Data Processing Addendum

Main Terms

How Unpaved handles customer personal data

1. Scope and applicability

This Data Processing Addendum forms part of the agreement between Unpaved and the customer for the provision of the Unpaved services. It applies whenever Unpaved processes personal data on the customer's behalf in connection with those services.

Where applicable, this addendum is intended to support compliance with the UK GDPR, the EU GDPR, and related data protection laws. If there is a conflict between this addendum and the main services agreement on data protection matters, this addendum will control to the extent of that conflict.

2. Roles of the parties

The customer acts as controller, or as a processor acting on behalf of another controller, for customer personal data submitted to or generated through the services. Unpaved acts as processor for that customer personal data when processing it to provide the services.

The customer is responsible for determining the lawful basis for processing, providing any required notices to data subjects, and ensuring that its instructions to Unpaved comply with applicable law.

3. Customer instructions and permitted processing

Unpaved will process customer personal data only on documented instructions from the customer, unless otherwise required by applicable law. The agreement, the customer's use of the services, and written configuration or support requests together form the customer's documented instructions.

Unpaved may process customer personal data to provide the service, maintain service security, troubleshoot issues, prevent abuse, comply with legal obligations, and carry out other activities that are reasonably necessary to operate the services on the customer's behalf.

4. Confidentiality and personnel access

Unpaved will ensure that personnel authorized to process customer personal data are subject to appropriate confidentiality obligations and only have access to the data on a need-to-know basis.

Access to customer personal data will be limited to personnel who require that access to operate, support, secure, or improve the services in line with this addendum.

5. Security measures

Unpaved will maintain appropriate technical and organizational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures may include access controls, authentication measures, encryption in transit and at rest where appropriate, logging and monitoring, vulnerability management, data segregation, and procedures supporting retention and deletion.

6. Subprocessors

The customer authorizes Unpaved to engage subprocessors to support delivery of the services. Unpaved will impose data protection obligations on subprocessors that are no less protective than the obligations set out in this addendum, taking into account the nature of the processing.

Unpaved remains responsible for the performance of its subprocessors to the extent required by applicable law. Customers may contact Unpaved at info@unpaved.ai for questions relating to subprocessors used in connection with the services.

7. International transfers

Where Unpaved transfers customer personal data outside the United Kingdom or European Economic Area, it will do so using an appropriate transfer mechanism recognized under applicable data protection law.

Depending on the circumstances, that mechanism may include adequacy regulations, standard contractual clauses, the UK international data transfer addendum, or another lawful basis for transfer.

8. Data subject requests and customer assistance

Taking into account the nature of the processing, Unpaved will provide reasonable assistance to help the customer respond to requests from data subjects to exercise their rights under applicable law.

Unpaved will also provide reasonable assistance with security assessments, breach-related obligations, and data protection impact assessments where the information required is available to Unpaved and the customer cannot reasonably obtain it by other means.

9. Personal data incidents

If Unpaved becomes aware of a confirmed personal data incident affecting customer personal data, Unpaved will notify the customer without undue delay and provide information reasonably available to help the customer meet its notification and remediation obligations.

Unpaved may take steps to contain, investigate, and remediate the incident before sharing complete details, but will continue to provide material updates as they become available.

10. Return and deletion

At the end of the services, and subject to the terms of the main agreement, Unpaved will delete or return customer personal data at the customer's request unless retention is required by applicable law.

Unpaved may retain limited data for legitimate business purposes such as security, backup integrity, dispute resolution, or compliance, but only for so long as permitted by law and subject to appropriate safeguards.

11. Audits and information rights

Unpaved will make available information reasonably necessary to demonstrate compliance with this addendum. Where appropriate and proportionate, the parties may agree on a reasonable audit process, subject to confidentiality obligations, security restrictions, and protection of other customers' information.

Any audit rights under this section must be exercised in a manner that does not unreasonably disrupt Unpaved's operations or compromise service security.

12. Contact

Questions about this Data Processing Addendum, Unpaved's data handling practices, or subprocessors may be sent to info@unpaved.ai.

This page is effective as of 8 April 2026 and may be updated from time to time to reflect changes to the services, applicable law, or Unpaved's processing practices.