Effective: 9 December 2024
1. Introduction
1.1 This Data Processing Agreement ("DPA") forms part of the agreement between Ambr Technologies Limited ("Supplier") and the customer entity identified in the applicable Order Form ("Customer"), which incorporates by reference the Supplier's Terms and Conditions (the "Agreement"). This DPA sets out the terms on which the Supplier will process Customer Personal Data on behalf of the Customer in accordance with Data Protection Legislation.
1.2 All capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to data protection matters.
1.3 This DPA is intended to ensure compliance with Data Protection Legislation, including the UK GDPR and Data Protection Act 2018, as well as other applicable laws.
2. Definitions
2.1 "Data Protection Legislation" means all applicable data protection and privacy laws, regulations, and legally binding codes of practice in force from time to time, including the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, each as amended or replaced from time to time.
2.2 "Personal Data" or "Customer Personal Data" means any personal data (as defined under the UK GDPR) that the Supplier processes on behalf of the Customer pursuant to the Agreement.
2.3 "Controller", "Processor", "Data Subject", "Processing", "Personal Data Breach" and all related expressions shall have the meanings given to them in the UK GDPR.
2.4 "Sub-Processor" means any third party engaged by the Supplier to process Customer Personal Data on behalf of the Customer.
3. Roles and Scope of Processing
3.1 The parties acknowledge that the Customer is the Controller and the Supplier is the Processor of the Customer Personal Data processed under the Agreement.
3.2 The Supplier shall only process the Customer Personal Data on documented instructions from the Customer, including as set out in the Agreement and this DPA, unless otherwise required by applicable law (in which case the Supplier shall use reasonable efforts to notify the Customer before such processing, unless legally prohibited).
4. Purpose, Nature, and Categories of Data
4.1 Purpose: The Supplier processes the Customer Personal Data solely to provide AI-powered training services (e.g., through simulated conversations, feedback, and progress tracking) as further described in the Agreement and Order Form.
4.2 Nature and Scope of Processing: Processing includes collection, storage, analysis, retrieval, and use of Customer Personal Data to facilitate the Supplier's services and related support.
4.3 Types of Personal Data may include, without limitation:
Identifiers: Names, email addresses, job titles, departments, usernames
Voice Data: Voice recordings of simulated conversations
Transcripts: Transcripts of these simulated conversations
Performance Data: Performance metrics, feedback data, usage statistics, progress tracking information
Other Data: IP addresses, self-reported skill levels, organisational role and reporting structure
4.4 Categories of Data Subjects may include:
Customer's employees, managers, and administrators participating in training
Contractors or consultants included in the management training programme
4.5 The duration of processing shall be for the term set out in the Agreement plus any additional retention period required by applicable law or as necessary to establish, exercise, or defend legal claims.
5. Data Subject Rights and Assistance
5.1 The Supplier shall, taking into account the nature of the processing, implement appropriate technical and organisational measures to assist the Customer in fulfilling its obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Legislation. This assistance (provided at the Customer's cost) includes:
Promptly notifying the Customer of any Data Subject request received directly (and in any event within five (5) days).
Not responding to any such request without the Customer's express written approval (unless required by law).
6. Security Measures and Breach Notification
6.1 The Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
6.2 In the event the Supplier becomes aware of a Personal Data Breach affecting Customer Personal Data, it shall promptly (and in any event within twenty-four (24) hours) notify the Customer and provide all information the Customer reasonably requires to meet its obligations to report or inform Data Subjects of the breach under Data Protection Legislation.
7. Sub-Processors
7.1 The Customer generally authorises the Supplier to engage Sub-Processors to process Customer Personal Data. The Supplier shall:
Impose on any Sub-Processor data protection obligations that are materially similar to those set out in this DPA.
Remain liable to the Customer for the performance of Sub-Processors' obligations.
7.2 The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object to such changes. Where the Customer objects and cannot demonstrate an actual or likely breach of Data Protection Legislation as a reason for the objection, the Customer shall indemnify the Supplier against all losses arising out of accommodating the objection.
8. International Transfers
8.1 The Supplier may transfer Customer Personal Data outside of the UK and/or the EEA as necessary, provided that all such transfers comply with Data Protection Legislation. This may include entering into the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or other appropriate transfer mechanisms.
8.2 The Customer agrees to cooperate with the Supplier's efforts to implement any required data transfer mechanisms and shall sign additional documents or provide information reasonably requested by the Supplier to effect such mechanisms.
9. Return or Deletion of Data
9.1 Upon termination or expiry of the Agreement, and at the Customer's written direction, the Supplier shall delete (so far as technically possible) or return all Customer Personal Data within thirty (30) days, unless continued storage is required by applicable law. Customer Personal Data shall be considered deleted where it can no longer be used by the Supplier.
10. Liability and Indemnities
10.1 Nothing in this DPA limits any liability which cannot be excluded or limited under applicable law.
10.2 Subject to clause 10.1, the Supplier's total aggregate liability arising under or in connection with this DPA and the Data Protection Legislation, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed £2,000,000.
10.3 The Supplier shall indemnify and keep indemnified the Customer against all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis) arising out of or in connection with any breach by the Supplier of its obligations under this DPA, subject always to the liability cap in clause 10.2.
11. General
11.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
11.2 If any provision of this DPA is found to be invalid or unenforceable, the remainder of the DPA shall remain in full force and effect.
11.3 This DPA may be executed in counterparts, and its provisions are in addition to and not in substitution for any other rights relating to data protection contained in the Agreement.