Data Processing Agreement

GDPR Article 28 compliant agreement governing the processing of personal data between Caolu (Processor) and the Subscriber (Controller).

Effective Date: April 2026
Version: 1.2
Governing Law: GDPR & Irish Data Protection Acts

Parties & Recitals

Data Controller ("Controller", "Subscriber", "you"): The entity identified in the Caolu subscription agreement.

Data Processor ("Processor", "Caolu", "we", "us"): Caolu Consultants, a company registered in the Republic of Ireland under CRO No. 783041. Full company registration and contact details are published on our Contact page.

Effective Date: The date of the Subscriber's acceptance of the Caolu Terms of Service or execution of this Agreement, whichever is earlier.

Recitals

A. The Controller has entered into a subscription agreement with the Processor for the provision of cloud-based solar assessment, quotation, and proposal generation services (the "Services") via the platform accessible at app.caolu.ie (the "Platform").

B. In the course of providing the Services, the Processor will process Personal Data on behalf of the Controller.

C. The Parties wish to set out their respective obligations regarding the processing of Personal Data in compliance with Regulation (EU) 2016/679 (the "GDPR"), the Data Protection Act 2018 (Ireland), and all applicable data protection legislation (collectively, "Data Protection Law").

D. This Agreement constitutes the written agreement required under Article 28(3) of the GDPR between a controller and a processor.

1. Definitions and Interpretation

1.1 In this Agreement, the following terms shall have the meanings ascribed to them:

  • "Approved Sub-processor" means a third-party processor engaged by the Processor to process Personal Data on behalf of the Controller, as listed in Schedule 2.
  • "Controller Personal Data" means any Personal Data processed by the Processor on behalf of the Controller in connection with the Services.
  • "Data Protection Law" means the GDPR, the Data Protection Act 2018 (Ireland), the ePrivacy Directive 2002/58/EC (as amended), and any national implementing legislation, statutory instruments, regulations, and secondary legislation in Ireland, as amended, replaced, or superseded from time to time.
  • "Data Subject" means an identified or identifiable natural person to whom Controller Personal Data relates, including but not limited to the Controller's customers, prospective customers, and employees.
  • "EEA" means the European Economic Area.
  • "Personal Data" has the meaning given in Article 4(1) of the GDPR.
  • "Personal Data Breach" has the meaning given in Article 4(12) of the GDPR.
  • "Processing" has the meaning given in Article 4(2) of the GDPR, and "process", "processes", and "processed" shall be construed accordingly.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission pursuant to Decision (EU) 2021/914.
  • "Supervisory Authority" means the Data Protection Commission of Ireland (An Coimisiún um Chosaint Sonraí) or any successor body.

1.2 The terms "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" shall have the meanings given to them in the GDPR, and cognate terms shall be construed accordingly.

1.3 In the event of any conflict between this Agreement and the Terms of Service, the provisions of this Agreement shall prevail to the extent of such conflict insofar as it relates to data protection matters.

2. Scope and Purpose of Processing

2.1 The Processor shall process Controller Personal Data solely for the following purposes:

  1. Provision of the Services as described in the Terms of Service, including but not limited to: customer data management, solar system assessment calculations, quotation generation, proposal PDF generation, project configuration storage, team management, and webhook transmission;
  2. Technical support and service maintenance;
  3. Compliance with the Processor's legal obligations; and
  4. Such other purposes as may be agreed between the Parties in writing from time to time.

2.2 The categories of Personal Data processed, the categories of Data Subjects, and the duration of processing are set out in Schedule 1.

2.3 The Processor shall not process Controller Personal Data for any purpose other than those specified in this Agreement unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3. Obligations of the Processor

3.1 Instructions

The Processor shall process Controller Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Law.

3.2 Confidentiality

The Processor shall ensure that all persons authorised to process Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this Agreement.

3.3 Security

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR, including as appropriate:

  1. The pseudonymisation and encryption of Personal Data, including AES-256 encryption at rest for all database storage (Supabase/AWS) and field-level encryption (pgcrypto) for sensitive financial data;
  2. TLS 1.2+ encryption for all data in transit;
  3. Row-Level Security (RLS) policies enforced at the database level ensuring users can access only their own data, with manager access restricted to their own organisation;
  4. Bcrypt password hashing with no plaintext password storage;
  5. Automated session timeout after 30 minutes of inactivity with re-authentication required;
  6. Audit logging of security-relevant events including authentication, data access, configuration changes, and session management;
  7. Infrastructure hosted exclusively within the European Economic Area (AWS eu-west-1, Ireland);
  8. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  9. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  10. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

3.4 Personnel

The Processor shall take reasonable steps to ensure the reliability of any personnel who have access to Controller Personal Data, ensuring that such personnel:

  1. Are aware of the confidential nature of Controller Personal Data;
  2. Have received appropriate training on their data protection responsibilities; and
  3. Are subject to enforceable obligations of confidentiality.

3.5 Sub-processing

The Processor shall not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. The provisions of this clause are further detailed in Section 5.

3.6 Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (Articles 15-22), including:

  1. Right of access (Article 15);
  2. Right to rectification (Article 16);
  3. Right to erasure (Article 17);
  4. Right to restriction of processing (Article 18);
  5. Notification obligation regarding rectification or erasure (Article 19);
  6. Right to data portability (Article 20);
  7. Right to object (Article 21); and
  8. Rights in relation to automated decision-making and profiling (Article 22).

3.7 The Processor shall promptly notify the Controller, and in any event within two (2) working days, if it receives a request from a Data Subject in respect of Controller Personal Data. The Processor shall not respond to any such request except on the documented instructions of the Controller or as required by law.

3.8 Assistance

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

  1. Security of processing (Article 32);
  2. Notification of a Personal Data Breach to the Supervisory Authority (Article 33);
  3. Communication of a Personal Data Breach to the Data Subject (Article 34);
  4. Data protection impact assessments (Article 35); and
  5. Prior consultation with the Supervisory Authority (Article 36).

3.9 Deletion and Return

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Controller Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV), and delete existing copies unless Union or Member State law requires storage of the Personal Data. The Processor shall retain Controller Personal Data for a maximum period of thirty (30) days following termination, after which all data shall be permanently and irrecoverably deleted.

3.10 Audit and Inspection

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this Agreement, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

3.11 The Processor shall immediately inform the Controller if, in its opinion, any instruction given pursuant to this Agreement infringes the GDPR or other Union or Member State data protection provisions.

4. Obligations of the Controller

4.1 The Controller warrants and represents that:

  1. It has a lawful basis for the processing of Personal Data transmitted to the Processor, including but not limited to: contractual necessity (Article 6(1)(b)) for pre-contractual quotation steps, and consent (Article 6(1)(a)) for ongoing storage of customer personal data;
  2. It has provided appropriate notice to Data Subjects regarding the processing of their Personal Data, including disclosure of the Processor as a recipient of their data;
  3. It has obtained all necessary consents required under Data Protection Law for the processing of Personal Data by the Processor;
  4. All instructions given to the Processor shall comply with Data Protection Law;
  5. It is solely responsible for the accuracy, quality, and legality of Controller Personal Data and the means by which it acquired such data;
  6. Where the Controller configures outbound webhook endpoints to transmit Controller Personal Data to third-party systems, the Controller is solely responsible for ensuring that: (i) such transmission complies with Data Protection Law; (ii) appropriate safeguards are in place for any international transfers; (iii) the receiving systems provide adequate security measures; and (iv) Data Subjects have been informed of such transfers.

4.2 The Controller shall be responsible for determining the lawful basis for processing and for responding to Data Subject requests. The Processor's obligation is limited to providing reasonable assistance as specified in Section 3.6.

4.3 The Controller acknowledges that the Platform generates solar energy assessments, financial projections, and quotations based on algorithms and industry-standard data. The Controller is solely responsible for verifying the accuracy of all outputs before presenting them to Data Subjects.

5. Sub-Processors

5.1 The Controller provides general authorisation for the Processor to engage the sub-processors listed in Schedule 2 as at the date of this Agreement.

5.2 The Processor shall:

  1. Provide the Controller with no less than fourteen (14) days' prior written notice of the appointment of any new sub-processor or the replacement of an existing sub-processor, including full details of the processing to be undertaken by the sub-processor;
  2. Notify the Controller via email to the address associated with the Controller's account;
  3. Provide the Controller with an opportunity to object to the appointment of the new sub-processor on reasonable grounds relating to the protection of Personal Data. Such objection must be made in writing within fourteen (14) days of receiving the notification;
  4. Where the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected Services upon thirty (30) days' written notice. In such circumstances, the Controller shall not be liable for any early termination fees.

5.3 The Processor shall impose on any sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this Agreement. The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

5.4 The current list of Approved Sub-processors is set out in Schedule 2 and is also maintained at https://account.caolu.ie/privacy (Sub-Processors section).

6. Personal Data Breach

6.1 The Processor shall notify the Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data.

6.2 Such notification shall include, to the extent reasonably ascertainable:

  1. A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
  2. The name and contact details of the Processor's data protection contact point from whom more information can be obtained;
  3. A description of the likely consequences of the Personal Data Breach;
  4. A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
  5. The date and time the breach was discovered; and
  6. The identity of any sub-processor involved, if applicable.

6.3 Where it is not possible to provide all information simultaneously, the information may be provided in phases without undue further delay.

6.4 The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

6.5 The Processor shall not inform any third party of any Personal Data Breach without first obtaining the Controller's written consent, unless notification is required by Union or Member State law, in which case the Processor shall inform the Controller of the legal requirement before such disclosure, unless that law prohibits such information.

6.6 The Processor's notification of a Personal Data Breach shall not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Personal Data Breach.

6.7 The obligations set out in this Section 6 are without prejudice to the Controller's obligation under Article 33 of the GDPR to notify the Supervisory Authority within seventy-two (72) hours of becoming aware of a Personal Data Breach, and under Article 34 to communicate the breach to Data Subjects where required.

7. International Data Transfers

7.1 The Processor shall not transfer Controller Personal Data outside the EEA without the prior written consent of the Controller, unless:

  1. The transfer is to a country that has been deemed to provide an adequate level of protection by the European Commission pursuant to Article 45 of the GDPR;
  2. Appropriate safeguards have been provided in accordance with Article 46 of the GDPR, including Standard Contractual Clauses approved by the European Commission; or
  3. A derogation under Article 49 of the GDPR applies.

7.2 As at the date of this Agreement, Controller Personal Data is stored and processed primarily within the EEA (AWS eu-west-1, Dublin, Ireland). Sub-processors and their transfer mechanisms are detailed in Schedule 2.

7.3 Where Standard Contractual Clauses are relied upon for international transfers, the Processor shall conduct and document a Transfer Impact Assessment in accordance with the EDPB Recommendations 01/2020 and shall make such assessment available to the Controller upon request.

7.4 The Controller acknowledges that where it configures outbound webhook endpoints that transmit Controller Personal Data to recipients outside the EEA, the Controller is solely responsible for ensuring appropriate transfer safeguards are in place. The Processor acts as a technical conduit only for such webhook transmissions and assumes no liability for the compliance of the receiving endpoint.

8. Audit Rights

8.1 The Processor shall make available to the Controller, upon reasonable request and no more than once per calendar year, all information reasonably necessary to demonstrate compliance with the obligations set out in this Agreement and Article 28 of the GDPR.

8.2 The Controller may, at its own cost, conduct an audit of the Processor's processing activities, subject to the following conditions:

  1. The Controller shall provide no less than thirty (30) days' prior written notice of any audit;
  2. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's business operations;
  3. The Controller shall ensure that any third-party auditor engaged is bound by appropriate confidentiality obligations and is not a competitor of the Processor;
  4. The scope of the audit shall be limited to the Processor's processing of Controller Personal Data and compliance with this Agreement;
  5. The Controller shall promptly provide the Processor with a copy of any audit report generated.

8.3 Where multiple Controllers are serviced by the Processor, the Processor may, at its discretion, satisfy audit requests by providing a summary audit report or third-party certification (such as SOC 2 Type II or ISO 27001), where available, in lieu of individual on-site audits.

8.4 The Processor shall promptly remediate any non-compliance identified during an audit at its own cost. The Processor shall provide the Controller with a remediation plan within fourteen (14) days of the audit report and shall complete remediation within a reasonable timeframe agreed between the Parties.

9. Liability and Indemnification

9.1 Each Party shall be liable for any damage caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR.

9.2 The Processor shall indemnify and hold harmless the Controller from and against all claims, actions, third-party claims, losses, damages, and expenses (including reasonable legal fees) arising from:

  1. The Processor's breach of this Agreement;
  2. The Processor's failure to comply with its obligations under Data Protection Law; and
  3. Any act or omission of the Processor's sub-processors in relation to Controller Personal Data,

provided that the Controller has:

  1. Promptly notified the Processor in writing of any claim;
  2. Given the Processor reasonable control of the defence and settlement of such claim; and
  3. Provided reasonable cooperation to the Processor at the Processor's expense.

9.3 Notwithstanding the foregoing, the Processor's total aggregate liability under this Agreement shall not exceed the total subscription fees actually paid by the Controller to the Processor in the calendar year (1 January to 31 December) in which the event giving rise to the claim occurred. Where a claim spans multiple calendar years, the cap shall apply to the calendar year in which the event first arose.

9.4 The limitation in Section 9.3 shall not apply to:

  1. Liability arising from the Processor's wilful misconduct or gross negligence;
  2. Liability for Personal Data Breaches caused by the Processor's failure to implement the security measures specified in Section 3.3;
  3. Fines or penalties imposed by a Supervisory Authority directly attributable to the Processor's breach of this Agreement; or
  4. Liability that cannot be limited under applicable law.

9.5 The Controller shall be solely responsible for any claims arising from: (a) the Controller's failure to obtain necessary consents; (b) the accuracy and legality of Controller Personal Data; (c) instructions given to the Processor that infringe Data Protection Law; and (d) the Controller's configuration and use of webhook endpoints.

10. Term and Termination

10.1 This Agreement shall commence on the Effective Date and shall continue for so long as the Processor processes Controller Personal Data on behalf of the Controller.

10.2 This Agreement shall automatically terminate upon the termination or expiry of the subscription agreement between the Parties.

10.3 Upon termination:

  1. The Processor shall cease processing Controller Personal Data;
  2. At the Controller's election (to be communicated within fourteen (14) days of termination), the Processor shall either: (i) return all Controller Personal Data in a structured, commonly used, and machine-readable format (JSON or CSV); or (ii) securely delete all Controller Personal Data;
  3. In the absence of an election by the Controller within fourteen (14) days, the Processor shall securely delete all Controller Personal Data within thirty (30) days of termination;
  4. The Processor shall provide written confirmation of deletion upon request;
  5. The Processor may retain Controller Personal Data to the extent required by applicable law, subject to the confidentiality and security obligations of this Agreement.

10.4 Sections 3.2 (Confidentiality), 6 (Personal Data Breach), 8 (Audit Rights), 9 (Liability and Indemnification), and this Section 10 shall survive termination of this Agreement.

11. General Provisions

11.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the Republic of Ireland, without regard to its conflict of law provisions.

11.2 Jurisdiction. The courts of the Republic of Ireland shall have non-exclusive jurisdiction to hear and determine any dispute arising out of or in connection with this Agreement.

11.3 Entire Agreement. This Agreement, together with the Schedules, the Terms of Service, and the Privacy Policy, constitutes the entire agreement between the Parties in relation to the subject matter hereof and supersedes all previous agreements, understandings, and arrangements between the Parties, whether written or oral.

11.4 Amendments. No amendment to this Agreement shall be effective unless it is in writing and signed by both Parties, save that the Processor may update Schedule 2 (Sub-processors) in accordance with Section 5.

11.5 Severability. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be severed and the remaining provisions shall continue in full force and effect.

11.6 No Waiver. The failure of either Party to enforce any provision of this Agreement shall not constitute a waiver of that Party's right to enforce that provision at a later date.

11.7 Notices. All notices under this Agreement shall be in writing and delivered by email to: the Controller at the email address associated with their account; and the Processor at [email protected].

11.8 Assignment. Neither Party may assign or transfer this Agreement without the prior written consent of the other Party, except that the Processor may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee assumes all obligations under this Agreement.


Schedule 1: Details of Processing

Subject matter of processing: Provision of cloud-based solar assessment, quotation, and proposal generation services.

Duration of processing: For the term of the subscription agreement, plus 30 days post-termination for data return/deletion.

Nature of processing: Collection, storage, organisation, retrieval, use, disclosure by transmission (PDF generation, webhook), erasure.

Purpose of processing: Customer data management, solar system design and assessment, energy savings calculations, financial projections, SEAI grant eligibility assessment, quotation and proposal PDF generation, project configuration management, team management, CRM webhook integration, and (Teams & Enterprise plans only) sales rep performance visibility via the Manager Dashboard — see Section A below.

Categories of Data Subjects: (a) Controller's employees and representatives (installers, sales representatives, managers) — whose behavioural and performance data is processed where the Controller enables the Manager Dashboard; (b) Controller's customers and prospective customers (homeowners, business owners) — whose identity, property, and commercial data is processed during the solar quoting workflow.

Categories of Personal Data: (a) Identity data: full name; (b) Contact data: email address, telephone number; (c) Property data: address, Eircode, MPRN; (d) Energy data: annual consumption, tariff details, supplier; (e) Technical data: roof orientation, panel configuration, system specifications; (f) Financial data: quotation amounts, payment terms, SEAI grant status; (g) Professional data: name, email, role, SEAI installer number; (h) Sales rep behavioural data (Teams & Enterprise only): assessment events, PDF generation events, configuration save/load events, login/logout events, deal status transitions, aggregated per-rep metrics (assessment count, PDF rate, battery attach rate, average system size, estimated pipeline).

Special categories of data: None. No special category data (Article 9) or criminal conviction data (Article 10) is processed.

Sensitive financial data: Bank details (IBAN, BIC, bank name) are encrypted at field level using AES-256 (pgcrypto) and decrypted server-side only via authenticated Edge Functions. Card/payment details are processed exclusively by Stripe and never touch Caolu systems.

Section A: Sub-activity — Sales Rep Performance Monitoring (Teams & Enterprise plans only)

Where the Controller enables the Manager Dashboard, the following sub-activity applies in addition to the processing described in the main Schedule 1 table above:

Sub-activity subject matter: Collection, aggregation, and presentation of behavioural work-product metrics about individual sales reps employed by the Controller, for the purpose of enabling the Controller's managers to review team performance.

Lawful basis (Controller): Legitimate interest under GDPR Article 6(1)(f). The Controller is responsible for documenting its own balancing test. The Processor supplies the architectural safeguards listed under "Data minimisation controls" below to strengthen the Controller's position in that balancing test.

Categories of Data Subjects affected: Solely the Controller's employees and representatives (sales reps, managers). No customer or other third-party data is involved in this sub-activity.

Categories of Personal Data: Rep identifiers (full name, email, role, user ID); rep behavioural events (assessment opened, config saved, PDF generated, config loaded, login, logout); per-quote technical metadata (system size, battery attach, orientation, county, annual saving, SEAI eligibility); per-rep aggregated metrics (assessment count, PDF rate, battery attach rate, average system size, estimated pipeline); and deal pipeline state (in progress / won / lost) with categorised loss reason.

Retention (individual level): 90 days. Individual attribution is automatically removed by a nightly scheduled job ("anonymise_old_dashboard_data") operated by the Processor in the production database. After 90 days, data rows still contribute to aggregate team statistics but cannot be linked back to a specific Rep.

Retention (won/lost commercial records): 7 years. Won and lost deal rows retain locked commercial values (quote total, system size, battery capacity at close) as commercial records under Irish Revenue rules (Taxes Consolidation Act 1997). The Rep name associated with a closed record can be scrubbed on erasure request without affecting the commercial figure.

Data minimisation controls (Processor-operated):
  (a) Pseudonymous by default. Rep cards render as "Rep A / Rep B / Rep C" until a manager explicitly clicks "Reveal names" and confirms a consent dialog.
  (b) Audit-logged reveals. Every identity reveal creates a dashboard_identities_revealed event in the immutable audit log, visible to the Rep via the in-app "My Data & Privacy" screen.
  (c) Time-bounded reveals. After a reveal, real names auto-hide again after 30 minutes or when the manager closes the dashboard.
  (d) No automated scoring. The Manager Dashboard does not compute composite scores, tier labels, or automated evaluative decisions. GDPR Article 22 (automated individual decision-making) is not engaged.
  (e) No in-app coaching notes. Free-text manager evaluations of individual reps are not supported by the Processor's platform. The Controller is expected to record coaching conversations in its own HR system.
  (f) Team-level alerts only. System-generated dashboard alerts surface team-wide patterns. They do not name individual Reps.
  (g) Nightly anonymisation. A scheduled pg_cron job runs every 24 hours and sets the anonymised_at column on all qualifying rows older than 90 days, stripping identifying metadata keys.
  (h) Manager-initiated erasure RPC. A service-role function erase_user_performance_data is available for Rep-level GDPR Article 17 requests.
  (i) Rep self-service access. A dedicated "My Data & Privacy" screen inside the product lets each Rep see everything the Processor holds about them, including the audit log of identity reveals, and export it as JSON with one click.

Controller obligations specific to this sub-activity:
  (a) Notify each Rep in writing that monitoring is in place, before the Rep begins using the platform under the Controller's account. A template employee notification is available from the Processor on request at [email protected].
  (b) Not use Manager Dashboard output as the sole or primary basis for any disciplinary, dismissal, or promotion decision.
  (c) Cooperate with the Processor in handling Rep data subject rights requests, including erasure and objection.
  (d) Document its own legitimate-interest balancing test and hold it available for inspection by the Irish Data Protection Commission.

Rep rights exercisable directly in the Processor's platform: Right of access (Article 15) and right to data portability (Article 20) are self-service via the "My Data & Privacy" screen. Rights of rectification (Article 16), erasure (Article 17), restriction (Article 18), and objection (Article 21) are routed via [email protected] and handled jointly with the Controller.

Schedule 2: Approved Sub-Processors

Supabase Inc.
  • Purpose: Database, authentication, storage, edge computing
  • Data Processed: All Controller Personal Data; session tokens; encrypted bank details
  • Location: AWS eu-west-1 (Dublin, Ireland)
  • Transfer Mechanism: Data remains in EEA

Stripe Ireland Limited
  • Purpose: Payment processing, subscription billing
  • Data Processed: Controller email, subscription tier, Stripe customer ID. No card data touches Caolu.
  • Location: Ireland (EU entity)
  • Transfer Mechanism: Data remains in EEA

Netlify Inc.
  • Purpose: Application hosting, CDN
  • Data Processed: IP addresses, HTTP request metadata only. No Personal Data at rest.
  • Location: EU CDN edge nodes
  • Transfer Mechanism: SCCs (EU-US Data Privacy Framework)

Zoho Corporation B.V.
  • Purpose: Transactional email, business communications
  • Data Processed: Controller email, email content
  • Location: EU data centre (Netherlands)
  • Transfer Mechanism: Data remains in EEA

Google LLC
  • Purpose: Maps API for roof survey geocoding; future analytics
  • Data Processed: Property addresses (geocoding only; not stored by Google on Caolu's behalf)
  • Location: Global
  • Transfer Mechanism: SCCs; EU-US Data Privacy Framework

Anthropic PBC
  • Purpose: AI coding assistant (Claude and Claude Code) used internally by Caolu engineering to author, review and debug the Caolu codebase. Not a runtime component of the Service. No Customer Personal Data is intentionally transmitted to this sub-processor; see the "Data-Minimisation Carve-Out" box below.
  • Data Processed: Source code, technical documentation, anonymised or synthetic test records only. No real Customer Personal Data (name, email, phone, address, Eircode, MPRN, consent records, saved quotations).
  • Location: United States
  • Transfer Mechanism: SCCs (Commercial Terms) where engineering operates under Anthropic's Commercial Terms of Service; otherwise excluded from Personal Data processing scope entirely (see carve-out).
Webhook Endpoints (Controller-configured): Where the Controller configures outbound webhook integrations, Customer Personal Data (name, email, phone, address, Eircode, MPRN, system specifications, grant status) may be transmitted to third-party systems determined solely by the Controller. The Processor acts as a technical conduit only. The Controller is responsible for ensuring compliance with Data Protection Law for such transmissions, including international transfer safeguards where the receiving endpoint is outside the EEA.
Data-Minimisation Carve-Out — AI Development Tooling (Anthropic PBC): The Processor's engineering team uses Anthropic's Claude and Claude Code as an internal software-development assistant only. These tools do not form part of the live Service and are never exposed to Controller or Data Subject Personal Data at runtime. The Processor enforces a written Claude Workflow Data Minimisation Policy that prohibits engineers from transmitting any real Customer Personal Data to Anthropic in any form, and requires the exclusive use of anonymised or synthetic test records in AI-assisted development sessions. Where engineering operates under an Anthropic plan governed by the Commercial Terms of Service (Claude Team, Claude Enterprise, or the Claude API), Anthropic's DPA with Standard Contractual Clauses is automatically incorporated. Where engineering operates under Anthropic's Consumer Terms of Service (Claude Free, Pro, Max, or Claude Code accessed via those plans), the tool is treated as strictly out-of-scope for Personal Data processing, so, in the absence of any Personal Data flow, Article 28 obligations are not engaged. The Controller may request to review the full written policy by contacting [email protected].

Schedule 3: Technical and Organisational Measures

The Processor implements the following measures pursuant to Article 32 of the GDPR:

Encryption

  • TLS 1.2+ for all data in transit (HTTPS enforced; HSTS active)
  • AES-256 encryption at rest for all database storage (Supabase/AWS)
  • Field-level encryption (pgcrypto / pgp_sym_encrypt) for sensitive financial data (bank IBAN, BIC, bank name)
  • Bcrypt password hashing (no plaintext password storage)
  • Property address de-identification via a salted SHA-256 hash (property_hash) of (company_id + normalised eircode). The salt is 32 random bytes stored in a private, service-role-only schema with no public grants. This enables property deduplication in the Manager Dashboard without retaining the eircode in a reversible form.
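The property_hash de-identification described above, as an added illustration in Python rather than the pgcrypto SQL the platform uses (this is not the Processor's code). The salt constant, the Eircode format check, the separator byte and the function names are assumptions for the example.

```python
import hashlib
import os
import re

# Constructed for the example: in the platform the 32 random bytes live in a
# private, service-role-only schema and never leave the database.
PROPERTY_HASH_SALT = os.urandom(32)

# Eircode: 3-character routing key followed by a 4-character unique identifier.
_EIRCODE_RE = re.compile(r"^[A-Z0-9]{3}[A-Z0-9]{4}$")


def normalise_eircode(eircode: str) -> str:
    """Canonicalise an Eircode so formatting differences cannot defeat deduplication.

    Eircodes are commonly written with a space ("D02 X285") and in mixed case;
    both are removed before hashing so the same property always yields one hash.
    """
    canonical = re.sub(r"\s+", "", eircode).upper()
    if not _EIRCODE_RE.match(canonical):
        raise ValueError("not a well-formed Eircode")
    return canonical


def property_hash(company_id: str, eircode: str, salt: bytes = PROPERTY_HASH_SALT) -> str:
    """Salted SHA-256 of (company_id + normalised eircode), hex-encoded.

    company_id is part of the input so the same property hashes differently for
    different tenants: rows cannot be linked across organisations. The secret
    salt is what makes the hash non-reversible in practice, because the Eircode
    space is small enough to enumerate against an unsalted digest. A NUL byte
    separates the two fields (an assumption here) so that no two distinct
    (company_id, eircode) pairs can concatenate to the same byte string.
    """
    if len(salt) < 32:
        raise ValueError("salt must be at least 32 bytes")
    material = (
        salt
        + company_id.encode("utf-8")
        + b"\x00"
        + normalise_eircode(eircode).encode("utf-8")
    )
    return hashlib.sha256(material).hexdigest()
```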

Access Control

  • Row-Level Security (RLS) enforced at the PostgreSQL database level on every table in the public schema
  • Users can access only their own data; managers restricted to their organisation
  • Company settings (brand, webhook, payment) updatable by managers/admins only (database-enforced)
  • Role-based access control: rep, manager, admin tiers with escalating permissions
  • SECURITY DEFINER function guards on every privileged RPC, with explicit role + company_id verification before any data is returned
  • A Content-Security-Policy and Permissions-Policy are applied at the HTTP response layer to restrict script sources and browser feature access

Authentication & Session Management

  • Supabase Auth with JWT-based session tokens
  • Automated session timeout after 30 minutes of inactivity
  • Re-authentication required after session expiry
  • Session warning at 25 minutes with option to extend

Audit & Monitoring

  • Immutable append-only audit log stored in the assessment_events table with user_id, timestamp, and structured metadata
  • Logged event types include: authentication (login, logout, session timeout), data access and modification (config_saved, config_loaded, pdf_generated, quote_pdf_generated, status_changed, deal_reopened), company profile changes, data export (CSV and JSON), goal setting, Manager Dashboard identity reveals (dashboard_identities_revealed), Manager Dashboard load/render failures, Rep self-view events (rep_data_viewed_self), and Rep data exports (rep_data_exported)
  • Immutable deal status history via a PostgreSQL trigger (trg_saved_configs_status_history) that snapshots locked commercial values (quote total, system size, battery capacity) on every status transition, preventing retrospective modification of closed-deal figures
  • Company profile changes logged with manager identification

Manager Dashboard Controls (Teams & Enterprise plans)

  • Pseudonymisation by default. Rep cards render with pseudonymous labels ("Rep A / Rep B / Rep C") until a manager explicitly clicks "Reveal names".
  • Audit-logged identity reveals. Every reveal creates a dashboard_identities_revealed event visible to the affected Reps via their in-app "My Data & Privacy" screen.
  • Time-bounded reveals. After a reveal, real names auto-hide again after 30 minutes or when the dashboard is closed.
  • No automated scoring or tier labels. GDPR Article 22 (automated individual decision-making) is not engaged because no automated decisions are made.
  • No in-app coaching notes. Free-text manager evaluations of individual Reps are not supported by the platform.
  • Team-level alerts only. System-generated alerts describe team-wide patterns and do not name individual Reps.
  • Automated 90-day anonymisation. A nightly pg_cron job (nightly_anonymise_dashboard_data) sets an anonymised_at marker on assessment_events and in-progress saved_configs older than 90 days and strips identifying metadata keys.
  • Rep self-service access. A dedicated in-app "My Data & Privacy" screen gives every Rep full visibility of their own data, the identity-reveal access log, and JSON export.
  • Manager-initiated erasure handler. The erase_user_performance_data service-role RPC handles GDPR Article 17 requests by anonymising rows and scrubbing identifying profile fields while preserving locked commercial values for Revenue retention.
  • Company offboarding procedure. A service-role RPC (archive_and_delete_company) copies all company data to a cold-storage schema (deleted_companies_archive, service-role only, restrictive RLS) before clearing the live tables, providing a clean FK-safe offboarding path.
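The nightly 90-day anonymisation and the Article 17 erasure handler above share one scrubbing step; the following added Python simulation (not the Processor's pg_cron job or RPC) shows both applied to constructed assessment_events rows. The set of identifying metadata keys, the clearing of user_id on erasure, and the sample rows are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the page does not list the identifying metadata keys.
IDENTIFYING_METADATA_KEYS = {"customer_name", "customer_email", "customer_phone", "eircode"}
RETENTION_DAYS = 90
EXAMPLE_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)


def anonymise_event(event: dict, now: datetime, unlink_user: bool) -> dict:
    """Return an anonymised copy of one assessment_events row.

    Identifying metadata keys are dropped and anonymised_at is set; locked
    commercial values (quote_total, system_size, battery_capacity) are left in
    place so closed-deal figures survive for Revenue retention. An already
    anonymised row is returned unchanged, so re-running the job is safe.
    """
    if event.get("anonymised_at") is not None:
        return event
    scrubbed = dict(event)
    scrubbed["metadata"] = {k: v for k, v in event.get("metadata", {}).items()
                            if k not in IDENTIFYING_METADATA_KEYS}
    if unlink_user:
        scrubbed["user_id"] = None  # assumption: erasure also breaks the link to the Rep
    scrubbed["anonymised_at"] = now
    return scrubbed


def nightly_anonymise(events, now, retention_days=RETENTION_DAYS):
    """Simulate the scheduled job: anonymise every row older than the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [anonymise_event(e, now, unlink_user=False) if e["created_at"] < cutoff else e
            for e in events]


def erase_user_performance_data(events, user_id, now):
    """Simulate the Article 17 RPC: anonymise all of one Rep's rows regardless of age."""
    return [anonymise_event(e, now, unlink_user=True) if e["user_id"] == user_id else e
            for e in events]


def sample_events(now):
    """Constructed sample rows for the example; not real data."""
    return [
        {"id": 1, "user_id": "rep-1", "created_at": now - timedelta(days=120),
         "event_type": "status_changed", "anonymised_at": None,
         "metadata": {"customer_name": "Sample Customer", "eircode": "D02X285",
                      "quote_total": 9500.0, "system_size": 4.2}},
        {"id": 2, "user_id": "rep-2", "created_at": now - timedelta(days=10),
         "event_type": "config_saved", "anonymised_at": None,
         "metadata": {"customer_email": "[email protected]", "quote_total": 7200.0}},
    ]
```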

Infrastructure

  • Primary data storage: AWS eu-west-1 (Dublin, Ireland)
  • Application hosting: Netlify (EU CDN edges)
  • No on-premise infrastructure; fully managed cloud services
  • Automated backups via Supabase (point-in-time recovery)

Organisational Measures

  • Confidentiality obligations for all personnel with data access
  • Principle of least privilege applied to all system access
  • Regular review of access permissions
  • Incident response procedures documented and tested

Execution

This Agreement may be executed electronically. By accepting the Caolu Terms of Service, the Controller is deemed to have accepted this Data Processing Agreement.

Caolu Consultants — Data Processor

CRO No. 783041 · Republic of Ireland