Data Processing Agreement
Last updated: February 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Epic Software Labs Ltd ("Processor", "we", "us") and the organisation subscribing to TitanCard services ("Controller", "you", "Client") for the provision of digital business card and contact management services (the "Services").
This DPA sets out the terms on which the Processor will process Personal Data on behalf of the Controller in connection with the Services, in compliance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679).
This DPA should be read alongside our Privacy Policy and Terms and Conditions.
2. Definitions
In this DPA, the following terms have the meanings set out below:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person ("Data Subject") as defined in the UK GDPR. |
| Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction. |
| Data Subject | An identified or identifiable natural person whose Personal Data is processed. In the context of TitanCard, this includes the Controller's employees, team members, and contacts whose information is stored on the platform. |
| Sub-processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller. A current list of sub-processors is available on our Sub-Processors page. |
| SCCs | Standard Contractual Clauses adopted by the European Commission for the transfer of Personal Data to processors established in third countries. |
| UK IDTA | The UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office for the transfer of Personal Data outside the UK. |
| Controller | The Client organisation that determines the purposes and means of the processing of Personal Data. |
| Processor | Epic Software Labs Ltd, which processes Personal Data on behalf of the Controller. |
3. Scope and Purpose of Processing
The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the TitanCard digital business card and contact management Services, which includes:
- creating and managing digital business card profiles for the Controller's team members;
- storing and displaying contact information on digital business cards;
- enabling sharing of business cards via NFC, QR codes, and direct links;
- providing analytics on card views, shares, and saves;
- scanning and digitising physical business cards;
- managing the Controller's team and user accounts;
- processing payments and subscriptions.
4. Categories of Personal Data Processed
The Processor may process the following categories of Personal Data on behalf of the Controller:
- Employee names and display names
- Email addresses
- Phone numbers
- Job titles and roles
- Company and organisation information
- Profile photographs
- Social media profile links
- Physical business addresses
- Scanned business card images and extracted text
- Usage analytics data (card views, shares, saves)
No special category data (as defined in Article 9 of the UK GDPR) is processed under this DPA.
5. Duration of Processing
The Processor shall process Personal Data for the duration of the Controller's subscription to the Services. Upon termination of the subscription, the provisions of Section 14 (Deletion and Return of Data) shall apply.
6. Processor Obligations
The Processor shall:
- process Personal Data only on documented instructions from the Controller, unless required to do so by United Kingdom or European Union law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited from doing so);
- ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Section 10 of this DPA;
- assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under the UK GDPR (see Section 12);
- notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach (see Section 11);
- assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor;
- at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data (see Section 14);
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (see Section 15).
7. Controller Obligations
The Controller shall:
- ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents, notices, and permissions have been obtained or given;
- provide the Processor with documented instructions regarding the processing of Personal Data;
- ensure that the Personal Data provided to the Processor is accurate and up to date;
- comply with its obligations under the UK GDPR, including responding to Data Subject requests and cooperating with the Information Commissioner's Office;
- notify the Processor without undue delay of any changes to applicable data protection laws that may affect the Processor's obligations under this DPA.
8. Sub-processing
The Controller provides general written authorisation for the Processor to engage sub-processors to assist in providing the Services. A current list of approved sub-processors is maintained on our Sub-Processors page.
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. Notification of sub-processor changes will be published on the Sub-Processors page. Controllers may subscribe to change notifications by emailing info@epicsoftwarelabs.com.
Where the Processor engages a sub-processor, the Processor shall impose on that sub-processor the same data protection obligations as set out in this DPA by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
The Processor shall remain fully liable to the Controller for the performance of any sub-processor's obligations.
9. International Data Transfers
Some of our sub-processors are located outside the United Kingdom and the European Economic Area. Where Personal Data is transferred internationally, the Processor shall ensure that appropriate safeguards are in place, including:
- the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs, as approved by the Information Commissioner's Office, for transfers from the UK;
- the European Commission's Standard Contractual Clauses (SCCs) for transfers from the EEA, where applicable;
- an adequacy decision by the UK Secretary of State or the European Commission, where available;
- any other lawful transfer mechanism recognised under applicable data protection law.
Details of sub-processor locations are available on our Sub-Processors page.
10. Security Measures
The Processor implements and maintains appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption in transit: All data transmitted between users and the platform is encrypted using TLS (Transport Layer Security).
- Secure authentication: User authentication is managed through Clerk, providing industry-standard security including multi-factor authentication, OAuth 2.0, and secure session management.
- Access controls: Role-based access controls ensure that only authorised personnel can access Personal Data. Team administrators control user permissions within their organisation.
- Infrastructure security: The platform is hosted on Vercel and Convex, both of which maintain SOC 2 compliance and implement comprehensive security controls.
- Regular backups: Automated backups are performed to prevent data loss.
- Monitoring: Systems are monitored for security incidents and anomalous activity.
11. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. Such notification shall include:
- a description of the nature of the Personal Data breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
- the name and contact details of the Processor's data protection contact;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.
12. Data Subject Rights Assistance
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under the UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Where the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's prior written instructions, unless required to do so by applicable law.
13. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Article 35 or Article 36 of the UK GDPR, taking into account the nature of the processing and the information available to the Processor.
14. Deletion and Return of Data
Upon termination or expiry of the Services agreement, or upon the Controller's written request, the Processor shall, at the Controller's choice:
- return all Personal Data to the Controller in a commonly used, machine-readable format; or
- delete all Personal Data and confirm such deletion in writing to the Controller.
The Processor shall complete such deletion or return within 30 days of the request, unless applicable law requires continued storage of the Personal Data, in which case the Processor shall inform the Controller of any such requirement and shall ensure the confidentiality of such data.
15. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, subject to:
- reasonable prior written notice (at least 30 days);
- audits being conducted during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations;
- the Controller bearing the costs of any such audit, unless the audit reveals material non-compliance by the Processor;
- any third-party auditor entering into appropriate confidentiality obligations.
16. Liability
Each party's liability under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the main Services agreement between the parties.
Nothing in this DPA shall limit either party's liability for any matter for which liability cannot be excluded or limited under applicable law.
17. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
18. Contact Details
For any queries regarding this DPA or data protection matters, please contact:
- Company: Epic Software Labs Ltd
- Address: 85 Great Portland Street, First Floor, London, W1W 7LT
- Email: info@epicsoftwarelabs.com
- Company Number: 16576534 (England and Wales)
To request a signed copy of this DPA, please email info@epicsoftwarelabs.com.