LEGAL
Data Processing Agreement
Last updated: 11 May 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Stonehill Labs Limited (“Processor”, “we”) and the Customer (“Controller”, “you”) for the use of Alivio (the “Service”). It governs the processing of personal data that the Controller provides to the Processor for processing on the Controller’s behalf.
Where the Controller’s customers, staff, or third parties (such as horse owners) have personal data recorded in the Service, the Controller is responsible for ensuring it has a lawful basis to process and share that data.
1. Definitions
The terms “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Subject matter and duration
Subject matter: processing of personal data necessary to provide the Service to the Controller.
Duration: for the duration of the Controller’s use of the Service, plus a 30-day post-termination period during which data may be retained pending export or deletion.
Nature and purpose: to enable horse welfare record-keeping, daily yard task management, health logging, and team coordination for riding schools and livery yards.
Categories of data subjects: the Controller’s staff (yard managers, instructors, grooms), and individuals whose details the Controller chooses to record within the Service (such as horse owners, vets, and farriers).
Categories of personal data: names, email addresses, phone numbers, photographs (where uploaded), and activity logs.
3. Processor obligations
The Processor will:
- Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by UK or EU law (in which case the Processor will inform the Controller of the legal requirement before processing, unless prohibited by that law)
- Ensure that personnel authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational measures (see Annex A below)
- Engage sub-processors only on the terms set out in section 5
- Assist the Controller, taking into account the nature of processing, in responding to data subject requests
- Assist the Controller in complying with its obligations under UK GDPR Articles 32 to 36, including security, breach notification, impact assessments, and prior consultation
- At the Controller’s choice, delete or return all personal data after the end of provision of the Service, and delete existing copies unless legally required to retain
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (subject to reasonable confidentiality undertakings)
4. Controller obligations
The Controller is responsible for:
- Ensuring it has a lawful basis under UK GDPR for the personal data it records in the Service
- Providing data subjects with the information required by UK GDPR Articles 13 and 14
- Configuring user access and permissions appropriately within the Service
- Responding to data subject rights requests relating to data held within its account
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed on the sub-processors page. The Processor will:
- Impose data protection terms on each sub-processor at least as protective as this DPA
- Remain liable to the Controller for each sub-processor’s compliance
- Notify the Controller of intended changes to sub-processors by updating the sub-processors page, and where reasonably possible provide at least 30 days’ notice
The Controller may object to a proposed sub-processor change for reasonable data-protection grounds by emailing privacy@alivio.org.uk within the notice period. If the Processor cannot resolve the objection, the Controller may terminate the Service.
6. International transfers
Some sub-processors operate outside the UK. Where this is the case, the Processor relies on lawful transfer mechanisms, including the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, and the EU-US Data Privacy Framework where applicable.
7. Personal data breaches
The Processor will notify the Controller without undue delay (and in any case within 48 hours) after becoming aware of a personal data breach affecting the Controller’s data, including:
- The nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences
- The measures taken or proposed to address it
8. Audits
The Processor will, on request and no more than once per 12-month period (unless required by a regulator or after a breach), make available a summary of its security practices and respond in reasonable time to written security questionnaires.
9. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.
10. Governing law
This DPA is governed by the laws of England and Wales.
Annex A — Technical and organisational measures
The Processor maintains the following measures, reviewed at least annually:
- Encryption in transit: TLS 1.2 or higher for all customer connections
- Encryption at rest: all stored personal data is encrypted using industry-standard algorithms
- Access control: role-based access; multi-factor authentication required for administrative access; principle of least privilege
- Authentication: strong password requirements; session tokens with appropriate expiry; brute-force protection
- Network security: WAF protection via Cloudflare; intrusion detection at the application layer
- Backups: automated daily backups, encrypted, retained 30 days
- Audit logging: application-level audit trail of administrative actions
- Vulnerability management: dependency monitoring; security updates applied promptly
- Personnel: all personnel with data access bound by confidentiality obligations; training on data protection at onboarding
- Sub-processor due diligence: review of sub-processor security and data-protection practices before engagement
Annex B — Sub-processors
The current list of authorised sub-processors is maintained at /sub-processors and forms part of this DPA.