Data Processing Agreement (DPA)

Effective Date: April 10, 2026 Version: 1.0 Last Modified: April 10, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the organization identified below (the "Controller" or "you") and Crealot Publications Limited, a company registered in England and Wales, trading as Cognistase (the "Processor," "Cognistase," "we," "us," or "our"), for the provision of the Cognistase platform and related services (the "Service") as described in our Terms of Service (the "Principal Agreement").

This DPA applies where Cognistase processes personal data on behalf of the Controller in connection with the Service. This DPA is designed for schools, educational institutions, clinical practices, and other organizations that use the Cognistase platform in a professional capacity.

For individual parents and guardians: This DPA is intended for institutional and organizational use. If you are an individual parent or guardian, the processing of your personal data is governed by our Privacy Policy and Terms of Service.

---

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the UK GDPR, the EU GDPR, or the Principal Agreement, as applicable.

"Applicable Data Protection Law" means (i) the UK General Data Protection Regulation ("UK GDPR") as retained in UK law pursuant to the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018; (ii) the EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), where applicable; and (iii) any other applicable data protection laws and regulations.

"Controller" means the organization that determines the purposes and means of the processing of Personal Data and enters into this DPA with the Processor.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including children, parents, guardians, educators, and professionals whose data is processed through the Service.

"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means Crealot Publications Limited (trading as Cognistase), which processes Personal Data on behalf of the Controller.

"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning a person's sex life or sexual orientation, as defined in Article 9 of the UK GDPR / EU GDPR.

"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

---

2. Scope and Roles

2.1 Roles of the Parties

The Controller determines the purposes and means of the processing of Personal Data. The Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller, as set out in this DPA and the Principal Agreement.

2.2 Controller's Responsibilities

The Controller is responsible for:

• Ensuring that it has a lawful basis for the processing of Personal Data, including obtaining all necessary consents from Data Subjects (including parental or guardian consent for children's data).
• Providing accurate and lawful instructions to the Processor.
• Complying with its obligations under Applicable Data Protection Law.
• Assessing the suitability of the Processor's technical and organizational measures for the intended processing activities.

2.3 Processor's Responsibilities

The Processor shall:

• Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, as described in Annex B.
• Assist the Controller in fulfilling its obligations under Applicable Data Protection Law, including in relation to Data Subject rights requests, data protection impact assessments, and consultations with supervisory authorities.

---

3. Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex A to this DPA.

---

4. Sub-Processing

4.1 Authorized Sub-Processors

The Controller grants the Processor general written authorization to engage Sub-Processors for the processing of Personal Data in connection with the Service, subject to the conditions set out in this Section 4. The current list of authorized Sub-Processors is set out in Annex C.

4.2 Obligations on Sub-Processors

The Processor shall:

• Enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA.
• Remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

4.3 Changes to Sub-Processors

The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of Sub-Processors, including the addition or replacement of Sub-Processors. The Controller shall have 14 days from the date of the notification to object to the proposed change on reasonable grounds relating to data protection. If the Controller objects, the parties shall discuss the objection in good faith with a view to reaching a resolution. If no resolution can be reached, the Controller may terminate the Principal Agreement and this DPA.

---

5. Data Subject Rights

5.1 Assistance

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including the right of access, rectification, erasure, restriction, portability, and the right to object.

5.2 Direct Requests

If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the request to the Controller, unless the Processor is required by applicable law to respond directly. The Processor shall not respond to any Data Subject request without the Controller's prior written instructions, unless required to do so by applicable law.

---

6. Security Measures

6.1 Technical and Organizational Measures

The Processor shall implement and maintain the technical and organizational security measures described in Annex B. These measures are designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

6.2 Ongoing Security

The Processor shall regularly test, assess, and evaluate the effectiveness of its technical and organizational measures and shall update them as necessary to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to Data Subjects.

---

7. Personal Data Breaches

7.1 Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach. The notification shall include:

• A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records affected.
• The name and contact details of the Processor's Data Protection Officer or other contact point where further information can be obtained.
• A description of the likely consequences of the Personal Data Breach.
• A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

7.2 Assistance

The Processor shall cooperate with and assist the Controller in investigating the Personal Data Breach and in fulfilling the Controller's notification obligations to the relevant supervisory authority and affected Data Subjects under Applicable Data Protection Law.

7.3 Documentation

The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation shall be provided to the Controller upon request.

---

8. Data Protection Impact Assessment

Where a data protection impact assessment is required under Applicable Data Protection Law, the Processor shall provide the Controller with reasonable assistance, taking into account the nature of the processing and the information available to the Processor.

---

9. Audits and Inspections

9.1 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

9.2 Conditions

Audits shall be subject to the following conditions:

• The Controller shall provide at least 30 days' prior written notice of an audit (except in the case of an audit required due to a Personal Data Breach or regulatory investigation, in which case reasonable notice shall be given).
• Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.
• The Controller (or its auditor) shall comply with the Processor's reasonable security and confidentiality requirements.
• The costs of audits shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the costs.
• The Controller may conduct no more than one audit per 12-month period, unless an audit is specifically requested by a supervisory authority or triggered by a Personal Data Breach.

9.3 Third-Party Certifications

Where the Processor holds relevant third-party certifications (such as ISO 27001 or SOC 2 Type II), the Processor may provide copies of audit reports or certificates in satisfaction of the Controller's audit rights, provided such reports adequately address the Controller's concerns.

---

10. International Data Transfers

10.1 No Transfers Outside the UK/EEA

The Processor shall not transfer Personal Data to any country outside the United Kingdom or the European Economic Area. All processing of Personal Data occurs on the Processor's privately managed, EU-based infrastructure located in Germany.

10.2 No Public Cloud AI

The Processor does not use public cloud AI services or APIs that could route Personal Data to servers outside the UK/EEA. All AI processing is performed on the Processor's privately managed infrastructure within the European Union.

10.3 Changes

If the Processor intends to change the location of its data processing infrastructure, it shall notify the Controller at least 60 days in advance. Any new location shall be within the United Kingdom or the European Economic Area.

---

11. Return and Deletion of Data

11.1 Upon Termination

Upon termination of the Principal Agreement (or upon the Controller's written request at any time), the Processor shall, at the Controller's election:

• Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV); and/or
• Delete all Personal Data through cryptographic erasure, rendering the data permanently and irrecoverably inaccessible.

11.2 Timeline

The Processor shall complete the return and/or deletion of Personal Data within 30 days of receiving the Controller's instructions. The Processor shall certify in writing that it has complied with its obligations under this section.

11.3 Exceptions

The Processor may retain Personal Data to the extent required by applicable law (e.g., audit logs for regulatory compliance), provided the Processor continues to protect such data in accordance with this DPA and processes it only for the purposes required by law. The Processor shall inform the Controller of any such retention requirement.

---

12. Confidentiality

12.1 Obligations

The Processor shall treat all Personal Data as confidential and shall ensure that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

12.2 Disclosure

The Processor shall not disclose Personal Data to any third party except:

• To authorized Sub-Processors in accordance with Section 4.
• As required by applicable law, in which case the Processor shall inform the Controller (where legally permitted) and limit the disclosure to the minimum required.
• With the Controller's prior written consent.

---

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, except that nothing in this DPA or the Principal Agreement shall limit or exclude either party's liability for breaches of Applicable Data Protection Law.

---

14. Term and Termination

14.1 Term

This DPA shall take effect on the date it is executed by both parties and shall remain in effect for the duration of the Principal Agreement.

14.2 Survival

The obligations of the Processor under Sections 7 (Personal Data Breaches), 9 (Audits), 11 (Return and Deletion), 12 (Confidentiality), and 13 (Liability) shall survive the termination of this DPA.

---

15. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, subject to the mandatory consumer protection and data protection provisions of any applicable EU Member State law.

---

16. Contact

Data Protection Officer Crealot Publications Limited (trading as Cognistase) Email: dpo@cognistase.com

Security Email: security@cognistase.com

Legal Email: legal@cognistase.com

---

Annex A: Details of Processing

---

Annex B: Technical and Organizational Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

B.1 Encryption

• In transit: All data transmitted between users and the Service is encrypted using TLS 1.3.
• At rest: All stored Personal Data is encrypted using AES-256-GCM.
• Per-record encryption: Each record is encrypted with its own unique Data Encryption Key (DEK), enabling cryptographic erasure.
• Key management: Encryption keys are stored in a dedicated key management system, separate from the data they protect.

B.2 Access Controls

• Role-based access control (RBAC): Access to Personal Data is restricted based on role and necessity. Users access only the data relevant to their role and authorization level.
• Multi-factor authentication (MFA): Enforced for all staff with access to infrastructure and for professional accounts.
• Principle of least privilege: Staff access is limited to the minimum necessary for their role.
• Unique credentials: Every staff member uses unique, individual credentials. Shared accounts are prohibited.

B.3 Infrastructure Security

• Private cloud: All Personal Data is stored and processed on privately managed servers within the European Union (Germany). No public cloud providers (AWS, Google Cloud, Microsoft Azure) are used for the storage or processing of Personal Data.
• Network segmentation: Clinical and developmental data is stored in a separate, isolated network segment (PHI Isolation Zone) with additional access controls.
• Zero-trust architecture: Every request is verified independently. No implicit trust is granted based on network location.
• Firewall and intrusion detection: Network firewalls and intrusion detection systems monitor for unauthorized access attempts.

B.4 De-Identification

• Before any AI processing, Personal Data is de-identified. The AI processes clinical and developmental data points only, it does not have access to identifying information.
• De-identification follows the HIPAA Safe Harbor standard (18 identifier categories removed) as an additional protective measure beyond GDPR requirements.

B.5 Audit Trail

• All access to Personal Data is logged in an immutable, cryptographically chained audit trail.
• Audit logs record who accessed what data, when, and what action was performed.
• Audit logs do not contain clinical or developmental data content, only metadata about access events.
• Audit logs are retained for a minimum of 7 years for regulatory compliance.

B.6 Personnel Security

• All staff with access to Personal Data undergo background checks.
• All staff receive data protection and information security training upon onboarding and annually thereafter.
• All staff are bound by confidentiality obligations.

B.7 Business Continuity and Disaster Recovery

• Regular encrypted backups of all data.
• Backup data is stored in the same jurisdiction (EU) as primary data.
• Disaster recovery plan tested and reviewed regularly.
• Backups are encrypted using the same per-record encryption model, ensuring that cryptographic erasure affects backups as well.

B.8 Vulnerability Management

• Regular vulnerability scanning of all systems.
• Penetration testing by independent third parties.
• Security code reviews for all code changes.
• Responsible disclosure program for external security researchers.
• Incident response plan tested regularly through drills.

B.9 Physical Security

• Data center access restricted to authorized personnel only.
• Physical security controls include access badges, CCTV monitoring, and environmental controls (fire suppression, climate control, power redundancy).

---

Annex C: Authorized Sub-Processors

The following Sub-Processors are authorized to process Personal Data on behalf of the Controller:

The Processor shall maintain this list and notify the Controller at least 30 days in advance of any changes, in accordance with Section 4.3 of this DPA.

---

This Data Processing Agreement was last updated on April 10, 2026.