Keruja Data Processing Addendum
Last updated: 23/03/2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and Wemoveon Ltd ("Keruja", "we", "us", or "our") and applies to the processing of personal data by Keruja on behalf of Customer.
1. Parties and Roles
1.1 Processor Details
- Company: Wemoveon Ltd (trading as Keruja)
- Address: 61 Bridge Street, Kington, United Kingdom, HR5 3DJ
- Company number: 10061558
- DPA contact: privacy@keruja.com
1.2 Definitions and Roles
- "Customer" or "Controller": The organisation or individual who subscribes to Keruja and determines the purposes and means of processing Customer Data. This includes tenant administrators and authorised users.
- "Keruja" or "Processor": Wemoveon Ltd, which processes Customer Data on behalf of and under the instructions of the Customer to provide the Keruja service.
- "Sub-processor": A third party engaged by Keruja to process Customer Data in connection with providing the Service.
- "Customer Data": Personal data that Customer uploads, submits, or otherwise provides to the Service, including data relating to staff, clients, applicants, and other data subjects.
For the purposes of UK GDPR and EU GDPR, Customer acts as the Controller of Customer Data, and Keruja acts as the Processor.
1.3 Keruja as Independent Controller
Keruja may also act as an independent data controller for limited purposes that are not performed on behalf of the Customer, including:
- account administration and customer relationship management;
- billing, payments, and subscription management;
- security administration, fraud prevention, and service protection;
- legal, regulatory, and audit compliance;
- internal analytics that are not specific to any individual customer (e.g., aggregate usage trends).
For such processing, Keruja determines the purposes and means independently and is subject to its own obligations as a controller under applicable data protection law.
2. Scope of Processing
2.1 This DPA applies to all Customer Data processed by Keruja in connection with providing the Service under the Terms of Service.
2.2 The Service includes all portals and functionality provided by Keruja:
- Tenant Dashboard: Where Customer administrators manage their organisation, staff, clients, events, and settings.
- Staff Portal: Where Customer's workforce accesses schedules, submits timesheets, and manages their profiles.
- Client Portal: Where Customer's clients view events, approve staffing, and access reports.
- API Services: Programmatic access to Service functionality.
- Integrations: Optional connections to third-party services (e.g., accounting software) enabled by Customer.
2.3 Keruja does not determine the purposes or means of processing Customer Data except as necessary to provide the Service. Customer retains full control over what data is uploaded and how it is used within the Service.
3. Details of Processing
In accordance with Article 28(3) of UK GDPR, the following details apply to the processing of Customer Data:
| Subject matter | Provision of the Keruja workforce management SaaS platform, including hosting, data storage, application functionality, and optional third-party integrations. |
| Duration | The term of Customer's subscription under the Terms of Service, plus any applicable data retention period thereafter (see Section 11). |
| Nature and purpose |
|
| Categories of data subjects |
|
| Types of personal data |
|
| Special categories of data | Not required by default. The Service does not require Customer to input special category data (e.g., health data, religious beliefs, biometric data). If Customer chooses to input such data, Customer is responsible for ensuring a lawful basis exists, and Keruja will treat such data with enhanced safeguards in accordance with applicable law. |
| Criminal conviction data | Not required by default. The Service does not require processing of criminal conviction data. If Customer chooses to store such data (e.g., DBS check references), Customer is responsible for compliance with applicable legal requirements. |
4. Customer Responsibilities
4.1 As the data controller, the Customer is responsible for:
- determining and documenting a lawful basis for processing personal data through the Service;
- complying with all applicable data protection laws, including UK GDPR and EU GDPR;
- complying with all applicable employment, tax, immigration, and regulatory obligations;
- ensuring the accuracy, legality, and completeness of all data entered into the Service;
- reviewing and verifying compliance documents, identity documents, and other evidence submitted by data subjects through the Service, and determining whether those documents satisfy the Customer's requirements;
- providing appropriate notices to data subjects regarding the processing of their personal data, including through the Service;
- responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) with Keruja's assistance where necessary;
- configuring retention settings, compliance rules, access controls, and workflow settings appropriately within the Service.
4.2 Keruja does not:
- verify the accuracy, legality, or authenticity of data provided by the Customer or its users;
- determine the purposes or means of processing Customer Data beyond what is necessary to provide the Service;
- act as an employer, employment agency, recruiter, payroll provider, or compliance authority;
- provide legal, tax, financial, or compliance advice.
5. AI and Automated Processing
5.1 The Service may include AI-assisted or rules-based features, such as staff matching suggestions, operational insights, and informational assistance.
5.2 All AI-generated outputs are advisory only and are provided for informational and decision-support purposes. They do not constitute automated decision-making within the meaning of Article 22 of UK GDPR or EU GDPR.
5.3 No decisions with legal or similarly significant effects on data subjects are made solely by automated means through the Service. All outputs require human review and approval by the Customer or its authorised users before any action is taken.
5.4 The Customer remains solely responsible for all decisions made using the Service, including staffing decisions, workforce allocation, compliance decisions, and payroll decisions, regardless of whether AI-assisted features were used in reaching those decisions.
5.5 Where AI features process Customer Data, such processing is performed as part of the Service and subject to the same data protection obligations set out in this DPA.
6. Processor Obligations
6.1 Processing Instructions
Keruja shall process Customer Data only in accordance with Customer's documented instructions, which are deemed to include: (a) the Terms of Service; (b) this DPA; (c) Customer's use of Service features and settings; and (d) any additional written instructions agreed between the parties. Keruja shall inform Customer if, in its opinion, an instruction infringes applicable data protection law.
6.2 Confidentiality
Keruja shall ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This includes employees, contractors, and authorised Sub-processors.
6.3 Technical and Organisational Measures
Keruja implements and maintains appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.
- Access controls: Role-based access control (RBAC) ensures users only access data appropriate to their role. Each tenant's data is logically separated.
- Least privilege: Administrative access to systems is limited to authorised personnel on a need-to-know basis.
- Audit logging: User actions and system events are logged for security monitoring and incident investigation.
- Backups: Regular automated backups are performed to enable data recovery in case of system failure.
- Vulnerability management: Regular security assessments, dependency updates, and patching of known vulnerabilities.
- Incident response: Documented procedures for detecting, responding to, and recovering from security incidents.
- Tenant data separation: Customer Data is logically isolated per tenant with enforced access boundaries.
Keruja reviews and updates its security measures on an ongoing basis. Upon request, Keruja can provide further details of its current security practices.
7. Sub-processors
7.1 Authorisation
Customer provides general authorisation for Keruja to engage Sub-processors to assist in providing the Service. Keruja shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
7.2 Current Sub-processors
Keruja uses Sub-processors in the following categories to provide the Service:
- Cloud hosting and compute: Infrastructure providers for application hosting, API services, and content delivery.
- Database hosting: Managed PostgreSQL database services for primary data storage.
- File and object storage: S3-compatible storage services for documents, evidence files, and uploads.
- Cache and queue infrastructure: In-memory data stores for session management and background job processing.
- Email delivery: Transactional email services for notifications, reminders, and communications.
- Payment and billing: Payment processing services for subscription billing (card details are not stored by Keruja).
- Error monitoring: Application monitoring and error tracking services (with PII redaction).
- File scanning: Malware scanning services for uploaded files.
- AI providers: AI model providers used for advisory dashboard features only (no Customer Data is sent without appropriate safeguards).
- Calendar providers: Calendar connectivity services where enabled by the Customer.
A current list of specific Sub-processors is available upon request by contacting privacy@keruja.com.
7.3 Changes to Sub-processors
Keruja shall notify Customer of any intended changes to Sub-processors (additions or replacements) by updating the Sub-processor list and providing reasonable notice. Customer may object to such changes within 14 days of notification on reasonable grounds related to data protection. If Keruja cannot reasonably accommodate the objection, Customer may terminate the affected Service component.
7.4 Sub-processor Liability
Keruja remains liable to Customer for the performance of its Sub-processors' obligations under this DPA.
8. International Transfers
8.1 Customer Data may be transferred to and processed in countries outside the United Kingdom and European Economic Area (EEA) where Sub-processors are located.
8.2 For any such transfers, Keruja shall ensure appropriate safeguards are in place, including:
- The UK International Data Transfer Agreement (UK IDTA) for transfers from the UK;
- The EU Standard Contractual Clauses (SCCs) for transfers from the EEA;
- Adequacy decisions by the UK or EU Commission where applicable;
- Other lawful transfer mechanisms as permitted under applicable data protection law.
8.3 Upon request, Keruja shall provide information about the transfer mechanisms in place for specific Sub-processors.
9. Security Measures & Incident Management
9.1 Technical and Organisational Measures
Keruja shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:
- Role-based access control (RBAC) to restrict access to authorised users;
- Organisation-level data isolation to prevent cross-tenant access;
- Encryption of data in transit (HTTPS/TLS) and at rest where applicable;
- Audit logging of user actions and system activity;
- Secure file storage with controlled access mechanisms (including signed URLs where applicable);
- Data integrity controls such as validation and hashing;
- Rate limiting and input validation to protect against unauthorised access;
- System monitoring to detect anomalies and failures;
- Regular updates and patching of systems and dependencies.
These measures reflect Keruja's architecture as a multi-tenant SaaS platform. No system can guarantee absolute security, and Keruja does not warrant that its measures will prevent all unauthorised access, human error, or third-party failures. Keruja does not warrant that the Service will be free from security incidents or breaches.
9.2 Personal Data Breach Notification
In the event of a personal data breach affecting Customer Data, Keruja shall:
- notify the Customer without undue delay after becoming aware of the breach;
- provide available information including:
  - the nature of the breach;
  - the categories of data affected;
  - the likely consequences;
  - mitigation actions taken or proposed.
Information may be provided in phases as it becomes available.
9.3 Customer Responsibility for Reporting
The Customer acknowledges that:
- the Customer is responsible for determining whether a breach must be reported to supervisory authorities or affected individuals;
- the Customer is responsible for fulfilling any such legal obligations.
9.4 Cooperation
Keruja shall provide reasonable assistance to the Customer in investigating the breach and preparing any required notifications, taking into account the nature of the processing and information available.
9.5 Liability
Liability related to personal data breaches is subject to the limitations set out in the Terms of Service.
10. Assistance to Customer
10.1 Data Subject Requests
Keruja shall assist Customer in responding to requests from data subjects exercising their rights under applicable data protection law (e.g., access, rectification, erasure, portability, restriction, objection). This includes providing appropriate technical measures and functionality within the Service to enable Customer to respond to such requests.
10.2 Compliance Assistance
Taking into account the nature of processing and information available to Keruja, Keruja shall assist Customer in ensuring compliance with:
- Security obligations;
- Personal Data Breach notification requirements;
- Data Protection Impact Assessments (DPIAs) where reasonably required;
- Prior consultation with supervisory authorities where required.
Keruja may charge a reasonable fee for assistance that is excessive, unfounded, or beyond the scope of normal support.
11. Deletion and Return of Data
11.1 Upon termination or expiry of the Terms of Service, Customer may request export of Customer Data in a commonly used, machine-readable format within 30 days of termination.
11.2 Following the export period (or upon Customer's earlier request), Keruja shall delete Customer Data from active systems within 90 days, except where:
- Retention is required by applicable law;
- Retention is necessary for the establishment, exercise, or defence of legal claims;
- Data is retained in anonymised form that no longer constitutes personal data.
11.3 Backup copies containing Customer Data will be deleted in accordance with Keruja's standard backup retention cycle, typically within 90 days of the primary deletion.
11.4 Upon request, Keruja shall provide written confirmation that Customer Data has been deleted.
12. Audit Rights
12.1 Keruja shall make available to Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
12.2 Customer's audit rights may be satisfied through:
- Completion of security questionnaires provided by Customer (once per year or upon material change);
- Review of Keruja's security documentation, policies, and procedures;
- Review of third-party audit reports, certifications, or attestations where available;
- Review of penetration test summaries where available.
12.3 On-site audits shall only be conducted where:
- The information provided above is insufficient to demonstrate compliance;
- A Personal Data Breach has occurred affecting Customer Data;
- Required by a supervisory authority.
12.4 Any on-site audit shall be subject to:
- At least 30 days' prior written notice;
- Reasonable scope and duration;
- Confidentiality obligations protecting Keruja's proprietary information and other customers' data;
- Customer bearing its own costs (Keruja may charge reasonable fees for time spent).
13. Liability and Precedence
13.1 This DPA forms part of and is incorporated into the Terms of Service.
13.2 In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail. In all other respects, the Terms of Service shall prevail.
13.3 The limitations of liability set out in the Terms of Service apply to this DPA. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.
13.4 Each party shall be liable for any fines, penalties, or claims arising from its own breach of applicable data protection law or this DPA.
14. Changes to This DPA
14.1 Keruja may update this DPA from time to time to reflect changes in legal requirements, our Sub-processors, or our practices. When we make material changes:
- We will update the "Last updated" date at the top of this DPA;
- We will notify Customer through the Service or by email where appropriate;
- Continued use of the Service after changes become effective constitutes acceptance of the updated DPA.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales, subject to the mandatory data protection laws applicable to Customer.
Related Documents
- Privacy Policy — How Keruja collects, uses, and protects personal data.
- Terms of Service — The agreement governing use of the Keruja platform.

