Data Processing Agreement

For SustainMetrics AI business customers · Last updated: 27 April 2026

1. Roles

Customer is the data controller. SustainMetrics AI acts as data processor in respect of personal data contained in workspace data, and as data controller for account-administration data.

2. Subject matter & duration

Processing covers the provision of the SustainMetrics AI service for the term of the customer's subscription, plus a 30-day return / deletion window.

3. Nature & purpose

Hosting, storage, transmission, AI-assisted carbon analysis, report generation, support.

4. Categories of data subjects

Customer's employees and authorised users; suppliers and third parties named in financial / energy data the customer uploads.

5. Sub-processors

We maintain a current list of sub-processors and provide reasonable advance notice of changes. Customers may object on reasonable grounds.

6. Security measures

  • TLS 1.2+ in transit, AES-256 at rest.
  • Role-based access control with least privilege.
  • Audit logging and continuous monitoring.
  • Regular vulnerability scanning and patching.

7. International transfers

UK IDTA / EU SCCs apply where personal data leaves the UK / EEA.

8. Personal data breach

We notify the customer without undue delay (and, where practicable, within 72 hours) after becoming aware of a confirmed personal data breach affecting their workspace data.

9. Return & deletion

On termination we return or delete workspace data within 30 days, unless retention is required by law.

This DPA is template boilerplate. Please have it reviewed by qualified legal counsel before signing or relying on it.