Data Protection Agreement

Data Processing Agreement

Last Updated April 2025

This Data Processing Agreement (“Agreement” or “DPA”) is incorporated into the C-Link SaaS Software as a Service Subscription Agreement entered into between:

Construction Link Limited (Company No. 09791821), a company registered in England and Wales, of 85 Great Portland Street, First Floor, London, United Kingdom, W1W 7LT. Email: info@c-link.com (“we”, “us” or “our”); and

1. The customer who signs up to our C-Link platform (“you” or “your”),

2. Together the “Parties”, and each a “Party”.

1.0 Commencement and Term

1.1 This DPA will commence on the date that the C-Link SaaS Software as a Service Subscription Agreement is entered into, and will continue for as long as the Agreement remains in effect (“Term”).

1.2 Where you make any deletions or other revisions to this DPA, this DPA will be null and void, unless otherwise agreed by us in writing.

1.3 By entering into this DPA, each Party agrees to be bound by the terms and conditions set out herein, in exchange for the other Party also agreeing to be bound by it.

2. WHEREAS

(A) You act as a Data Controller.
(B) You wish to subcontract certain Services, which imply the processing of personal data, to us as the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws, including Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).
(D) The Parties wish to lay down their rights and obligations.

3. Definitions and Interpretation

3.1 Unless otherwise defined, capitalised terms shall have the following meanings:

“Agreement” means this Data Processing Agreement and all Schedules;
“Company Personal Data” means any Personal Data Processed by us on your behalf under the Agreement;
“Contracted Processor” means a Subprocessor;
“Data Protection Laws” means the GDPR, UK GDPR, and any applicable data protection or privacy laws;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC as amended or replaced, including by GDPR;
“GDPR” means Regulation (EU) 2016/679;
“Data Transfer” means a transfer of personal data outside the EEA or UK that would be restricted under Data Protection Laws;
“Services” means the software-as-a-service (SaaS) procurement and tendering platform provided by us;
“Subprocessor” means any person appointed by us to process personal data on your behalf.

3.2 Terms such as “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach”, and “Supervisory Authority” shall have the meanings given in the GDPR.

4. Processing of Company Personal Data

4.1 We shall:

4.1.1 comply with all applicable Data Protection Laws in our Processing; and
4.1.2 only process Company Personal Data on documented instructions from you.

4.2 You instruct us to process Company Personal Data solely as necessary to provide the Services under the Subscription Agreement.

5. Processor Personnel

We shall take reasonable steps to ensure the reliability of any personnel who may have access to your Personal Data and ensure they are subject to confidentiality obligations.

6. Security

6.1 We shall implement appropriate technical and organisational measures in accordance with Article 32 GDPR, considering the state of the art, costs, scope, and risk.
6.2 We shall assess security risks including those related to data breaches.

7. Subprocessing

7.1 You authorise us to engage the Subprocessors listed in Annex 1 (Approved Subprocessors). These Subprocessors provide infrastructure, communication, AI/ML services, analytics, and business operations essential to the provision of our Services.
7.2 From time to time, we may appoint additional Subprocessors or make changes to the list. Where legally required, we will notify you and allow for objection on reasonable grounds related to data protection.
7.3 We will ensure Subprocessors are contractually bound to protection obligations as strict as this DPA.

8. Data Subject Rights

8.1 We will assist you in fulfilling Data Subject rights under applicable law.
8.2.1 We will notify you without undue delay if we receive a request.
8.2.2 We will not respond without your instruction unless legally required and will inform you where permitted.

9. Personal Data Breach

9.1 We will notify you within 24 hours of becoming aware of a Personal Data Breach affecting Company Personal Data.
9.2 We will cooperate with any investigation, mitigation, or remediation efforts.

10. Data Protection Impact Assessment and Prior Consultation

We shall assist you in complying with obligations under Articles 35 and 36 GDPR, including supporting Data Protection Impact Assessments and prior consultations with regulators, where relevant to the Services.

11. Deletion or Return of Company Personal Data

Upon termination of the Agreement, we shall delete or return all Company Personal Data within 10 business days unless retention is required by law.

12. Audit Rights

12.1 Upon written request, we shall make available all information necessary to demonstrate compliance with this DPA and allow audits (including inspections) by you or an authorised auditor.
12.2 These audit rights are subject to what is already granted under the Subscription Agreement.

13. Data Transfer

13.1 We shall not transfer Company Personal Data outside the EEA or UK without your prior written consent.
13.2 Where authorised, transfers will be conducted in accordance with standard contractual clauses or other legal mechanisms approved under Data Protection Laws.

14. General Terms

14.1 Confidentiality

Each Party shall keep this DPA and related information confidential unless required by law or publicly available.

14.2 Notices

All notices shall be in writing and delivered to the contact addresses notified in the Subscription Agreement or updated in writing by the Parties.

15. Governing Law and Jurisdiction

15.1 This DPA is governed by the laws of England and Wales.
15.2 Any dispute arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Annex 1 (Approved Subprocessors)

Subprocessor	Purpose/Function	Website
Amazon Web Services	Cloud infrastructure, hosting, data centres	amazon.com
Microsoft	Cloud services, document editing, BI	microsoft.com
Google	Cloud services, document editing, BI	google.com
DocuSign	Electronic signatures and approval workflows	docusign.com
Loom	Customer onboarding and support	loom.com
Vimeo	Hosting of videos and tutorials	vimeo.com
Sentry	Monitoring and alerting of errors	sentry.io
Slack	Internal communication	slack.com
HubSpot	CRM and marketing automation	hubspot.com
OpenAI (ChatGPT)	ML and generative AI services	openai.com
Anthropic	Natural language AI tools	anthropic.com

Cookie	Description
token_production	This cookie is used to retrieve user information
wp-settings	Is used by Wordpress to maintain the wp-admin setting of a WordPress user
wp-settings-time	Used by Wordpress to customize the view of admin interface

Cookie	Description
_clck	Microsoft Clarity cookie used for user analytics.
_clsk	Microsoft Clarity cookie used for session analytics.
_ga	Google Analytics cookie used to distinguish users.
_ga_6S8J9LXEQJ	Google Analytics cookie used to distinguish users.
_ga_BZYPST9YJQ	Google Analytics cookie used to distinguish users.
_ga_VWMZ4SHPPK	Google Analytics cookie used to distinguish users.
_gcl_au	Used by Google AdSense for experimenting with advertisement efficiency.
_gid	Google Analytics cookie, used to distinguish users.

Cookie	Description
__hssc	Tracks sessions and determines if HubSpot should increment the session number and timestamps.
__hssrc:	Used by HubSpot to determine if the user has restarted their browser.
__hstc	The main cookie for tracking visitors in HubSpot.
hubspotutk	Keeps track of a visitor's identity and is passed to HubSpot on form submission.
messagesUtk	Used for tracking user messages through the website’s chat feature.

Cookie	Description
_gat_gtag_UA_74744918_1	Google Tag Manager cookie used to manage tracking.
_gat_UA-74744918-1	Google Tag Manager cookie used to manage tracking.
_zitok	First-party cookie set by ZoomInfo to identify unique visitors