Data Processing Agreement (DPA)
Version 1.0 – 29 July 2025
This Data Processing Agreement ("DPA") forms part of the CultureTest Terms of Service (the "Agreement") between Sapien Labs Ltd, registered in England and Wales (company no. 14900100), trading as "CultureTest" and having its registered office at 73 Cornhill, London, EC3V 3QQ ("CultureTest", "we", "us") and the legal entity or person that has accepted the Agreement ("Customer", "you").
By creating an account or otherwise using the Services, you agree that this DPA governs CultureTest’s Processing of Customer Personal Data on your behalf. Capitalised terms not defined here have the meanings set out in the Agreement or applicable Data Protection Laws.
1. Scope
This DPA applies to CultureTest’s Processing of Customer Personal Data (defined below) as Processor on behalf of Customer (acting as Controller) in the course of providing the Services. The parties agree that the Agreement serves as your written instructions for all Processing, unless you provide additional instructions in writing.
2. Definitions
“Customer Personal Data” means any Personal Data that Customer uploads to or generates in the Services and that CultureTest Processes on Customer’s behalf.
“Data Protection Laws” means the UK GDPR, the EU General Data Protection Regulation (EU) 2016/679, and all other laws applicable to CultureTest’s Processing of Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means the EU SCCs (Commission Decision 2021/914) and/or the UK International Data Transfer Agreement or Addendum, as applicable.
Other terms such as Personal Data, Controller, Processor, Process/Processing, and Sub‑processor have the meanings given in Data Protection Laws.
3. CultureTest’s Responsibilities as Processor
- Processing on documented instructions. CultureTest will Process Customer Personal Data only on Customer’s documented instructions and as necessary to provide and improve the Services, unless required to Process by law.
- Confidentiality. CultureTest ensures that persons authorised to Process Customer Personal Data are subject to appropriate confidentiality obligations.
- Security Measures. CultureTest implements the technical and organisational measures described in Appendix 2 ("Security Measures") and will maintain them throughout the term.
- Personal Data Breaches. CultureTest will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide timely information to enable Customer to meet its breach‑notification obligations.
- Assistance. Taking into account the nature of the Processing, CultureTest will assist Customer in fulfilling its obligations (a) to respond to requests from Data Subjects and (b) under Articles 32–36 of the EU/UK GDPR (security, breach notification, DPIA, prior consultation).
- Deletion or Return. Upon termination of the Agreement, CultureTest will, at Customer’s choice, delete or return Customer Personal Data (unless law requires storage). Customer can export or delete data at any time via the admin interface.
- Audit. CultureTest will make available information necessary to demonstrate compliance with this DPA (e.g., SOC 2 or ISO 27001 reports) and allow for audits or inspections in accordance with the “Audit” section of the Agreement.
4. Customer Obligations
Customer is responsible for:
- ensuring that the lawful basis, notices, and consents required under Data Protection Laws for CultureTest’s Processing are obtained;
- not instructing CultureTest to Process Customer Personal Data in a manner that violates Data Protection Laws;
- the accuracy and legality of Customer Personal Data.
5. Sub‑processors
- Authorised Sub‑processors. Customer grants CultureTest a general authorisation to engage the Sub‑processors listed in Appendix 1.
- Sub‑processor Conditions. CultureTest will:
- impose data‑protection obligations on Sub‑processors equivalent to those in this DPA;
- remain liable for any acts or omissions of Sub‑processors that cause CultureTest to breach this DPA; and
- notify Customer of any intended changes at least 15 days in advance, giving Customer the right to object on reasonable data‑protection grounds.
6. International Data Transfers
When Customer Personal Data is transferred outside the UK or EEA to a country without an adequacy decision, the SCCs and/or the UK IDTA/Addendum automatically apply and are incorporated by reference. Execution of the Agreement constitutes execution of the SCCs. If the SCCs are replaced or updated, the parties will cooperate in good faith to implement the updated transfer mechanism.
7. Details of Processing
Item | Details |
---|---|
Subject Matter | Provision of the CultureTest SaaS platform |
Duration | Term of the Agreement plus any legally required retention period |
Nature & Purpose | Collection, storage, analysis, and deletion of data to deliver, maintain, and improve the Services |
Categories of Data Subjects | Customer’s candidates, and other individuals whose data Customer uploads to the Services |
Categories of Personal Data | Contact data (name, email), assessment responses, usage data (IP address, device IDs), and any other data Customer chooses to upload. Special‑category data: only where Customer configures custom questions that collect such data. |
Sensitive Data | CultureTest does not intentionally process special‑category data or children’s data unless supplied by Customer. |
8. Limitation of Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement, except that no limitation applies to breaches of Data Protection Laws resulting in administrative fines that are attributable to that party.
9. Conflict of Terms
If this DPA conflicts with any other part of the Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data.
10. Contact
Questions about this DPA or our privacy practices? Email [email protected].
Appendix 1 – Current Sub‑processors (as at 29 July 2025)
Sub‑processor | Service | Location |
---|---|---|
Amazon Web Services EMEA SARL | Cloud hosting & storage | EU (Ireland) |
Cloudflare, Inc. | Content Delivery Network & edge security | Global (primary data centres EU/US) |
Brevo (Sendinblue SAS) | Transactional email | EU (France) |
Appendix 2 – Technical and Organisational Security Measures
- Information Security Programme. Documented policies reviewed annually.
- Access Controls. Role‑based access; MFA for privileged accounts; least‑privilege principle.
- Encryption. TLS 1.2+ in transit; AES‑256 at rest.
- Network Security. Firewalling, intrusion detection, DDoS protection via Cloudflare.
- Business Continuity & Back‑ups. Encrypted back‑ups stored in a separate region; disaster‑recovery tests at least annually.
- Vulnerability Management. Automated scanning; third‑party penetration testing; patching within SLAs based on severity.
- Employee Training. Mandatory security and privacy training upon hire and annually thereafter.
- Vendor Management. Security and privacy due‑diligence for all vendors and Sub‑processors.