Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of, and is incorporated

by reference into, the Trade-OS Terms of Service

between GECKOSOFTWARE LTD ("Trade-OS", "we", "us") and the

subscriber accepting those Terms ("you", "Subscriber"). By accepting the

Terms of Service at onboarding you also accept this DPA. If there is a

conflict between this DPA and the Terms on the subject of personal data

processing, this DPA prevails to the extent of that conflict.

1. Plain-English summary (not the legal terms)

You run your business in Trade-OS. Some of the information you put in —

your customers' names, addresses, contact details — is their personal

data. **You decide what to collect and why; we just hold and process it

so the platform works for you.** In data-protection language, that makes

you the controller and us your processor for that data. This DPA

sets out, in the way the law requires, how we look after it on your

behalf and what each of us is responsible for. The short version: you

own the relationship with your customers and their data; we secure and

process it strictly to run the service you asked for, and we don't use

it for our own purposes.

The numbered terms below are the legally binding ones.

2. Definitions

Terms not defined here have the meaning given in the Terms of Service.

• UK GDPR — the retained EU General Data Protection Regulation as it

forms part of UK law, read with the Data Protection Act 2018.

• Data Protection Law — UK GDPR, the Data Protection Act 2018, the

Privacy and Electronic Communications Regulations 2003, and any

successor or applicable equivalent legislation.

• **Controller, processor, data subject, personal data, processing,

personal data breach** — as defined in UK GDPR.

• Customer Personal Data — personal data that the Subscriber, acting

as controller, inputs into or generates through Trade-OS relating to

the Subscriber's own customers, prospects, proposal recipients, and

contacts (for example names, addresses, contact details, job notes the

Subscriber chooses to record).

• Subprocessor — a third party engaged by Trade-OS to process

Customer Personal Data on our behalf.

3. Roles of the parties

3.1 For Customer Personal Data, the Subscriber is the controller

and Trade-OS is the processor. Trade-OS processes Customer Personal

Data only on the Subscriber's documented instructions, the primary

documented instruction being the provision of the Trade-OS service in

accordance with the Terms of Service, this DPA, and the Subscriber's

configured use of the product.

3.2 For data Trade-OS processes for its own purposes — Subscriber

account administration, platform security, billing, abuse prevention,

aggregated and de-identified product analytics, and service improvement

— Trade-OS is an independent controller. That processing is governed

by the Trade-OS Privacy Policy, not

by this DPA.

3.3 Proposal recipients. Where a Subscriber sends a proposal to a

recipient (for example a homeowner), the personal content of that

proposal is authored and controlled by the Subscriber. The **Subscriber

is the controller** for that recipient relationship and is responsible

for providing that recipient with any privacy information required by

Data Protection Law. Trade-OS processes only minimal technical metadata

(for example delivery and acceptance status, coarse device class, view

timing) and does so as the Subscriber's processor when surfacing it

back to the Subscriber as business insight. Trade-OS does not use

identifiable recipient data for its own purposes.

4. Subscriber responsibilities (controller)

4.1 The Subscriber warrants that it has a valid lawful basis under Data

Protection Law for all Customer Personal Data it processes through

Trade-OS, and that its instructions to Trade-OS are lawful.

4.2 The Subscriber is solely responsible for the accuracy, content,

quality, and legality of Customer Personal Data and the means by which

it was obtained, **including any personal data the Subscriber chooses to

enter into free-text fields** (for example job descriptions or notes).

Trade-OS does not require, request, or instruct the entry of customer

identifiers into free-text fields, and any such data present there is

processed solely because the Subscriber chose to include it.

4.3 The Subscriber is responsible for providing all required privacy

notices to, and handling the primary data-subject relationship with, its

own customers and proposal recipients. Trade-OS's role is limited to

assisting the Subscriber as set out in clause 7.

5. Trade-OS obligations (processor)

Trade-OS shall:

5.1 process Customer Personal Data only on the Subscriber's documented

instructions, including for international transfers, unless required to

do otherwise by law (in which case, where legally permitted, Trade-OS

will inform the Subscriber first);

5.2 ensure that persons authorised to process Customer Personal Data are

bound by an appropriate duty of confidentiality;

5.3 implement and maintain the technical and organisational measures

described in Annex 2, appropriate to the risk under Article 32 UK

GDPR;

5.4 not engage a Subprocessor except under clause 6;

5.5 taking into account the nature of the processing, assist the

Subscriber by appropriate technical and organisational measures, insofar

as possible, to respond to requests to exercise data-subject rights

under Chapter III UK GDPR;

5.6 assist the Subscriber in ensuring compliance with Articles 32 to 36

UK GDPR (security, breach notification, data protection impact

assessments, and prior consultation), taking into account the nature of

processing and the information available to Trade-OS;

5.7 at the Subscriber's choice, delete or return all Customer Personal

Data at the end of the provision of services, and delete existing copies

unless retention is required by law, subject to the timelines in clause 9;

5.8 make available to the Subscriber information necessary to demonstrate

compliance with Article 28 UK GDPR and allow for and contribute to

audits as set out in clause 8;

5.9 maintain records of processing carried out on behalf of the

Subscriber in accordance with Article 30(2) UK GDPR;

5.10 not sell Customer Personal Data and not use it for Trade-OS's own

purposes, including model training, except in fully aggregated and

de-identified form that does not identify any data subject, Subscriber,

or recipient.

6. Subprocessors

6.1 The Subscriber gives general written authorisation for Trade-OS

to engage Subprocessors. The current Subprocessors are listed at

tradeoshq.com/subprocessors

and summarised in Annex 3.

6.2 Trade-OS will impose data-protection obligations on each Subprocessor

that are, in substance, no less protective than those in this DPA, and

remains liable to the Subscriber for a Subprocessor's failure to meet

those obligations.

6.3 Trade-OS will give notice of any intended addition or replacement of

a Subprocessor by updating the Subprocessors page (and, for material

changes to database, authentication, or AI-inference Subprocessors, a

notice aligned with the Privacy Policy) before that Subprocessor

begins processing Customer Personal Data. The Subscriber may object on

reasonable, data-protection-related grounds within 30 days; the parties

will work in good faith to resolve the objection, failing which the

Subscriber may terminate the affected service.

7. Data-subject requests and cooperation

7.1 If Trade-OS receives a request from a data subject relating to

Customer Personal Data, it will not respond directly (except to confirm

the request should be directed to the Subscriber) and will, without

undue delay, inform the Subscriber.

7.2 Trade-OS will provide reasonable assistance, by appropriate technical

and organisational measures and taking into account the nature of

processing, to enable the Subscriber to fulfil its obligations to

respond to data-subject requests, including access, rectification,

erasure, restriction, portability, and objection.

8. Audit

8.1 Trade-OS will make available, on reasonable written request and no

more than once in any 12-month period (unless required by a supervisory

authority or following a personal data breach), information reasonably

necessary to demonstrate compliance with this DPA.

8.2 To minimise disruption, Trade-OS may satisfy an audit request by

providing relevant third-party certifications, attestations, or reports

held by Trade-OS or its Subprocessors. Any on-site or hands-on audit

must be on at least 30 days' notice, during business hours, subject to

confidentiality, scoped to relevant systems, must not compromise other

customers' data, and the Subscriber bears its own and Trade-OS's

reasonable costs for audits beyond the once-yearly information request.

9. Return and deletion

9.1 On termination or expiry of the Subscriber's account, Trade-OS will,

at the Subscriber's election made within 30 days, make Customer Personal

Data available for export in a commonly used format and/or delete it.

9.2 Absent an election, Trade-OS will delete Customer Personal Data

within a reasonable period not exceeding 90 days, save for copies in

routine backups (which expire on the normal backup cycle) and data

Trade-OS must retain by law, which remains subject to this DPA's security

obligations until deleted.

10. Personal data breach

10.1 Trade-OS will notify the Subscriber without undue delay after

becoming aware of a personal data breach affecting Customer Personal

Data, and will provide information reasonably available to enable the

Subscriber to meet its own breach-notification obligations.

10.2 Notification or response is not, and will not be construed as, an

acknowledgement of fault or liability by Trade-OS.

11. International transfers

11.1 Primary database hosting for Customer Personal Data is UK/EU

aligned. Where a Subprocessor processes Customer Personal Data outside

the UK, Trade-OS relies on an appropriate Article 46 UK GDPR transfer

mechanism — the UK International Data Transfer Agreement (IDTA), or the

EU Standard Contractual Clauses together with the UK Addendum, or a valid

adequacy decision — together with practical data-minimisation measures.

11.2 The Subprocessors page identifies current Subprocessor roles and

the transfer position relied on.

12. Liability

12.1 Each party's liability arising out of or related to this DPA is

subject to the limitations and exclusions of liability in the Terms of

Service, and any reference to a party's liability means aggregate

liability under the Terms and this DPA combined.

12.2 Nothing in this DPA limits either party's liability where it cannot

lawfully be limited.

13. General

13.1 This DPA takes effect on the Subscriber's acceptance of the Terms of

Service and remains in force while Trade-OS processes Customer Personal

Data.

13.2 This DPA is governed by the laws of England and Wales, and the

courts of England and Wales have exclusive jurisdiction, subject to any

non-waivable rights elsewhere.

13.3 If any provision is found unenforceable, the remainder continues in

effect.

Annex 1 — Details of processing

Annex 2 — Technical and organisational measures

These measures reflect the posture described publicly at

tradeoshq.com/security and are

maintained appropriate to the risk. They are not an exhaustive

specification and evolve as the platform matures.

• Encryption of data in transit using current TLS for public endpoints.
• Encryption at rest provided by managed infrastructure providers

(database and storage tiers).

• Authentication via Supabase Auth; session tokens exchanged over

encrypted connections.

• Tenant data isolation in PostgreSQL using Row Level Security policies

restricting each tenant's rows from access via normal authenticated

application paths by other tenants, exercised by an automated

cross-tenant isolation test in the deployment pipeline.

• Least-privilege production access limited to a small group of

authorised operators.

• Infrastructure and hosted observability logging for uptime,

diagnostics, and proportionate security review; business-critical

audit trails retained on server-controlled systems.

• Server-side minimisation controls that exclude structured customer

contact fields from third-party AI-inference prompt assembly; only

data the Subscriber deliberately includes in free-text is processed

by AI-assisted features.

• Vulnerability reporting channel at hello@tradeoshq.com with good-faith

triage.

Trade-OS does not currently hold SOC 2, ISO 27001, Cyber Essentials, or

equivalent certification and does not represent otherwise unless and

until an explicit attestation is published.

Annex 3 — Approved Subprocessors

Current as of the "Last updated" date; the authoritative live list is at

tradeoshq.com/subprocessors.

GECKOSOFTWARE LTD — Company number 16582317

16 Bowes Gate Drive, Lambton Park, Chester-le-Street, DH3 4DS

ICO registration: ZC136332 — hello@tradeoshq.com