
Data Processing Agreement

Version 1.0

Effective Date: 4 January 2026

Introduction

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Lokaly Merchant Terms and Conditions (the "Principal Agreement") between:

  • Eelavan Ltd (trading as Lokaly), a company registered in England and Wales with registered address at 86-90 Paul Street, London, EC2A 4NE, United Kingdom ("Lokaly", "Processor", "we", "us", or "our"); and
  • The Merchant identified in the Principal Agreement ("Merchant", "Controller", "you", or "your").

This DPA sets out the terms on which Lokaly will Process Personal Data on behalf of the Merchant in connection with the provision of the Lokaly loyalty platform services (the "Services").

This DPA is designed to ensure compliance with Article 28 of the UK General Data Protection Regulation (UK GDPR) as incorporated into UK law by the Data Protection Act 2018.

1. Definitions and Interpretation

1.1 Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Merchant is the Controller.
  • "Customer Data" means all Personal Data relating to Customers (as defined in the Principal Agreement) that is Processed by Lokaly on behalf of the Merchant in connection with the Services.
  • "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable laws and regulations relating to the Processing of Personal Data and privacy in the United Kingdom, each as amended or replaced from time to time.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "EEA" means the European Economic Area.
  • "ICO" means the UK Information Commissioner's Office.
  • "International Data Transfer Addendum" or "IDTA" means the UK's International Data Transfer Agreement issued by the ICO under section 119A of the Data Protection Act 2018.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. "Process" and "Processed" shall be construed accordingly.
  • "Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, Lokaly is the Processor.
  • "Restricted Transfer" means a transfer of Personal Data from the United Kingdom to a country outside the UK which is not covered by an adequacy decision.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international transfers of Personal Data.
  • "Sub-processor" means any third party appointed by Lokaly to Process Customer Data on behalf of the Merchant.
  • "Supervisory Authority" means the ICO or any other independent public authority responsible for monitoring the application of Data Protection Laws.
  • "UK GDPR" means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

1.2 Interpretation

In this DPA, unless the context otherwise requires: (a) references to clauses and schedules are to the clauses and schedules of this DPA; (b) headings are for convenience only and shall not affect interpretation; (c) words in the singular include the plural and vice versa; (d) a reference to a statute or statutory provision includes any subordinate legislation made under it and any modifications or re-enactments; and (e) terms defined in the UK GDPR shall have the same meaning in this DPA.

2. Scope, Roles and Responsibilities

2.1 Scope

This DPA applies to all Processing of Customer Data by Lokaly in connection with the provision of the Services under the Principal Agreement.

2.2 Roles of the Parties

The parties acknowledge and agree that:

  • the Merchant is the Controller in respect of Customer Data;
  • Lokaly is the Processor, Processing Customer Data on behalf of the Merchant; and
  • Lokaly is an independent Controller in respect of data it collects for its own purposes (e.g., account management, billing, platform operation, and compliance).

2.3 Controller Responsibilities

The Merchant, as Controller, shall:

  • ensure it has a lawful basis for Processing Customer Data and for instructing Lokaly to Process such data;
  • provide appropriate privacy notices to Data Subjects informing them of the Processing;
  • obtain any necessary consents for Processing, where consent is relied upon as the lawful basis;
  • ensure that its instructions to Lokaly comply with Data Protection Laws;
  • respond to Data Subject requests in accordance with Data Protection Laws; and
  • comply with all applicable Data Protection Laws in connection with the Processing of Customer Data.

3. Details of Processing

The details of Processing under this DPA are as follows:

3.1 Subject Matter and Duration

The subject matter of Processing is the provision of the Lokaly digital loyalty platform services. Processing shall continue for the duration of the Principal Agreement, plus any period required for the deletion or return of Customer Data as set out in this DPA.

3.2 Nature and Purpose of Processing

Lokaly will Process Customer Data for the following purposes:

  • Enabling Customers to register for and participate in the Merchant's loyalty programme
  • Recording and managing loyalty stamps, points and rewards
  • Processing Customer check-ins and reward redemptions
  • Providing analytics and reporting to the Merchant
  • Sending communications on behalf of the Merchant (where instructed)
  • Providing customer support
  • Maintaining platform security and preventing fraud

3.3 Types of Personal Data

The following categories of Personal Data may be Processed:

  • Identity data: name, username, date of birth
  • Contact data: email address, telephone number
  • Loyalty activity data: stamps collected, rewards earned, redemption history, visit timestamps
  • Technical data: device identifiers, IP addresses, app usage data
  • Location data: check-in locations (where applicable)
  • Communication data: messages, feedback, support enquiries

3.4 Categories of Data Subjects

The Data Subjects are the Merchant's customers who participate in the Merchant's loyalty programme through the Lokaly platform.

4. Processor Obligations

Lokaly shall, in relation to Customer Data:

4.1 Processing Instructions

  • Process Customer Data only on the documented instructions of the Merchant, unless Processing is required by applicable law to which Lokaly is subject. In such a case, Lokaly shall inform the Merchant of that legal requirement before Processing, unless that law prohibits such disclosure on important grounds of public interest.
  • The Merchant's instructions are set out in this DPA and the Principal Agreement. Additional instructions may be given in writing, including by email.
  • Immediately inform the Merchant if, in Lokaly's reasonable opinion, an instruction infringes Data Protection Laws.

4.2 Confidentiality

  • Ensure that all personnel authorised to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Ensure that access to Customer Data is limited to those personnel who require access to perform the Services.

4.3 Security Measures

Implement and maintain appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as required by Article 32 of the UK GDPR.

Such measures shall include, as appropriate:

  • the pseudonymisation and encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

The specific security measures implemented by Lokaly are described in Schedule 2 (Technical and Organisational Measures).

4.4 Sub-processors

  • Not engage another Processor (Sub-processor) without prior specific or general written authorisation of the Merchant.
  • The Merchant hereby provides general authorisation for Lokaly to engage Sub-processors, subject to the conditions in Clause 5.

4.5 Data Subject Rights

  • Taking into account the nature of the Processing, assist the Merchant by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Merchant's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR.
  • Promptly notify the Merchant if Lokaly receives a request from a Data Subject in respect of Customer Data, unless prohibited by law.
  • Not respond directly to Data Subject requests unless authorised by the Merchant or required by law.

4.6 Compliance Assistance

Taking into account the nature of Processing and the information available, assist the Merchant in ensuring compliance with:

  • the obligation to implement appropriate security measures (Article 32 UK GDPR);
  • the obligation to notify Personal Data Breaches to the Supervisory Authority (Article 33 UK GDPR);
  • the obligation to communicate Personal Data Breaches to Data Subjects (Article 34 UK GDPR);
  • the obligation to carry out data protection impact assessments (Article 35 UK GDPR); and
  • the obligation to consult with the Supervisory Authority prior to Processing where a data protection impact assessment indicates high risk (Article 36 UK GDPR).

4.7 Audit and Inspection

  • Make available to the Merchant all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR.
  • Allow for and contribute to audits, including inspections, conducted by the Merchant or another auditor mandated by the Merchant, subject to reasonable notice (not less than 30 days, except in the case of a Personal Data Breach or regulatory investigation) and subject to appropriate confidentiality undertakings.
  • The Merchant may satisfy its audit rights by reviewing Lokaly's third-party audit reports (e.g., SOC 2, ISO 27001), certifications, and security documentation upon request.

4.8 Data Deletion and Return

  • Upon termination or expiry of the Principal Agreement, at the Merchant's choice, delete or return all Customer Data to the Merchant, and delete existing copies unless applicable law requires storage of the Personal Data.
  • The Merchant may request export of Customer Data in a commonly used, machine-readable format for a period of 30 days following termination.
  • Lokaly shall complete deletion within 90 days of the termination date, except where retention is required by law.

5. Sub-processors

5.1 Authorised Sub-processors

The Merchant authorises Lokaly to engage the Sub-processors listed in Schedule 3 (List of Sub-processors). Lokaly shall maintain an up-to-date list of Sub-processors at lokaly.co.uk/subprocessors.

5.2 Sub-processor Changes

  • Lokaly shall notify the Merchant at least 30 days in advance of any intended changes to Sub-processors, including additions or replacements.
  • Notification shall be by email to the Merchant's registered email address and/or by updating the Sub-processors page.
  • The Merchant may subscribe to receive email notifications of Sub-processor changes.

5.3 Merchant's Right to Object

  • The Merchant may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Lokaly in writing within 14 days of receipt of notice.
  • If the Merchant objects, the parties shall discuss the concerns in good faith with a view to achieving a commercially reasonable resolution.
  • If no resolution can be reached, Lokaly shall, at its discretion, either not appoint the new Sub-processor for Processing affecting the Merchant's Customer Data, or the Merchant may terminate the affected Services without penalty.

5.4 Sub-processor Contracts

  • Lokaly shall ensure that each Sub-processor is bound by a written contract imposing data protection obligations no less protective than those set out in this DPA.
  • Lokaly shall remain fully liable to the Merchant for the performance of each Sub-processor's obligations.

6. Personal Data Breaches

6.1 Notification

Lokaly shall notify the Merchant without undue delay upon becoming aware of a Personal Data Breach affecting Customer Data.

Notification shall be made to the Merchant's designated contact and shall include, to the extent known:

  • a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
  • the name and contact details of the point of contact;
  • the likely consequences of the Personal Data Breach; and
  • the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.

6.2 Assistance

  • Lokaly shall co-operate with the Merchant and provide reasonable assistance in relation to the Merchant's obligations under Articles 33 and 34 of the UK GDPR.
  • Lokaly shall take reasonable steps to contain and mitigate the effects of the Personal Data Breach.

6.3 Records

Lokaly shall maintain records of all Personal Data Breaches, including the facts, effects and remedial action taken.

7. International Data Transfers

7.1 Data Location

Customer Data shall be stored and Processed within the United Kingdom and/or the European Economic Area, unless otherwise agreed in writing or required by the Services.

7.2 Restricted Transfers

Lokaly shall not make a Restricted Transfer of Customer Data unless appropriate safeguards are in place.

Appropriate safeguards may include:

  • transfer to a country covered by an adequacy decision;
  • the UK International Data Transfer Addendum (IDTA);
  • the Standard Contractual Clauses with the UK Addendum; or
  • other appropriate safeguards under Article 46 of the UK GDPR.

7.3 Transfer Impact Assessments

Where required, Lokaly shall conduct and document a transfer impact assessment and implement any additional safeguards necessary to ensure an adequate level of protection for Customer Data.

8. Liability

8.1 Liability Cap

The liability of each party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

8.2 Indemnification

Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including legal fees) arising out of or in connection with any breach of this DPA or Data Protection Laws by that party.

8.3 Apportionment

Where both parties are responsible for damage caused by Processing that infringes Data Protection Laws, each party shall be liable for its share of the damage in accordance with Article 82 of the UK GDPR.

9. General Provisions

9.1 Conflict

In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail to the extent of such conflict in relation to the Processing of Customer Data.

9.2 Amendment

Lokaly may amend this DPA from time to time to reflect changes in Data Protection Laws or Processing activities. Material changes shall be notified to the Merchant at least 30 days in advance.

9.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

9.4 Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

9.5 Term

This DPA shall remain in effect for the duration of Lokaly's Processing of Customer Data on behalf of the Merchant.

Schedule 1: Processing Details

Subject Matter: Provision of Lokaly digital loyalty platform services
Duration: For the term of the Principal Agreement plus data retention/deletion period
Nature of Processing: Collection, storage, organisation, retrieval, use, disclosure, erasure of Customer Data
Purpose of Processing: Operating loyalty programmes, recording stamps/rewards, analytics, communications, customer support
Types of Personal Data: Identity data, contact data, loyalty activity data, technical data, location data, communication data
Categories of Data Subjects: Customers participating in Merchant's loyalty programme

Schedule 2: Technical and Organisational Measures

Lokaly implements the following technical and organisational measures to protect Customer Data:

1. Access Control

  • Role-based access control with principle of least privilege
  • Multi-factor authentication for administrative access
  • Unique user credentials; no shared accounts
  • Regular access reviews and prompt revocation upon role changes

2. Encryption

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256 or equivalent
  • Secure key management practices

3. Infrastructure Security

  • Hosting in ISO 27001 certified data centres
  • Network segmentation and firewalls
  • Intrusion detection and prevention systems
  • DDoS protection

4. Application Security

  • Secure software development lifecycle
  • Regular vulnerability scanning and penetration testing
  • Patch management procedures
  • Input validation and output encoding

5. Data Protection

  • Password hashing using industry-standard algorithms
  • Data minimisation practices
  • Secure data deletion procedures
  • Automated backup with tested restoration procedures

6. Organisational Measures

  • Information security policies and procedures
  • Staff data protection and security training
  • Confidentiality agreements for all personnel
  • Incident response plan and procedures
  • Business continuity and disaster recovery planning

7. Monitoring and Logging

  • Security event logging and monitoring
  • Audit trails for access and changes to Personal Data
  • Log retention and review procedures

Schedule 3: Approved Sub-processors

The following Sub-processors are authorised to Process Customer Data. An up-to-date list is maintained at lokaly.co.uk/subprocessors.

Sub-processor | Purpose | Location | Safeguards
[Cloud Provider] | Cloud hosting and infrastructure | UK/EEA | Adequacy / IDTA
[Payment Provider] | Payment processing | UK/EEA | Adequacy / IDTA
[Email Provider] | Transactional emails | [Location] | [Safeguard]
[Analytics Provider] | Platform analytics | [Location] | [Safeguard]
Copyright © Lokaly - Loyalty App for Local Businesses.