Data Processing Agreement

Last modified: June 1st, 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

Processor: TMI Systems Limited (company number 06667738), trading as Verto, of Beechey House, 87 Church Street, Crowthorne, Berkshire, RG45 7AW (“Verto” or “Processor”).

Controller: The Client identified in the Quote or Statement of Work entered into with Verto (“Controller”).

This DPA forms part of and is incorporated into the Agreement between the parties (comprising the Quote, Terms of Service, Statement of Work and Service Level Agreement, as applicable). In the event of conflict between this DPA and any other part of the Agreement, this DPA shall prevail in respect of data protection matters.

2. Definitions

In this DPA, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given to them in the Agreement or in applicable Data Protection Legislation.

“Data Protection Legislation” means the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and any regulations or codes of practice made under them, as amended or replaced from time to time.

“Personal Data” has the meaning given in the UK GDPR, and means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under the Agreement.

“Processing”, “Processor”, “Controller”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” have the meanings given to them in the UK GDPR.

“Sub-processor” means any third party engaged by the Processor to carry out processing activities on behalf of the Controller in connection with the Agreement.

“Technical and Organisational Measures” or “TOMs” means the security measures set out in Schedule 2 of this DPA.

3. Scope and Nature of Processing

The Processor shall process Personal Data only in connection with the provision of the Verto Service and/or Consultancy Services under the Agreement. The subject matter, nature, purpose, and duration of the processing, and the categories of Personal Data and Data Subjects, are set out in Schedule 1 to this DPA.

The Processor shall not process Personal Data for any purpose other than as set out in Schedule 1 and as instructed by the Controller in writing from time to time. If the Processor is required by applicable law to process Personal Data other than as instructed, it shall inform the Controller of that requirement before processing, unless prohibited by law.

4. Processor Obligations

4.1 Processing on Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law.

4.2 Confidentiality

The Processor shall ensure that persons authorised to process the Personal Data are subject to appropriate obligations of confidentiality, whether by contract or by operation of law.

4.3 Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of natural persons, the Processor shall implement and maintain the Technical and Organisational Measures set out in Schedule 2 to this DPA, and shall ensure a level of security appropriate to the risk.

4.4 Sub-processors

The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the following conditions:

  • The Processor shall maintain an up-to-date list of Sub-processors (“Sub-processor List”), set out in Schedule 3 to this DPA and available at https://vertocloud.co.uk/sub-processors or upon written request to support@vertocloud.co.uk.

  • The Processor shall give the Controller at least 30 days’ prior written notice of any intended changes to the Sub-processor List, including additions or replacements.

  • The Controller may object to any new Sub-processor on reasonable grounds relating to data protection within 14 days of receiving notice. In such case, the parties shall work in good faith to resolve the objection. If the objection cannot be resolved, either party may terminate the Agreement on 30 days’ written notice without liability.

  • Where the Processor engages a Sub-processor, it shall impose data protection obligations equivalent to those set out in this DPA on that Sub-processor by way of a written contract. The Processor remains fully liable to the Controller for the performance of the Sub-processor’s obligations.

4.5 Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligations to respond to requests by Data Subjects exercising their rights under Data Protection Legislation (including rights of access, rectification, erasure, restriction, portability, and objection).

The Processor shall promptly notify the Controller, and in any event within 5 Business Days, if it receives a request from a Data Subject in respect of Personal Data processed under this DPA. The Processor shall not respond to such a request except on documented instructions from the Controller or as required by applicable law.

4.6 Personal Data Breach

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach involving Personal Data processed under this DPA. The notification shall include, to the extent available at the time:

  • a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;

  • the name and contact details of the Processor’s data protection contact;

  • a description of the likely consequences of the breach;

  • a description of the measures taken or proposed to address the breach and mitigate its effects.

The Processor shall cooperate with the Controller and take such reasonable steps as the Controller directs to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

4.7 Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and, where required, prior consultations with the Supervisory Authority, in each case to the extent the assessment or consultation relates to processing under this DPA and the Processor holds information relevant to it.

4.8 Return and Deletion of Personal Data

On expiry or termination of the Agreement, the Processor shall, at the Controller’s election:

  • return to the Controller all Personal Data processed under this DPA (in a structured, commonly used and machine-readable format); or

  • securely delete or destroy all Personal Data processed under this DPA, and certify in writing to the Controller that deletion has been completed.

The Processor shall comply with the Controller’s election within 30 days of the Termination Date. The Processor may retain Personal Data to the extent required by applicable law, provided it continues to process such data only for the purposes required by law and subject to appropriate safeguards. The data return and deletion provisions of Clause 17.1.3 of the Terms of Service shall apply.

4.9 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor appointed by the Controller, subject to the following:

  • The Controller shall give at least 15 Business Days’ prior written notice of any audit.

  • Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor’s operations.

  • The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA, in which case the Processor shall bear its own reasonable costs.

  • The Controller shall treat all information obtained during an audit as Confidential Information in accordance with the Agreement.

The Processor may satisfy audit requests by providing the Controller with a current third-party security certification (such as Verto's current ISO 27001:2022 certification or Cyber Essentials Plus) in lieu of an on-site audit, where the Controller agrees.

5. Controller Obligations

The Controller warrants and represents that:

  • it has a lawful basis for processing Personal Data under Data Protection Legislation and has complied with all applicable requirements in relation to the collection of Personal Data prior to disclosing it to the Processor;

  • it has provided all necessary privacy notices to Data Subjects as required by Data Protection Legislation;

  • the instructions it gives to the Processor regarding the processing of Personal Data comply with Data Protection Legislation;

  • it will not instruct the Processor to process Personal Data in a manner that would cause the Processor to be in breach of Data Protection Legislation.

6. International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom without the prior written consent of the Controller, except where:

  • the transfer is to a country or territory that has been assessed as providing an adequate level of protection for Personal Data by the UK Government; or

  • appropriate safeguards are in place in accordance with UK GDPR Article 46, such as UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses.

As at the date of this DPA, all Personal Data processed under the Agreement is stored and processed within the United Kingdom on Microsoft Azure UK-based infrastructure. The Processor shall notify the Controller in writing if this position changes.

7. Liability

Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement (Clause 15 of the Terms of Service). Nothing in this DPA limits either party’s liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded or limited by law.

Where a Data Subject brings a claim against the Controller or the Processor in connection with processing under this DPA, the parties shall cooperate in good faith to establish responsibility between them in accordance with Data Protection Legislation.

8. Term and Termination

This DPA shall come into force on the Agreement Start Date and shall remain in force for the duration of the Agreement. It shall terminate automatically on expiry or termination of the Agreement, subject to the survival of obligations expressly stated to survive termination, including obligations relating to the return or deletion of Personal Data and confidentiality.

9. General

  • This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for all disputes arising from or in connection with this DPA.

  • If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

  • This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the processing of Personal Data under the Agreement.

  • Any amendment to this DPA must be made in writing and signed by both parties.


Schedule 1 Details of Processing

The following table sets out the subject matter, nature, purpose, duration, categories of personal data, and categories of data subjects for the processing carried out by Verto as Processor on behalf of the Controller.

Category of Personal Data: Project team member identity and contact data (name, job title, email address, telephone number)
Data Subjects: Client employees, contractors and partner organisation staff involved in project delivery
Purpose of Processing: User account creation and authentication; assignment of tasks, risks, issues and actions within the platform
Retention Period: Duration of the Agreement plus 3 months post-termination (pending deletion)

Category of Personal Data: Project management data (task assignments, progress updates, comments, document uploads)
Data Subjects: Client employees and authorised Users
Purpose of Processing: Delivery of the Verto Service — portfolio, programme and project management
Retention Period: Duration of the Agreement plus 3 months post-termination

Category of Personal Data: Financial and resource data (budget entries, cost allocations, timesheet data where used)
Data Subjects: Client employees and project team members
Purpose of Processing: Financial tracking and resource management functionality within the platform
Retention Period: Duration of the Agreement plus 3 months post-termination

Category of Personal Data: Platform usage and access data (login timestamps, IP addresses, user activity logs)
Data Subjects: All Users
Purpose of Processing: Security, audit trail, SLA compliance monitoring, platform improvement
Retention Period: Duration of the Agreement plus 3 months post-termination

Category of Personal Data: Support and communications data (email content, support ticket content)
Data Subjects: Client employees and administrators
Purpose of Processing: Provision of helpdesk support and client communications
Retention Period: 2 years from date of creation

Note: The categories and volume of Personal Data processed will depend on the specific configuration and use of the Verto Service by the Controller. The Controller is responsible for ensuring that only Personal Data necessary for the purposes above is uploaded to or processed through the platform.

Schedule 2 Technical and Organisational Measures (TOMs)

Verto implements the following technical and organisational security measures to protect Personal Data processed under this DPA:

Access Control

  • Role-based access controls limiting access to Personal Data to authorised personnel only.

  • Multi-factor authentication (MFA) enforced for administrative access to platform infrastructure.

  • Regular review of access rights; immediate revocation on change of role or departure.

  • Unique user credentials; shared accounts prohibited.

Encryption

  • All data encrypted in transit using TLS 1.2 or higher.

  • All data encrypted at rest using AES-256 or equivalent.

  • Encryption keys managed in accordance with industry best practice.

Infrastructure and Hosting

  • Platform hosted on Microsoft Azure UK-based data centres. All data stored and processed within the United Kingdom.

  • Azure infrastructure SLA-backed with 99.9% uptime commitment.

  • Network segmentation, firewall controls and intrusion detection in place.

Backup and Recovery

  • Automated nightly backups with 90-day retention period.

  • Backup integrity tested regularly. Disaster recovery procedures documented and tested annually.

  • Recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 24 hours.

Vulnerability Management

  • Regular vulnerability scanning of platform infrastructure and application code.

  • Security patches applied within defined timeframes based on severity classification.

  • Annual penetration testing by qualified third-party security specialists.

Organisational Measures

  • Information security policies reviewed and updated annually.

  • All staff with access to personal data subject to mandatory data protection and security training.

  • Vetting and background checks conducted on staff with access to personal data.

  • Supplier and sub-processor due diligence carried out before engagement.

  • Incident response plan documented and tested. Personal data breach notification procedure in place consistent with Clause 4.6 of this DPA.

Information Security Standards

Verto is certified to ISO 27001:2022. The platform and supporting infrastructure are maintained in accordance with the requirements of this standard. Certification details are available upon request.

  • Cyber Essentials certified


Execution

This DPA is entered into as of the Agreement Start Date and is executed by duly authorised representatives of each party.

For and on behalf of Verto (TMI Systems Limited)

For and on behalf of the Controller

Signature: ___________________________

Signature: ___________________________

Name: ________________________________

Name: ________________________________

Title: _______________________________

Title: _______________________________

Date: ________________________________

Date: ________________________________