Version 0.2 (draft for final legal review) — 12 July 2026

This Data Processing Agreement ("DPA") records the terms required by Article 28 of the UK GDPR where SEE Change Happen Ltd processes personal data on behalf of a Customer in connection with the Customer's use of The Trans Inclusion Toolkit. It is intended to be incorporated by reference into, and to form part of, the Subscription Terms (the "Main Agreement"). Until so incorporated and executed, this draft has no contractual effect.

1. Parties and Roles

1.1 This DPA is between:

1.2 In relation to personal data processed by SEE Change Happen on the Customer's behalf under the Main Agreement, the Customer is the controller and SEE Change Happen is the processor, each as defined in the Data Protection Legislation. This DPA does not apply to personal data for which SEE Change Happen is itself the controller (for example, personal data collected through the public marketing website), which is governed by SEE Change Happen's Privacy Policy.

1.3 Incorporation. This DPA is intended to be incorporated by reference into the Main Agreement and to be read as one document with it. Entering into the Main Agreement is intended to constitute the Customer's and SEE Change Happen's agreement to this DPA. (The Main Agreement itself is not amended by this draft; incorporation will be given effect when the final version is settled.)

1.4 Each party warrants that it will comply with its respective obligations under the Data Protection Legislation. The Customer is responsible for establishing a lawful basis for the processing and for the lawfulness of the instructions it gives to SEE Change Happen.

2. Definitions

2.1 In this DPA:

2.2 Terms not defined in this DPA have the meanings given to them in the Main Agreement.

3. Scope of Processing

3.1 The subject matter, duration, nature and purpose of the processing, the categories of personal data, and the categories of data subjects are set out in Annex A.

3.2 SEE Change Happen shall process Customer Personal Data only for the purposes described in Annex A and as necessary to provide the services under the Main Agreement, and not for any other purpose.

4. Processor Obligations

4.1 Processing on documented instructions

SEE Change Happen shall process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law — in which case SEE Change Happen shall (where legally permitted) inform the Customer of that legal requirement before processing. The Main Agreement, this DPA, and the Customer's use of the platform's configuration options constitute the Customer's documented instructions. SEE Change Happen shall inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation.

4.2 Confidentiality of personnel

SEE Change Happen shall ensure that persons authorised to process Customer Personal Data are subject to an appropriate duty of confidentiality and access it only on a need-to-know basis.

4.3 Security

SEE Change Happen shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of Article 32 of the UK GDPR. The measures in place are described in Annex B.

4.4 Sub-processing

The Customer gives SEE Change Happen general written authorisation to engage the Sub-processors listed in Annex C. SEE Change Happen shall:

4.5 Assistance with data subject rights

Taking into account the nature of the processing, SEE Change Happen shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests to exercise data subject rights under the Data Protection Legislation. Where a data subject request is made directly to SEE Change Happen in relation to Customer Personal Data, SEE Change Happen shall promptly forward it to the Customer and shall not respond to it itself except on the Customer's documented instructions.

4.6 Personal data breach

SEE Change Happen shall notify the Customer without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Customer Personal Data, and shall provide the Customer with sufficient information to enable the Customer to meet its own obligations to report the breach to the Information Commissioner's Office within its own 72-hour reporting window and, where required, to affected data subjects. [owner-set value: 48 hours — solicitor to confirm]

4.7 Data protection impact assessments

SEE Change Happen shall provide reasonable assistance to the Customer with any data protection impact assessment and any prior consultation with the Information Commissioner's Office that the Customer is required to carry out under the Data Protection Legislation, taking into account the nature of the processing and the information available to SEE Change Happen.

4.8 Return or deletion

At the Customer's choice, SEE Change Happen shall delete or return all Customer Personal Data to the Customer after the end of the provision of the services, and delete existing copies, unless the law requires storage of the personal data. This reflects the retention arrangements described in the Privacy Policy, under which Strategic Pathway data (including Policy Vault documents) is deleted 90 days after the Authorised User's last activity, and saved assessments and tool outputs are retained for 90 days after a subscription is cancelled and may then be permanently deleted. The Customer may request immediate deletion at any time using the "Request Deletion" option in the dashboard account settings or by contacting SEE Change Happen.

4.9 Information and audit

SEE Change Happen shall make available to the Customer all information necessary to demonstrate compliance with the obligations in Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits shall be conducted on reasonable prior written notice, no more than once in any twelve-month period (save where required by a supervisory authority or following a personal data breach), during normal business hours, and in a manner that does not disrupt SEE Change Happen's operations or the confidentiality of other customers' data.

4.10 No use for AI model training

SEE Change Happen shall not use Customer Personal Data to train artificial-intelligence models. Where Customer Personal Data (including messages sent to the Quinn assistant and text from uploaded policies) is transmitted to the AI Sub-processors listed in Annex C, it is processed under agreements that prohibit the use of that data to train their models.

5. International Transfers

5.1 Some Sub-processors process Customer Personal Data outside the United Kingdom. Where they do, SEE Change Happen relies on the transfer safeguards recorded for each Sub-processor in Annex C, as stated in the Privacy Policy. In summary:

5.2 No claim of an adequacy decision is made in respect of any transfer beyond the safeguards stated above. Each transfer safeguard is that recorded in the relevant Sub-processor's own published Data Processing Addendum, as referenced in the Privacy Policy.

6. Liability, Precedence, Term and Governing Law

6.1 Liability. Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Main Agreement. Nothing in this DPA limits either party's liability where it cannot lawfully be limited.

6.2 Precedence. This DPA forms part of the Main Agreement. In the event of a conflict between this DPA and the other terms of the Main Agreement on a matter of data protection, this DPA prevails. On all other matters, the Main Agreement prevails.

6.3 Term. This DPA takes effect on the date the Main Agreement takes effect and continues for as long as SEE Change Happen processes Customer Personal Data on the Customer's behalf. Clauses that by their nature are intended to survive termination (including clause 4.8) shall survive.

6.4 Governing law and jurisdiction. This DPA is governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, consistent with the Main Agreement.

Annex A — Details of the Processing

Subject matter. The provision of The Trans Inclusion Toolkit platform and its features to the Customer's Authorised User(s) under the Main Agreement.

Duration. For the term of the Customer's subscription and thereafter for the retention periods described in the Privacy Policy, until Customer Personal Data is deleted or returned under clause 4.8.

Nature of the processing. Collection, hosting, storage, retrieval, organisation, analysis (including AI-assisted analysis), transmission to Sub-processors, and deletion of personal data, carried out by automated means as necessary to operate the platform.

Purpose of the processing. To enable the Authorised User to access the toolkit's resources and tools; to deliver the Trans Inclusion Impact Diagnostic and its calculated scores; to operate the Strategic Pathway and its tools (including Policy Roast, the EqIA/DPIA Wizard, the Defensibility Builder, Response Scripts, Scenario Stress-Tests, Complaints Triage and Board Briefing); to provide the Quinn AI inclusion assistant; and to manage the Customer's subscription, access tier and billing.

Categories of personal data:

Special category data. None is intended to be processed. The diagnostic is an organisational self-assessment and, as stated in the Privacy Policy, does not collect special category data under Article 9 of the UK GDPR.

Categories of data subjects. The Customer's Authorised User(s) — the single named individual licensed under each subscription. Where the Authorised User includes personal data about other individuals in free-text inputs or uploaded documents, those individuals are also data subjects, although the platform instructs users not to include personal data about identifiable individuals.

Annex B — Technical and Organisational Security Measures

SEE Change Happen maintains the following technical and organisational measures, as described in the Privacy Policy and the Main Agreement:

Annex C — Authorised Sub-processors

The Customer authorises the engagement of the following Sub-processors. Purposes, locations and transfer safeguards are recorded exactly as stated in the Privacy Policy.

Sub-processor Purpose Processing location Transfer safeguard (as stated)
Stripe Payment processing for paid subscriptions (PCI DSS Level 1) United States and other jurisdictions Standard Contractual Clauses and certification under the EU–US Data Privacy Framework
HubSpot CRM, form processing and email communications United States (some data) European Commission Standard Contractual Clauses and the UK International Data Transfer Agreement
Cloudflare Hosting, content delivery and security (bot management and Turnstile form protection) Cloudflare's global network Cloudflare's Data Processing Addendum, incorporating the European Commission Standard Contractual Clauses and the UK Addendum (International Data Transfer Agreement)
Amazon Web Services File and media storage (S3), backups, and content delivery (CloudFront) United Kingdom — London (eu-west-2) region No restricted transfer — processing remains in the UK
OpenAI Powers the Quinn AI assistant and Strategic Pathway AI analysis; API inputs and outputs are not used to train OpenAI's models United States OpenAI's Data Processing Addendum, incorporating the Standard Contractual Clauses and the UK Addendum
Pinecone Vector database used by Quinn to search the knowledge base (query embeddings only; no personal data stored) United States Pinecone's Data Processing Addendum, incorporating the Standard Contractual Clauses and the UK Addendum

Source: Privacy Policy §6 (Third-Party Services), §7 (Data Sharing) and §11 (International Data Transfers).

Solicitor Sign-off Checklist

The document is content-complete. The following points remain for the owner's solicitor to confirm before it is published and relied on. They do not reopen the substantive processing terms above.