Data Processing Addendum (DPA)
Last Updated: 28 October 2025
Introduction
This Data Processing Addendum (“DPA” or “Addendum”) forms part of the Terms of Use and any related documentation (“Agreement”) between you, the Customer, and Board Secure Limited trading as Governance360 (“Governance360”, “we”, “us”, “our”).
This DPA governs the processing of personal data by Governance360 on behalf of the Customer when the Customer uses:
- The Governance360 platform subscription service
- Any related services where Governance360 processes personal data as a processor on the Customer’s behalf
This DPA applies only where:
- The Customer is a data controller under Applicable Data Protection Law (as defined below), and
- Governance360 processes personal data on the Customer’s behalf as a data processor
If you entered into earlier data processing terms with Governance360, this DPA replaces those terms.
Plain English Note: This is a legal addendum (an add-on document) to your main contract with us. It’s specifically about the data you put into our platform about your board members and other governance information. This document sets out what we can and can’t do with that data, and what obligations we both have under UK data protection law. If you’re using our platform to store information about your board, this document is really important.
1. Definitions
In this DPA, the following terms have the following meanings:
| Term | Definition |
|---|---|
| Applicable Data Protection Law | The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any UK laws made under or pursuant to them, as amended or replaced from time to time |
| Controller | Has the meaning given in Applicable Data Protection Law (the party that determines the purposes and means of processing personal data) |
| Customer | The organisation that has entered into the Agreement with Governance360 |
| Customer Data | All personal data that the Customer submits, stores, sends, or receives via the Services |
| Data Subject | Has the meaning given in Applicable Data Protection Law (an identified or identifiable living individual) |
| Personal Data | Has the meaning given in Applicable Data Protection Law (any information relating to an identified or identifiable living individual) |
| Processing (and Process) | Has the meaning given in Applicable Data Protection Law (any operation performed on personal data, including collection, storage, use, disclosure, and deletion) |
| Processor | Has the meaning given in Applicable Data Protection Law (a party that processes personal data on behalf of a controller) |
| Services | The Governance360 platform subscription service and any related services provided under the Agreement |
| Special Category Data | Has the meaning given in Applicable Data Protection Law (sensitive personal data including health data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning sex life or sexual orientation) |
| Sub-Processor | Any third-party processor engaged by Governance360 to process Customer Data |
| Supervisory Authority | The Information Commissioner’s Office (ICO) or any successor regulatory body responsible for data protection in the UK |
All capitalised terms not defined in this DPA have the meaning set out in the Agreement.
Plain English Note: These are the key legal terms we’ll use throughout this document. The most important distinction to understand is between “Controller” (that’s you – you decide what data to collect and why) and “Processor” (that’s us – we just store and process the data according to your instructions). The “Customer Data” is the information you put into our platform about your board members.
2. Scope and Roles
2.1 Application of this DPA
This DPA applies to the processing of Customer Data by Governance360 in the course of providing the Services under the Agreement.
2.2 Data Controller and Data Processor
The parties acknowledge and agree that:
(a) The Customer is the data controller with respect to Customer Data. The Customer determines:
- What personal data to collect from data subjects (e.g., board members)
- Why that personal data is collected and processed
- How long to retain the personal data
- When to delete or modify the personal data
(b) Governance360 is the data processor with respect to Customer Data. Governance360 processes Customer Data only:
- On the Customer’s documented instructions
- For the purposes set out in this DPA and the Agreement
- In accordance with Applicable Data Protection Law
(c) Each party will comply with the obligations applicable to it under Applicable Data Protection Law.
2.3 Customer’s Role as Data Controller
As data controller, the Customer is responsible for:
- Ensuring it has a lawful basis under UK GDPR for processing the personal data
- Providing appropriate privacy information to data subjects (e.g., board members)
- Obtaining any necessary consents from data subjects
- Ensuring the accuracy of Customer Data
- Responding to data subject rights requests from board members and others
- Determining retention periods for Customer Data
- Only providing data to Governance360 that it is lawfully entitled to process
Plain English Note: This section confirms who’s responsible for what. You (the Customer) are in charge of the data about your board members – you decide what to collect, why to collect it, and how long to keep it. We (Governance360) just provide the technology platform and store the data securely for you. We only do what you tell us to do with your data. This means the legal responsibility for data protection compliance with your board members sits with you, not us – though we have our own obligations to you, which this document sets out.
3. Customer Instructions and Processing
3.1 Processing Instructions
Governance360 will process Customer Data only:
(a) On the Customer’s documented instructions, which include:
- Instructions set out in this DPA
- Instructions set out in the Agreement
- Instructions given through the use of the Services (e.g., when the Customer adds, modifies, or deletes data via the platform)
- Any other written instructions agreed between the parties
(b) For the following purposes (the “Permitted Purposes”):
- Providing the Services as described in the Agreement
- Maintaining and supporting the Services
- Improving the Services (using aggregated, anonymised data only)
- Complying with Governance360’s legal obligations
- Protecting against fraud, abuse, or security incidents
3.2 Instruction Compliance
(a) If Governance360 believes that any instruction from the Customer infringes Applicable Data Protection Law, Governance360 will inform the Customer without undue delay.
(b) Governance360 is not responsible for compliance with data protection laws applicable to the Customer’s industry or use case that are not generally applicable to Governance360.
3.3 Prohibited Data
The Customer must not (and must not permit data subjects to) submit or upload to the Services:
(a) Special Category Data – Unless explicitly agreed in writing by Governance360 and appropriate safeguards are implemented. This includes:
- Health data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for identification purposes
- Data concerning sex life or sexual orientation
(b) Criminal Conviction Data – Data relating to criminal convictions and offences
(c) Children’s Data – Personal data of anyone under the age of 18
(d) Unlawfully Obtained Data – Any personal data that the Customer is not lawfully entitled to process
If Governance360 becomes aware that such prohibited data has been uploaded, it may (at its discretion):
- Suspend access to the affected data
- Require the Customer to delete the data immediately
- Delete the data itself if the Customer fails to do so promptly
Plain English Note: We’ll only process your data in the ways you tell us to and for the purposes needed to provide our service. If you ask us to do something that we think breaks UK data protection law, we’ll let you know and won’t do it.
Importantly, you must not put certain types of sensitive data into our platform (like health information, political views, or information about children). Our platform isn’t designed for this type of data, and processing it would create significant legal obligations. If we find sensitive data on the platform, we may suspend access or delete it to protect everyone involved.
4. Governance360’s Obligations as Data Processor
4.1 Confidentiality
Governance360 will ensure that all personnel authorised to process Customer Data (“Authorised Personnel”):
(a) Are subject to binding confidentiality obligations (whether contractual or statutory)
(b) Are appropriately trained in data protection and security
(c) Process Customer Data only as necessary to provide the Services or as instructed by the Customer
4.2 Security Measures
Governance360 will implement and maintain appropriate technical and organisational measures to protect Customer Data, as set out in Appendix A (Security Measures) of this DPA.
These measures are designed to:
- Protect against accidental or unlawful destruction of Customer Data
- Prevent loss, alteration, unauthorised disclosure, or access to Customer Data
- Ensure an appropriate level of security for the risks presented by the processing
Governance360 will review and update these security measures regularly to ensure they remain appropriate and effective.
Detailed security information is available at: www.governance360.com/legal/security-measures
4.3 Security Incidents and Data Breaches
(a) If Governance360 becomes aware of a confirmed security incident affecting Customer Data (“Security Incident”), Governance360 will:
(i) Notify the Customer without undue delay (and in any event within 24 hours of confirmation)
(ii) Provide the Customer with sufficient information to enable the Customer to meet any reporting obligations under UK GDPR, including:
- Description of the nature of the Security Incident
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident and mitigate its effects
(iii) Take reasonable measures to remedy or mitigate the Security Incident
(iv) Provide ongoing updates to the Customer about the Security Incident investigation and remediation
(v) Cooperate with the Customer in any investigation or notification to the ICO or affected data subjects
(b) Governance360’s notification of a Security Incident will not be construed as an acknowledgement of fault or liability.
(c) The Customer remains responsible for:
- Determining whether to notify the ICO (within 72 hours of becoming aware)
- Determining whether to notify affected data subjects
- Making any required notifications
Plain English Note: We take several key steps to protect your data. First, our staff sign confidentiality agreements and are trained in data security. Second, we have comprehensive technical security measures in place (detailed in Appendix A and on our security page).
If something goes wrong – like a data breach – we’ll tell you quickly (within 24 hours) and give you all the information you need. However, it’s your responsibility to decide whether to report the breach to the ICO or tell affected board members, because you’re the data controller. We’ll help and support you, but the legal obligation to report sits with you.
5. Sub-Processors
5.1 Customer Authorisation
The Customer grants Governance360 general authorisation to engage third-party Sub-Processors to process Customer Data for the Permitted Purposes, subject to the conditions in this Section 5.
5.2 Sub-Processor List
(a) Governance360 maintains a current list of all Sub-Processors at: www.governance360.com/legal/sub-processors
(b) The Sub-Processor list identifies:
- The name of each Sub-Processor
- The services they provide
- Their location
- Links to their privacy and security information
5.3 Sub-Processor Obligations
When engaging any Sub-Processor, Governance360 will:
(a) Conduct appropriate due diligence on the Sub-Processor’s data protection and security practices
(b) Impose contractual obligations on the Sub-Processor that:
- Provide a level of protection for Customer Data that is at least equivalent to this DPA
- Require processing only on Governance360’s instructions (which are based on the Customer’s instructions)
- Include appropriate security measures
- Address confidentiality, data breach notification, and audit rights
(c) Remain fully liable to the Customer for any breach of this DPA caused by the Sub-Processor, as if such breach had been caused by Governance360
5.4 Changes to Sub-Processors
(a) Governance360 may add, replace, or remove Sub-Processors from time to time.
(b) Governance360 will provide the Customer with at least 30 days’ prior written notice before:
- Engaging a new Sub-Processor, or
- Replacing an existing Sub-Processor
(c) Notice will be provided by:
- Updating the Sub-Processor list on the website (with a “Last Updated” date)
- Sending email notification to the Customer’s registered account administrator
5.5 Customer Objection Rights
(a) If the Customer objects to Governance360’s appointment or replacement of a Sub-Processor, the Customer must notify Governance360 in writing within 14 days of receiving notice.
(b) The objection must be based on reasonable grounds relating to data protection.
(c) If the Customer raises a valid objection:
(i) Governance360 will use reasonable efforts to make available a change in the Services or recommend a commercially reasonable alternative that does not involve the use of the objected-to Sub-Processor
(ii) If Governance360 determines (in its reasonable discretion) that such alternative is not reasonably possible:
- The Customer may terminate the affected Services by providing written notice to Governance360
- Termination will take effect at the end of the then-current subscription term
- The Customer will not be entitled to any refund of pre-paid fees
- The Customer remains liable for any outstanding fees up to the termination date
(d) If the Customer does not object within the 14-day notice period, the Customer will be deemed to have accepted the new or replacement Sub-Processor.
5.6 Sub-Processor International Transfers
Where a Sub-Processor processes Customer Data outside the UK, Governance360 will ensure appropriate safeguards are in place as required by Applicable Data Protection Law (see Section 6).
Plain English Note: We use other companies (called “Sub-Processors”) to help us provide our service – for example, cloud hosting companies to store data securely. This section explains the rules around this.
We keep a list of all Sub-Processors on our website, and we make sure they all have proper contracts in place that protect your data to the same standards as we do. If we want to add a new Sub-Processor, we’ll tell you 30 days in advance.
If you have concerns about a new Sub-Processor (for data protection reasons), you have 14 days to tell us. We’ll try to find an alternative, but if we can’t, you have the right to end your subscription at the end of your current term. If you don’t object within 14 days, we’ll assume you’re okay with the new Sub-Processor and proceed.
6. International Data Transfers
6.1 Data Location
Governance360 stores and processes Customer Data primarily within the United Kingdom.
6.2 Transfers Outside the UK
Where Governance360 or any Sub-Processor transfers Customer Data outside the United Kingdom, Governance360 will ensure that appropriate safeguards are in place, including:
(a) UK Adequacy Regulations – Transfers to countries or territories that the UK Government has determined provide adequate protection for personal data
(b) UK International Data Transfer Agreement (UK IDTA) or UK Addendum to EU Standard Contractual Clauses – For transfers to countries without adequacy decisions
(c) Additional Security Measures – Where required by the ICO or Applicable Data Protection Law, including:
- Encryption of data in transit and at rest
- Pseudonymisation where appropriate
- Access controls and authentication measures
- Regular security assessments
6.3 Transfer Information
Upon written request from the Customer, Governance360 will provide:
- Information about which countries Customer Data may be transferred to
- Details of the safeguards in place for those transfers
- Copies of relevant transfer agreements (subject to redaction of confidential commercial information)
6.4 Suspension of International Transfers
If Applicable Data Protection Law prohibits the transfer of Customer Data to a particular country or to a particular Sub-Processor:
(a) Governance360 will suspend the relevant transfer, and
(b) Either:
- Find an alternative Sub-Processor or data storage location in a permitted country, or
- If no alternative is reasonably available, the provisions of Section 5.5(c) (Customer Objection Rights) will apply
Plain English Note: We try to keep all your data within the UK. However, some of our service providers (like cloud hosting companies) might store or process data in other countries.
When data goes abroad, UK law requires us to put special protections in place. We do this in two ways: either we send it to countries the UK government says are safe (like the EU), or we use special legal contracts approved by the ICO that require the same level of protection as UK law.
If you want to know exactly which countries your data might go to, just ask us and we’ll tell you. If data protection law changes and we can’t legally send data somewhere anymore, we’ll stop doing it and find an alternative.
7. Data Subject Rights
7.1 Customer’s Responsibility
As data controller, the Customer is responsible for responding to requests from data subjects (e.g., board members) who wish to exercise their rights under UK GDPR, including:
- Right of access (subject access requests)
- Right to rectification (correction of inaccurate data)
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
7.2 Governance360’s Assistance
(a) Governance360 will provide reasonable assistance to enable the Customer to respond to data subject rights requests, taking into account the nature of the processing.
(b) This assistance may include:
(i) Data Access and Export – Providing the Customer with tools to export Customer Data in a commonly used, machine-readable format (typically CSV)
(ii) Data Correction – Enabling the Customer to update or correct Customer Data through the platform interface
(iii) Data Deletion – Providing tools for the Customer to delete Customer Data, or deleting data at the Customer’s written instruction
(iv) Access Logs – Providing information about how Customer Data has been processed (where technically feasible)
(c) Governance360 will respond to Customer requests for assistance within 5 business days of receiving the request.
7.3 Direct Data Subject Requests
(a) If Governance360 receives a data subject rights request directly from one of the Customer’s data subjects (e.g., a board member):
(i) Governance360 will promptly forward the request to the Customer (within 2 business days)
(ii) Governance360 will not respond directly to the data subject without the Customer’s prior written authorisation
(iii) The Customer will be responsible for responding to the data subject within the timeframes required by UK GDPR (typically within one month)
(b) Governance360 may inform the data subject that they should direct their request to the Customer.
7.4 Fees for Assistance
Assistance provided under this Section 7 will be provided at no additional charge, except that:
(a) If the Customer’s requests are manifestly excessive or repetitive, Governance360 may charge a reasonable fee based on its administrative costs
(b) Governance360 will notify the Customer of any proposed fees before providing the assistance
Plain English Note: When your board members want to access, correct, or delete their personal data, that’s your responsibility to handle, not ours – because you’re the data controller. However, we’ll help you by providing the tools and information you need.
For example, if a board member asks for a copy of their data, we can export it for you in a usable format. If they want it deleted, you can delete it through the platform, or we can do it for you if you ask.
If a board member contacts us directly, we’ll forward their request to you and let them know they need to deal with you. We won’t respond to them without your permission. We’ll help you respond to these requests for free, unless you’re making excessive or unreasonable requests.
8. Data Protection Impact Assessments and Prior Consultation
8.1 DPIAs
If the Customer is required to conduct a Data Protection Impact Assessment (DPIA) under UK GDPR in relation to its use of the Services, Governance360 will provide reasonable cooperation and assistance, including:
(a) Providing information about Governance360’s data processing activities
(b) Providing information about security measures (as set out in Appendix A and on the security page)
(c) Providing information about Sub-Processors and international transfers
8.2 Prior Consultation
If a DPIA indicates that the Customer’s use of the Services would result in a high risk to data subjects’ rights and freedoms in the absence of mitigating measures, and the Customer is required to consult the ICO, Governance360 will provide reasonable assistance with that consultation.
8.3 High-Risk Processing
If Governance360 believes that the Customer’s instructions or use of the Services is likely to result in high-risk processing that would require a DPIA, Governance360 will inform the Customer.
Plain English Note: Sometimes under UK GDPR, you might need to do a “Data Protection Impact Assessment” (DPIA) – a formal evaluation of privacy risks. This is usually required when you’re doing something that might create high privacy risks for people.
If you need to do a DPIA about how you’re using our platform, we’ll help by giving you information about our security measures and how we process data. If the assessment shows high risks and you need to talk to the ICO about it, we’ll assist with that too.
9. Deletion or Return of Customer Data
9.1 Customer-Initiated Deletion
The Customer may delete Customer Data at any time through the Services interface. Deleted data will be:
(a) Immediately removed from production systems and made inaccessible
(b) Permanently deleted from all systems (including backups) within 30 days of deletion, unless a longer retention period is required by law
9.2 Upon Termination or Expiry
(a) Upon termination or expiry of the Agreement:
(i) Governance360 will make Customer Data available for export by the Customer for a period of 30 days following termination or expiry
(ii) After the 30-day period, Governance360 will delete all Customer Data in accordance with Section 9.1(b) above
(iii) The Customer acknowledges that once data is deleted, it cannot be recovered
(b) If the Customer requests return or deletion of Customer Data before the end of the 30-day period:
(i) For Return: Governance360 will provide the Customer Data in a commonly used, machine-readable format (typically CSV) within 5 business days of the request
(ii) For Immediate Deletion: Governance360 will delete the Customer Data in accordance with Section 9.1(b), starting from the date of the request
9.3 Legal Retention Requirements
Notwithstanding the above:
(a) Governance360 may retain Customer Data to the extent required by applicable UK law (e.g., for tax or accounting purposes – typically 6 years)
(b) Any retained data will:
- Be retained securely
- Be used only for the purposes required by law
- Be deleted as soon as the legal retention requirement expires
- Remain subject to confidentiality obligations
9.4 No Charges
No additional fees will be charged for deletion, return, or export of Customer Data under this Section 9.
Plain English Note: You can delete data from the platform at any time – either individual records or everything. When you do, it’s immediately removed from our active systems and permanently deleted within 30 days (including from backups).
When your subscription ends, we’ll keep your data available for 30 days so you can export it if you need it. After that, we’ll delete everything unless you’ve already done so. Once deleted, we can’t get it back – so make sure you’ve saved anything you need before deletion.
The only exception is if UK law requires us to keep certain data (like financial records for tax purposes). If so, we’ll keep only what’s legally required, store it securely, and delete it as soon as we’re legally allowed to.
10. Audit Rights
10.1 Customer Audit Rights
Subject to this Section 10, the Customer (or its appointed independent third-party auditor) may audit Governance360’s compliance with this DPA.
10.2 Audit Process
(a) The Customer must provide Governance360 with at least 30 days’ prior written notice of any audit
(b) Audits may be conducted no more than once per year, unless:
- Required by a Supervisory Authority, or
- Governance360 has experienced a significant Security Incident affecting Customer Data
(c) Audits must be conducted during normal UK business hours
(d) Audits must not unreasonably interfere with Governance360’s business operations
(e) The Customer and its auditor must sign Governance360’s standard confidentiality agreement before the audit commences
10.3 Information and Documentation
As an alternative to an audit, or to satisfy the Customer’s audit requirements, Governance360 may provide:
(a) Copies of relevant third-party audit reports, certifications, or attestations (e.g., ISO 27001, SOC 2) – subject to confidentiality restrictions
(b) Completed security questionnaires
(c) Information about security measures, controls, and Sub-Processors
(d) Other evidence of compliance with this DPA
10.4 Audit Costs
(a) The Customer is responsible for all costs associated with any audit, including:
- Auditor fees
- Governance360’s reasonable costs for facilitating the audit
(b) Governance360 will provide the Customer with an estimate of its costs before the audit commences
10.5 Sub-Processor Audits
Audit rights extend to Sub-Processors to the extent the Sub-Processor’s contract with Governance360 permits such audits. Governance360 will use reasonable efforts to facilitate Customer audits of Sub-Processors, subject to:
(a) The Sub-Processor’s audit procedures and restrictions
(b) Additional confidentiality and non-disclosure requirements
(c) Advance notice and scheduling requirements
Plain English Note: You have the right to audit us to check we’re complying with this DPA. However, there are practical limitations: you need to give us 30 days’ notice, you can only audit once a year (unless there’s been a serious security incident), and you have to do it during normal business hours without disrupting our business.
Often it’s easier and quicker for us to just send you audit reports, security certificates, or other documentation that proves our compliance. This saves everyone time and money.
If you do want to audit, you’ll need to pay for the auditor and cover our reasonable costs for helping with the audit. We’ll tell you what our costs will be upfront. If you want to audit our Sub-Processors, we’ll help where we can, but we can’t force them to allow unlimited audits – we’re limited by what our contracts with them permit.
11. Liability and Indemnity
11.1 Governance360’s Liability
(a) Governance360 is liable to the Customer for any breach of this DPA caused by:
- Governance360’s failure to comply with its obligations as a data processor
- Governance360’s acts or omissions that breach Applicable Data Protection Law
- Any act or omission of a Sub-Processor
(b) Subject to Section 11.1(c), Governance360’s total liability under this DPA is subject to the limitation of liability provisions set out in the Agreement.
(c) Nothing in this DPA limits or excludes either party’s liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any other liability that cannot be limited or excluded under applicable UK law
11.2 Customer’s Responsibilities
The Customer acknowledges and agrees that Governance360 is not liable for any claims or losses arising from:
(a) The Customer’s failure to comply with its obligations as a data controller
(b) The Customer’s instructions to Governance360 that breach Applicable Data Protection Law
(c) The Customer’s provision of inaccurate, incomplete, or prohibited data (e.g., Special Category Data)
(d) Unauthorised access to Customer Data caused by the Customer’s failure to maintain secure credentials
(e) Actions or omissions of the Customer’s users
11.3 Regulatory Fines and Penalties
(a) If either party is fined by a Supervisory Authority due to the other party’s breach of this DPA or Applicable Data Protection Law, the breaching party will indemnify the non-breaching party for the full amount of the fine, plus reasonable legal costs.
(b) If a fine is imposed due to the acts or omissions of both parties, liability will be apportioned according to each party’s degree of responsibility.
Plain English Note: If we breach this DPA and you suffer losses as a result, we’re liable to you. Our liability is generally limited by the main terms of your contract with us, except for things like fraud or causing death or injury, which can never be limited.
However, we’re not liable if problems are caused by your actions – for example, if you give us unlawful instructions, upload prohibited data types, or don’t keep your login credentials secure.
If the ICO fines you because of something we did wrong, we’ll cover the fine and your legal costs. Similarly, if they fine us because of something you did wrong, you’ll cover ours. If we’re both partly responsible, we’ll split it fairly based on who was more at fault.
12. General Provisions
12.1 Duration
This DPA will remain in effect for as long as Governance360 processes Customer Data on behalf of the Customer.
12.2 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA will take precedence, but only to the extent of the conflict or inconsistency.
12.3 Changes to this DPA
(a) Governance360 may update this DPA from time to time to reflect:
- Changes in Applicable Data Protection Law
- Guidance from the ICO or other regulatory authorities
- Changes to Governance360’s business practices
(b) Material changes to this DPA will be notified to Customers at least 30 days before taking effect
(c) The current version of this DPA will always be available at: www.governance360.com/legal/dpa
(d) Continued use of the Services after the effective date of changes constitutes acceptance of the updated DPA
12.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect, and the invalid or unenforceable provision will be replaced with a valid provision that most closely reflects the parties’ intent.
12.5 Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales. Any disputes arising out of or in connection with this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.
Plain English Note: This DPA stays in effect for as long as we’re processing your data. If there’s any contradiction between this DPA and your main contract, the DPA wins (because data protection is that important).
We might update this DPA occasionally when laws change or we get new guidance from the ICO. If we make significant changes, we’ll give you 30 days’ notice. The latest version is always on our website.
This DPA is governed by English and Welsh law, and any legal disputes would be dealt with in English or Welsh courts.
13. Contact Information
For any questions or concerns about this DPA or data processing matters:
Director
Clive Bawden
Board Secure Limited trading as Governance360
Alacrity House, Moderator Wharf, Kingsway, Newport, Wales, NP20 1HG
Email: dataprotection@governance360.com
Website: www.governance360.com
Plain English Note: If you have any questions about this DPA or how we process your data, get in touch using the details above.
APPENDIX A: Security Measures
This Appendix A sets out the technical and organisational security measures implemented by Governance360 to protect Customer Data.
More detailed and regularly updated information is available at: www.governance360.com/legal/security-measures
A.1 Technical Security Measures
A.1.1 Access Control and Authentication
- Unique user accounts with strong password requirements
- Multi-factor authentication available for all users
- Role-based access controls (RBAC)
- Automatic session timeouts
- Password encryption using industry-standard hashing algorithms
- Regular access reviews and revocation of unused accounts
A.1.2 Data Encryption
- Encryption in transit: TLS 1.2 or higher for all data transmitted over public networks
- Encryption at rest: AES-256 encryption for data stored in databases and file systems
- Secure key management practices
- Regular review and updating of encryption protocols
A.1.3 Network Security
- Firewall protection at network perimeter
- Intrusion detection and prevention systems (IDS/IPS)
- Network segmentation to isolate sensitive systems
- Regular vulnerability scanning and penetration testing
- DDoS protection measures
- Virtual Private Networks (VPNs) for remote administrative access
A.1.4 Application Security
- Secure software development lifecycle (SDLC)
- Regular security code reviews
- Web application firewall (WAF)
- Protection against common vulnerabilities (SQL injection, XSS, CSRF, etc.)
- Regular security patching and updates
- Input validation and output encoding
A.1.5 Data Backup and Recovery
- Regular automated backups of Customer Data
- Encrypted backup storage
- Geographically distributed backup locations
- Regular backup integrity testing
- Documented backup and disaster recovery procedures
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets
A.1.6 Logging and Monitoring
- Comprehensive audit logs of system access and activities
- Real-time security monitoring and alerting
- Log retention for a minimum of 90 days
- Regular log review and analysis
- Security Information and Event Management (SIEM) system
A.1.7 Malware Protection
- Anti-malware software on all systems
- Regular malware signature updates
- Email filtering and scanning
- File upload scanning
A.2 Organisational Security Measures
A.2.1 Staff Security
- Background checks on all staff with access to Customer Data (where permitted by law)
- Mandatory confidentiality and non-disclosure agreements
- Regular data protection and security awareness training
- Clear security policies and procedures
- Disciplinary measures for policy violations
- Principle of least privilege (staff only have access to data necessary for their role)
- Immediate access revocation upon termination of employment
A.2.2 Physical Security
- Secure data centre facilities with restricted access
- 24/7 physical security monitoring (for co-location and cloud facilities)
- Visitor logging and escort requirements
- Environmental controls (fire suppression, climate control, power backup)
A.2.3 Vendor Management
- Due diligence assessment of all Sub-Processors
- Contractual data protection requirements for all Sub-Processors
- Regular review of Sub-Processor security and compliance
- Documented Sub-Processor risk assessments
A.2.4 Incident Response
- Documented incident response plan
- Designated incident response team
- Regular incident response testing and drills
- Root cause analysis for all security incidents
- Continuous improvement based on lessons learned
A.2.5 Business Continuity and Disaster Recovery
- Documented business continuity plan (BCP)
- Documented disaster recovery plan (DRP)
- Regular testing of BCP and DRP
- Redundant systems and failover capabilities
- Alternative processing facilities
A.2.6 Change Management
- Formal change management process
- Testing and approval requirements for system changes
- Rollback procedures for failed changes
- Change documentation and audit trail
A.2.7 Asset Management
- Inventory of all systems and assets that store or process Customer Data
- Classification of data and systems by sensitivity
- Secure disposal procedures for hardware and media containing Customer Data
- Regular asset reviews and updates
A.3 Compliance and Certification
Governance360 maintains and regularly reviews its compliance with relevant standards and frameworks, which may include:
- UK GDPR and Data Protection Act 2018
- ISO 27001 Information Security Management
- Cyber Essentials and Cyber Essentials Plus (or equivalent)
- Industry-specific standards as applicable
Current certifications and audit reports are available upon request, subject to confidentiality restrictions.
A.4 Security Measure Reviews and Updates
Governance360 will:
- Review these security measures at least annually
- Update security measures in response to:
  - New threats and vulnerabilities
  - Changes in technology
  - Regulatory guidance and requirements
  - Audit findings and recommendations
- Notify Customers of material changes that reduce the level of security
Plain English Note: These are the specific technical and security measures we use to protect your data. They cover everything from encryption and access controls to staff training and incident response plans. We review and update these regularly to keep up with new threats and technology changes. For more detailed and up-to-date information, visit our security measures page.
APPENDIX B: Description of Processing
This Appendix B describes the processing of Customer Data under this DPA.
B.1 Subject Matter and Duration of Processing
Subject Matter:
The processing of personal data entered by the Customer into the Governance360 platform for the purposes of governance management, including board meeting management, document storage, action tracking, and related governance activities.
Duration:
Processing continues for the duration of the Agreement and the retention periods specified in Section 9 of this DPA.
B.2 Nature and Purpose of Processing
Nature of Processing:
- Storage of personal data on secure servers
- Retrieval and display of personal data via the platform interface
- Organisation and structuring of personal data
- Backup and recovery of personal data
- Deletion of personal data at Customer instruction
Purpose of Processing:
- To provide the Governance360 platform subscription service as described in the Agreement
- To enable the Customer to manage board governance activities
- To store and retrieve documents, meeting records, actions, and related governance information
- To provide customer support and technical assistance
- To maintain and improve the Services
B.3 Types of Personal Data
The Customer may input various types of personal data into the platform, which may include:
Identifying Information:
- Names
- Job titles and roles
- Email addresses
- Telephone numbers
- Business addresses
Professional Information:
- Board positions and committee memberships
- Meeting attendance records
- Meeting contributions and discussions (if recorded)
- Actions assigned and completed
- Skills, qualifications, and expertise (if recorded)
Documents and Communications:
- Board papers and documents
- Minutes of meetings
- Correspondence
- Reports and presentations
- Policies and procedures
System Information:
- Login credentials (encrypted)
- IP addresses
- Device information
- Usage data and activity logs
Important: The Customer must not input Special Category Data, criminal conviction data, or children’s data (see Section 3.3 of this DPA).
B.4 Categories of Data Subjects
Data subjects whose personal data may be processed include:
- Board members (directors, trustees, governors)
- Committee members
- Senior executives and officers
- Company secretaries
- Legal advisers and professional advisers
- External auditors
- Other individuals involved in governance activities as determined by the Customer
Plain English Note: This appendix describes what data we process, why we process it, and who it relates to. Essentially, we process whatever governance-related information you choose to put into the platform about your board members and related individuals. We store it, let you access and organise it, back it up, and delete it when you tell us to. Remember: you decide what goes in and who it relates to – we just provide the technology platform.
APPENDIX C: Sub-Processors
A current list of Sub-Processors is maintained at:
www.governance360.com/legal/sub-processors
The Sub-Processors list includes:
- Name of each Sub-Processor
- Services provided
- Location of data processing
- Links to privacy and security information
This list is updated in accordance with Section 5 of this DPA, with at least 30 days’ prior notice to Customers before any additions or changes.
Plain English Note: Rather than listing all our Sub-Processors here (which would quickly become out of date), we maintain a current list on our website. That way you always have access to the most accurate information. Check the link above to see who we’re currently working with.
APPENDIX D: International Data Transfers
D.1 Transfer Mechanisms
Where Customer Data is transferred outside the United Kingdom, Governance360 relies on the following transfer mechanisms as appropriate:
D.1.1 UK Adequacy Decisions
Transfers to countries or territories that have been deemed to provide adequate protection by the UK Government under Section 17A of the Data Protection Act 2018 and related adequacy regulations.
Current adequacy decisions include (but are not limited to):
- European Economic Area (EEA) member states
- Other countries as designated by the UK Government
D.1.2 UK International Data Transfer Agreement (UK IDTA)
For transfers to countries without an adequacy decision, Governance360 uses the UK IDTA, which is the set of standard data protection clauses approved and issued by the ICO.
The UK IDTA includes:
- Standard contractual clauses for data protection
- Requirements for technical and organisational security measures
- Rights for data subjects
- Audit and inspection rights
- Data breach notification requirements
D.1.3 UK Addendum to EU Standard Contractual Clauses
Where appropriate, Governance360 may use the UK Addendum to the European Commission’s Standard Contractual Clauses, as approved by the ICO for UK data transfers.
D.2 Supplementary Measures
In addition to the transfer mechanisms above, Governance360 implements supplementary measures for international transfers, including:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Strict authentication and authorisation requirements
- Data Minimisation: Only transferring data that is necessary
- Pseudonymisation: Where technically feasible and appropriate
- Regular Assessments: Ongoing monitoring of legal and practical circumstances in destination countries
D.3 Monitoring Legal Developments
Governance360 actively monitors:
- Changes to adequacy decisions
- ICO guidance on international transfers
- Legal developments in destination countries that may affect data protection
If Governance360 becomes aware that a transfer mechanism is no longer valid or that a destination country no longer provides adequate protection, it will:
- Notify affected Customers promptly
- Implement alternative safeguards or suspend transfers
- Work with Customers to find alternative solutions
D.4 Customer Rights
Customers have the right to:
- Request information about which countries their Customer Data is transferred to
- Request copies of transfer agreements (subject to redaction of confidential commercial information)
- Object to transfers to specific countries (in accordance with Section 5.5 of this DPA)
Plain English Note: This appendix explains how we protect your data when it’s processed outside the UK. We use approved legal mechanisms – either sending data to countries the UK government says are safe, or using special contracts (called UK IDTA or UK Addendum) that require UK-level protection.
We also add extra technical protections like encryption. We keep an eye on legal changes, and if a country becomes unsafe for data processing, we’ll tell you and stop sending data there. You can ask us where your data goes and object if you have concerns about specific countries.
END OF DATA PROCESSING ADDENDUM
Acceptance
By using the Governance360 Services, the Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Addendum.
For questions about this DPA:
Email: dataprotection@governance360.com
Attention: Clive Bawden, Director
This Data Processing Addendum is compliant with UK GDPR, the Data Protection Act 2018, and reflects best practices for B2B SaaS data processing agreements in the United Kingdom.
Version: 2.0
Last Updated: 28 October 2025
Effective Date: 28 October 2025
© 2025 Board Secure Limited trading as Governance360. All rights reserved.
