Legal
Please note: This document is currently published only in English. A Lithuanian version, with UAB "Divergent EU Operations" as the contracting party, is being prepared.

Last modified: December 2025

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Online Services Agreement and / or Online Subscription Agreement (the "Principal Agreement") between:

(each referred to as the "Processor") and the company or organisation using divergent's Services (the "Company", regardless of legal form).

This Agreement governs the requirements of Data Protection Laws to the extent that the Company's use of the Services involves the Processing of Personal Data subject to those laws. It is complementary to the divergent Privacy Policy, which is the primary reference for divergent's data protection practices.

The term of this Agreement follows the term of the Principal Agreement. Terms not defined here have the meaning given in the Principal Agreement.

Whereas

(A) The Company acts as a Data Controller (the "Controller"), or as a Data Processor for a third-party Controller.

(B) The Company wishes to subscribe to certain Services that involve the Processing of Personal Data, with divergent acting as a Data Processor (the "Processor").

(C) The Parties wish to implement a data processing agreement that complies with Regulation (EU) 2016/679 (the "GDPR"), the UK General Data Protection Regulation, and other applicable Data Protection Laws.

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 "Agreement" means this Data Processing Agreement.

1.2 "Company Personal Data" means any Personal Data relating to the Company or to the Company's customers, employees, contacts or other Data Subjects that is Processed by the Processor in connection with the Principal Agreement.

1.3 "Data Protection Laws" means the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, the Data Use and Access Act 2025 (UK), national laws implementing or supplementing those regulations, and the Privacy and Electronic Communications Regulations 2003 (UK), in each case as amended or replaced from time to time.

1.4 "Data Transfer" means a transfer of Company Personal Data from the Controller to the Processor, or an onward transfer from the Processor to a Subprocessor.

1.5 "EEA" means the European Economic Area.

1.6 "Services" means the divergent products subscribed to by the Company under the Principal Agreement, including Connect, Inflo, Neo, Reservate, Identity and any successor or replacement service.

1.7 "Subprocessor" means any third party engaged by the Processor to Process Company Personal Data on its behalf.

The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" have the meanings given in the GDPR and applicable Data Protection Laws.

2. Processing of Company Personal Data

The Processor shall:

2.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.2 not Process Company Personal Data other than on the Controller's documented instructions, which are: the Principal Agreement, this Agreement, the Controller's use of the Services in accordance with the Principal Agreement, and any further written instructions agreed between the Parties.

The Controller instructs the Processor to Process Company Personal Data to:

2.3 provide the Services and related technical support;

2.4 fulfil legal obligations or resolve disputes;

2.5 perform internal tasks aimed at optimising the security, privacy, confidentiality, reliability and functionality of the Services;

2.6 perform internal reporting, financial reporting and other similar internal tasks.

A description of the subject matter, duration, nature, purpose, categories of Personal Data and categories of Data Subjects of the Processing is set out in Schedule 1.

3. Processor Personnel

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Company Personal Data, ensuring that access is limited to those individuals who need to access the data to perform the Principal Agreement or to comply with applicable laws, and that all such individuals are bound by written or statutory confidentiality obligations.

4. Security

In accordance with Article 32 of the GDPR, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing.

These measures include, as a minimum: encryption of Company Personal Data in transit using TLS 1.2 or higher; encryption of Company Personal Data at rest using AES-256 or an equivalent standard; multi-factor authentication and least-privilege access controls for production systems; logging of production activity to an append-only audit log; periodic vulnerability scanning and at least annual independent penetration testing of the Services; documented incident response procedures; background checks of personnel commensurate with role; and annual security and data protection training for personnel.

The Processor may update its measures from time to time provided that the level of protection is not materially reduced. A current summary is available on written request to help@divergent.group.

5. Subprocessing

The Company grants the Processor general authorisation to engage Subprocessors and to disclose or transfer Company Personal Data to them in connection with the Services. The current list of Subprocessors is set out in or referenced from the divergent Privacy Policy, and is made available to the Company on written request to help@divergent.group.

The Processor shall give the Company at least thirty (30) days' prior notice of any intended change to its Subprocessors, either by email to the Company's nominated contact or by updating the Privacy Policy and notifying registered Company contacts. The Company may, within that 30-day period, object to a proposed Subprocessor on reasonable data protection grounds. If the Parties are unable to agree a resolution within thirty (30) days of the objection, the Company may, as its sole and exclusive remedy, terminate the affected Services without penalty, with a pro-rated refund of any prepaid fees for the unused portion of the term.

The Processor shall impose on each Subprocessor, by written contract, data protection obligations that are no less protective than those imposed on the Processor under this Agreement, to the extent applicable to the nature of the services provided by the Subprocessor. The Processor remains liable to the Company for the acts and omissions of its Subprocessors.

6. Data Subject Rights

Taking into account the nature of the Processing, the Processor shall reasonably assist the Company in fulfilling the Company's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws.

The Processor shall:

6.1 promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2 not respond to that request except on the documented instructions of the Controller or as required by applicable law, in which case the Processor shall inform the Company of the legal requirement before responding (to the extent permitted by law).

7. Personal Data Breach

In the event of a Personal Data Breach affecting Company Personal Data, the Processor shall notify the Company without undue delay, and in any event within seventy-two (72) hours of confirmation of the breach, providing sufficient information to enable the Company to fulfil its obligations under Data Protection Laws.

The Processor shall co-operate with the Company and take reasonable commercial steps as the Company directs to assist in the investigation, mitigation and remediation of the breach.

Each party shall bear the costs of the investigation, remediation and other related actions to the extent the Personal Data Breach is caused by that party. Each party shall bear the cost of any fines, penalties or damages imposed by a regulatory authority or court to the extent arising from that party's breach of its obligations under this Agreement.

8. Data Protection Impact Assessments and Prior Consultation

The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervisory Authorities that the Controller reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, taking into account the nature of the Processing and the information available to the Processor.

9. Deletion or Return of Company Personal Data

On termination or expiry of the Principal Agreement, or of the relevant Services, the Processor shall, at the Company's choice, return or delete all Company Personal Data in its possession or control, except to the extent that storage is required by law or for the establishment, exercise or defence of legal claims.

The Company should request a copy of its data before terminating its account; requests received after account deletion or after the post-termination grace period cannot be honoured. Residual copies in routine backups will be deleted in accordance with the Processor's backup retention schedule (typically up to ninety (90) days, or longer where retention is required to comply with a legal or regulatory obligation) and remain subject to the confidentiality and security obligations of this Agreement until deletion.

10. Audit Rights

The Processor shall make available to the Company on written request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or by an auditor mandated by the Company.

The Company shall not exercise its audit rights more than once per calendar year, except following a Personal Data Breach affecting Company Personal Data or where required by a Supervisory Authority. The Company shall give the Processor at least sixty (60) days' prior written notice of its intention to audit. Audits shall be conducted during the Processor's business hours, shall not disrupt the Processor's operations, and shall protect the confidentiality of the Processor's, the Company's and other Data Subjects' Personal Data. The Parties shall mutually agree the date, scope, duration, security and confidentiality controls applicable to any audit in advance. The Company acknowledges that the signing of a non-disclosure agreement may be required prior to the conduct of the audit.

To the extent that information made available by the Processor under this Agreement (including any independent penetration test summary or security questionnaire response provided on request) is sufficient to demonstrate compliance with this Agreement, the Company's audit rights under this section 10 do not separately arise.

11. Data Transfers

The Processor shall, to the extent reasonably possible, Process Company Personal Data within the United Kingdom, the European Economic Area, or in a country subject to a relevant adequacy decision under Article 45 of the GDPR or section 17A of the UK Data Protection Act 2018.

Where Company Personal Data is transferred from the UK or EEA to a country outside that scope, the Parties shall ensure that the Personal Data is adequately protected. The Processor shall, unless the Parties otherwise agree, rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), the UK International Data Transfer Addendum issued by the Information Commissioner, the EU-US Data Privacy Framework (or its UK Extension), or other transfer mechanisms permitted under Data Protection Laws. The Processor may make corresponding onward transfers to Subprocessors provided that adequate safeguards are implemented.

12. General Terms

Compliance with Applicable Laws. The Processor will Process Company Personal Data in accordance with this Agreement and Data Protection Laws applicable to its role. The Processor is not responsible or liable for complying with Data Protection Laws applicable solely to the Company by virtue of its business or industry.

Confidentiality. Each party must keep any information it receives about the other party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other party, except to the extent that (a) disclosure is required by law, or (b) the relevant information is already in the public domain through no fault of the parties.

Notices. Notices under this Agreement must be in writing and sent by email. Notices to the Controller shall be sent to the address registered to its divergent account. Notices to the Processor shall be sent to help@divergent.group.

Liability. The parties' aggregate liability arising out of or in connection with this Agreement is subject to the limitations of liability set out in the Principal Agreement, save that nothing in this Agreement or the Principal Agreement excludes any liability that cannot be excluded under applicable law, including liability under Article 82 of the GDPR.

Governing Law and Jurisdiction. This Agreement is governed by the law of the jurisdiction stated in the Principal Agreement (England & Wales where the contracting entity is divergent UK Operations Ltd; the Republic of Lithuania where the contracting entity is UAB divergent EU Operations), and the parties submit to the exclusive jurisdiction of the courts specified in the Principal Agreement, except that the EU Standard Contractual Clauses and the UK International Data Transfer Addendum are governed by the laws and subject to the jurisdictions specified within them.

Conflict. In the event of conflict between this Agreement and the Principal Agreement, this Agreement prevails in respect of the subject matter of this Agreement. In the event of conflict between this Agreement and the EU Standard Contractual Clauses or UK Addendum, those Clauses or the Addendum prevail.

In case of discrepancy between the English version of this Agreement and any translated version, the English version shall prevail.

Schedule 1 — Description of Processing

Subject matter. Provision of the divergent Services subscribed to by the Company.

Duration. The term of the Principal Agreement, plus the post-termination period set out in section 9.

Nature and purpose. Hosting, storing, transmitting, displaying, securing and otherwise handling Company Personal Data as necessary to provide the Services to the Company, including account management, customer support, security monitoring, anti-abuse, fault diagnosis and the delivery of Service features.

Categories of Data Subjects. As determined by the Company's use of the Services, including: the Company's representatives, administrators and end users; the Company's customers, prospects, suppliers and counterparties whose Personal Data the Company chooses to process through the Services; the Company's employees, contractors and other workforce members; and recipients of communications sent or received via the Services.

Categories of Personal Data. As determined by the Company's use of the Services, including: identifiers (name, username, email, phone number, customer reference); contact information; authentication data (hashed credentials, multi-factor tokens, IP addresses, device identifiers, session metadata); communications content and metadata (Connect messages, SMS and email bodies and headers); booking, reservation and transaction data (Reservate); analytics, integration and operational data ingested or generated through Inflo and Neo; audit and security logs; and any other Personal Data that the Company or its users elect to submit through the Services.

Special Category Personal Data. The Services are not designed for the routine processing of Special Category Personal Data, criminal-offence data or children's Personal Data. Where the Company's lawful use of the Services involves any such data, the Parties shall agree appropriate additional safeguards in writing before that Processing commences.

Frequency of Processing. Continuous, for the duration of the Principal Agreement.

Retention. Company Personal Data within the Services: for the term of the Principal Agreement, then deleted in accordance with section 9 (default: end of subscription, plus up to ninety (90) days for backup rotation, save where longer retention is required to comply with a legal or regulatory obligation). Authentication and security logs: up to thirteen (13) months by default. Aggregated, de-identified usage data: indefinitely.

Recipients. The Processor's personnel under confidentiality obligations, and Subprocessors as referenced from the Privacy Policy or notified to the Company under section 5.