Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between TalepNET and the customer entity that purchases or uses TalepNET's services (the "Customer") where TalepNET processes Customer Personal Data on the Customer's behalf. This DPA applies to the extent required by applicable data protection laws, including the GDPR and UK GDPR where relevant.

Last updated: May 25, 2026

1. Scope and Applicability

This DPA applies where the Customer acts as controller or business and TalepNET acts as processor or service provider in connection with Customer Personal Data processed through the TalepNET platform or related support and service operations. This DPA is incorporated into and forms part of the applicable master agreement, subscription agreement, or online terms governing the Services.

2. Roles of the Parties

The Customer determines the purposes and means of processing Customer Personal Data and remains responsible for its instructions, legal basis, notices, and rights management obligations. TalepNET processes Customer Personal Data only on documented instructions from the Customer, unless otherwise required by applicable law.

3. Subject Matter, Duration, and Nature of Processing

The subject matter of the processing is the provision of TalepNET's cloud-based procurement, requisition, approval, supplier, purchasing, and spend management services, including customer support, security, maintenance, and related technical operations. Processing continues for the duration of the applicable Services agreement and any agreed transition or deletion period thereafter.

4. Categories of Data and Data Subjects

• Data subjects may include the Customer's employees, contractors, authorized users, procurement personnel, approvers, supplier representatives, and other individuals whose personal data is submitted to the Services by or on behalf of the Customer.
• Categories of personal data may include identity and business contact information, account credentials or identifiers, role and permission data, workflow and transaction metadata, supplier contact information, communication records, audit logs, and other data submitted by the Customer through the Services.
• Special categories of personal data should not be submitted to the Services unless expressly agreed in writing and supported by appropriate legal and technical measures.

5. Customer Instructions and Restrictions

TalepNET will process Customer Personal Data only to provide the Services, maintain security, prevent abuse, perform support and maintenance, comply with documented Customer instructions, and meet legal obligations. TalepNET will not sell Customer Personal Data or process it for unrelated commercial purposes.

6. Confidentiality and Personnel Commitments

TalepNET will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations and are granted access only on a need-to-know basis consistent with their roles and responsibilities.

7. Security Measures

TalepNET maintains appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the processing and the risks involved.

• Access control, role-based permissions, and authentication safeguards.
• Logging, monitoring, and incident detection practices.
• Encryption in transit and other reasonable protections for stored data where appropriate.
• Backup, business continuity, and restoration practices.
• Change management, vulnerability management, and internal security governance.

8. Subprocessors

The Customer authorizes TalepNET to engage subprocessors to support delivery of the Services, including hosting, infrastructure, support, communications, analytics, security, and AI feature providers. TalepNET remains responsible for ensuring that subprocessors are bound by data protection obligations materially consistent with this DPA. TalepNET may update its subprocessor list from time to time as part of its ordinary business operations. The current subprocessors used for the Services are listed in this section of the DPA.

• Google Cloud / Firebase (Google LLC): cloud hosting, authentication, database, storage, serverless functions, logging, and related infrastructure used to operate the TalepNET application and connected services.
• SendGrid (Twilio SendGrid, Inc.): transactional email delivery for invitations, notifications, workflow emails, and other service communications.
• OpenAI (OpenAI, L.L.C. and applicable affiliates): AI-powered assistant and related language-processing features where such features are enabled or used within the Services.
• Google reCAPTCHA Enterprise (Google LLC): abuse prevention, bot detection, and request integrity controls for public-facing forms and protected service flows.
• Google Analytics / Google Tag Manager (Google LLC): website traffic measurement, campaign attribution, and product or marketing analytics where such analytics tooling is enabled.

9. International Transfers

Where Customer Personal Data is transferred to or accessed from jurisdictions outside the country of origin, TalepNET will implement appropriate transfer mechanisms and safeguards required under applicable law, which may include Standard Contractual Clauses or equivalent lawful mechanisms.

10. Data Location

Primary Customer Personal Data is hosted in Google Cloud Firestore in the eur3 (Europe) multi-region configuration, subject to TalepNET's service architecture and the technical and organizational measures required to operate the Services.

11. Assistance with Data Subject Rights and Compliance

Taking into account the nature of the processing, TalepNET will provide reasonable assistance to the Customer in responding to data subject requests and in meeting applicable obligations relating to security, breach notification, impact assessments, and regulator consultations, to the extent required by law and reasonably possible through the Services.

12. Security Incidents

TalepNET will notify the Customer without undue delay after becoming aware of a confirmed security incident affecting Customer Personal Data and will provide available information reasonably necessary for the Customer to meet its legal obligations. TalepNET's notification of a security incident is not an admission of fault or liability.

13. Deletion and Return of Data

Upon termination or expiration of the applicable Services, TalepNET will delete or return Customer Personal Data in accordance with the agreement, documented Customer instructions, and TalepNET's standard retention and deletion procedures, unless retention is required by applicable law, security needs, or legitimate recordkeeping obligations.

14. Audit and Information Rights

TalepNET will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by applicable law and where such information is insufficient, TalepNET may allow a reasonable audit or review process subject to advance notice, confidentiality obligations, scope limitations, security controls, and reimbursement of TalepNET's reasonable costs.

15. Conflict and Priority

If there is a conflict between this DPA and the main Services agreement with respect to the processing of Customer Personal Data, this DPA will control to the extent of that conflict. This DPA does not modify liability provisions except as required by applicable data protection law.