Data Processing Agreement

Overview

Last updated: 14th May 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the DropTo Terms of Service available at https://drop.to/terms (the "Terms of Service") entered into between AM Data Limited (a company registered in England and Wales with company number 12914020, trading as DropTo) ("DropTo") and the customer contracting for the Services ("Customer").

This DPA sets out the terms that apply when DropTo Processes Personal Data on Customer's behalf as part of providing the Services. It is intended to satisfy the requirements of Article 28 of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and related UK data protection laws as amended or replaced from time to time (together, the "Data Protection Laws").

The Terms of Service and this DPA are intended to provide the contractual framework required for DropTo to Process Customer Personal Data in accordance with Article 28 of the UK GDPR.

Capitalised terms used but not defined in this DPA have the meanings given in the Terms of Service or in the Data Protection Laws.

Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and its cognates), "Personal Data Breach", "Special Category Data" and "Supervisory Authority" have the meanings given in the UK GDPR.

"Customer Personal Data" means any Personal Data contained within Customer Content that is Processed by DropTo on behalf of Customer in connection with the Services.

"ICO" means the UK Information Commissioner's Office, or any successor body.

"International Transfer" means a transfer of Customer Personal Data to a country outside the United Kingdom that is not the subject of UK adequacy regulations under section 17A of the Data Protection Act 2018.

"Services" has the meaning given in the Terms of Service.

"Subprocessor" means any third party engaged by DropTo (including any DropTo affiliate) to Process Customer Personal Data in connection with the Services.

Roles, Subject Matter and Duration
Roles of the parties

In respect of Customer Personal Data, Customer is the Controller and DropTo is the Processor acting on Customer's behalf. Where Customer itself acts as a processor on behalf of a third-party controller, Customer warrants that it has the third-party controller's authorisation to engage DropTo as a subprocessor on the terms of this DPA.

Subject matter, duration, nature and purpose

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are described in Schedule 1. This DPA applies for so long as DropTo Processes Customer Personal Data in connection with the Services.

Customer Obligations

Customer is responsible for determining the purposes and means of the Processing, for ensuring that its instructions to DropTo are lawful, and for complying with its obligations under the Data Protection Laws.

Processing Instructions
Documented instructions

DropTo will Process Customer Personal Data only on Customer's documented instructions, including with regard to International Transfers, unless Processing is required by law to which DropTo is subject. In that case, DropTo will (where the law permits) inform Customer of the legal requirement before Processing.

Customer's instructions are set out in the Terms of Service, this DPA (including the Schedules) and Customer's use and configuration of the Services through Customer's Account. Customer may also give DropTo specific written instructions from time to time (for example, in connection with a Data Subject request), which DropTo will act on to the extent consistent with this DPA.

Unlawful instructions

DropTo will inform Customer if, in its opinion, an instruction infringes the Data Protection Laws. DropTo may suspend Processing under that instruction pending Customer's confirmation or amendment of it, without liability for the suspension.

Personnel and Confidentiality

DropTo will ensure that access to Customer Personal Data is limited to those individuals who need access for the purposes of providing the Services and complying with applicable law, and that all such individuals are subject to written confidentiality obligations or are under an appropriate statutory duty of confidentiality.

Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, DropTo will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR.

A summary of the measures applied by DropTo as at the date of this DPA is set out in Schedule 3 and on the DropTo security page at https://drop.to/security. DropTo may modify these measures from time to time provided that any modification does not materially reduce the overall level of security applied to Customer Personal Data.

Subprocessors
General authorisation

Customer provides DropTo with general written authorisation to engage Subprocessors to Process Customer Personal Data in connection with the Services. The Subprocessors authorised as at the date of this DPA are listed in Schedule 2 and on https://drop.to/security#subprocessors.

Notice of new or replacement Subprocessors

DropTo will give Customer reasonable advance notice before engaging a new Subprocessor or replacing an existing one. Notice may be given by email, by updating https://drop.to/security#subprocessors, or by any other reasonable means.

Customer right to object

Customer may object to a proposed new or replacement Subprocessor on reasonable data-protection grounds by notice to [email protected]. The parties will discuss the objection in good faith. If DropTo cannot reasonably accommodate the objection, Customer's sole and exclusive remedy is to stop using the affected part of the Services or to terminate the affected Services in accordance with the Terms of Service.

Flow-down obligations

DropTo will impose on each Subprocessor, by written contract, data-protection obligations that are no less protective than those set out in this DPA. DropTo remains liable to Customer for the performance of each Subprocessor's obligations to the same extent as if DropTo had performed those obligations itself.

International Transfers
Storage location

As at the date of this DPA, DropTo's production environment is located in the United Kingdom, with limited Processing by Subprocessors outside the United Kingdom as identified in Schedule 2. The location of Processing may change from time to time, and any International Transfer will be made under an appropriate transfer tool as described below.

Transfer mechanism

Where an International Transfer occurs, DropTo will ensure that the transfer is made under an appropriate transfer tool recognised under Chapter V of the UK GDPR. Customer authorises DropTo to enter into the relevant transfer tool with each Subprocessor on Customer's behalf, on terms consistent with this DPA.

Assistance with Data Subject Rights

Taking into account the nature of the Processing and the information available to DropTo, DropTo will provide reasonable assistance to Customer (by appropriate technical and organisational measures, insofar as this is possible) to enable Customer to respond to requests by Data Subjects exercising their rights under Chapter III of the UK GDPR.

If DropTo receives a request from a Data Subject in relation to Customer Personal Data, DropTo will not respond directly (other than to confirm receipt and direct the Data Subject to Customer) and will inform Customer so that Customer can respond. Customer is responsible for responding to Data Subject requests.

Personal Data Breaches
Notification

DropTo will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

Information provided

To the extent reasonably available to DropTo at the time of notification (or as soon as reasonably practicable thereafter), DropTo will provide Customer with information to assist Customer in meeting its own obligations under Articles 33 and 34 of the UK GDPR, including a description of the nature of the Personal Data Breach, its likely consequences, and the measures DropTo has taken or proposes to take to address it.

Assistance

DropTo will provide Customer with reasonable assistance to investigate and mitigate the Personal Data Breach. DropTo will not be considered to be in breach of this DPA where the Personal Data Breach is caused by Customer or by Customer's Representatives.

Data Protection Impact Assessments and Prior Consultation

Taking into account the nature of the Processing and the information available to DropTo, DropTo will provide reasonable assistance to Customer with data protection impact assessments under Article 35 of the UK GDPR and prior consultations with the ICO under Article 36 of the UK GDPR. Such assistance will be limited to information that is within DropTo's control and reasonably necessary for Customer to discharge its obligations.

Return or Deletion at the End of Processing
Customer election

On termination or expiry of the Services, DropTo will, at Customer's election, return Customer Content to Customer or delete it.

Deletion timetable

Unless Customer instructs otherwise, DropTo will provide Customer with a reasonable period to extract Customer Content following termination, and will delete Customer Content from its production systems within a reasonable period thereafter. Residual copies held in DropTo's automated backup systems will be deleted in accordance with DropTo's standard backup-rotation cycle, after which time all copies will have been deleted. Specific timings for extraction and deletion are set out in the Terms of Service.

Retention required by law

DropTo may retain Customer Personal Data to the extent and for the period required by law. Data retained on that basis will continue to be protected in accordance with this DPA for so long as it is retained.

Audits and Inspections

DropTo will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. DropTo's current security documentation, summaries of independent third-party audit or certification reports, and summaries of independent penetration-test outcomes will normally satisfy this requirement.

Data Protection Officer and Contact

AM Data Limited is registered with the ICO under registration number ZB037387.

Enquiries relating to this DPA, requests for assistance with Data Subject rights, notifications under this DPA, and any other data-protection enquiries should be sent to [email protected].

Liability

Each party's liability arising out of or in connection with this DPA, whether in contract, tort (including negligence) or otherwise, is subject to and forms part of, and is not in addition to, the limitations of liability set out in the Terms of Service. Nothing in this DPA excludes or restricts either party's liability where to do so would not be permitted by law.

Order of Precedence and Variation
Order of precedence

If this DPA conflicts with the Terms of Service, this DPA prevails only in relation to the Processing of Customer Personal Data to the extent required by Article 28 of the UK GDPR.

Variation

DropTo may update this DPA where necessary to reflect changes in the Data Protection Laws, the Services, or Subprocessors, provided the update does not materially reduce the protection given to Customer Personal Data.

Term and Termination

This DPA takes effect on the same date as the Terms of Service and remains in force for so long as DropTo Processes Customer Personal Data, after which it terminates automatically. The sections relating to confidentiality, return or deletion and liability survive termination to the extent necessary to give effect to them. Audit rights survive termination only to the extent necessary to address Processing carried out before termination, and only for the period required by law.

Schedule 1 — Description of Processing
Subject matter

The Processing of Customer Personal Data necessary for DropTo to provide the Services to Customer in accordance with the Terms of Service.

Duration

For so long as Customer subscribes to the Services, together with the post-termination period specified in the Terms of Service.

Nature of the Processing

The Services are an automated data-warehouse and data-integration platform. DropTo extracts Customer-selected data from Customer-authorised sources, loads it into a Customer-controlled data warehouse hosted on DropTo's infrastructure, and provides functionality for Customer to query, transform, schedule, monitor and share that data. The Processing may include collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure and destruction of Customer Personal Data.

Purpose of the Processing

To provide, maintain, secure, monitor and support the Services in accordance with the Terms of Service and the instructions of Customer. Where DropTo uses data to improve the Services, it will do so using aggregated, anonymised or de-identified data wherever reasonably possible.

Categories of Personal Data

Customer determines and controls the categories of Personal Data Processed by DropTo on its behalf. Typical categories include identifiers and contact details (such as names, email addresses, phone numbers, employee or customer reference numbers), commercial and transactional data, marketing and engagement data, technical data (such as device identifiers and IP addresses), employment-related data, and any other categories that Customer chooses to load into the Services.

Customer may Process Special Category Data through the Services where it is necessary for Customer's configured use case. Customer remains responsible for ensuring it has a lawful basis under Article 9 of the UK GDPR (and any applicable Schedule 1 Data Protection Act 2018 condition) and that appropriate consents, notices and safeguards are in place.

Categories of Data Subjects

Customer determines and controls the categories of Data Subjects whose Personal Data is Processed by DropTo on its behalf. Typical categories include Customer's employees, contractors, prospects, customers, suppliers, and end-users of Customer's own products and services.

Schedule 2 — Subprocessors

The current list of authorised Subprocessors, including each Subprocessor's purpose, processing location and applicable transfer mechanism, is maintained at https://drop.to/security#subprocessors. The notice and objection rights set out in the Subprocessors section above apply to any change to that list.

Schedule 3 — Technical and Organisational Measures

DropTo applies technical and organisational measures appropriate to the risks presented by the Processing, in accordance with Article 32 of the UK GDPR. The current measures are described on the DropTo security page at https://drop.to/security, which is incorporated into this Schedule by reference and may be updated from time to time provided the overall level of security applied to Customer Personal Data is not materially reduced.

Schedule 4 — International Transfers
Production environment

As at the date of this DPA, DropTo's production environment is located in the United Kingdom and routine Processing of Customer Content does not involve an International Transfer. The location of Processing may change from time to time in accordance with the Data Protection Laws and the transfer tools set out below.

Subprocessor transfers

Where a Subprocessor identified in Schedule 2 Processes Customer Personal Data outside the United Kingdom, DropTo relies on one or more of the following transfer tools:

(a) a UK adequacy regulation under section 17A of the Data Protection Act 2018, where the destination is the subject of such a regulation (including the European Union, the European Economic Area and other jurisdictions designated by the Secretary of State); or

(b) the UK International Data Transfer Agreement, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or another transfer tool recognised under Chapter V of the UK GDPR.

Customer authorises DropTo to enter into the relevant transfer tool with each Subprocessor on Customer's behalf, on terms consistent with this DPA. No separate signature, order form or other document is required from Customer for these transfer tools to apply.

Transfer details

The transfer details applicable to each Subprocessor (including categories of Data Subjects, categories of Personal Data, frequency, nature and purpose of the transfer, retention period and competent supervisory authority) are derived from this DPA (in particular Schedule 1) and the configuration of the Services chosen by Customer. Customer may request a written summary of the transfer details applicable to a particular Subprocessor by contacting [email protected].

DropTo (formerly Connect Mix Share) is a product of AM Data Limited. Registered in England and Wales. Company No. 12914020