Data Processing Addendum (DPA)

Effective date: 23 February 2026

Processor: Nevrast Consulting Ltd (trading as Kairo Partners)
Company number: 15924692
Registered office: 4th Floor Radius House, 51 Clarendon Road, Watford, Hertfordshire, England, WD17 1HP

This DPA forms part of any agreement under which Nevrast Consulting Ltd provides services to a client (the Agreement) where Personal Data is processed on behalf of the client as Controller. Capitalised terms have the meanings given in UK GDPR unless defined otherwise.

1. Definitions

Data Protection Laws means UK GDPR, the Data Protection Act 2018, PECR and any applicable amendments or successor legislation.

Sub-processor means any processor engaged by the Processor to process Personal Data on behalf of the Controller.

2. Roles and instructions

The Controller appoints the Processor to process Personal Data only in accordance with documented instructions, the Agreement and this DPA.

The Processor will notify the Controller if an instruction appears to infringe Data Protection Laws (without providing legal advice).

Unless legally prohibited, the Processor will notify the Controller of legally binding requests from public authorities for disclosure of Personal Data.

3. Nature and duration of processing

Details of processing are described in Annex A. Processing continues for the term of the Agreement and any lawful retention period, after which data will be returned or deleted in accordance with Section 10.

4. Confidentiality

The Processor ensures authorised personnel are subject to confidentiality obligations and receive appropriate data protection training.

5. Security

The Processor implements appropriate technical and organisational measures, as summarised in Annex B, taking into account risks, costs and the state of the art.

6. Sub-processors

The Controller provides general authorisation for the use of Sub-processors described in Annex C.

The Processor will impose data protection obligations on Sub-processors that are no less protective than this DPA and remains responsible for their performance.

The Processor will notify the Controller of material changes to Sub-processors and allow reasonable opportunity to object.

7. International transfers

Where Personal Data is transferred outside the UK or EEA, appropriate safeguards will be implemented, including the UK IDTA or EU SCCs with the UK Addendum, as described in Annex D.

8. Assistance

Taking into account the nature of processing, the Processor will assist the Controller with data subject rights, security obligations, breach notification, DPIAs and supervisory authority consultations.

9. Personal Data Breach

The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Personal Data and provide relevant information available to it.

10. Return and deletion

Upon termination of services, the Processor will delete or return Personal Data at the Controller’s choice, unless retention is required by law. Where deletion is not immediately feasible (e.g. backups), data will be securely isolated until deletion is possible.

11. Audit

Upon reasonable notice and no more than once annually (unless required by law or following a breach), the Processor will provide information necessary to demonstrate compliance and permit audits conducted by the Controller or its appointed auditor, subject to confidentiality and proportionality.

12. Liability

Liability under this DPA is subject to the limitations set out in the Agreement except where prohibited by law.

13. Precedence and updates

In the event of conflict, this DPA prevails in relation to data protection matters. Annexes may be updated to reflect operational changes; material changes will be notified.

14. Governing law

This DPA is governed by the laws of England and Wales and subject to the jurisdiction of the English courts.

Annex A — Processing Details

Subject matter: Consulting services including discovery, diagnostics, workshops, pilots and implementation support.

Purpose: Accessing, analysing and storing limited Personal Data where necessary to deliver services.

Duration: Duration of the engagement plus lawful retention.

Types of Personal Data: Business contact details, employee identifiers and limited customer or prospect records. Special category data is not intentionally processed.

Categories of Data Subjects: Client personnel, customers, prospects and partners as relevant.

Annex B — Security Measures (summary)

Role-based access control and MFA; least-privilege access; encrypted data transmission; encryption at rest via cloud providers; managed and secured endpoints; environment separation for testing; vendor-managed backups; logging and monitoring; staff training; data minimisation and timely deletion of working files.

Annex C — Sub-processors (categories)

The Processor uses reputable providers in categories including:

  • hosting and infrastructure

  • productivity and email platforms

  • secure file storage and collaboration tools

  • analytics services (where used and consented)

A current vendor list is available on request.

Annex D — International transfers

Where transfers occur to jurisdictions without adequacy, safeguards such as the UK IDTA or EU SCCs with the UK Addendum will be implemented together with supplementary technical and organisational measures where appropriate.

© 2026 Kairo Partners. All rights reserved.
