Data Processing Agreement
Last updated: April 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the subscription agreement between ICS Ops ("Processor") and the subscribing organisation ("Controller"). It governs the processing of personal data carried out by ICS Ops on behalf of the Controller in connection with the ICS platform.
ICS Ops acts solely as a data processor. The Controller determines the purposes and means of processing, and ICS Ops processes personal data only to provide the contracted services. This DPA is incorporated by reference into the Terms of Service and applies automatically upon subscription.
2. Definitions
In this DPA, the following terms have the meanings set out below, consistent with UK GDPR and the Data Protection Act 2018:
- Personal Data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- Data Subject: the natural person to whom personal data relates.
- Controller: the subscribing organisation that determines the purposes and means of processing.
- Processor: ICS Ops, which processes personal data on behalf of the Controller.
- Subprocessor: a third party engaged by ICS Ops to process personal data in connection with the services.
3. Processing Instructions
ICS Ops processes personal data only on documented instructions from the Controller, including instructions given through configuration and use of the platform. Processing is limited to the purposes described in this DPA and the Terms of Service.
If ICS Ops determines that an instruction would infringe UK GDPR or any other applicable data protection law, it will promptly inform the Controller. ICS Ops will not carry out any instruction it considers unlawful. Unless prohibited from doing so by law, ICS Ops will notify the Controller before complying with any legal obligation to disclose personal data.
4. Data Details
- Subject matter: provision of the ICS parts inventory, orders, accounts, jobs, invoicing, and related operational management services.
- Duration: for the term of the subscription, and as set out in Section 11 (Term and Termination) regarding retention after termination.
- Nature and purpose: storage, retrieval, display, and structured management of operational business data on behalf of the Controller.
- Types of personal data: contact names, email addresses, phone numbers, postal addresses, job titles, account reference details, IP addresses, and session data (for authenticated users).
- Categories of data subjects: employees and staff of the Controller, customers, suppliers, and other contacts managed within the platform.
5. Processor Obligations
ICS Ops commits to the following obligations:
- Confidentiality: all personnel authorised to process personal data are bound by confidentiality obligations.
- Security measures: ICS Ops implements and maintains the technical and organisational measures described in Section 6.
- Subprocessor management: subprocessors are engaged under written contracts that impose equivalent data protection obligations. See Section 7.
- Data subject rights (DSR): ICS Ops will assist the Controller in responding to data subject requests under Articles 15-22 of UK GDPR, by providing appropriate tooling and cooperation.
- Breach notification: ICS Ops will notify the Controller of a personal data breach in accordance with Section 10.
- Deletion or return: on termination, ICS Ops will return or delete personal data as described in Section 11.
- Audit rights: ICS Ops will provide information necessary to demonstrate compliance and permit audits or inspections by the Controller or a mandated auditor, upon 30 days' written notice and no more than once per calendar year, subject to reasonable confidentiality arrangements.
- DPIAs: ICS Ops will assist the Controller in carrying out data protection impact assessments where required.
6. Security Measures
ICS Ops implements the following technical and organisational measures to protect personal data:
- AES-256 encryption at rest for all stored data.
- TLS in transit with HSTS enforced for all web and API communication.
- Row-Level Security (RLS) enforcing strict tenant isolation at the database layer.
- Role-Based Access Control (RBAC) with a five-tier permission model limiting data access to authorised users.
- Cognito-managed authentication requiring a minimum 12-character password.
- Parameterised database queries throughout, preventing SQL injection.
- AWS WAF, rate limiting, and VPC network isolation for infrastructure protection.
- Secrets Manager with automatic credential rotation.
- 35-day automated database backups with point-in-time recovery.
- Comprehensive audit logging of all create, update, and delete operations.
- 1,400+ automated tests, including multi-tenancy isolation tests, run against production infrastructure.
7. Subprocessors
The Controller grants general authorisation to ICS Ops to engage the subprocessors listed at /legal/subprocessors. All subprocessors are engaged under written data processing agreements that impose equivalent protections to this DPA.
ICS Ops will give the Controller at least 30 days' written notice before adding or replacing a subprocessor. The Controller has the right to object to such a change during the notice period. If a reasonable objection cannot be resolved, the Controller may terminate the relevant services on written notice.
8. International Transfers
All primary data storage and processing takes place within AWS EU-West-2 (London), in the United Kingdom. No personal data is routinely transferred outside the UK except to PostHog, whose analytics infrastructure is hosted in the EU (Frankfurt, Germany).
The UK's adequacy regulations in respect of the European Economic Area are renewed to 27 December 2031, covering transfers to PostHog. For any transfer to a country without a UK adequacy decision, ICS Ops will rely on the UK International Data Transfer Agreement (IDTA) or equivalent safeguards.
9. Data Subject Rights
ICS Ops will assist the Controller in fulfilling its obligations under Articles 15-22 of UK GDPR, including the rights of access, rectification, erasure, restriction, data portability, and objection.
If ICS Ops receives a request directly from a data subject, it will notify the Controller promptly and will not respond to the data subject directly unless instructed to do so by the Controller or required to do so by law.
10. Breach Notification
ICS Ops will notify the Controller of any personal data breach without undue delay and in any event within 48 hours of becoming aware of it. Notification will include, to the extent then known:
- The nature of the breach, including categories and approximate numbers of data subjects and records affected.
- The name and contact details of the data protection contact at ICS Ops.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
The 48-hour notification window is designed to give the Controller sufficient time to meet its own 72-hour obligation to notify the Information Commissioner's Office (ICO) where required.
11. Term and Termination
This DPA is effective for the duration of the subscription. On expiry or termination of the subscription:
- The Controller may export its data in CSV format at any time during the subscription or within a 30-day grace period following termination.
- After the 30-day grace period, all personal data will be deleted from live systems.
- Automated backups containing personal data rotate and are deleted within 35 days of their creation.
- ICS Ops will provide written confirmation of deletion on request.
- Anonymised or aggregated data that cannot identify any individual may be retained for product improvement and analytics purposes.
12. Governing Law
This DPA is governed by the laws of Scotland. Any dispute arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the Scottish courts, without prejudice to any mandatory consumer protection rights that may apply.
Contact Us
Email: hello@ics-ops.com