Data Processing Agreement (DPA)

Between ArgonGate Ltd. (Data Controller)
and
The User / Subscriber (Data Subject & Data Controller where applicable)

Company No: 16771850
Registered in: England and Wales
Effective Date: Date of Account Registration
CONFIDENTIAL

1. DEFINITIONS AND INTERPRETATION

1.1 In this Data Processing Agreement (hereinafter referred to as the "DPA"), the following terms shall have the meanings set out below unless the context requires otherwise:

- "Agreement": The Terms of Service, Privacy Policy, and this DPA, collectively governing the relationship between the Controller and the Processor.
- "Applicable Data Protection Law": The UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, Regulation (EU) 2016/679 (EU GDPR), and any other applicable data protection legislation in force from time to time.
- "Controller": ArgonGate Ltd., Company No. 16771850, registered in England and Wales, which determines the purposes and means of Processing Personal Data.
- "Data Subject": An identified or identifiable natural person to whom Personal Data relates.
- "EEA": The European Economic Area.
- "International Transfer": A transfer of Personal Data from the UK or EEA to a country outside the UK or EEA that has not been deemed to provide an adequate level of data protection.
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined under the Applicable Data Protection Law.
- "Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- "Processing" (and cognates): Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor": ArgonGate Ltd. when it Processes Personal Data on behalf of a User who acts as a Controller (where applicable).
- "Services": The CBAM (Carbon Border Adjustment Mechanism) compliance and reporting platform and related services provided by ArgonGate Ltd. through its website and applications.
- "Sub-processor": Any third party appointed by the Processor to Process Personal Data on behalf of the Controller.
- "User" or "Subscriber": The natural or legal person who registers for and uses the Services.

1.2 References to legislation include any amendment, re-enactment, or replacement thereof.
1.3 Words in the singular include the plural and vice versa; words importing one gender include all genders.

2. SCOPE AND PURPOSE OF PROCESSING

2.1 This DPA sets out the terms upon which the Processor shall Process Personal Data on behalf of the User when providing the Services.
2.2 This DPA is supplementary to and forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail in relation to data protection matters.
2.3 The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1 to this DPA.

3. CONTROLLER OBLIGATIONS

3.1 The User warrants and represents that:
- it has complied and shall continue to comply with all Applicable Data Protection Law in respect of Personal Data provided to the Processor;
- it has obtained (and shall maintain) all necessary consents, authorisations, and legal bases required under Applicable Data Protection Law for the Processor to Process the Personal Data for the purposes described in this DPA;
- it has provided adequate notice to Data Subjects regarding the Processing of their Personal Data; and
- all instructions given to the Processor shall comply with Applicable Data Protection Law.

4. PROCESSOR OBLIGATIONS

4.1 The Processor shall:
- Process Personal Data only on documented instructions from the Controller (including as set out in the Agreement and this DPA), unless required to do so by Applicable Data Protection Law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by law);
- ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and maintain appropriate technical and organisational measures as set out in Annex 2 to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing;
- not engage another processor (Sub-processor) without prior specific or general written authorisation of the Controller, subject to Section 7 of this DPA;
- taking into account the nature of the Processing, assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law;
- assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR / EU GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of Processing and the information available to the Processor;
- at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless storage is required by Applicable Data Protection Law; and
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4.2 The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.

5. DATA SUBJECT RIGHTS

5.1 The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise any of their rights under Applicable Data Protection Law, including but not limited to the right of access, rectification, erasure, restriction, data portability, and the right to object.
5.2 The Processor shall not respond to any such Data Subject request directly unless expressly authorised by the Controller in writing, except to inform the Data Subject that their request has been forwarded to the Controller.
5.3 The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests, taking into account the nature of the Processing.

6. PERSONAL DATA BREACH

6.1 The Processor shall notify the Controller without undue delay, and where feasible, within 72 hours, upon becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
6.2 Such notification shall include, at a minimum:
- a description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned;
- the name and contact details of the Processor's data protection point of contact;
- a description of the likely consequences of the Personal Data Breach; and
- a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
6.3 The Processor shall cooperate with and assist the Controller in investigating, mitigating, and remediating the Personal Data Breach and in complying with any notification obligations under Applicable Data Protection Law.

7. SUB-PROCESSORS

7.1 The Controller hereby provides general written authorisation for the Processor to engage Sub-processors, subject to the conditions set out in this Section 7.
7.2 The Processor shall maintain an up-to-date list of Sub-processors (set out in Annex 3) and shall make this list available to the Controller upon request.
7.3 The Processor shall notify the Controller of any intended changes to the list of Sub-processors (whether by addition or replacement) at least 30 days prior to any such change, thereby giving the Controller the opportunity to object to such changes.
7.4 If the Controller objects to a new Sub-processor on reasonable data protection grounds within 7 days of receiving notice, the Processor shall use reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected portion of the Services.
7.5 The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

8. INTERNATIONAL TRANSFERS OF PERSONAL DATA

8.1 The Processor shall not transfer Personal Data to a country outside the UK or EEA unless:
- the transfer is to a country that has been deemed to provide an adequate level of data protection by the UK Secretary of State or the European Commission (as applicable);
- appropriate safeguards have been put in place in accordance with Applicable Data Protection Law, including but not limited to the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), Binding Corporate Rules, or an approved certification mechanism; or
- a derogation under Applicable Data Protection Law applies.
8.2 Where the Processor relies on Standard Contractual Clauses or the IDTA for an International Transfer, such clauses are hereby incorporated into this DPA by reference.
8.3 The Processor shall carry out a transfer impact assessment where required by Applicable Data Protection Law and shall implement supplementary measures as necessary.

9. AUDIT AND INSPECTION RIGHTS

9.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with the obligations set out in this DPA.
9.2 The Controller (or its appointed auditor) may, upon giving at least 30 days' prior written notice, carry out an audit of the Processor's Processing activities and facilities, subject to the following conditions:
- the audit right is limited to a maximum of once per calendar year, unless a Personal Data Breach or material non-compliance has been identified, in which case additional audits may be conducted as reasonably necessary;
- the audit shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations;
- the Controller shall bear its own costs of the audit;
- the scope of the audit shall be strictly limited to matters relevant to this DPA and shall expressly exclude the Processor's source code, proprietary algorithms, financial records, trade secrets, and any data belonging to other customers of the Processor;
- where the Controller appoints an independent third-party auditor, such appointment shall be subject to the Processor's prior written approval (not to be unreasonably withheld), provided that the Processor shall be entitled to reject any auditor that is a direct competitor of the Processor or that is employed by or affiliated with a direct competitor; and
- the auditor shall execute a written confidentiality and non-disclosure agreement acceptable to the Processor prior to commencing the audit.
9.3 Where the Processor has obtained a current independent third-party audit report or certification (including but not limited to SOC 2 Type II, ISO/IEC 27001 certification, or a recent penetration test report conducted by a reputable firm), the Processor shall make such report or certification available to the Controller upon written request. In such event, the Controller agrees to accept the report or certification in full satisfaction of its audit rights under Section 9.2 and shall waive its right to conduct an on-site audit for the period covered by such report or certification, unless the Controller can demonstrate, on reasonable grounds, that the report or certification does not adequately address a specific and material data protection concern.

10. DATA PROTECTION IMPACT ASSESSMENTS

10.1 The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Applicable Data Protection Law, taking into account the nature of the Processing and the information available to the Processor.

11. CONFIDENTIALITY

11.1 The Processor shall treat all Personal Data as strictly confidential and shall not disclose Personal Data to any third party except as expressly authorised by this DPA, the Agreement, or as required by Applicable Data Protection Law.
11.2 This obligation of confidentiality shall survive the termination or expiry of this DPA.

12. TERM AND TERMINATION

12.1 This DPA shall come into effect on the date of the User's account registration and shall remain in force for the duration of the Processing of Personal Data by the Processor under the Agreement.
12.2 Upon termination or expiry of the Agreement, the Processor shall, at the Controller's election (to be communicated within 30 days of termination):
- return all Personal Data to the Controller in a commonly used, machine-readable format; or
- securely delete all Personal Data and certify such deletion in writing.
12.3 If no election is made within 30 days, the Processor shall securely delete all Personal Data, unless retention is required by Applicable Data Protection Law, in which case the Processor shall inform the Controller and continue to protect the Personal Data in accordance with this DPA.

13. LIABILITY AND INDEMNIFICATION

13.1 Each party shall be liable for damage caused by Processing that infringes Applicable Data Protection Law, in accordance with the liability provisions set out therein.
13.2 The Processor's total aggregate liability under this DPA shall be subject to the limitations of liability set out in the Agreement, except to the extent that such limitation is prohibited by Applicable Data Protection Law.
13.3 Nothing in this DPA shall exclude or limit either party's liability for fraud, death, or personal injury caused by negligence, or any other liability that cannot be excluded or limited by law.

14. GOVERNING LAW AND JURISDICTION

14.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.
Mandatory arbitration prior to court proceedings. Before applying to the courts of England and Wales, disputes shall first be submitted on a mandatory basis to arbitration under ISTAC (Istanbul Arbitration Centre) rules. If the arbitration process does not result in a final resolution, court proceedings may then be initiated.
14.2 The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
14.3 Nothing in this Section shall prevent either party from seeking interim or injunctive relief in any court of competent jurisdiction.

15. GENERAL PROVISIONS

15.1 Amendments. This DPA may only be amended in writing. The Processor reserves the right to update this DPA from time to time to reflect changes in Applicable Data Protection Law or the Services. Material changes shall be notified to the Controller at least 30 days in advance.
15.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.3 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties in relation to the Processing of Personal Data and supersedes all prior negotiations, representations, or agreements relating to such Processing.
15.4 No Waiver. A failure or delay by either party in exercising any right or remedy under this DPA shall not constitute a waiver of that right or remedy.
15.5 Third-Party Rights. Save as expressly provided, no third party shall have any right to enforce any provision of this DPA under the Contracts (Rights of Third Parties) Act 1999.
15.6 Notices. Any notice required under this DPA shall be given in writing and sent to the registered address of the relevant party or to such email address as notified from time to time. Notices to the Processor shall be sent to: legal@argongate.com.

16. ACCEPTANCE AND ELECTRONIC EXECUTION

16.1 By registering for an account on the ArgonGate platform and accepting the Terms of Service, the User acknowledges that they have read, understood, and agree to be bound by this DPA.
16.2 This DPA may be executed electronically, and electronic acceptance (including click-through acceptance during the registration process) shall constitute a valid and binding agreement equivalent to a handwritten signature.

ANNEX 1: DETAILS OF PROCESSING

- Subject Matter of Processing: Provision of the ArgonGate CBAM compliance and reporting platform and related services.
- Duration of Processing: For the duration of the User's subscription to the Services and for such period thereafter as required for account closure, data return/deletion, and legal retention obligations.
- Nature of Processing: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission (to EU authorities where applicable), alignment, and erasure of Personal Data as necessary for providing CBAM compliance services.
- Purpose of Processing: To enable the User to comply with EU CBAM regulatory requirements, including preparation and submission of CBAM declarations, calculation of embedded emissions, management of CBAM certificates, supplier data management, and generation of compliance reports.
- Categories of Data Subjects: Users and their employees/representatives; the User's suppliers, vendors, and their authorised contacts; third-party agents, customs brokers, and consultants acting on the User's behalf.
- Types of Personal Data: Full name, email address, telephone number, job title, company name and registration details, login credentials (hashed), IP addresses, browser/device metadata, supplier contact information, CBAM declaration reference data, and any other Personal Data voluntarily provided by the User in connection with the Services.
- Special Categories of Data: The Processor does not intentionally Process special categories of Personal Data. The User shall not submit special category data to the platform.

ANNEX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

- Access Control: Role-based access control (RBAC); multi-factor authentication for administrative access; principle of least privilege; regular access reviews and deprovisioning upon role change or termination.
- Encryption: Encryption of Personal Data in transit using TLS 1.2 or higher; encryption of Personal Data at rest using AES-256 or equivalent industry-standard encryption.
- Network Security: Firewalls, intrusion detection/prevention systems, network segmentation, and regular vulnerability scanning.
- Data Minimisation: Collection of only such Personal Data as is necessary for the provision of the Services; pseudonymisation where technically feasible and appropriate.
- Backup and Recovery: Regular encrypted backups; documented disaster recovery and business continuity procedures; periodic recovery testing.
- Logging and Monitoring: Audit logging of access to Personal Data; monitoring for unauthorised access attempts; retention of logs for a minimum of 30 days, with extended retention applied where required by Applicable Data Protection Law or ongoing investigations.
- Personnel Security: Confidentiality agreements for all personnel with access to Personal Data; regular data protection awareness training; disciplinary procedures for policy violations.
- Incident Response: Documented incident response plan; designated incident response team; post-incident review and remediation processes.
- Vendor Management: Due diligence assessment of Sub-processors; contractual obligations for Sub-processors no less stringent than those in this DPA.
- Physical Security: Where applicable, secure hosting facilities with controlled physical access, environmental controls, and surveillance systems.
- Software Development: Secure development lifecycle (SDLC); regular security testing; code review processes; timely patching of known vulnerabilities.

ANNEX 3: APPROVED SUB-PROCESSORS

- Vercel Inc. | United States | Website and application hosting, edge network delivery | EU SCCs / DPF
- Supabase Inc. | United States | Database hosting, authentication, and backend services | EU SCCs / DPF
- Stripe, Inc. | United States | Payment processing and subscription management | EU SCCs / DPF
- Anthropic, PBC | United States | AI-assisted compliance analysis and content generation | EU SCCs / DPF
- Resend, Inc. | United States | Transactional email delivery for account and service communications | EU SCCs / DPF
- Sanity AS | Norway (EEA) | Content management system for blog and public content | EEA (Adequate)

The Processor shall update this list and notify the Controller of any changes in accordance with Section 7 of this DPA.

ANNEX 4: CONTACT DETAILS

- Controller / Processor Name: ArgonGate Ltd.
- Company Number: 16771850
- Jurisdiction: England and Wales
- Data Protection Contact: legal@argongate.com
- Website: https://www.argongate.com
- Registered Office: As registered with Companies House

This DPA was last updated on 11 April 2026.