Data processing agreement


This Data Processing Agreement (the "DPA") forms part of, and is incorporated into, the Terms of Service or Master Services Agreement between Montford Orbis Limited and the Customer, and governs the processing of personal data by Montford Orbis as a processor on behalf of the Customer through the CalBrix OS service.

Effective date: April 22, 2026 · Last reviewed: April 22, 2026
Publisher: Montford Orbis Limited

01. Parties, purpose, and precedence

This DPA is entered into between Montford Orbis Limited ("Montford Orbis", "Processor") and the Customer ("Controller"). It reflects the parties’ agreement with regard to the processing of personal data in connection with the CalBrix OS service (the "Service") and is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the United Kingdom’s equivalent data-protection legislation.

In case of conflict between this DPA and the Terms of Service, Order, or Master Services Agreement, the provisions of this DPA prevail solely with respect to the processing of personal data.

02. Definitions

"Applicable Data-Protection Law" means the GDPR, the UK GDPR, the Data Protection Act 2018, and any other data-protection or privacy law applicable to the processing of personal data under this DPA.

"Controller" / "Processor" / "Sub-processor" / "Data Subject" / "Personal Data" / "Processing" / "Personal Data Breach" have the meanings given to them in the GDPR.

"Customer Personal Data" means Personal Data processed by Montford Orbis on behalf of Customer in connection with the Service.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021, as amended from time to time, and, where applicable, the UK International Data Transfer Addendum.

03. Roles and responsibilities

The parties acknowledge and agree that, with respect to Customer Personal Data, Customer is the Controller and Montford Orbis is the Processor acting on Customer’s documented instructions. Each party shall comply with its respective obligations under Applicable Data-Protection Law.

Customer is solely responsible for (a) the lawfulness of the Personal Data it uploads or causes to be processed through the Service, (b) providing any required notices and obtaining any required consents from Data Subjects, and (c) the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired such data.

04. Subject matter, duration, nature, and purpose

  • Subject matter — the processing of Customer Personal Data by Montford Orbis as necessary to provide the Service in accordance with the Terms of Service or applicable MSA.
  • Duration — for the term of the subscription and any contractual wind-down, return, or deletion period following termination.
  • Nature — hosting, storage, transmission, backup, logging, security monitoring, and support processing required to deliver the Service.
  • Purpose — to perform the Service as described in the documentation and Customer’s instructions.

05. Categories of Data Subjects and Personal Data

  • Categories of Data Subjects — Customer’s Users (employees, contractors, agents), Customer’s own customers or calibration clients identified in Customer Data, and any other natural persons whose data Customer chooses to process through the Service.
  • Categories of Personal Data — identification and contact data (name, work email, role), authentication data (credentials in hashed form), operational records entered by Users, audit trails and usage telemetry, and communications with Customer support personnel.
  • Special categories — the Service is not intended for and should not be used to process special categories of Personal Data within the meaning of Article 9 GDPR unless otherwise agreed in writing.

06. Instructions for processing

Montford Orbis shall process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to a third country or an international organisation, unless required to do so by a law to which Montford Orbis is subject (in which case Montford Orbis will inform Customer of that legal requirement before processing, unless such law prohibits such information on important grounds of public interest). The Terms of Service, this DPA, and the applicable Order constitute Customer’s complete and final instructions at the time of execution. Additional instructions outside this scope require prior written agreement and may be subject to reasonable fees.

Montford Orbis shall promptly inform Customer if, in its opinion, an instruction infringes Applicable Data-Protection Law.

07. Confidentiality

Montford Orbis shall ensure that persons authorised to process Customer Personal Data are subject to an appropriate statutory or contractual obligation of confidentiality and are trained on their responsibilities.

08. Technical and organisational measures

Montford Orbis shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A summary of these measures is published at /security and includes:

  • encryption of Personal Data in transit using TLS 1.2 or higher, and encryption at rest at the storage-volume level;
  • role-based access control with the principle of least privilege, multi-factor authentication for administrative access, and audited break-glass procedures;
  • network segmentation, firewalling, a web application firewall, rate limiting, and abuse protection;
  • vulnerability management including dependency auditing, secret scanning, and automated patching of the operating system;
  • centralised logging, security monitoring, alerting, and a documented incident-response procedure;
  • encrypted backups, periodic restore testing, and defined recovery-time and recovery-point objectives.

Montford Orbis may update these measures from time to time provided that they continue to provide at least an equivalent level of protection.

09. Sub-processing

Customer grants Montford Orbis a general authorisation to engage Sub-processors for the purpose of providing the Service, subject to the following conditions:

  • Montford Orbis maintains an up-to-date list of Sub-processors, which is provided on request and, for enterprise Customers, is annexed to the signed DPA.
  • Montford Orbis enters into a written agreement with each Sub-processor imposing data-protection obligations substantially equivalent to those set out in this DPA.
  • Montford Orbis will notify Customer at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor that materially affects the processing. Customer may object to such change on reasonable data-protection grounds; if the parties cannot agree on a remedy, Customer may terminate the affected portion of the subscription on written notice without penalty for unused pre-paid fees.
  • Montford Orbis remains fully liable to Customer for the performance of each Sub-processor’s obligations.

10. International transfers

Where processing of Customer Personal Data involves a transfer to a country outside the European Economic Area, the United Kingdom, or another region recognised as providing adequate protection, Montford Orbis shall ensure that such transfer is subject to appropriate safeguards, including the Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021). The applicable module is Module Two (controller-to-processor) where Customer is the data controller and Montford Orbis is the processor; Module Three (processor-to-processor) applies only to onward transfers between Montford Orbis and its Sub-processors. For transfers from the United Kingdom, the UK International Data Transfer Addendum to the SCCs (issued under section 119A of the Data Protection Act 2018, version B1.0) is incorporated and applies in conjunction with the SCCs. The parties agree that the SCCs and, where applicable, the UK Addendum are hereby incorporated into this DPA and that their provisions prevail in the event of conflict for transfers to which they apply.

11. Data residency

By default, Customer Personal Data is hosted in data centres located within the European Union. Backups, security telemetry, and operational metadata may be processed in additional regions where required to provide the Service, subject to the safeguards described in the International transfers section above. Customer may, on enterprise plans, request a specific data-residency region; any agreed region will be set out in the applicable Order or MSA.

12. Assistance to the Controller

  • Data-subject requests — taking into account the nature of the processing, Montford Orbis shall assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR. Where a Data Subject addresses a request directly to Montford Orbis, Montford Orbis will refer the Data Subject to Customer without undue delay.
  • Security, impact assessments, and consultations — Montford Orbis shall provide reasonable assistance to Customer in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to Montford Orbis.

13. Personal Data Breach notification

Montford Orbis shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed, and a point of contact for further information. Montford Orbis will cooperate with Customer and take reasonable steps to mitigate the effects of, and minimise any damage resulting from, the breach.

Notification of or response to a Personal Data Breach shall not be construed as an acknowledgement by Montford Orbis of any fault or liability.

14. Audits and information rights

Montford Orbis shall make available to Customer, upon reasonable written request and no more than once per twelve (12) month period (save where required by a supervisory authority or following a Personal Data Breach), information necessary to demonstrate compliance with this DPA, including in the form of (a) the most recent security documentation, (b) the most recent penetration-test attestation letter, and (c) where available, any third-party attestation reports (for example SOC 2, ISO 27001) and bridge letters.

Customer may conduct an on-site audit where the preceding information is insufficient to demonstrate compliance, subject to (i) reasonable written notice, (ii) execution of a mutually acceptable confidentiality agreement, (iii) performance during business hours in a manner that does not interfere with Montford Orbis’s operations or the security of other customers, and (iv) bearing its own costs and the reasonable costs of Montford Orbis. Audits may not extend to information of other customers or to Montford Orbis’s proprietary source code, security vulnerabilities, or commercially sensitive information.

15. Return and deletion

Upon termination or expiry of the subscription, and at Customer’s written choice, Montford Orbis shall delete or return all Customer Personal Data, and delete existing copies, unless storage is required by applicable law. Backups will age out within the retention window published at /privacy. Customer will be provided with a reasonable export period (by default, thirty (30) days after termination) during which Customer may retrieve Customer Personal Data in a structured, commonly used, and machine-readable format.

16. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Terms of Service or applicable MSA, and any reference to the liability of a party means the aggregate liability of that party and its affiliates under that agreement and this DPA together.

17. Term, order of precedence, and survival

This DPA is effective for so long as Montford Orbis processes Customer Personal Data on behalf of Customer. The provisions of this DPA that by their nature are intended to survive termination (including those relating to confidentiality, security, return and deletion, liability, and governing law) shall survive.

In the event of any conflict or inconsistency between this DPA and any other agreement between the parties, the provisions of this DPA shall prevail with respect to the parties’ data-protection obligations. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail for transfers to which they apply.

18. Governing law

This DPA is governed by the laws of the Republic of Ghana, being the place of incorporation of Montford Orbis Limited, in alignment with the Terms of Service or applicable MSA, and without prejudice to the governing law of the Standard Contractual Clauses where they apply. The parties submit to the courts of the Republic of Ghana for disputes arising out of or related to this DPA, except where the SCCs specify otherwise.

Questions about this document?

This page is published by Montford Orbis Limited in connection with the CalBrix OS service. For clarifications, long-form versions required for procurement or audit review, or to request a signed copy, write to the founder directly.