Data Processing Agreement
Note: This agreement is entered into between Wood Cyber Security Services Ltd (the Processor) and the client organisation named in Schedule 1 (the Controller). It forms part of, and is supplemental to, the main services agreement or statement of work between the parties. In the event of conflict, this agreement takes precedence in respect of data protection matters.
Parties
Data Processor: Wood Cyber Security Services Ltd, a company registered in England and Wales (Company No. 17186515) — referred to in this agreement as "the Processor" or "Wood Cyber".
Data Controller: The organisation named in Schedule 1 — referred to in this agreement as "the Controller".
Each a "Party", together the "Parties".
1. Definitions
In this agreement, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in UK GDPR.
- "Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any subordinate legislation or regulation made under them, as amended from time to time.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under this agreement.
- "Processing" has the meaning given in Applicable Data Protection Law and includes any operation performed on Personal Data, whether or not by automated means.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-Processor" means any third party engaged by the Processor to carry out processing activities on Personal Data on behalf of the Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Services" means the cybersecurity services described in Schedule 1 and in the applicable statement of work or services agreement between the Parties.
2. Processing Details
The details of the processing carried out under this agreement are set out in Schedule 1. The Processor shall process Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services.
3. Processor Obligations
The Processor shall, in relation to Personal Data processed on behalf of the Controller:
- Process Personal Data only on the documented instructions of the Controller, unless required to do otherwise by applicable law. Where the Processor is required by law to process Personal Data other than in accordance with the Controller's instructions, it shall notify the Controller before such processing unless prohibited by law from doing so.
- Ensure that persons authorised to process Personal Data are subject to binding obligations of confidentiality, whether by contract or statutory duty.
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Schedule 2.
- Not engage any Sub-Processor without the prior written authorisation of the Controller. Where Sub-Processors are authorised, the Processor shall impose data protection obligations on them equivalent to those set out in this agreement. The Processor shall remain fully liable to the Controller for the acts and omissions of its Sub-Processors. The list of approved Sub-Processors is set out in Schedule 3.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to Data Subject rights requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, portability, and objection.
- Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Services, and delete existing copies unless storage is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall inform the Controller immediately if, in its opinion, an instruction given by the Controller infringes Applicable Data Protection Law.
4. Controller Obligations
The Controller warrants and represents that:
- It has a lawful basis for processing the Personal Data and is entitled to disclose it to the Processor for the purposes described in Schedule 1.
- It has provided all necessary notices to, and obtained all necessary consents from, Data Subjects where required under Applicable Data Protection Law.
- It will provide the Processor with clear and documented instructions regarding the processing of Personal Data.
- It will notify the Processor promptly of any changes to its instructions that may affect the Processor's obligations under this agreement.
5. Security Incidents
- The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Security Incident involving Personal Data processed under this agreement.
- Such notification shall include, to the extent then known: a description of the nature of the Security Incident; the categories and approximate number of Data Subjects concerned; the categories and approximate number of Personal Data records concerned; the likely consequences of the Security Incident; and measures taken or proposed to address it.
- The Processor shall cooperate with the Controller and take such steps as are reasonably required to assist in the investigation, mitigation, and remediation of each Security Incident.
- The Processor's obligation to notify under this clause does not constitute an admission of fault or liability.
6. International Transfers
The Processor shall not transfer Personal Data outside the United Kingdom without the prior written consent of the Controller, and then only where an appropriate transfer mechanism under Applicable Data Protection Law is in place, such as adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU standard contractual clauses.
Where Sub-Processors listed in Schedule 3 are located outside the UK, the Processor confirms that appropriate transfer mechanisms are in place as noted in that Schedule.
7. Incidental Personal Data Encountered During Service Delivery
- The Parties acknowledge that, in the course of performing vulnerability scanning, authenticated system scanning, and related technical services, the Processor's tools and personnel may incidentally encounter Personal Data stored within the Controller's systems — including but not limited to user account names, email addresses, and personal data present in system logs, file systems, or configuration outputs.
- The Processor shall apply a principle of data minimisation: it shall not deliberately seek out, extract, copy, or retain such Personal Data beyond what is strictly incidental to the technical assessment.
- Where Personal Data appears within scan outputs or technical reports, it shall be handled with strict confidentiality and shared only with the Controller.
- The Processor shall bring to the Controller's attention any significant volumes of Personal Data encountered that appear to be stored insecurely or in a manner inconsistent with good data protection practice, as this may constitute a relevant finding within the scope of the Services.
8. Audit Rights
- The Processor shall, on reasonable notice (not less than 10 business days, except in the case of a suspected Security Incident), make available to the Controller such information, and permit and contribute to such audits and inspections, as are reasonably necessary to verify compliance with this agreement.
- Audits shall be conducted at the Controller's expense, during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations.
- The Processor may satisfy this obligation by providing up-to-date third-party audit certifications or summary reports where available.
9. Duration and Termination
- This agreement shall come into force on the date of last signature and shall continue for the duration of the Services.
- On termination or expiry of the Services, the Processor shall, at the Controller's written election, either securely delete or return all Personal Data processed under this agreement within 30 days, and provide written confirmation of deletion or return upon request.
- Obligations under this agreement that by their nature should survive termination shall do so, including obligations of confidentiality and those relating to completed processing activities.
10. Liability
Each Party's liability under or in connection with this agreement shall be subject to the limitations and exclusions set out in the main services agreement between the Parties. Nothing in this agreement limits either Party's liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot be limited or excluded by law.
11. Governing Law and Jurisdiction
This agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The Parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
Signatures
By signing below, each Party agrees to be bound by the terms of this Data Processing Agreement.
Signed for and on behalf of the Processor: Wood Cyber Security Services Ltd (Company No. 17186515)
Signed for and on behalf of the Controller: [Company name & registration number as named in Schedule 1]
Schedule 1 — Processing Details
Complete this Schedule for each engagement. Both Parties should agree its contents before signing.
| Item | Details |
|---|---|
| Subject matter | Cybersecurity assessment services as described in the accompanying statement of work |
| Duration | For the duration of the engagement as agreed in the statement of work |
| Nature of processing | Access, collection, analysis, and reporting of data held within the Controller's systems, networks, and cloud tenants for the purpose of identifying security vulnerabilities and assessing compliance posture |
| Purpose of processing | Delivery of one or more of: network vulnerability scanning; authenticated system scanning; Microsoft 365 tenant audit; AWS / Google Cloud security audit; Cyber Essentials / CE+ preparation; ISO 27001 preparation — as specified in the statement of work |
| Types of Personal Data | Data incidentally encountered within the Controller's systems, which may include: user account names; email addresses; IP addresses attributed to individuals; names associated with device ownership or software licences; personal data present in system logs, configuration files, or file systems within scope of the assessment |
| Categories of Data Subjects | The Controller's employees, contractors, and any other individuals whose personal data is held within the Controller's in-scope systems |
Schedule 2 — Technical and Organisational Measures
Wood Cyber implements and maintains the following measures to protect Personal Data processed under this agreement.
Access Control
- Access to client data and deliverables is restricted to personnel directly involved in the engagement
- Strong, unique credentials are used for all systems handling client data
- Multi-factor authentication is applied to cloud services and remote access
Data in Transit
- All client reports and deliverables are transmitted via encrypted channels (TLS/HTTPS or encrypted file transfer)
- Unencrypted email is not used to transmit scan outputs containing Personal Data without the Controller's explicit consent
Data at Rest
- Client data stored on local or cloud systems is held on encrypted storage
- Scan outputs and reports are stored in access-controlled environments for the duration of the retention period
Data Minimisation and Retention
- Personal Data encountered incidentally during scanning is not deliberately extracted or retained beyond what is necessary to produce the agreed deliverables
- Client data is securely deleted at the end of the agreed retention period using appropriate secure deletion methods
Confidentiality
- All personnel involved in service delivery are subject to binding confidentiality obligations
- Client information is not disclosed to third parties except as required to deliver the Services or as required by law
Incident Response
- Procedures are in place to detect, investigate, and report Security Incidents within the timescales set out in this agreement
- Incidents are logged and reviewed to prevent recurrence
Physical Security
- Work involving client data is performed in a physically secure environment with appropriate access controls
- Portable devices used for engagements are encrypted and protected by strong authentication
Schedule 3 — Approved Sub-Processors
The Controller provides general written authorisation for the Processor to engage the following Sub-Processors. The Processor shall notify the Controller of any intended changes (additions or replacements) to this list, giving the Controller the opportunity to object before the change takes effect.
| Sub-Processor | Location | Purpose | Transfer mechanism |
|---|---|---|---|
| Microsoft Corporation | USA / EU | Storage and transmission of client reports and correspondence via Microsoft 365 | UK adequacy / Microsoft DPA and IDTA-compliant terms |
Additional Sub-Processors specific to the engagement (e.g. specialist scanning platforms) will be agreed with the Controller and appended to this Schedule prior to use.