Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zindex Ltd, a company registered in England and Wales (company number: 09390031) trading as Unibound.ai ("Processor" or "Unibound.ai") and the entity using Unibound.ai's services ("Controller" or "Customer"). This DPA supplements the Terms of Service and governs the processing of personal data in compliance with UK GDPR and other applicable data protection laws. In the event of a conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail.

1. Definitions

1.1 "Personal Data" means any information relating to an identified or identifiable natural person as defined under UK GDPR.

1.2 "Processing" means any operation performed on Personal Data, including collection, storage, and transfer.

1.3 "Controller" means the entity that determines the purposes and means of Processing Personal Data.

1.4 "Processor" means Unibound.ai, which processes Personal Data on behalf of the Controller.

1.5 "Sub-processor" means any third party engaged by Unibound.ai to process Personal Data.

1.6 "UK GDPR" refers to the retained EU law version of the General Data Protection Regulation (Regulation (EU) 2016/679) as applicable in the UK.

1.7 "EEA" means the European Economic Area.

1.8 "Data Transfer" means any transfer of Personal Data outside of the UK or EEA.

1.9 "Contracted Processor" means a Sub-processor engaged by the Processor.

2. Roles and Responsibilities

2.1 Controller Responsibilities: The Controller is responsible for ensuring that Personal Data provided to Unibound.ai complies with applicable laws and that data subjects have been informed and, where required, have given consent for processing.

2.2 Processor Responsibilities: Unibound.ai shall:

• Process Personal Data only as instructed by the Controller.
• Implement appropriate security measures to protect Personal Data.
• Ensure that personnel authorised to process Personal Data are subject to confidentiality obligations.
• Provide assistance to the Controller in fulfilling its obligations regarding data subject rights and regulatory compliance.

3. Scope of Data Processing

3.1 Nature and Purpose: Unibound.ai processes Personal Data for the sole purpose of providing AI-driven automation services.

3.2 Types of Data Processed: Unibound.ai processes any data provided by the Controller or through integrations with third-party CRM and ATS systems. This may include:

• Names, email addresses, job titles.
• Contact details and business-related information.
• AI-driven insights and analytics data.

3.3 Processing Instructions: Unibound.ai shall only process Personal Data based on the documented instructions provided by the Controller, unless otherwise required by law.

3.4 Internal Processing Purposes: Unibound.ai may process Personal Data for internal security, compliance, and performance monitoring purposes.

3.5 Data Storage: Unibound.ai does not store Personal Data but transmits it to Relevance AI, which holds the data on behalf of the Controller.

4. Sub-processors

4.1 Approved Sub-processors: The Controller authorises Unibound.ai to engage the following sub-processors:

• Relevance AI (EU) – AI data processing and storage.
• Memberstack (US) – Storage of user registration data.
• Webflow (US) – Website hosting and user interface storage.

4.2 Sub-processor Notification & Objections: Unibound.ai shall notify the Controller in writing of any intended changes concerning sub-processors, giving the Controller the opportunity to object.

5. Data Transfers Outside the UK/EU

5.1 Standard Contractual Clauses (SCCs): Unibound.ai ensures that Personal Data transferred outside the UK/EU is protected under appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the UK and EU authorities.
• Sub-processor commitments to maintain GDPR compliance.

6. Security Measures

6.1 Unibound.ai shall implement technical and organizational measures to ensure the security of Personal Data, including:

• SSL encryption for all data transmitted through its platform.
• Access controls to restrict data processing to authorised personnel.
• Regular security audits to assess potential risks.

7. Data Subject Rights & DPIA Assistance

7.1 The Processor shall assist the Controller in responding to data subject requests related to:

• Access, correction, or deletion of Personal Data.
• Restriction or objection to processing.
• Data portability requests.

7.2 The Processor shall assist the Controller with Data Protection Impact Assessments (DPIAs) as required under Articles 35 & 36 of UK GDPR.7.3 Requests must be submitted to james@unibound.ai for processing.

8. Data Breach Notification

8.1 In the event of a data breach, Unibound.ai shall notify the Controller without undue delay and no later than 24 hours, providing details of:

• The nature of the breach.
• Categories of affected data subjects.
• Measures taken to mitigate the breach.

8.2 The Controller is responsible for notifying affected individuals and regulators as required by law.

9. Retention and Deletion

9.1 Unibound.ai retains Personal Data only for the duration necessary to fulfill its processing obligations.

9.2 Upon termination of services, Unibound.ai shall delete or return Personal Data at the Controller’s request unless retention is required by law.

10. Audit Rights

10.1 The Controller shall have the right to request audits or receive compliance documentation to verify Unibound.ai’s compliance with this DPA.

10.2 Audits shall be limited to one per year unless a security breach has occurred.

11. Governing Law and Dispute Resolution

11.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.

11.2 Any disputes arising under this DPA shall be subject to binding arbitration in London, UK.

‍

IN WITNESS WHEREOF, the parties have caused this Data Processing Agreement to be executed by their duly authorised representatives as of the Effective Date.

‍