This Data Processing Agreement ("DPA", version 1.0) forms part of the agreement between TraceLoom, Inc. ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "your") for the use of the TraceLoom platform. This DPA sets out the terms on which we process personal data on your behalf in compliance with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that you submit to the Platform, including but not limited to: worker names, contact information, facility personnel records, and any other data that constitutes personal data under applicable Data Protection Laws.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, and any national implementing legislation.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction, whether automated or manual.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller. "Reasonable grounds" for objection under Section 4 means a documented data-protection concern (e.g., adequacy, regulatory finding, demonstrated security incident).
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and roles
You are the Controller of the Personal Data you submit to the Platform. TraceLoom is the Processor, processing Personal Data solely on your behalf and in accordance with your documented instructions.
The categories of Personal Data processed include: worker names and roles, facility contact information, personnel headcounts by department, incident records (aggregated, no individual health data), and user account information (name, email, role). The data subjects include your employees, contractor personnel, and facility staff whose data you submit to the Platform.
The purpose of processing is to provide the supply chain intelligence services described in the Terms of Service, including emissions tracking, compliance scorecards, quality monitoring, worker welfare reporting, and automated alerts.
3. Processor obligations
TraceLoom shall:
- Process Personal Data only on your documented instructions, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law — in which case we shall inform you of that legal requirement before processing, unless the law prohibits such disclosure.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), row-level security isolating tenant data, access controls and authentication mechanisms, regular testing and assessment of security measures, and pseudonymisation where appropriate.
- Not engage another processor (Sub-processor) without your prior written authorisation. Where general authorisation is granted, we shall inform you of any intended changes to Sub-processors, giving you the opportunity to object.
- Taking into account the nature of the processing, assist you by appropriate technical and organisational measures in fulfilling your obligation to respond to data subject access requests and other rights under Data Protection Laws.
- Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- At your choice, delete or return all Personal Data upon termination of the service, and delete existing copies unless storage is required by applicable law. We provide a 30-day data export window following account termination.
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by you or an auditor mandated by you, subject to the audit provisions in Section 8.
4. Sub-processors
You provide general authorisation for TraceLoom to engage the Sub-processors listed below. We shall notify you at least 30 days before adding or replacing a Sub-processor, giving you the right to object. If you object on reasonable grounds relating to data protection, and we cannot resolve the objection, you may terminate the affected services.
Current sub-processors
| Sub-processor | Purpose | Region | Certification |
|---|---|---|---|
| Supabase, Inc. | Database, auth, API | AWS us-east-2 (Virginia, USA) | SOC 2 Type II · DPA in place |
| Vercel, Inc. | App hosting, CDN, serverless | Vercel Edge Network (global, primary US) | SOC 2 · DPA in place |
| Resend | Transactional email | USA | SOC 2 · DPA in place |
| Payment processor | Card processing | USA / EU | PCI-DSS Level 1 · No card data on TraceLoom |
Each Sub-processor is bound by a data processing agreement imposing obligations no less protective than those set out in this DPA. TraceLoom remains fully liable to you for the performance of each Sub-processor's obligations.
5. International data transfers
Personal Data may be transferred to and processed in the United States, where our primary infrastructure is hosted. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed to provide an adequate level of data protection, we rely on the following transfer mechanisms:
Standard Contractual Clauses (SCCs): We incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) into this DPA by reference. The applicable SCCs are available on request to legal@traceloom.com.
Supplementary measures: In addition to the SCCs, we implement supplementary technical measures including end-to-end encryption, access controls limiting data access to authorised personnel, and tenant isolation at the database level.
We shall promptly notify you if we become aware that we can no longer meet our obligations under the applicable transfer mechanism, and shall work with you to identify an alternative lawful basis for transfer or, if none is available, cease processing.
6. Data breach notification
In the event of a Data Breach affecting Personal Data processed under this DPA, TraceLoom shall:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach, providing: the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
- Cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
- Not notify any third party of the breach without your prior written consent, unless required by applicable law.
Notifications will be sent to the primary account email address and to the designated Data Protection contact, if one has been configured in your organisation settings.
7. Data subject rights
TraceLoom shall, taking into account the nature of the processing, assist you by appropriate technical and organisational measures in responding to requests from data subjects exercising their rights under Data Protection Laws, including the rights of access, rectification, erasure, restriction, portability, and objection.
If TraceLoom receives a request directly from a data subject regarding Personal Data processed under this DPA, we shall promptly redirect the data subject to you and notify you of the request, unless otherwise required by law. We shall not respond to the request ourselves without your prior authorisation, except to confirm that the request relates to your account.
TraceLoom provides self-service data export functionality (JSON and CSV formats) within the Platform to assist you in fulfilling data portability requests.
8. Audit rights
You have the right to audit TraceLoom's compliance with this DPA. TraceLoom shall make available all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits.
Audit procedures:
- You shall provide at least 30 days' written notice of any audit request.
- Audits shall be conducted during normal business hours, no more than once per calendar year, unless a Data Breach or regulatory investigation necessitates an additional audit.
- You may appoint a qualified independent third-party auditor, subject to reasonable confidentiality obligations. TraceLoom may object to an auditor if there are reasonable grounds (e.g., a competitor).
- TraceLoom may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or completed security questionnaires, where these adequately address the audit scope.
- Each party shall bear its own costs in connection with any audit, unless the audit reveals a material breach of this DPA by TraceLoom, in which case TraceLoom shall bear reasonable audit costs.
9. Data retention and deletion
TraceLoom shall process Personal Data for the duration of the service agreement. Upon termination or expiry of your subscription:
- We provide a 30-day data export window during which you may export all Personal Data in structured, machine-readable formats (JSON, CSV).
- After the export window, we shall delete all Personal Data within 30 additional days, unless retention is required by applicable law or regulation.
- We shall provide written confirmation of deletion upon your request.
- Anonymised, aggregated data that cannot be used to identify any individual or organisation may be retained for product improvement purposes.
- Backup copies are automatically purged within 90 days of the deletion date through our standard backup rotation schedule.
10. Term and termination
This DPA shall remain in effect for the duration of your use of the TraceLoom platform and shall automatically terminate when all Personal Data has been deleted or returned in accordance with Section 9.
Sections 6 (Data Breach Notification), 8 (Audit Rights), and 9 (Data Retention and Deletion) shall survive termination of this DPA.
11. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA shall limit either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted under applicable law.
12. Governing law
This DPA shall be governed by and construed in accordance with the laws stated in the Terms of Service, except where Data Protection Laws require the application of the law of the EU member state or UK in which the Controller is established.
13. Contact
For questions about this DPA or to exercise your rights under it, contact:
TraceLoom, Inc. A registered office address will be published here once established.
For privacy inquiries and to exercise your GDPR rights, email traceloom.test@gmail.com.