7. Data Processing Addendum
7.1 About this Data Processing Addendum
This Data Processing Addendum forms part of the Terms of Service between Solardeck and the customer using Solardeck for business purposes.
This Addendum applies where Solardeck processes personal data on behalf of a business customer in connection with providing the Service.
It is intended to support compliance with applicable data protection laws, including where relevant UK GDPR, EU GDPR, the Data Protection Act 2018, and similar privacy laws.
Contact: support@solardeck.co
7.2 Definitions
In this Addendum:
"Customer" means the business, organisation, consultancy, adviser, or workspace owner using Solardeck.
"Customer Personal Data" means personal data that the Customer enters, uploads, submits, or otherwise makes available to Solardeck for processing on behalf of the Customer.
"Data Protection Laws" means applicable privacy and data protection laws, including where applicable UK GDPR, EU GDPR, the Data Protection Act 2018, and other applicable laws.
"Controller", "processor", "personal data", "processing", "data subject", and "subprocessor" have the meanings given to them under applicable Data Protection Laws.
7.3 Roles
For Customer Personal Data, the Customer is generally the controller and Solardeck is generally the processor.
The Customer determines the purposes and means of processing Customer Personal Data.
Solardeck processes Customer Personal Data only to provide, secure, maintain, support, and improve the Service, and as otherwise permitted by this Addendum, the Terms, or applicable law.
7.4 Customer responsibilities
The Customer is responsible for:
having a lawful basis for collecting and processing Customer Personal Data;
providing required privacy notices to data subjects;
obtaining required consents or permissions;
ensuring Customer Personal Data is accurate, relevant, and lawful;
ensuring the Customer has the right to upload or submit Customer Personal Data to Solardeck;
responding to data subject requests where the Customer is the controller;
ensuring use of Solardeck complies with laws applicable to the Customer.
7.5 Solardeck processing instructions
The Customer instructs Solardeck to process Customer Personal Data as necessary to:
provide the Service;
manage accounts and workspaces;
process project intake data;
process uploaded files;
generate draft documents and proposal materials;
provide client portal links;
export PDFs;
provide support;
maintain security;
detect misuse;
debug errors;
process billing and account administration;
comply with applicable law.
Solardeck will not process Customer Personal Data for purposes incompatible with these instructions unless required by law.
7.6 Nature and purpose of processing
The nature and purpose of processing include hosting, storing, transmitting, analysing, extracting, generating, formatting, securing, supporting, deleting, and otherwise processing Customer Personal Data to provide Solardeck.
7.7 Types of personal data
Customer Personal Data may include:
names;
email addresses;
business contact details;
client names;
project/site addresses;
project notes;
proposal materials;
uploaded files;
comments and review notes;
workspace activity;
user-generated content;
any personal data included by the Customer in project files or proposal materials.
7.8 Categories of data subjects
Customer Personal Data may relate to:
Customer users;
Customer employees;
Customer contractors;
Customer clients;
prospective clients;
site contacts;
building owners;
tenants;
landlords;
consultants;
installers;
project stakeholders;
other individuals whose data is submitted by the Customer.
7.9 Duration of processing
Solardeck processes Customer Personal Data for the duration of the Customer's use of the Service, and thereafter as needed for deletion, backup expiry, legal compliance, billing, security, fraud prevention, dispute handling, or other legitimate operational purposes.
7.10 Confidentiality
Solardeck will ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
7.11 Security measures
Solardeck will maintain reasonable technical and organisational measures designed to protect Customer Personal Data against unauthorised access, loss, misuse, alteration, or disclosure.
These measures may include:
secure authentication;
access controls;
workspace-level permissions;
encrypted connections;
infrastructure security controls;
logging and monitoring;
rate limiting;
vendor access restrictions;
backup controls;
account deletion tools;
security review processes appropriate to the stage of the Service.
7.12 Subprocessors
The Customer authorises Solardeck to use subprocessors to provide the Service.
Subprocessors may include providers for:
hosting and infrastructure;
database storage;
authentication;
payment processing;
email delivery;
AI processing;
mapping and geocoding;
solar estimation;
analytics;
logging;
monitoring;
customer support;
security;
legal and operational support.
Solardeck will require subprocessors to protect Customer Personal Data using appropriate contractual, technical, and organisational measures.
7.13 International transfers
Customer Personal Data may be processed outside the country where the Customer or data subjects are located.
Where required by Data Protection Laws, Solardeck will use appropriate transfer mechanisms, which may include adequacy decisions, standard contractual clauses, the UK International Data Transfer Agreement or Addendum, or other lawful transfer mechanisms.
7.14 Data subject requests
Where Solardeck receives a data subject request relating to Customer Personal Data for which the Customer is controller, Solardeck may refer the request to the Customer unless legally required to respond directly.
Solardeck will provide reasonable assistance to the Customer, taking into account the nature of the processing and information available to Solardeck.
7.15 Assistance with compliance
Taking into account the nature of processing and information available to Solardeck, Solardeck will provide reasonable assistance to the Customer with:
data subject requests;
security obligations;
breach notifications;
data protection impact assessments;
regulator consultations where required by law.
Solardeck may charge reasonable fees for assistance that is outside normal support or requires significant time, technical work, or legal review.
7.16 Security incidents
If Solardeck becomes aware of a confirmed personal data breach affecting Customer Personal Data, Solardeck will notify the Customer without undue delay, where required by law.
The notification may include available information about the nature of the incident, affected data, likely consequences, and measures taken or proposed.
7.17 Deletion and return
Upon account deletion, termination, or written request, Solardeck will delete or return Customer Personal Data where technically feasible and legally required, subject to retention required for legal, tax, billing, security, fraud-prevention, backup, dispute, or compliance purposes.
Backup copies may persist for a limited period until overwritten or deleted according to backup cycles.
7.18 Audits
Upon reasonable written request, Solardeck may provide information reasonably necessary to demonstrate compliance with this Addendum.
Audits must be reasonable, limited, non-disruptive, subject to confidentiality, and must not compromise the security, confidentiality, or rights of other customers or systems.
7.19 Conflict
If this Addendum conflicts with the Terms of Service, this Addendum controls only for the processing of Customer Personal Data where Solardeck acts as processor.
7.20 Contact
For questions about this Data Processing Addendum, contact:
support@solardeck.co