Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Cirquto Terms of Service and governs the processing of personal data by Cirquto on behalf of the customer.

1. Definitions

• Customer — the organisation that has agreed to the Cirquto Terms of Service and uses the Cirquto platform.
• Cirquto — Cirquto Ltd, acting as data processor.
• Personal Data — any information relating to an identified or identifiable natural person processed through the platform.
• Sub-processor — a third party engaged by Cirquto to assist in processing personal data.

2. Roles and Responsibilities

The customer acts as the Data Controller. The customer determines the purposes and means of processing personal data stored in the Cirquto platform.

Cirquto acts as the Data Processor. Cirquto processes personal data only on documented instructions from the customer, except where required by applicable law.

3. Scope of Processing

Cirquto processes personal data solely to provide the platform services described in the Terms of Service, including:

• Case and client management
• Document storage
• Workflow automation
• Communication features
• AI assisted suggestions

4. Categories of Data

Personal data processed may include:

• Names and contact details
• Email addresses and phone numbers
• Client identifiers and reference numbers
• Documents uploaded by the customer
• Communication records

The specific categories of data are determined by the customer based on how they use the platform.

5. Security Measures

Cirquto implements appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit
• Role-based access controls
• Infrastructure monitoring and alerting
• Audit logging of system events
• Regular security reviews

6. Sub-processors

Cirquto may engage sub-processors to assist in delivering the service. A current list of sub-processors is maintained at /subprocessors.

Cirquto will notify customers of material changes to sub-processors and provide a reasonable objection period.

Cirquto ensures that sub-processors are bound by obligations no less protective than those in this DPA.

7. Data Subject Rights

Cirquto will assist the customer in responding to data subject requests, including requests for access, rectification, erasure, restriction and portability, to the extent technically feasible.

8. Data Breach Notification

In the event of a personal data breach, Cirquto will notify the customer without undue delay and provide information necessary to enable the customer to meet its notification obligations under applicable law.

9. International Transfers

Where personal data is transferred outside the United Kingdom, Cirquto implements appropriate safeguards such as standard contractual clauses or equivalent mechanisms recognised under applicable data protection law.

10. Data Retention and Deletion

Upon termination of the service or at the customer’s request, Cirquto will delete or return customer personal data where feasible, unless retention is required by applicable law.

11. Audits

Cirquto will make available to the customer information necessary to demonstrate compliance with this DPA and permit and contribute to audits conducted by the customer or an appointed auditor, subject to reasonable notice and scope.

12. Duration

This DPA remains in effect for the duration of the customer’s use of the Cirquto platform and for as long as Cirquto processes personal data on behalf of the customer.