Data Processing Agreement

Last updated: 5 April 2026  ·  Voov Digital Limited T/A BeansSuite  ·  Company No. 08871876


This Data Processing Agreement ("DPA") forms part of the agreement between Voov Digital Limited T/A BeansSuite ("Processor") and the subscribing organisation ("Controller") for use of the BeansSuite platform ("Service").

By accessing or using the Service, the Controller agrees to the terms of this DPA. No countersignature is required — acceptance is self-service and takes effect on first use.

This DPA is designed to satisfy the requirements of Article 28 of UK GDPR and Article 28 of EU GDPR (Regulation 2016/679).

1. Definitions

  • "Controller" — the subscribing organisation that determines the purposes and means of processing personal data using the Service
  • "Processor" — Voov Digital Limited T/A BeansSuite (Company No. 08871876)
  • "Personal Data" — any information relating to an identified or identifiable natural person processed through the Service
  • "Data Subject" — the individual to whom Personal Data relates
  • "Processing" — any operation performed on Personal Data
  • "Sub-processor" — any third party engaged by the Processor to process Personal Data
  • "Applicable Law" — UK GDPR, the UK Data Protection Act 2018, and EU GDPR where applicable

2. Subject matter, nature and purpose of processing

The Processor processes Personal Data solely to provide the Service to the Controller, including:

  • Storing and retrieving CRM records (people, organisations, leads, deals, activities)
  • Generating and delivering quotes, estimates and signed documents
  • Processing e-signatures including OTP verification and document hashing
  • Storing files in the Controller's configured cloud storage (Google Drive)
  • Sending transactional email notifications on the Controller's behalf
  • Maintaining audit trails of data access and modification

3. Types of personal data

  • Names, email addresses, phone numbers, postal addresses
  • Organisation names and job titles
  • Geographic location data (latitude/longitude, What3Words references)
  • Financial information included in quotes and payment records
  • E-signature data: name, IP address, timestamp, OTP confirmation record
  • Platform user credentials (hashed passwords, session data, 2FA records)
  • User-uploaded files and documents

4. Categories of data subjects

  • The Controller's customers, leads, prospects and contacts
  • The Controller's employees and team members using the platform
  • Third parties referenced in CRM records, notes, or documents

5. Duration of processing

Processing continues for the duration of the Controller's active subscription. On termination or expiry, the Processor will delete or return Personal Data in accordance with clause 12 below.

6. Controller's obligations

The Controller warrants and represents that:

  • It has a valid lawful basis under Applicable Law for all Personal Data entered into the Service
  • It has provided all required notices to Data Subjects and obtained any necessary consents
  • Its instructions to the Processor comply with Applicable Law
  • It is responsible for the accuracy and legality of Personal Data it submits

7. Processor's obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by law
  • Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain the technical and organisational measures described in clause 8
  • Assist the Controller in fulfilling its obligations regarding Data Subject rights (clause 10)
  • Notify the Controller promptly of any Personal Data breach in accordance with clause 11
  • Make available all information necessary to demonstrate compliance with this DPA
  • Delete or return Personal Data on termination in accordance with clause 12
  • Not engage new sub-processors without notifying the Controller in accordance with clause 9

8. Security measures

The Processor implements the following technical and organisational measures:

  • TLS encryption for all data in transit
  • Encrypted storage at rest for database and file storage
  • Passwords stored exclusively as bcrypt hashes (never plain text)
  • Two-factor authentication (2FA) available for all platform users
  • Role-based access controls with per-module, per-brand permission boundaries
  • Comprehensive audit trail logging all data access and modification events
  • Concurrent session limits and automatic session invalidation
  • SHA-256 document hashing for signed contracts
  • Regular security reviews and dependency updates

The Processor may update security measures over time provided the overall level of protection is not reduced.

9. Sub-processors

The Controller grants general authorisation to the Processor to engage the sub-processors listed at beanssuite.com/legal/sub-processors.

The Processor shall:

  • Update the sub-processors page before engaging any new sub-processor
  • Notify the Controller of material changes by email at least 14 days in advance where reasonably practicable
  • Impose data protection obligations on sub-processors that are no less protective than this DPA
  • Remain liable to the Controller for the acts and omissions of its sub-processors

The Controller may object to a new sub-processor by contacting privacy@beanssuite.com within 14 days of notification.

10. Data subject rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Law (access, rectification, erasure, restriction, portability, objection). The Processor will:

  • Forward any Data Subject requests received directly to the Controller within 5 business days
  • Provide reasonable technical assistance to the Controller in fulfilling requests
  • Process verified erasure requests within 30 days

Audit trail entries referencing an erased individual are anonymised rather than deleted to preserve record integrity, in accordance with the Processor's Privacy Policy.

11. Personal data breaches

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware
  • Provide sufficient information to allow the Controller to meet its own notification obligations to supervisory authorities and Data Subjects
  • Take reasonable steps to contain and remediate the breach
  • Cooperate with the Controller's investigation

Breach notifications should be sent to the Controller's registered email address. Controllers should notify the Processor of security concerns at privacy@beanssuite.com.

12. Return and deletion of data

On termination or expiry of the Controller's subscription, the Processor shall:

  • Provide the Controller with a data export in a structured, machine-readable format upon request
  • Permanently delete all Personal Data within 90 days of subscription end, unless a legal hold applies
  • Confirm deletion in writing upon request

Signed document archives subject to a legal retention obligation will be retained for the applicable statutory period and then deleted.

13. International data transfers

Where Personal Data is transferred outside the UK or EEA, the Processor ensures appropriate safeguards:

  • UK transfers: International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU SCCs
  • EU transfers: Standard Contractual Clauses (SCCs) as approved under EU GDPR

Details of transfer mechanisms for each sub-processor are listed on the Sub-processors page.

14. Audits and compliance

The Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA. Where the Controller (or its appointed auditor) requests an audit, the parties shall agree the scope, timing and cost in advance. Audits shall not unreasonably disrupt the Processor's operations.

15. Liability and indemnity

Each party's liability under this DPA is subject to the limitations set out in the main subscription agreement. The Processor shall not be liable for Personal Data breaches caused by the Controller's failure to comply with its obligations under clause 6.

16. Governing law

This DPA is governed by the laws of England and Wales. For EU-based Controllers, where EU GDPR applies, the parties agree that EU law governs to the extent required for compliance with EU GDPR obligations.

17. Changes to this DPA

The Processor may update this DPA to reflect changes in Applicable Law or processing activities. The "Last updated" date will be updated accordingly. Continued use of the Service constitutes acceptance. Material changes will be notified by email.

18. Contact

Voov Digital Limited T/A BeansSuite
Registered in England & Wales — Company No. 08871876
Email: privacy@beanssuite.com
