Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service (the "Agreement") between InspireGreen Ltd, a company registered in England and Wales (company no. 11872394), registered office Abacus House, Caxton Place, Cardiff, CF23 8HA ("SolarFleet", "we", "us", "Processor"), and the customer organisation that uses the SolarFleet platform (the "Customer", "you", "Controller"). It records the parties' obligations in respect of Personal Data processed through the SolarFleet platform (the "Service") and reflects the requirements of Article 28 of the UK GDPR.

1. Definitions

"UK GDPR" means the United Kingdom General Data Protection Regulation as defined in the Data Protection Act 2018; and "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, in each case as amended. The terms "Controller", "Processor", "Personal Data", "Personal Data Breach", "Processing", "Data Subject" and "Sub-processor" have the meanings given in the Data Protection Laws. "Customer Personal Data" means Personal Data that we Process on your behalf under the Agreement, as described in Annex 1.

2. Roles and scope of processing

As between the parties, you are the Controller and we are the Processor of Customer Personal Data. Where you act as a processor for a third party (for example, a site owner whose data your client surfaces through SolarFleet), you appoint us as a sub-processor and confirm you have authority to do so.

We will Process Customer Personal Data only:

• on your documented instructions (including those given through the Service and its configuration), unless required to do otherwise by law — in which case we will notify you first unless that law prohibits notification;
• as necessary to provide, secure, and support the Service in accordance with the Agreement; and
• for the subject matter, duration, nature, purpose, data types and Data Subject categories set out in Annex 1.

We will inform you if, in our opinion, an instruction infringes the Data Protection Laws. You are responsible for the accuracy and lawfulness of Customer Personal Data and for having a valid lawful basis for the Processing you instruct.

3. Confidentiality

We ensure that personnel authorised to Process Customer Personal Data are bound by appropriate obligations of confidentiality and are made aware of the confidential nature of the data. Access is limited to those who need it to provide the Service.

4. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk to Data Subjects, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2 and on our security page. We may update these measures provided the level of protection is not materially reduced.

5. Sub-processors

You provide general written authorisation for us to engage Sub-processors to Process Customer Personal Data. Our current Sub-processors, their purpose and their region are published and maintained at solarfleet.io/legal/sub-processors (Annex 3).

We will give you reasonable prior notice of any intended addition or replacement of a Sub-processor (by updating that page and, where you have subscribed to notifications, by email), giving you the opportunity to object on reasonable data-protection grounds. We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain liable to you for a Sub-processor's performance of those obligations.

6. Assistance with data subject rights

Taking into account the nature of the Processing, we assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under the Data Protection Laws (access, rectification, erasure, restriction, portability and objection). The Service provides self-service export and deletion tools to support this; where a request cannot be fulfilled through those tools, we will provide reasonable assistance. If we receive a request directly from one of your Data Subjects, we will not respond other than to direct them to you, unless legally required, and will notify you without undue delay.

7. Personal data breach

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Our notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. We will provide reasonable cooperation and information to help you meet your own notification obligations to the Information Commissioner's Office (ICO) and affected Data Subjects. Reporting a breach is not an admission of fault or liability.

8. Data protection impact assessments

Taking into account the nature of Processing and the information available to us, we provide reasonable assistance with any data protection impact assessments and prior consultations with the ICO that you are required to carry out under the Data Protection Laws.

9. Return and deletion of data

You may export Customer Personal Data at any time through the Service's data-export tools. On termination or expiry of the Agreement, we will, at your choice, delete or return Customer Personal Data and delete existing copies, unless we are required by law to retain it. You may export Your Data for 30 days after account closure; after that period, live Customer Personal Data is permanently deleted from our active systems. Residual copies held in routine encrypted backups are overwritten on the backup-rotation cycle (no later than 35 days) and are not used for any other purpose in the interim. Anonymised or aggregated data that no longer identifies a Data Subject may be retained.

10. Audits and information

We make available to you the information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits are limited to once in any 12-month period (save where required by a supervisory authority or following a Personal Data Breach), on reasonable prior written notice, during business hours, subject to confidentiality, and conducted so as to minimise disruption. We may satisfy an audit request by providing our security documentation and responses to a reasonable security questionnaire.

11. International transfers

Customer Personal Data is stored in a UK region. Some of our Sub-processors (identified in Annex 3) may Process limited Personal Data outside the UK. Where a transfer of Personal Data to a third country takes place, we ensure an appropriate transfer mechanism is in place — UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum, as applicable — and that appropriate safeguards are maintained. We will not make a new transfer to a third country without an adequate transfer mechanism.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the Agreement. This DPA does not limit any liability that cannot be limited under the Data Protection Laws.

13. Term, governing law and precedence

This DPA takes effect on the date you accept the Agreement and continues for as long as we Process Customer Personal Data. It is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales. In the event of conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails.

14. Contact

Data protection enquiries and signed-DPA requests: hello@solarfleet.io.
InspireGreen Ltd, Abacus House, Caxton Place, Cardiff, CF23 8HA. Registered in England and Wales, company no. 11872394.

---

Annex 1 — Details of processing

• Subject matter: provision of the SolarFleet solar O&M monitoring and management platform.
• Duration: the term of the Agreement, plus the deletion period in clause 9.
• Nature and purpose: hosting, storing, displaying, and processing Personal Data to deliver portfolio monitoring, alerting, case management, maintenance/inspection records, reporting, billing and account administration.
• Types of Personal Data: account and contact details of the Customer's users and named site/client contacts (name, work email, phone, role, organisation); authentication identifiers (managed by our identity provider); audit and activity logs; and any Personal Data the Customer chooses to enter into free-text fields, notes, documents or reports.
• Categories of Data Subjects: the Customer's staff and authorised users; the Customer's own clients and site owners/contacts; and field engineers recorded against visits and reports. SolarFleet is not designed to process special-category data.

Annex 2 — Technical and organisational measures

• UK-region data: Customer Personal Data is held in a UK-region managed database.
• Tenant isolation: every query is scoped to the Customer's organisation; an automated test verifies on every release that no application route can return another organisation's data.
• Encryption in transit: all traffic served over TLS 1.3 with HSTS enforced.
• Encryption at rest: integration credentials and secrets are encrypted at rest; the encryption key is held only in our hosting environment, not in the database.
• Authentication & access control: sign-in is handled by a dedicated identity provider; organisation roles gate every API route; internal cross-tenant tooling is restricted to authorised staff.
• Backups: automated, encrypted backups held in-region, with a defined rotation/retention cycle.
• Logging & monitoring: structured application logging and an immutable audit log of sensitive actions.
• Secure development: changes pass automated tests and a tenant-isolation check before deployment; least-privilege access to production.
• Data minimisation & deletion: self-service export and a verified deletion cascade (see clause 9).

Annex 3 — Sub-processors

The current list of Sub-processors, with purpose and region, is maintained at solarfleet.io/legal/sub-processors and forms part of this DPA.