Data Processing Agreement
Effective 1 March 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the agreement between Altrera Industries ("Processor") and the customer ("Controller") for the use of Lustre. It governs the processing of personal data by Altrera Industries on behalf of the Controller.
2. Definitions
Terms used in this DPA have the meanings given in the UK GDPR and the Data Protection Act 2018:
- "Personal Data" — any information relating to an identified or identifiable natural person
- "Processing" — any operation performed on personal data
- "Data Subject" — the individual to whom personal data relates
- "Supervisory Authority" — the relevant national data protection authority
3. Processor Obligations
Altrera Industries shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to Data Subject rights requests
- Delete or return all personal data upon termination, at the Controller's election
- Make available information necessary to demonstrate compliance with this DPA
4. Controller Obligations
The Controller warrants that it has a lawful basis under the UK GDPR and the Data Protection Act 2018 for the personal data provided to the Service, and that its instructions comply with applicable data protection law.
5. Sub-processors
The Controller authorises the use of sub-processors listed on our Subprocessors page. Altrera Industries will notify the Controller of any intended changes and provide 30 days to object before engaging a new sub-processor.
6. Security
Altrera Industries maintains the technical and organisational measures described in our Security page. We will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach.
7. International Transfers
Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), as approved by the Secretary of State, or another mechanism approved by the ICO.
8. Audit Rights
Altrera Industries will provide all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Controller or a mandated auditor, subject to reasonable notice and confidentiality obligations.
9. Term & Termination
This DPA remains in force for the duration of the main service agreement. Upon termination, Altrera Industries will delete or return personal data within 90 days.
10. Contact
To execute a signed DPA or for questions, contact legal@altrera.com.