Data Processing Agreement

A. The Controller is an FCA-authorised firm that provides financial advisory services to its clients and processes personal data in connection with those services.

B. The Processor provides AI-powered meeting transcription, summarisation, and compliance documentation services under the trading name "TakeNote" (the "Services").

C. In the course of providing the Services, the Processor will process personal data on behalf of the Controller.

D. The Parties wish to enter into this Data Processing Agreement to ensure that such processing complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.

E. This Agreement supplements and forms part of the principal service agreement between the Parties (the "Principal Agreement").

This Agreement sets out the terms on which the Processor shall process Client Data on behalf of the Controller in connection with the provision of the Services.

The Processor shall process Client Data only for the purposes described in this Agreement and the Principal Agreement, and shall not process Client Data for any other purpose unless required to do so by Applicable Data Protection Law.

The Processor acknowledges that the Controller is an FCA-authorised firm and that Client Data may include sensitive financial information and records subject to regulatory retention requirements under MiFID II and FCA rules.

The Processor shall implement and maintain technical and organisational security measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach affecting Client Data.

The notification shall include:

• • A description of the nature of the breach, including categories and approximate number of Data Subjects concerned
• • The name and contact details of the Processor's data protection officer or other contact point
• • A description of the likely consequences of the breach
• • A description of the measures taken or proposed to address the breach

The Processor shall not transfer Client Data outside the United Kingdom.

All processing, storage, and backup of Client Data shall take place exclusively within Microsoft Azure UK South. In the exceptional circumstance that a transfer of Client Data outside the United Kingdom becomes necessary, the Processor shall obtain prior written consent of the Controller and ensure appropriate safeguards in accordance with Chapter V of the UK GDPR.

The Controller shall:

• • Ensure it has a lawful basis for processing personal data and for instructing the Processor
• • Provide appropriate privacy notices to Data Subjects informing them of the processing through the Services
• • Obtain any necessary consents from meeting participants for recording and processing of personal data
• • Ensure that its Processing Instructions comply with Applicable Data Protection Law
• • Inform the Processor without undue delay if any Processing Instruction infringes Applicable Data Protection Law

The Controller may audit the Processor's compliance with this Agreement by:

• • Requiring the Processor to provide evidence of compliance on request
• • Reviewing SOC 2 Type II audit reports (provided under NDA)
• • Conducting on-site audits with reasonable notice (at least 30 days)
• • Engaging independent auditors at the Controller's expense