
DRAGON2000’s STANDARD DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms an integral part of the Terms & Conditions between (i) the Customer and (ii) Dragon2000.

1. DEFINITIONS

In the DPA, the following terms have the meanings indicated below:
1.1 “Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of individuals and their right to privacy with regard to the processing of Personal Data under the Terms & Conditions, including the UK General Data Protection Regulation and the Data Protection Act 2018.
1.2 “Data Subject” means the persons whose Personal Data are processed under the Terms & Conditions as listed in Annex 1 of the DPA.
1.3 “Data Controller” means the Customer who, alone or in association with other persons, determines the purposes and methods of processing Personal Data.
1.4 “Detailed Elements” means the data contained in Dragon2000 Products and Services.
1.5 “Personal Data” means any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The categories of Personal Data processed under the Terms & Conditions by Dragon2000 are specified in the Annex 1 of the DPA.
1.6 “Personal Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.7 “Dragon2000 Products and Services” means DragonDMS and the associated apps and website provided by Dragon2000.
1.8 “Subcontractor” means Dragon2000 who processes Personal Data on behalf of the Data Controller.
1.9 “Services” refers to all services provided by Dragon2000 to the Customer.

2. GENERAL OBLIGATIONS OF THE PARTIES

In the context of the performance of the Terms & Conditions and the provision of Services, Dragon2000 processes Personal Data as a Subcontractor on behalf of the Customer, acting as the Data Controller, under the conditions set out below.

2.1 Responsibility of the Data Controller

The Customer, in their capacity as Data Controller, remains solely responsible for the lawfulness of the processing entrusted to the Service Provider, with regard to the principles and obligations set forth by Data Protection Law, particularly concerning the legal basis for the processing and the provision of information to Data Subjects.

The Customer undertakes, within the framework of this DPA, to process Personal Data in compliance with Data Protection Law, and in particular to document in writing all instructions concerning the processing of Personal Data given to Dragon2000, to ensure beforehand, and throughout the duration of the processing, that Dragon2000 complies with its obligations set forth by Data Protection Law, and to guarantee that the Customer holds all the necessary rights and authorisations, in compliance with Data Protection Law, to enable Dragon2000 to lawfully carry out the processing.

In the event of an audit of Dragon2000 by a supervisory authority concerning all or part of the processing entrusted to it by the Customer, the Customer undertakes to actively cooperate with Dragon2000 and, if necessary, with the supervisory authority, including by providing all relevant documents or information at its disposal.

The Customer is solely responsible for the content and messages transmitted, received, generated, and stored on Dragon2000 Products and Services. The Customer therefore indemnifies Dragon2000 against any claim, complaint, or demand from a Data Subject whose Personal Data is processed within Dragon2000 Products and Services.

2.2 Customer Instructions

Dragon2000 undertakes to process Personal Data in accordance with the legitimate and documented instructions provided by the Customer and only for the purposes described in the Terms & Conditions, (i) including with regard to transfers of Personal Data to a third country or to an international organisation, unless Dragon2000 is required to do so under UK law or the law of another country to which it is subject, in which case Dragon2000 shall inform the Customer of this legal obligation before processing, unless the law concerned prohibits such information for important reasons of public interest, and (ii) with the exception of instructions which Dragon2000 considers to constitute a violation of the Data Protection Law, in which case Dragon2000 shall inform the Customer.

2.3 Confidentiality

To process Personal Data, Dragon2000 undertakes that any member of staff authorised to process Personal Data within the framework of the DPA is subject to an obligation of confidentiality.

2.4 Cooperation

Dragon2000 undertakes, in particular, to:

  • Assist the Customer in ensuring compliance with its obligations regarding the security of the processing of Personal Data;
  • Assist the Customer, to the extent reasonably possible, and provide it with all the information in its possession that Dragon2000 generally makes available concerning the Services (such as this Data Protection Impact Assessment, the Terms & Conditions, audit reports, and certifications) enabling the Customer to conduct data protection impact assessments and fulfil its obligation to consult the supervisory authorities in accordance with Data Protection Law. If the Customer requires assistance from Dragon2000 that goes beyond what is reasonably possible, the Parties will meet to define the financial and operational terms of this assistance, within the limits of the legal obligations imposed on Dragon2000 by Data Protection Law.

2.5 Rights of Data Subjects

Dragon2000 undertakes to provide all reasonable assistance to the Customer to help the Customer fulfil its obligation to respond to requests to exercise rights made by any Data Subject.

Dragon2000 undertakes to communicate to the Customer, as soon as possible and without responding to it itself, any request to exercise rights made by any Data Subject.

3. SECURITY OF THE PROCESSING

3.1 Security Measures

Dragon2000 has implemented appropriate technical and organisational measures to ensure a level of security commensurate with the risk and to protect Personal Data against unauthorised access or use, and to prevent any loss, alteration, disclosure, or destruction of Personal Data.

The security measures implemented by Dragon2000 are described in Annex 2 of this DPA.

3.2 Personal Data Breach

Upon discovering a Personal Data Breach, Dragon2000 will inform the Customer as soon as possible and provide all reasonable information in its possession to assist the Customer in fulfilling its obligation to notify the competent supervisory authority of the Personal Data Breach and to communicate the Personal Data Breach to the Data Subjects in accordance with Data Protection Law. Dragon2000 may provide this information in stages, as it becomes available. Such notification shall not be construed as an admission of fault or liability by Dragon2000.

Dragon2000 also undertakes to take all reasonably necessary steps or actions to correct or mitigate the impact of any Personal Data Breach and to inform the Customer of any significant evolution relating to said Personal Data Breach.

4. AUDITS

During the term of this DPA, Dragon2000 shall provide the Customer with all necessary documentation to demonstrate compliance with its obligations and those of its subsequent subcontractors with the Data Protection Law (documentary audit).

In addition, and during the term of this DPA, the Customer may, once a year and at its own expense, conduct or have conducted by an independent auditor who is not a competitor of Dragon2000, an audit to verify the compliance of the Personal Data processing implemented by Dragon2000 with the DPA, subject to a minimum notice period of thirty (30) business days. The audit shall last a maximum of three (3) business days.

The persons appointed by the Customer must be competent specialists in the areas being audited, and their number shall be limited to three (3) persons.

Dragon2000 reserves the right to refuse the auditor selected by the Customer for any legitimate reason, including but not limited to if the auditor belongs to a competitor of Dragon2000 or if there is an ongoing dispute with the selected auditor.

The auditor must sign a confidentiality agreement with Dragon2000 beforehand.

The scope, date, and procedures of the audit must be defined by mutual agreement between the Parties through the signing of an audit protocol prior to its implementation.

It is specified that access to the documents provided by Dragon2000 to the auditor must be limited exclusively to Dragon2000’s premises. Access is strictly restricted to the scope of the auditor’s assigned tasks; the information gathered may not be used for any other purpose. No reproduction of the documents, in whole or in part, may take place without Dragon2000’s prior consent.

The audit will be conducted during Dragon2000’s business hours and must not disrupt Dragon2000’s operations. In particular, the audit may not, in any way, compromise (i) the technical and organisational security measures implemented by Dragon2000, (ii) the security and confidentiality of the Personal Data of Dragon2000’s other clients, or (iii) the proper functioning and organisation of Dragon2000’s production.

Dragon2000 agrees to collaborate with the Customer by providing the information reasonably necessary for conducting this audit and to contribute to the audit itself. The time spent by Dragon2000’s staff will be charged to Dragon2000, up to a limit of ten (10) working hours per year. Any time spent beyond this limit, as well as all expenses incurred by Dragon2000 as a result of this audit, will be billed to the Customer based on the time spent and the profile of each Provider’s staff member, at Dragon2000’s then-current rates.

The audit report will be sent free of charge to Dragon2000 to allow Dragon2000 to submit any observations or comments in writing, which will be appended to the final version of the audit report. Each audit report will be considered confidential information.

5. SUBSEQUENT SUBCONTRACTORS

Dragon2000 may subcontract all or part of the processing of Personal Data with the Customer’s prior consent. As an exception, simple notification will suffice if the subsequent subcontractor is a subsidiary of Dragon2000 located within the European Union.

Any modification to the list of subsequent subcontractors is subject to prior notification to the Customer (by any means, including email), who has 10 calendar days from receipt of such notification to submit duly justified objections (relating in particular to the security of Personal Data). At the end of this period, (i) if the Customer remains silent, Dragon2000 is authorised to modify the list of subsequent subcontractors, or (ii) if the Customer submits duly justified objections, the Parties have 15 calendar days to collaborate and find a solution enabling the continued performance of the Terms & Conditions. Failing this, the Customer may, as of right, terminate the portion of the Terms & Conditions impacted by these processing activities, without such termination giving rise to any compensation for the Customer.

Dragon2000 undertakes to enter into contracts ensuring that subsequent subcontractors provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing complies with the requirements of the Data Protection Law and imposing on subsequent subcontractors, in substance, the same obligations regarding the protection of Personal Data as those imposed on Dragon2000 by the DPA.

Dragon2000 is fully responsible to the Customer for its subsequent subcontractors’ compliance with the obligations regarding the protection of Personal Data as defined in the DPA.

6. TRANSFERS OF PERSONAL DATA

As part of providing the Services, Dragon2000 transfers personal data from the United Kingdom to a third country in the two situations described below:

  • For Clients subscribed to the DRAGON2000 DMS and the Instavid Spin360 product: Dragon2000 sends, on behalf of and for the Clients and at their request, vehicle registration information and images contained in the DragonDMS to South Africa for integration into Spin360 by Instavid. The conditions for processing Personal Data in Spin360 are outside the scope of Dragon2000. Clients are advised to contact Instavid to learn about the procedures of Personal Data processing, enter into a data protection agreement, or even agree to additional appropriate safeguards and security measures if no adequacy decision is reached. For clarification, Instavid is not considered a subsequent subcontractor of Dragon2000.
  • For customers subscribed to Appraise Ai: Dragon2000 uses a subsequent subcontractor within its Group: LACOUR CONCEPT. Within the framework of Appraise Ai, Dragon2000 sends vehicle registration information, videos, and images contained in Appraise Ai to LACOUR CONCEPT, based in France. In this regard, it is recalled that there is an adequacy decision between France and the United Kingdom which authorises these data flows.

In the event of a change in circumstances, and in all cases, Dragon2000 undertakes to ensure that any transfer of personal data is carried out either to a country deemed appropriate for the use of this data in the country concerned, or, failing that, to guarantee the implementation of appropriate safeguards and security measures in accordance with applicable data protection legislation. This applies to Services performed by Dragon2000 and, where applicable, by its subsequent subcontractors.

7. DATA DELETION OR RESTORATION

Clients have the option to extract their data from Dragon2000 Products and Services in CSV format.

In accordance with Dragon2000’s Terms & Conditions, upon termination of the contract, all Detailed Elements will be permanently deleted after a reasonable period not exceeding six months. Clients may request in writing that the deletion occur within a shorter period.

8. DATA PROTECTION OFFICER

Dragon2000’s contact for matters relating to the processing of Personal Data is its Data Protection Officer, who can be contacted by:

Post:
Data Protection Officer
Dragon2000 Ltd
The Byre
Blisworth Hill Business Park
Stoke Road
Blisworth
Northamptonshire
NN7 3DB

Email: dataprotection@dragon2000.co.uk

ANNEX 1 – PROCESSING DESCRIPTION

1. PURPOSE, NATURE, DURATION AND PURPOSES OF THE PROCESSING

The purpose of processing Personal Data is to provide services within the Dragon2000 Products and Services.

The nature of the data processing operations is as follows:

  • Organisation
  • Structuring
  • Hosting
  • Backup
  • Consultation
  • Use
  • Communication
  • Storage
  • Deletion
  • Destruction
  • Archiving
  • Analysis

The processing period is the duration of the Terms & Conditions.

2. LIST OF PERSONAL DATA PROCESSED

The Personal Data processed is as follows:

  • Vehicle identification: registration number and vehicle identification number (VIN);
  • Identification information of the vehicle owner and/or driver, car dealer including their staff, the repair shop, the expert, the insurance company, and the rental company: title, gender, last name, first name, postal address, mobile and landline telephone numbers, email address, date of birth, voice recording, personal emails exchanged between customer and DragonDMS Customer, and copies of identification documents.

The categories of Data Subjects are as follows: vehicle owner and/or driver, car dealer including their staff, repair shop, expert, and staff of the finance provider, and/or insurance company and/or rental/leasing company.

ANNEX 2 – TECHNICAL AND ORGANISATIONAL MEASURES

Respect for the integrity and security of Personal Data:

We are committed to maintaining the integrity, confidentiality, and security of all Personal Data processed within our organisation. We apply appropriate technical and organisational measures designed to protect Personal Data against unauthorised access, alteration, disclosure, or destruction.

These measures include (but are not limited to):

  • Access controls ensuring only authorised personnel can access Personal Data.
  • Encryption of data in transit and at rest where appropriate.
  • Regular security monitoring and auditing to detect and prevent potential vulnerabilities.
  • Data minimisation and retention practices to ensure Personal Data is only used for legitimate, clearly defined purposes.
  • Employee training on data protection responsibilities and secure handling of Personal Data.
  • Incident response procedures to promptly address and report any actual or suspected data breaches in line with applicable legal requirements.

We continuously review and update our security practices to ensure ongoing compliance with relevant data protection laws and industry standards.

Limitation of access to Personal Data:

We ensure that access to Personal Data is strictly limited to individuals who require it for legitimate business purposes. Access is granted on a least‑privilege basis, ensuring users only have the minimum permissions necessary to perform their roles.

Key controls include:

  • Role‑based access controls (RBAC): Permissions are assigned based on job responsibilities to prevent unnecessary or excessive access.
  • Authentication measures: Strong password policies, multi‑factor authentication, and secure login processes help safeguard access.
  • Regular access reviews: User permissions are periodically reviewed, updated, or revoked when roles change or access is no longer required.
  • Logging and monitoring: Access to Personal Data is logged and monitored to detect and respond to unauthorised or inappropriate activity.
  • Strict onboarding and offboarding procedures: Access is only provisioned after approval and is removed promptly when no longer needed.
  • Internal policies and training: Employees are trained to understand their responsibilities in safeguarding data and respecting access limitations.

These measures ensure Personal Data is accessed only by authorised individuals, for appropriate purposes, and with a high level of accountability.

Disaster recovery centre:

UK based – Rackspace LDN1

Measures for the pseudonymisation and encryption of Personal Data:

Use of AES-256 encryption for sensitive authentication credentials at rest and TLS 1.2+ for all data in transit.

Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • Strict firewalls are in place to ensure confidentiality and restricted access to data to only authenticated users.
  • Failover clustering is in use to ensure uptime and availability of services.
  • Load balancing is in use for APIs and other backend services to ensure uptime of all data processing.
  • Additional monitoring and recovery systems are established to enable automated recovery of all services to ensure maximum uptime and stability.

Measures to ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident:

  • An automated backup system is maintained of all customer data, enabling point-in-time recovery of data backed up to within 6 hours of any incident.
  • Additional backups are also taken in case of any corruption of data allowing access to data from 7 or 30 days prior, should this be required.
  • Data recovery can be arranged within just a few hours should an incident occur.
  • A data recovery plan is documented internally should an incident occur.

Processes for regularly testing, evaluating, and assessing the effectiveness of technical and organisational measures to ensure the security of processing:

  • Regular testing occurs of the data backups, many times weekly including point-in-time tests.
  • Historical backups are maintained and monitored by our Microsoft service partner.

Measures for user identification and authorisation:

  • Domain-authenticated users via Microsoft Entra ID with enforced MFA and conditional access.
  • Role based access control in place.
  • All VPN access uses enforced MFA.

Measures to protect data during transmission:

End-to-end encryption for transfers is in use at all times, between internal APIs as well as for any access to data storage.

Measures to protect data during storage:

  • Rackspace security essentials provided by ‘Armor’ in use on the server cluster for SQL data including Intrusion Detection, File Integrity Monitoring, Malware Protection, Log Collection & Management, Vulnerability Scanning & Antivirus.
  • Advanced firewall in place preventing unauthorised access not only to data but also the server cluster itself.
  • Backend services (separate to our databases) are decoupled into isolated Docker containers, preventing cross-service data leakage and ensuring that a compromise in one service does not grant access to the underlying host or other data volumes.
  • We utilise container images that are stateless and read-only where possible. This ensures a consistent security baseline and prevents unauthorised persistent changes to the processing environment.

Measures to ensure the physical security of the premises where Personal Data is processed:

  • All cloud infrastructure storing personal data is managed 24x7x365 by network and system engineers, and the facilities are equipped with biometric scanners, video surveillance, alarm systems, key card access and laser-based smoke detection.
  • Our cloud provider for data storage (Rackspace) adheres to a broad range of information and security certifications & standards including SSAE18 SOC1, SOC2, SOC3, PCI DSS, ISO27001, ISO14001 and ISO9001.

Measures to ensure event logging:

  • We maintain a wide range of logging of user activity and system changes, standard infrastructure event log backups are maintained for 12 months.
  • Relevant user events affecting data changes within user data are maintained for longer to ensure data integrity.

Measures to ensure system configuration, including default configuration; measures relating to internal governance and management of information technology and IT security:

  • System configurations are regularly backed up to ensure configuration recovery is always available.
  • Use of Infrastructure as Code (IaC) for consistent setups is utilised across cloud infrastructure.

Measures to certify/guarantee processes and products:

All software development follows a secure software development lifecycle, including mandatory peer code reviews. Products are subjected to rigorous Quality Assurance (QA) testing in staging environments that are strictly segregated from production data to guarantee system integrity prior to deployment.

Measures to ensure data minimisation:

  • Data collection is technically restricted to the specific categories required to serve the purpose of the software, ensuring only the minimum amount of Personal Data necessary for the specified purpose is processed.
  • Retention and deletion processes are enforced to ensure that data is purged or anonymized once the primary purpose of processing is fulfilled or the retention period expires, preventing the accumulation of redundant or unnecessary datasets.

Measures to ensure data quality:

  • We utilise automated input validation and data integrity checks at the point of collection.
  • We also utilise several periodic automated data reviews in certain areas to guarantee data integrity over time.

Measures to ensure limited retention of personal data:

Data is only maintained while it remains relevant and the client remains active. Once the client becomes inactive, the data is disposed of approximately six months thereafter.

Measures to enable data portability and ensure erasure:

We have established procedures to support individuals’ rights to data portability and erasure in accordance with applicable data protection laws (such as GDPR).

Data Portability

We provide mechanisms to ensure that individuals can obtain their Personal Data in a structured, commonly used, and machine‑readable format. Measures include:

  • Export functionality to generate Personal Data in standard formats (e.g., CSV, JSON, or other interoperable formats).
  • Secure transfer processes to transmit Personal Data directly to another controller upon request, where technically feasible.
  • Identity verification steps to ensure data is only provided to the correct data subject or authorised party.

Data Erasure (Right to Be Forgotten)

We also maintain policies and processes to ensure Personal Data can be securely and permanently erased when no longer necessary or when a legitimate erasure request is received. Measures include:

  • Formal erasure workflows allowing authorised staff to validate, approve, and action deletion requests.
  • Data minimisation and retention schedules ensuring data is not kept longer than required for legal or operational reasons.
  • Secure deletion from live systems and backups, using methods appropriate to the system’s technical capabilities.
  • Audit logging to record erasure actions for compliance and accountability.
  • Employee training to ensure staff understand and correctly implement these rights.

These measures ensure we can effectively support data subjects’ rights while maintaining security, compliance, and operational integrity.

ANNEX 3 – SUBSEQUENT AUTHORISED SUBCONTRACTORS

Subsequent subcontractor | Nature of processing activities | Localisation of processing
Rackspace | Data hosting and backups | United Kingdom
AWS | Data hosting and backups | United Kingdom
LACOUR CONCEPT | Processing of data sent by Dragon (input); data hosting (output); data transfer to Dragon2000 (output) | France

Last Updated: April 2026
