Data Processing Addendum (DPA)

Effective Date: February 10, 2026

1. Scope

This DPA applies where Rabbit SaaS Limited ("Processor") processes personal data on behalf of a Business Customer ("Controller").

2. Processing of Data

The Processor shall process personal data only on the written instructions of the Controller and in accordance with UK GDPR.

3. Security

The Processor shall implement appropriate technical and organizational measures to ensure security, including encryption in transit and at rest.

4. Sub-processors

The Controller authorizes the use of: Stripe, DigitalOcean, Amazon AWS, and Email Providers (Alerts).

5. Deletion

Upon termination of the Service, the Processor shall delete all personal data unless UK law requires its retention.