.

• On reasonable written request, Spotless will provide current information reasonably necessary to demonstrate compliance with this DPA, including high-level descriptions of its security controls.
• Where Customer cannot reasonably satisfy its audit requirements through documentation, the parties will cooperate on a proportionate additional audit process, subject to confidentiality, security, and operational safeguards.
• Unless a confirmed security incident or supervisory authority request requires otherwise, any audit should occur no more than once in a twelve-month period and on reasonable prior notice.

Except where Data Protection Laws require otherwise, each party's liability under this DPA is subject to the exclusions and limitations of liability in the applicable Services agreement. This DPA does not restrict either party's ability to comply with binding legal obligations under Data Protection Laws.

Spotless may update these measures from time to time, provided the overall security posture for Customer Personal Data is not materially diminished.

This schedule reflects the standard Spotless Subprocessors as of April 1, 2026.