Data Processing Agreement

Processor

TrackZero Labs Ltd, incorporated in England and Wales (company no. 15201624) (“TrackZero”)

Controller

The customer entity named in the TrackZero Order Form or Terms & Conditions (“Customer”)

Effective date

The date the Customer accepts the TrackZero Terms & Conditions, or the date of signature where executed separately

Version

1.0 | 16/06/2026

1. Background
   TrackZero provides a sustainability and ESG data management platform (the “Services”). In providing the Services, TrackZero processes personal data on behalf of the Customer as controller. This agreement governs that processing as required by Article 28 UK GDPR and the Data Protection Act 2018. It is incorporated into and forms part of the TrackZero Terms & Conditions. Where a Customer executes a separate signed copy, that executed version governs.
2. Roles and instructions
   The Customer is the controller of Customer Data. TrackZero is the processor. TrackZero will process Customer Data only on the Customer’s documented instructions as set out in this agreement, the Terms & Conditions, and any configuration the Customer applies within the Services. TrackZero will notify the Customer if it considers an instruction to infringe applicable data protection law, and will not process Customer Data for any purpose other than providing the Services unless required to do so by law.
3. Customer Data
   “Customer Data” means any personal data uploaded to, processed through, or generated within the Services by or on behalf of the Customer. The details of the processing are set out in Schedule 1.
4. Confidentiality
   TrackZero will ensure that personnel authorised to process Customer Data are bound by appropriate confidentiality obligations and that access is limited to those who need it to provide the Services.
5. Security
   TrackZero will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR. TrackZero holds ISO 27001 certification. A summary of TrackZero’s current technical and organisational measures is available on request.
6. Sub-processors
   The Customer provides general authorisation for TrackZero to engage sub-processors. TrackZero’s current sub-processors are listed at trackzero.eco/legal/sub-processors, which is updated when changes occur. TrackZero will notify registered customers of material changes to its sub-processors by email. TrackZero will impose equivalent data protection obligations on each sub-processor by written contract and remains fully liable for their acts and omissions.
7. Data subject rights
   TrackZero will assist the Customer in fulfilling its obligations to respond to data subject requests under Articles 12 to 22 UK GDPR, taking into account the nature of the processing. TrackZero will promptly forward to the Customer any data subject request it receives that relates to Customer Data. TrackZero will not respond to such requests directly except on the Customer’s written instruction or as required by law.
8. Personal data breaches
   TrackZero will notify the Customer without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting Customer Data. The notification will include, to the extent available: the nature of the breach; the categories and approximate number of individuals and records affected; the likely consequences; and the measures taken or proposed. TrackZero will cooperate with the Customer and take reasonable steps to assist in investigating, mitigating and remediating any breach.
9. Audit and assistance
   TrackZero may satisfy audit requests by providing ISO 27001 certification, independent audit reports, security documentation and responses to reasonable questionnaires. On-site audits may only be conducted where such information is insufficient to demonstrate compliance and upon at least 30 days’ written notice.
   
   TrackZero will provide reasonable assistance to the Customer in meeting its obligations under Articles 32 to 36 UK GDPR, taking into account the nature of the processing and the information available to TrackZero, including reasonable assistance with any data protection impact assessment the Customer is required to carry out under Article 35 UK GDPR.
10. International transfers
    TrackZero shall ensure that any international transfer of Customer Data is subject to an appropriate safeguard recognised under UK GDPR, including the UK Addendum to the EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, adequacy regulations, or another lawful transfer mechanism.
11. Retention and deletion
    TrackZero will retain Customer Data for the duration of the Customer’s subscription. Upon termination, the Customer may retrieve and export Customer Data through the export functionality of the Services for 30 days, after which it will be securely deleted from live systems within 60 days, except where retention is required by law. Residual copies in backup systems will be deleted in the ordinary course of backup rotation.
12. General
    This agreement is governed by the laws of England and Wales. It continues for the duration of the Customer’s subscription. Clauses 3 (Confidentiality), 7 (Personal data breaches), 8 (Audit and assistance), and 10 (Retention and deletion) survive termination. TrackZero may update this agreement from time to time to reflect changes in applicable law or its processing activities by posting the updated version at trackzero.eco/legal/dpa. Continued use of the Services constitutes acceptance.
    
    The liability of each party arising out of or in connection with this agreement shall be subject to the exclusions and limitations of liability set out in the Terms & Conditions.