Data Processing Addendum

1. Purpose and Scope

This DPA forms part of the agreement between Flair Technologies Ltd ("Processor", "we", "us") and the customer using LUPO ("Controller", "you").

It governs our processing of personal data on your behalf in connection with the LUPO software and related services ("Services").

2. Definitions

Terms such as personal data, processing, data subject, controller, and processor have the meanings set out in the UK GDPR and the Data Protection Act 2018.

3. Roles of the Parties

• You act as Data Controller for the personal data you provide or generate through LUPO.
• Flair Technologies Ltd acts as Data Processor, processing such data only under your documented instructions.

4. Processor Obligations

We shall:

1. process personal data solely to provide and maintain the Services;
2. implement appropriate technical and organisational security measures to protect data from unauthorised access, alteration, disclosure or loss;
3. ensure all personnel with access to data are bound by confidentiality obligations;
4. assist you in fulfilling data-subject requests where technically possible;
5. notify you without undue delay of any confirmed personal-data breach affecting your data;
6. upon termination of the Services, delete or return personal data as instructed, unless retention is required by law.

5. Sub-processors

We may engage trusted sub-processors to support core functionality (for hosting, analytics, transcription, or compute).

All sub-processors operate under written agreements imposing equivalent data-protection obligations.

A current list of processing categories is available on request.

You authorise such engagements; we will notify you of any material change.

6. International Transfers

Where processing involves data transfer outside the UK, we rely on adequate-country decisions or Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

Equivalent safeguards apply to all transfers.

7. Security Measures

Flair Technologies maintains industry-standard security including encryption in transit and at rest, access control, logging, and routine review of infrastructure and data-access policies.

8. Assistance and Audit

We will provide reasonable cooperation and documentation needed to demonstrate compliance with this DPA.

On reasonable written notice, you may perform (or appoint an independent auditor to perform) a confidential audit once per year, limited to verifying compliance with this Addendum.

9. Data Subject Rights

If we receive a request directly from a data subject regarding their personal data, we will refer the request to you and provide reasonable assistance for response or deletion.

10. Liability

Each party's total liability under this DPA is limited to the amounts and exclusions set forth in the main Terms of Service.

11. Duration

This DPA remains in effect for as long as we process personal data on your behalf under the Terms of Service.

12. Governing Law

This DPA and any dispute arising from it are governed by the laws of England and Wales.

The courts of England and Wales have exclusive jurisdiction.

13. Contact

Data Protection Officer (or Privacy Lead): privacy@lupolabs.ai

Postal Address: Flair Technologies Ltd, 45 Fitzroy St, Fitzrovia, London W1T 6EB, United Kingdom

This Addendum is automatically incorporated into every business subscription or pilot of LUPO and requires no separate signature unless requested by the Controller.