Data Processing Agreement

Last Updated: 31 October 2025

This Data Processing Agreement (DPA) is incorporated into and forms part of the Agreement (as defined below) between: (1) Diesta Limited, a company incorporated in England & Wales with company number 13969906 having its registered office at The Northern & Shell Building, 10 Lower Thames Street, London, England, EC3R 6AF (Diesta), and (2) the entity that is a counterparty to the Agreement (Customer). Diesta and Customer together, the Parties and each, a Party.

Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between the DPA and the Agreement, the DPA will govern. 


  1. Definitions

1.1. For purposes of this DPA, the terms below have the meanings set forth below: 

(a) Affiliate: any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

(b) Agreement: the Proof of Concept (POC) Agreement or SaaS Agreement (as applicable) entered into by and between Diesta and the Customer.

(c) Applicable Data Protection Laws: as and to the extent applicable, the GDPR, FADP, State Privacy Laws, GLBA, NYDFS Cybersecurity Regulation, PIPEDA, and any other privacy, data protection and data security laws and regulations applicable to Diesta’s Processing of Personal Data under the Agreement agreed to in writing by Diesta.

(d) Controller: the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the California Consumer Privacy Act.

(e) Customer Data: has the meaning given to it in the Agreement. If the Agreement does not include a definition of “Customer Data” it shall mean the information provided by Customer to Diesta for Processing on Customer’s behalf to perform the Services. 

(f) Data Subject: the identified or identifiable natural person to whom Personal Data relates.

(g) EEA: the European Economic Area.

(h) FADP: the Swiss Federal Act on Data Protection in its revised version of 25 September 2020.

(i) FDPIC: Swiss Federal Data Protection and Information Commissioner.

(j) GDPR: as and where applicable to Processing concerned: (i) the General Data Protection Regulation (EU) 2016/679 (EU GDPR); and/or (ii) the UK General Data Protection Regulation (UK GDPR), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, replacement, amendment or re-enactment, to or of the foregoing. References to Articles and Chapters of, and other relevant defined terms in, the GDPR shall be construed accordingly.

(k) Information Security Incident: a breach of Diesta’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized use or disclosure of, or access to, Personal Data in Diesta’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. 

(l) GLBA: the Gramm-Leach-Bliley Act of 1999, as amended, and any binding regulations promulgated thereunder.

(m) NYDFS Cybersecurity Regulation: Title 23, Chapter I, Part 500 of the New York Code, Rules and Regulations, entitled Cybersecurity Requirements for Financial Services Companies, as amended.

(n) Personal Data: Customer Data that constitutes “personal data,” “personal information,” “non-public personal information” or “personally identifiable information” as defined in Applicable Data Protection Laws, except that Personal Data does not include such information received by Diesta directly or from other sources (such as its other customers) independent of Diesta’s relationship with Customer.

(o) PIPEDA: as and where applicable to Processing concerned: (i) the Canadian Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, and any successor privacy or data protection legislation; and/or (ii) any provincial privacy or data protection legislation deemed substantially similar to PIPEDA by the Governor in Council (Provincial Privacy Laws), including, in each case, any binding regulations promulgated thereunder. 

(p) Process or Processing: any operation or set of operations which is performed by Diesta on behalf of Customer under the Agreement, on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(q) Processor: the entity that Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the California Consumer Privacy Act.

(r) Restricted Transfer: the disclosure, grant of access or other transfer of Personal Data to any person located in: (i) when transferred from the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an EU Restricted Transfer); (ii) when transferred from the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a UK Restricted Transfer); and (iii) when transferred from Switzerland, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss authorities (a Swiss Restricted Transfer), in each case, which would be prohibited without a legal basis under the GDPR or FADP.

(s) SCCs: the standard contractual clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914.

(t) Security Measures: technical, administrative, physical, and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data described in Annex 4.

(u) Services: the services that Diesta performs for Customer under the Agreement.

(v) State Privacy Laws: collectively, the comprehensive US state-specific data privacy laws currently in effect and applicable to Diesta’s Processing of Personal Data under the Agreement.

(w) Sub-processors: third parties that Diesta engages to Process Personal Data in relation to the Services. 

(x) Supervisory Authority: any entity with the authority to enforce Applicable Data Protection Laws, which: (i) in the context of the EEA and the EU GDPR, has the meaning given to that term in the EU GDPR; (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office (ICO); (iii) in the context of Switzerland and the FADP, means the FDPIC; and (iv) in the context of PIPEDA and/or Provincial Privacy Laws, means the Office of the Privacy Commission or Commissioner overseeing the relevant law as applicable.

(y) UK Transfer Addendum: the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the UK Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of the Mandatory Clauses included in Part 2 thereof.

1.2. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.


  2. Duration and Scope of DPA

2.1. This DPA will remain in effect so long as Diesta Processes Personal Data, notwithstanding the expiration or termination of the Agreement.

2.2. Processing of Personal Data subject to the GDPR shall be subject to Annex 2 (European Annex).

2.3. Processing of Personal Data subject to the State Privacy Laws with respect to which Customer is a “business”, “controller”, “processor”, or “service provider” (as such terms are defined in State Privacy Laws) shall be subject to Annex 3 (State Privacy Laws Annex) to this DPA. 


  3. Customer Instructions

3.1. Diesta will Process Personal Data only in accordance with Customer’s instructions to Diesta. 

3.2. By entering into this DPA, Customer instructs Diesta to Process Personal Data to provide the Services and to perform Diesta’s other obligations and exercise its rights under the Agreement. 

3.3. The Parties acknowledge and agree that the details of Diesta’s Processing of Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA. 

3.4. Unless otherwise expressly provided for, as between the Parties, Customer controls Personal Data.


  4. Security

4.1. Diesta Security Measures. Diesta will implement and maintain the Security Measures. Diesta may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.

4.2. Security Compliance by Diesta Staff. Diesta shall require that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations. 

4.3. Information Security Incidents. 

(a) Diesta will notify Customer without undue delay of any Information Security Incident of which Diesta becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Diesta recommends Customer take to address the Information Security Incident. 

(b) Diesta’s notification of or response to an Information Security Incident will not be construed as Diesta’s acknowledgement of any fault or liability with respect to the Information Security Incident. 

(c) Diesta shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Information Security Incident. 

(d) Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Information Security Incident. 

(e) If Customer determines that an Information Security Incident must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Diesta, where permitted by applicable laws, Customer agrees to: (i) notify Diesta in advance, and (ii) in good faith, consult with Diesta and consider any clarifications or corrections Diesta may reasonably recommend or request to any such notification, which: (A) relate to Diesta’s involvement in or relevance to such Information Security Incident; and (B) are consistent with applicable laws.

4.4. Customer’s Security Responsibilities. Customer agrees that, without limitation of Diesta’s obligations under Section 4 (Security), Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Diesta uses to provide the Services; and (d) backing up Personal Data.

4.5. Customer’s Security Assessment. Customer agrees that the Services, the Security Measures and Diesta’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.


  5. Data Subject Rights

5.1. Data Subject Request Assistance. Diesta will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary and technically feasible for Customer to perform its obligations under Applicable Data Protection Laws to fulfil requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (Data Subject Requests) with respect to Personal Data in Diesta’s possession or control, including but not limited to, access, deletion, and cessation of Processing of Personal Data. Customer shall compensate Diesta for any such assistance at Diesta’s then-current professional services rates, which shall be made available to Customer upon request.

5.2. Customer’s Responsibility for Requests. If Diesta receives a Data Subject Request, Diesta will: (a) notify Customer; and (b) advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding to any such request. 


  6. Customer Responsibilities

6.1. Customer shall ensure (and is solely responsible for ensuring) that it has given such notices to and obtained such consents and permissions from third parties (including, without limitation, Data Subjects), and has all rights, in each case, as may be required under applicable law or otherwise for Diesta to Process Personal Data as contemplated by the Agreement.

6.2. Customer represents and warrants to Diesta that Customer Data does not and will not contain any data relating to racial, ethnic or national origin; religious or philosophical beliefs; political opinions; protected health information subject to the Health Insurance Portability and Accountability Act; other mental or physical health condition, diagnosis, history, treatment or other health data; health insurance information; pregnancy; sex life, sexuality or sexual orientation; status as transgender or non-binary; citizenship; citizenship or immigration status; union membership; status as a victim of crime; genetic, biometric, neural or biological data; personal information of children or teens; precise location information; Social Security number; driver’s license number; state identification card number; passport number; other government-issued identification numbers; account login information; tax return data; or contents of a communication unlawfully intercepted, accessed, or shared without authorisation (collectively, Restricted Data).

6.3. Customer represents and warrants that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Diesta of Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)).

6.4. Customer shall ensure that all Data Subjects have: (a) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (b) provided all required consents, in each case (a) and (b) relating to the Processing by Diesta of Personal Data.


  7. Sub-processors

7.1. Consent to Sub-processor Engagement. Customer generally authorizes Diesta to engage Diesta’s Affiliates and third parties as Sub-processors in accordance with this Section 7.

7.2. Information about Sub-processors. Information about Sub-processors, including their functions and locations, is available in Annex 5 of this DPA. Diesta may continue to use those Sub-processors already engaged by Diesta as at the date of this DPA.

7.3. Requirements for Sub-processor Engagement. When engaging any Sub-processor, Diesta will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Sub-processor. Diesta shall be liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor to the same extent as Diesta would have been had it performed the Processing itself. 

7.4. Opportunity to Object to Sub-processor Changes. When Diesta engages any new Sub-processor after the effective date of the DPA, Diesta will notify Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by written means, or where made available by Diesta, by publication or subscription-based notification via a designated Diesta webpage. If Customer objects to such engagement in a written notice to Diesta within 30 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Diesta will work together in good faith to find a mutually acceptable resolution to address such objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Diesta and paying Diesta for all amounts due and owing under the Agreement as of the date of such termination.


  8. Audits

8.1. Diesta will make available to the Customer information reasonably necessary to demonstrate its compliance with this DPA, including to the extent available SOC 2 Type II reports, ISO 27001 certifications, audit summaries, or other relevant compliance documentation. Diesta will provide such information to Customer within fourteen (14) Business Days of receiving a written request from the Customer.

8.2. To the extent the Customer’s legal or regulatory obligations cannot be satisfied by the information provided by Diesta in accordance with Section 8.1, Customer or its designee may audit Diesta’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws. Subject to the remainder of this Section 8, Diesta will contribute to such audits by providing Customer with the information and assistance reasonably necessary to conduct the audit. 

8.3. If a third party is to conduct the audit, Diesta may object to the auditor if the auditor is, in Diesta’s reasonable opinion, not independent, a competitor of Diesta, or otherwise manifestly unsuitable. Such objection by Diesta will require Customer to appoint another auditor or conduct the audit itself. 

8.4. To request an audit, Customer must submit a proposed audit plan to Diesta at least 30 days in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Diesta will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Diesta security, privacy, employment or other relevant policies). Diesta will work cooperatively with Customer to agree on a final audit plan. 

8.5. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type II, ISO or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Diesta has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 

8.6. Any audit must:

(a) be conducted during regular business hours, subject to the agreed final audit plan and Diesta’s safety, security or other relevant policies;

(b) be limited to the facilities, systems and records directly relating to the Services provided to the Customer; and

(c) not unreasonably interfere with Diesta’s business activities. 

8.7. Customer will promptly notify Diesta of any non-compliance discovered during the course of an audit and provide Diesta any audit reports generated in connection with any audit under this Section 8, unless prohibited by Applicable Data Protection Laws. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. 

8.8. Any audits are at Customer’s sole expense. Customer shall reimburse Diesta for any time expended by Diesta and any third parties in connection with any audits or inspections under this Section 8 at Diesta’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

8.9. Nothing in this Section 8 shall require Diesta to:

(a) breach any duties of confidentiality or compromise the security of the Services or other customers of Diesta;

(b) provide access to proprietary or commercially sensitive information not relevant to the Services; or

(c) permit removal or copying of records, except as strictly necessary to demonstrate Diesta’s compliance with this DPA.


  9. Return and Deletion

9.1. Subject to Sections 9.2 and 9.3, upon the date of cessation of any Services involving the Processing of Personal Data (Cessation Date), Diesta shall promptly cease all Processing of Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA. For the avoidance of doubt, Personal Data may remain within Diesta’s encrypted backup systems for a limited retention period in accordance with its Backup Policy, after which it will be securely deleted or overwritten in the normal course of operations.

9.2. Subject to Section 9.4, to the extent technically possible in the circumstances (as determined in Diesta’s sole discretion), on Customer’s written request to Diesta (to be made no later than ten (10) Business Days after the Cessation Date (Post-cessation Storage Period)), Diesta shall within thirty (30) days of such request, at Customer’s election either: (a) return a complete copy of all structured Personal Data within Diesta’s possession to Customer by secure file transfer, promptly following which Diesta shall delete or anonymize all other copies of such Personal Data; or (b) either (at Diesta’s option) delete or anonymize all structured Personal Data within Diesta’s possession. 

9.3. In the event that, during the Post-cessation Storage Period, Customer does not instruct Diesta in writing to either delete or return Personal Data pursuant to Section 9.2, Diesta shall promptly after the expiry of the Post-cessation Storage Period either (at its option) delete or render anonymous all structured Personal Data then within Diesta’s possession, to the fullest extent technically possible in the circumstances.

9.4. Diesta may retain Personal Data, where permitted or required by applicable law or regulation or any applicable government or regulatory authority, for such period as may be required by applicable law or regulation or the government or regulatory authority, provided that Diesta shall: (a) maintain the confidentiality of all such Personal Data, and (b) Process the Personal Data only as necessary for the purpose(s) specified in the applicable law or regulation permitting or requiring such retention. 


  10. Limitation of Liability

10.1. The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of liability and loss agreed by the Parties in the Agreement.


  11. Miscellaneous

11.1. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the Parties acknowledge and agree that Diesta’s access to Personal Data does not constitute part of the consideration exchanged by the Parties in respect of the Agreement. 

11.2. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Diesta to Customer under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to Diesta’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

11.3. Diesta agrees to cooperate in good faith with Customer concerning any amendments as may be reasonably necessary to address compliance with Applicable Data Protection Laws.

11.4. Diesta may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time.

Annex 1

Data Processing Details

DIESTA DETAILS

Name: Diesta Limited

Address: The Northern & Shell Building, 10 Lower Thames Street, London, EC3R 6AF, United Kingdom

Contact Details for Data Protection: DPO@diesta.co.uk

Diesta Activities: Delivery of the Services pursuant to the Agreement, including the provision of Diesta’s Software-as-a-Service platform to support the reconciliation and processing of insurance premiums, payments, and associated financial transactions.

Role: Processor

CUSTOMER DETAILS

Name: The entity or other person who is a counterparty to the Agreement.

Customer’s address is: As provided in the Agreement.

Customer’s Contact Details for Data Protection: As provided in the Agreement.

Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.

Role: Controller

DESCRIPTION OF PROCESSING

Categories of Data Subjects: Relevant Data Subjects include any Data Subjects of Personal Data that Customer causes Diesta to process as part of the provision of the Services, including end insurance customers and representatives or contacts of insurance intermediaries or capacity providers (e.g. brokers, insurers, underwriters), where such individuals are identifiable from the data provided.

Categories of Personal Data: Relevant Personal Data includes any categories of Personal Data Customer causes Diesta to process as part of the provision of the Services, including:

  • Personal details, for example any information that identifies the Data Subject, including full name and contact information (e.g., email address, telephone number, physical address).

  • Insurance policy information, for example policy ID number.

  • Bank account information, for example account number and sort code.

  • Transactional financial data, for example payment references (which may include personal identifiers), values, booking dates, remittance details and reconciliation results.

  • Metadata and system identifiers, for example file identifiers, timestamps, IP addresses, or other non-content data generated by or included within statements, remittance files, or related reconciliation datasets, used for logging, validation, and audit purposes.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

  • Categories of sensitive data: None – as noted in Section 6.2 of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’, must not be submitted to the Services.

  • Additional safeguards for sensitive data: N/A

Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.

Nature of the Processing: Processing operations required to provide the Services in accordance with the Agreement.

Purpose of the Processing: As necessary to provide the Services as initiated by Customer in its use thereof, and to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.

Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.

Transfers to (sub)processors: Transfers to Sub-processors are as, and for the purposes, described from time to time in Annex 5.


Annex 2

European Annex

  1. Processing of Personal Data

1.1. Where Diesta receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Diesta shall inform Customer.

1.2. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Personal Data by or on behalf of Diesta pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.

  2. Data Protection Impact Assessment and Prior Consultation

2.1. Diesta, taking into account the nature of the Processing and the information available to Diesta, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Personal Data by Diesta.

2.2. Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Diesta (at Diesta’s then-current professional services rates) in Diesta’s provision of any cooperation and assistance provided to Customer under Paragraph 2.1, and shall on demand reimburse Diesta any such costs incurred by Diesta.

  3. Restricted Transfers

3.1. Each Party shall comply with Applicable Data Protection Law when making a Restricted Transfer in connection with the Agreement.

3.2. To the extent that any Processing of Personal Data under this DPA involves a Restricted Transfer from Customer to Diesta or from Diesta to Customer, the Parties agree to promptly enter into the SCCs and/or the UK Transfer Addendum (as applicable) to comply with Applicable Data Protection Law.


Annex 3

State Privacy Laws Annex

  1. For purposes of this Annex 3, the terms “business,” “commercial purpose,” “sell,” “share” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Personal Data that constitutes personal information governed by the State Privacy Laws.

  2. It is the Parties’ intent that with respect to any personal information, Diesta is a service provider. Diesta: (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Diesta’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Diesta that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

  3. Diesta shall not: (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services, or as otherwise permitted by the State Privacy Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between Diesta and Customer; or (d) combine personal information received pursuant to the Agreement with personal information: (i) received from or on behalf of another person, or (ii) collected from Diesta’s own interaction with any Consumer to whom such personal information pertains, except as and to the extent necessary as a part of Diesta’s provision of the Services. Diesta hereby certifies that it understands its obligations under this Paragraph 3 and will comply with them.

  4. Giving Customer notice of Sub-processor engagements in accordance with Section 7 of the DPA shall satisfy Diesta’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.

  5. Diesta agrees that Customer may conduct audits, in accordance with Section 8 of the DPA, to help ensure that Diesta’s use of personal information is consistent with Diesta’s obligations under the State Privacy Laws.

  6. The Parties acknowledge that Diesta’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Diesta’s provision of the Services and the business relationship between the Parties.


Annex 4

Security Measures

Diesta implements the following technical and organisational security measures to protect Customer Data against unauthorised access, loss, or alteration, in accordance with applicable data protection laws and industry standards.


  1. Security Standards. Diesta adheres to industry-leading security and regulatory standards, including ISO 27001:2022, SOC 2 Type II, and GDPR. Compliance with these frameworks is independently audited and verified annually and results are reviewed by senior management to ensure the ongoing effectiveness of Diesta’s information-security management system. Diesta continues to assess alignment with the Digital Operational Resilience Act (DORA) and other applicable financial-sector standards.


  2. Access Control. Diesta enforces strict access controls to protect Customer Data and systems from unauthorised access. Access to all systems is granted on a need-to-know basis, guided by the principle of least privilege.

  • Internal Access: Role-Based Access Controls (RBAC) are implemented across all internal systems, with enforcement of Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for sensitive environments, including AWS. Unique user identifiers are used for accountability, and all access is logged and auditable. Centralised identity and access management supports policy-based provisioning and real-time anomaly detection for privileged accounts.

  • Access Reviews and Lifecycle Management: Access permissions are reviewed on a quarterly basis to ensure appropriateness. Diesta follows a Joiner-Mover-Leaver (JML) framework to ensure timely provisioning, updates, and deprovisioning of user access in response to role changes or terminations. Periodic audits identify privilege escalations or inactive accounts.

  • Customer Access: Customer Data is logically segregated by organisation within the Diesta platform. Role-Based Access Control (RBAC) is applied based on defined user roles relevant to platform functions. While Diesta enforces secure authentication protocols and maintains comprehensive audit trails, each customer is responsible for managing access permissions within their own environment.


  3. Data Protection

a. Encryption: Customer Data is encrypted in transit using TLS and at rest using industry-standard encryption protocols. Encryption keys are centrally managed under restricted administrative control.

b. Data Minimisation: Diesta collects and processes only the minimum personal data necessary to provide its services and fulfil contractual obligations.

c. Input Controls: Diesta implements validation and authorisation controls to ensure that data received from Customers is processed accurately and securely within the system. Validation checks focus on format consistency, completeness, and authorisation rather than the substantive accuracy of the data itself, which remains the responsibility of the Customer as data controller. All processing actions are authenticated, logged, and traceable to maintain integrity and accountability.

d. Data Integrity and Immutability: Diesta maintains a non-destructive system architecture: original transactional data is stored immutably and is not editable via the application interface. Personal Data cannot be modified on Diesta. All reconciliation outputs are generated from validated source inputs and recorded via traceable, version-controlled logic.

e. Data Retention: Personal Data is retained only for the duration necessary to fulfil the Customer’s contractual requirements and is securely deleted or archived according to agreed retention schedules and Diesta’s data lifecycle policies. Deletion or archiving is logged and verified.


  4. Cloud Infrastructure Security

a. Environment Management: Diesta maintains logically separated production and non-production environments. Resources are deployed using secure, authenticated connections and are governed by network security policies to prevent unauthorised exposure or configuration drift.

b. Network Security: Diesta leverages network segmentation and traffic-control policies to isolate and protect services. Security groups and firewall rules are used to tightly control inbound and outbound traffic. Vulnerability assessments are performed by an independent party at least annually and after major updates.

c. Security Monitoring & Controls: Secrets management is enforced across development and operational environments. System activity is logged, monitored, and reviewed through continuous monitoring tools. Integrated event-monitoring and alerting controls provide continuous oversight to identify and respond promptly to unauthorised access or anomalies.

d. Audit and Configuration Oversight: Security configurations are periodically reviewed and updated in accordance with Diesta’s ISO 27001 and SOC 2 Type II controls. Change control procedures apply to all cloud infrastructure modifications to ensure alignment with security and compliance requirements.


  5. Availability Control

a. Resilience & Recovery: Diesta maintains comprehensive backup and disaster recovery procedures to ensure timely restoration of services in the event of a failure. Backups are encrypted and stored in geographically redundant locations within the UK. Diesta’s Disaster Recovery Plan is reviewed and tested at least annually, including restore testing to validate integrity and recovery objectives.

b. System Monitoring and Maintenance: Diesta operates continuous monitoring and fault detection systems to identify potential availability issues. Preventive maintenance and patch management are regularly conducted to maintain platform stability and availability.

c. Redundancy and Failover: Core services are architected with built-in redundancy and failover mechanisms across UK-based infrastructure to ensure high availability and minimise service disruption.


  6. Incident Response & Management

a. Incident Handling: Diesta maintains a formal incident response plan to detect, respond to, and recover from security incidents promptly and effectively. All incidents are logged, recorded, and tracked via Diesta’s internal workflow system, with notifications shared through designated messaging channels for coordination purposes, and are handled under defined severity classification, containment, and remediation processes. Post-incident reviews and root-cause analyses are conducted to identify lessons learned and preventive actions. Procedures are reviewed and tested at least annually or following significant changes to ensure continuous improvement.


  7. Third-Party Risk Management

a. Due Diligence: Diesta conducts thorough due diligence and security assessments for Sub-processors, suppliers, and subcontractors. Contracts mandate robust security measures in line with Diesta’s commitments to its customers, and ongoing monitoring ensures compliance.

b. Monitoring and Re-assessment: Third-party relationships are reassessed at least annually and cross-referenced with Diesta’s data-protection registers to ensure continued compliance.

c. Incident Coordination: Third parties are integrated into Diesta’s incident response processes to mitigate any impacts on Customer Personal Data.


  8. Security Governance

a. Regular Audits: Diesta conducts internal and external audits to ensure the effectiveness of security measures and compliance with data protection laws and industry standards as part of its certified frameworks.

b. Policy Review: Security policies and procedures are reviewed and updated at least annually or in response to significant regulatory or threat landscape changes.

c. Employee Training & Onboarding: All new employees undergo thorough security checks during onboarding, including background checks where applicable. They receive mandatory training on Diesta’s security policies, procedures, and best practices to ensure they understand and adhere to our security measures. Annual refresher training is mandatory, and technical personnel receive additional instruction on secure development, secure configuration, and data-handling practices.


  9. Continuous Improvement

a. Diesta promotes a culture of continual improvement across all areas of security and compliance. Security metrics, vulnerability trends, and audit findings are reviewed by senior management at least quarterly to identify opportunities for enhancement and to maintain the effectiveness of Diesta’s information-security framework.


Annex 5

List of Sub-processors

Customer approves that Diesta contracts the following Sub-processors to provide the Services pursuant to the Agreement: 

Each Sub-processor is listed below with its Name, Description of Processing, Location, and Transfer Mechanism.

1. Name of Sub-processor: Amazon Web Services (AWS)

Description of Processing: Provides secure cloud infrastructure and hosting for Diesta’s production environment, including storage, processing, and data-extraction functions required to deliver the Services and support reconciliation operations.

Location: United Kingdom

Transfer Mechanism: Customer Data is hosted exclusively in the United Kingdom. The UK is recognised by the European Commission as providing adequate protection under the EU GDPR. For Customers located outside the EEA and UK (including Switzerland, the United States and Canada), data is processed and stored in the UK under equivalent contractual and regulatory safeguards ensuring a level of protection consistent with applicable data-protection laws.

2. Name of Sub-processor: OpenAI, L.L.C.

Description of Processing: Used to support limited AI-assisted data structuring and matching activities, such as interpreting statement fields or enriching financial-transaction references. Processing occurs within enterprise environments under contractual and technical controls that disable model training and provider retention. Inputs are limited to the information necessary for the stated purpose, and outputs are retained only for audit and reproducibility.

Location: United States

Transfer Mechanism: For data provided by Customers located in the EEA, transfers are made in accordance with the EU Standard Contractual Clauses. For data provided by Customers located in the UK, transfers are made in accordance with the UK International Data Transfer Addendum to the EU SCCs. For data provided by Customers located in Switzerland, transfers are made in accordance with the EU SCCs as amended for Swiss data-protection law. For data provided by Customers located in other jurisdictions (including the United States and Canada), transfers are made under equivalent contractual safeguards ensuring a level of protection consistent with applicable data-protection laws.

3. Name of Sub-processor: Google DeepMind / Gemini (Google LLC)

Description of Processing: Used to support AI-assisted data transformation, enrichment, and matching activities in connection with premium and remittance reconciliation. Processing includes structuring and analysing statement data and generating similarity insights to enhance reconciliation accuracy. All processing is performed in enterprise environments under contractual and technical controls that disable model training and provider data retention. Payloads are minimised to the information necessary for the stated purpose, and outputs are retained only for audit and reproducibility. Regional routing controls are applied to maintain in-region data processing where available.

Location: United States

Transfer Mechanism: For data provided by Customers located in the EEA, transfers are made in accordance with the EU Standard Contractual Clauses. For data provided by Customers located in the UK, transfers are made in accordance with the UK International Data Transfer Addendum to the EU SCCs. For data provided by Customers located in Switzerland, transfers are made in accordance with the EU SCCs as amended for Swiss data-protection law. For data provided by Customers located in other jurisdictions (including the United States and Canada), transfers are made under equivalent contractual safeguards ensuring a level of protection consistent with applicable data-protection laws.

4. Name of Sub-processor: Google Cloud EMEA Limited (Google Workspace – Drive, Gmail, Docs, Sheets)

Description of Processing: Used for secure email communication (including receipt of customer-provided statements and remittance files via designated ingestion email addresses), document storage, and collaboration. Files may be temporarily stored or accessed by authorised Diesta personnel during onboarding, reconciliation setup, or support activities before being processed within Diesta’s production environment hosted in AWS.

Location: European Economic Area (EEA)

Transfer Mechanism: For data provided by Customers located in the EEA, transfers are made in accordance with the EU Standard Contractual Clauses. For data provided by Customers located in the UK, transfers are made in accordance with the UK International Data Transfer Addendum to the EU SCCs. For data provided by Customers located in Switzerland, transfers are made in accordance with the EU SCCs as amended for Swiss data-protection law. For data provided by Customers located in other jurisdictions (including the United States and Canada), transfers are made under equivalent contractual safeguards ensuring a level of protection consistent with applicable data-protection laws.

Diesta Limited (Company Number: 13969906, Firm Reference Number: 1012426) is an agent of Plaid Financial Ltd. (Company Number: 11103959, Firm Reference Number: 804718), an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017. Plaid provides you with regulated account information services through Diesta as its agent.

© 2025 DIESTA LTD.
