Data Processing Agreement

Effective date: 30 June 2026  ·  Last updated: 30 June 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Hidbrain Ltd (“Processor”) and the Customer entity that has accepted those Terms (“Controller”), and governs the processing of personal data by Hidbrain Ltd on the Controller's behalf in connection with the Timemy service (“Service”). It is entered into pursuant to Article 28 of the UK General Data Protection Regulation (“UK GDPR”) as retained in UK law by the European Union (Withdrawal) Act 2018.

By subscribing to the Service, the Controller agrees to the terms of this DPA. Where a signed copy is required for compliance or procurement purposes, please contact privacy@hidbrain.com.

1. Parties

Processor

Hidbrain Ltd

Registered in England & Wales, Company No. 12170656

ICO registration number: ZA853964

United Kingdom

privacy@hidbrain.com

Controller

The Customer entity that has accepted the Timemy Terms of Service, as identified in the account registration.

2. Definitions

Terms used but not defined in this DPA have the meanings given in the Terms of Service or UK GDPR.

"Controller": The Customer, who determines the purposes and means of processing Personal Data.
"Processor": Hidbrain Ltd, who processes Personal Data on behalf of the Controller.
"Personal Data": Any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.
"Processing": Any operation performed on Personal Data, including storage, retrieval, use and disclosure.
"Data Subject": The natural person to whom Personal Data relates.
"Sub-processor": Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Security Incident": Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"UK GDPR": The General Data Protection Regulation as it forms part of UK law pursuant to the European Union (Withdrawal) Act 2018.

3. Subject Matter, Nature and Purpose of Processing

Subject matter: Processing of Personal Data in connection with the Timemy contract and supplier management platform.
Nature: Storage, retrieval, organisation, structuring, disclosure to authorised users, AI-assisted extraction, and deletion of Personal Data.
Purpose: To provide the Timemy Service as described in the Terms of Service — enabling Customers to store contracts, manage supplier relationships, track key dates, and receive renewal reminders.
Duration: For the term of the Controller's subscription, plus any retention period required by law or specified in this DPA, after which data will be deleted or returned.

4. Types of Personal Data and Categories of Data Subjects

4.1 Types of Personal Data

The Personal Data processed may include, as uploaded by the Controller:

  • Names, job titles and contact details of individuals named in contracts or as supplier contacts;
  • Email addresses of team members and supplier representatives;
  • Signatures and signatory details within contract documents;
  • Any other Personal Data contained within contract documents uploaded to the Service by the Controller.

The Processor does not knowingly process special category data (Article 9 UK GDPR) on behalf of the Controller. The Controller is responsible for ensuring that special category data is not uploaded to the Service without appropriate safeguards.

4.2 Categories of Data Subjects

  • The Controller's employees and authorised users of the Service;
  • The Controller's suppliers, contractors and counterparties named in contracts;
  • Any other individuals whose Personal Data is contained in documents uploaded by the Controller.

5. Obligations of the Processor

The Processor shall:

  • Process only on documented instructions — process Personal Data only on the Controller's documented instructions (as set out in this DPA and the Terms of Service), unless required to do so by UK law, in which case the Processor shall inform the Controller unless prohibited by law;
  • Ensure confidentiality — ensure that persons authorised to process the Personal Data are subject to appropriate confidentiality obligations;
  • Implement security measures — implement appropriate technical and organisational measures in accordance with Article 32 UK GDPR (see Section 8);
  • Sub-processor obligations — not engage Sub-processors without the Controller's prior general or specific written authorisation (see Section 6);
  • Assist with Data Subject rights — taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to Data Subject requests (see Section 7);
  • Assist with compliance obligations — assist the Controller in ensuring compliance with Articles 32–36 UK GDPR (security, breach notification, DPIAs and prior consultation), taking into account the nature of the processing and information available to the Processor;
  • Delete or return data — at the Controller's choice, delete or return all Personal Data upon termination of the Service and delete existing copies, unless UK law requires storage (see Section 9);
  • Provide audit information — make available all information necessary to demonstrate compliance with Article 28 UK GDPR and allow for and contribute to audits (see Section 10).

6. Sub-processors

The Controller grants the Processor general authorisation to engage Sub-processors, subject to the conditions in this section.

6.1 Current Sub-processors

The Processor currently uses the following categories of Sub-processor:

Category | Purpose | Location
Cloud infrastructure & database | Hosting, storage, authentication and database services | EU (Ireland)
AI document processing | Automated extraction of key data from uploaded contracts | EU
Transactional email | Sending renewal reminders and account notifications | EU / US (SCCs)
Payment processing | Subscription billing and payment card handling | US (SCCs / adequacy)
Error monitoring | Application error tracking and performance monitoring | EU / US (SCCs)

A list of named Sub-processors is available upon request at privacy@hidbrain.com.

6.2 Changes to Sub-processors

The Processor will provide at least 14 days' prior notice of any intended addition or replacement of Sub-processors, by email to the Controller's registered account address or by posting on timemy.com/dpa. The Controller may object to a new Sub-processor within 14 days of notice on reasonable grounds relating to data protection. Where the Processor is unable to accommodate the objection, the Controller may terminate the affected services on written notice.

6.3 Sub-processor Obligations

The Processor shall impose data protection obligations on each Sub-processor equivalent to those set out in this DPA, by way of a written contract. The Processor remains fully liable to the Controller for the performance of a Sub-processor's obligations.

7. Assistance with Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller in responding to Data Subject requests exercised under Articles 15–22 UK GDPR (including rights of access, rectification, erasure, restriction, portability and objection), by:

  • Providing the Controller with export tools enabling download of Personal Data in a machine-readable format;
  • Enabling the Controller to delete individual records or entire accounts from within the Service;
  • Where technical tools are insufficient, processing deletion or export requests within 30 days of written notice from the Controller.

Where a Data Subject contacts the Processor directly, the Processor will promptly forward the request to the Controller and will not respond directly unless instructed to do so or required by law.

8. Technical and Organisational Security Measures

In accordance with Article 32 UK GDPR, the Processor implements and maintains the following measures, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing:

Encryption in transit

TLS 1.2 or higher for all data transmitted between the Service and users.

Encryption at rest

AES-256 encryption for stored documents and database data.

Access controls

Role-based access with principle of least privilege; multi-factor authentication available.

Data isolation

Row-level security (RLS) at the database layer ensures complete isolation between Customer organisations.

Vulnerability management

Regular dependency scanning, penetration testing and security patching.

Business continuity

Automated daily backups with point-in-time recovery; geographically redundant infrastructure.

Incident response

Documented incident response procedures with defined escalation paths and notification timelines.

Supplier security

Sub-processors are assessed for data protection and security standards prior to engagement.

The Processor may update security measures from time to time, provided that updates do not materially reduce the overall level of protection afforded to Personal Data.

9. Data Retention and Deletion

Upon expiry or termination of the Controller's subscription, the Processor will:

  • Retain the Controller's Personal Data for a post-termination grace period of 30 days, during which the Controller may export data using in-app tools;
  • Permanently delete all Personal Data (including backups) within 90 days of the termination date, unless a longer retention period is required by applicable UK law;
  • Provide written confirmation of deletion upon the Controller's request.

The Controller may request early deletion prior to termination by contacting privacy@hidbrain.com. Deletion is irreversible; the Controller is responsible for exporting any data they wish to retain before requesting deletion.

10. Audit Rights

The Processor shall, upon reasonable written request (giving not less than 14 days' notice), make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in Article 28 UK GDPR and this DPA, including:

  • This DPA and any amendments;
  • Certifications and audit reports held by the Processor or its cloud infrastructure provider (e.g. SOC 2 Type II report, ISO 27001 certificate), subject to confidentiality;
  • Responses to reasonable security questionnaires submitted by the Controller.

On-site audits of the Processor's systems are permitted no more than once per year, on reasonable notice, and subject to the Controller bearing reasonable costs. The Processor may require the Controller to sign a non-disclosure agreement before sharing confidential audit information.

11. International Data Transfers

Personal Data is stored on infrastructure located in the EU (Ireland) and does not leave the EU/EEA as a matter of course. Where Sub-processors are located outside the UK or EEA (for example, certain transactional email or monitoring providers), the Processor ensures an appropriate transfer mechanism is in place, including:

  • UK adequacy regulations — for transfers to countries recognised by the UK government as providing adequate protection;
  • UK International Data Transfer Agreements (IDTAs) — or the EU Standard Contractual Clauses as adapted for UK use under Schedule 21 of the Data Protection Act 2018, for transfers to countries lacking adequacy.

Details of the transfer mechanism applicable to each Sub-processor are available upon request at privacy@hidbrain.com.

12. Security Incident Notification

In the event of a Security Incident involving Personal Data processed under this DPA, the Processor shall:

  • Notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the incident;
  • Provide, as soon as available: a description of the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident;
  • Take reasonable steps to mitigate the effects and prevent recurrence;
  • Cooperate with and assist the Controller in meeting its own notification obligations to the ICO (within 72 hours under Article 33 UK GDPR) and to affected Data Subjects.

Security incident notifications should be directed to privacy@hidbrain.com.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud, or any liability that cannot be limited or excluded by applicable law.

Where both parties are liable for damage caused by processing in breach of UK GDPR, liability shall be apportioned between them in accordance with Article 82 UK GDPR. The Processor is exempt from liability where it proves it is not in any way responsible for the event giving rise to the damage.

14. Term and Termination

This DPA comes into effect on the date the Controller accepts the Terms of Service and remains in force for the duration of the Controller's subscription. It terminates automatically upon expiry or termination of the subscription, subject to the data retention obligations in Section 9 which survive termination.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales. Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where mandatory consumer protection laws in the Controller's country of residence require otherwise.

16. Changes to This DPA

The Processor may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or Sub-processor arrangements. Material changes will be notified to the Controller by email at least 30 days before taking effect. Continued use of the Service after that date constitutes acceptance. Where a change is required by law, it may take effect immediately.

17. Contact

Questions about this DPA, requests for a countersigned copy, or Sub-processor information should be directed to:

Hidbrain Ltd

Registered in England & Wales, Company No. 12170656

ICO registration: ZA853964

Privacy enquiries: privacy@hidbrain.com

Data Protection Officer: dpo@hidbrain.com