Last Updated: January 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Raico Technology Ltd, a company incorporated in England and Wales (Company No. 15956975) with its registered office at 12 Oliver Grove, Ebbsfleet Valley, Swanscombe, England, DA10 1FJ ("Raico", "Processor"), and the customer or other contracting entity ("Customer", "Controller") and applies to the Processing of Personal Data in connection with the Services.

This DPA is intended to satisfy the requirements of Article 28 of the UK GDPR and EU GDPR and to be applicable for customers in the United Kingdom, European Union, United States, and Middle East, including in enterprise, procurement, and audit contexts.

1. Definitions

For the purposes of this DPA:

  • Applicable Data Protection Laws means all data protection, privacy, and cybersecurity laws and regulations governing the Processing of Personal Data under this DPA, including without limitation the UK GDPR, EU GDPR, the UK Data Protection Act 2018, and applicable Middle East and US data protection laws.
  • Controller, Processor, Personal Data, Processing, Data Subject, and Personal Data Breach have the meanings given in the GDPR.
  • Customer Data means Personal Data Processed by Raico on behalf of Customer in connection with the Services.
  • Raico means Raico's software-as-a-service platform, trust centre functionality, advisory and professional services, and related support services.
  • Sub-Processors means any third party appointed by Raico to Process Customer Data.

2. Roles of the Parties

2.1

Customer acts as the Controller of Customer Data. Raico acts as a Processor when Processing Customer Data on behalf of Customer.

2.2

Each party shall comply with its respective obligations under Applicable Data Protection Laws.

2.3

Nothing in the DPA shall be construed to create a joint controller relationship between the parties.

3. Scope and Purpose of Processing

3.1

Raico shall Process Customer Data solely for the purposes of:

  • providing, operating, supporting, and maintaining the Services;
  • providing trust centre functionality as configured by Customer;
  • providing advisory or professional services where applicable;
  • complying with legal obligations; and
  • improving and securing the Services in an aggregated or de-identified manner.

3.2

Categories of Data Subjects: Customer's authorised users, employees, contractors, vendors, assessors, and other individuals whose data is submitted to the Services.

3.3

Categories of Personal Data: business contact details, account credentials, audit artefacts, compliance documentation, usage and log data, communications, and any other data submitted by or on behalf of Customer.

3.4

Duration of Processing: for the term of the Agreement and any lawful retention period thereafter.

4. Instructions

4.1

Customer instructs Raico to Process Customer Data in accordance with this DPA, the Agreement, and Customer's documented instructions as configured through the Services.

4.2

Raico shall inform Customer if it believes an instruction infringes Applicable Data Protection Laws.

5. Confidentiality

Raico shall ensure that persons authorised to Process Customer Data are subject to confidentiality obligations and receive appropriate data protection training.

6. Security Measures

6.1

Raico shall implement appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

6.2

Such measures shall be aligned with recognised industry standards and frameworks, including SOC 2 and ISO 27001 principles.

7. Sub-Processors

7.1

Customer authorises Raico to engage Sub-Processors for the Processing of Customer Data.

7.2

Raico shall:

  • enter into written agreements with Sub-Processors imposing data protection obligations no less protective than this DPA;
  • remain responsible for the acts and omissions of Sub-Processors; and
  • make available information regarding Sub-Processors upon reasonable request.

8. Data Subject Rights Assistance

Taking into account the nature of the Processing, Raico shall provide reasonable assistance to enable Customer to respond to Data Subject requests under Applicable Data Protection Laws.

9. Personal Data Breach Notification

9.1

Raico shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and shall provide information reasonably required to enable Customer to comply with its notification obligations under Applicable Data Protection Laws.

9.2

Such notification shall include, to the extent available:

  • a description of the nature of the Personal Data Breach;
  • the categories and approximate number of affected Data Subjects and Personal Data records;
  • the likely consequences of the Personal Data Breach; and
  • the measures taken or proposed to address the Personal Data Breach and mitigate its potential adverse effects.

9.3

Raico shall not notify any supervisory authority or Data Subject of a Personal Data Breach relating to Customer Data unless required by law or instructed by Customer.

10. Data Protection Impact Assessments and Regulatory Cooperation

Taking into account the nature of the Processing and the information available to Raico, Raico shall provide reasonable assistance to Customer with data protection impact assessments and, where required, consultations with supervisory authorities under Applicable Data Protection Laws.

11. Deletion or Return of Customer Data

11.1

Upon termination or expiry of the Agreement, and at Customer's choice, Raico shall delete or return all Customer Data to Customer, unless retention is required by Applicable Data Protection Laws.

11.2

Where deletion is requested, Raico shall securely delete Customer Data in accordance with its data deletion and destruction policy.

11.3

Any retained Customer Data shall remain subject to the confidentiality and security obligations set out in this DPA.

12. Compliance Information

Raico shall make available to Customer, upon reasonable request, information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

13. International Data Transfers

13.1

Customer acknowledges that Customer Data may be transferred to and Processed in countries outside the UK or EEA.

13.2

Where such transfers occur, Raico shall ensure appropriate safeguards are in place in accordance with Applicable Data Protection Laws, including the use of:

  • UK International Data Transfer Addendum;
  • EU Standard Contractual Clauses; or
  • other lawful transfer mechanisms.

14. Limitation of Liability

Liability arising under this DPA shall be subject to the limitations of liability set out in the Agreement except where such limitations are prohibited by Applicable Data Protection Laws.

15. Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction specified in the Agreement.

17. Contact and Data Protection Enquiries

For questions or requests relating to this DPA or the Processing of Customer Data, Customer may contact us at:
Email: privacy@raico.io
Data Protection Officer: Angela Raib
