Data Processing Addendum

Version 0.1 · Last updated: 29 January 2026

1. Introduction

This Data Processing Addendum ("DPA") supplements the Society Platform Agreement and governs the processing of personal data by Magpie Standard on behalf of the Society.

2. Definitions

For the purposes of this DPA:

- "Personal Data" has the meaning given in UK GDPR
- "Controller" means the Society
- "Processor" means Magpie Standard
- "Data Subject" means the individual whose data is processed

3. Scope of Processing

Magpie Standard processes personal data:

- For platform operation and maintenance
- To facilitate licensing transactions
- For analytics and reporting
- As directed by the Society

4. Processor Obligations

Magpie Standard shall:

- Process data only on documented instructions
- Ensure personnel are bound by confidentiality
- Implement appropriate security measures
- Assist with data subject requests
- Delete data on termination (subject to legal retention)

5. Sub-processors

Current sub-processors:

- AWS (hosting, storage)
- Stripe (payment processing)
- Sentry (error monitoring)

Changes notified 30 days in advance.

6. Security Measures

Technical and organisational measures include:

- Encryption at rest and in transit
- Access controls and authentication
- Regular security assessments
- Incident response procedures

7. International Transfers

Data transfers outside the UK/EEA:

- Rely on Standard Contractual Clauses
- Or adequacy decisions where available
- Transfer impact assessments conducted

8. Data Breach Notification

In case of a personal data breach:

- Notification to Society within 72 hours
- Detailed incident report provided
- Cooperation with regulatory notifications
- Root cause analysis and remediation