Skip to main content

Data Processing Agreement

Last updated: 1 June 2026 · Version 1.0

This Data Processing Agreement (the “DPA”) forms part of the agreement between Calion Group Ltd (“Calion”, “Processor”) and the customer named in the underlying agreement (“Customer”, “Controller”) (each a “Party” and together the “Parties”) and applies where Calion processes Personal Data on behalf of the Customer in connection with the Service.

This DPA gives effect to Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and Article 28 of the EU General Data Protection Regulation (“EU GDPR”) (together, the “GDPR”), and incorporates by reference the European Commission Standard Contractual Clauses (Decision (EU) 2021/914, Module Two) (the “SCCs”) and the UK International Data Transfer Addendum issued by the Information Commissioner's Office (the “IDTA”), where international transfers occur.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR. “Personal Data” means personal data that Calion processes on behalf of the Customer under this DPA; other capitalised terms have the meaning given in the underlying agreement.

2. Roles

For Personal Data processed under this DPA the Customer is the Controller and Calion is the Processor. For Personal Data Calion processes for its own purposes (for example, operating its business, compliance with its own legal obligations, or fraud prevention on its platform) Calion is an independent Controller; the Privacy Policy applies.

3. Subject matter, duration, nature, and purpose

  • Subject matter: processing of Personal Data necessary to provide the Service.
  • Duration: for the term of the underlying agreement plus any period required by law for record-keeping.
  • Nature and purpose: hosting, storage, transmission, retrieval, analysis, and other operations needed to provide the Service.

4. Categories of Data Subjects and Personal Data

  • Data Subjects: Customer's personnel, directors, beneficial owners, end users invited by the Customer, applicants and their representatives.
  • Categories of Personal Data: identification data (name, email), business and financial data (where shared by the Customer), KYC/AML data (where the Customer instructs Calion to process it), usage and audit data.
  • Special categories: none are knowingly processed by default; the Customer must not upload special-category data unless agreed in writing.

5. Customer instructions

Calion will process Personal Data only on the documented instructions of the Customer, including with regard to transfers, unless required by UK or EU law (in which case Calion will, where lawful, inform the Customer first). The Customer's use of the Service in accordance with the underlying agreement constitutes its documented instructions. Calion will inform the Customer if it considers an instruction infringes the GDPR.

6. Confidentiality

Calion will ensure that personnel authorised to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

7. Security (Article 32 GDPR)

Calion will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Current measures are described on our Security page and include, at minimum:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with least-privilege and quarterly review.
  • Two-factor authentication for privileged accounts.
  • Append-only audit logging of state-changing actions.
  • Rate limiting and abuse detection on public endpoints.
  • Documented incident-response and business-continuity processes.
  • Vulnerability scanning and timely patching.
  • Background checks for personnel with access to production data.

8. Sub-processors

The Customer grants Calion a general authorisation to engage sub-processors to provide the Service. The current list is published at /legal/sub-processors. Calion will give the Customer at least 14 days' advance notice (by updating that page and, where the Customer subscribes, by email) of any intended addition or replacement of a sub-processor. The Customer may object on reasonable data-protection grounds; the Parties will then discuss in good faith. If no resolution is reached the Customer may terminate the affected portion of the Service for convenience.

Calion will ensure that each sub-processor is bound by terms no less protective than those in this DPA and remains liable to the Customer for the acts and omissions of its sub-processors as if they were its own.

9. International transfers

Where Personal Data is transferred from the UK or the EEA to a country that has not been the subject of an adequacy decision, the Parties incorporate the SCCs (Module Two: Controller-to-Processor) and the IDTA into this DPA, with the following selections:

  • Docking clause (Clause 7): applies.
  • Sub-processor authorisation (Clause 9): Option 2 (general authorisation) with a 14-day notice period.
  • Redress (Clause 11): Option (a) (independent dispute-resolution body) does not apply.
  • Governing law (Clause 17): the law of Ireland (for EEA transfers) or the law of England and Wales (for UK transfers).
  • Forum (Clause 18): Irish courts (EEA) or English courts (UK).

The technical and organisational measures in section 7 above, and the data described in section 4, complete Annexes II and I of the SCCs respectively.

10. Assistance to the Customer

Calion will, taking into account the nature of the processing, assist the Customer:

  • By appropriate technical and organisational measures, in fulfilling its obligation to respond to Data Subject requests under Chapter III of the GDPR.
  • In ensuring compliance with its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessment, and prior consultation), taking into account the information available to Calion.

11. Personal Data breach notification

Calion will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Customer's data. The notice will include the information then available to Calion, including the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.

12. Audit

Calion will make available to the Customer information necessary to demonstrate compliance with Article 28 of the GDPR, including via:

  • Third-party attestations and certifications (SOC 2 Type II or ISO 27001 reports of Calion or its sub-processors, where available).
  • Responses to reasonable security questionnaires.
  • On 30 days' written notice, an on-site audit by the Customer or an independent third-party auditor (subject to confidentiality, no more than once per calendar year except where required by a regulator or following a breach, and at the Customer's cost).

13. Return and deletion

On termination or expiry of the underlying agreement Calion will, at the Customer's choice, delete or return all Personal Data and delete existing copies, unless retention is required by UK or EU law. Calion may retain Personal Data in encrypted backups for up to 35 days, after which it is securely destroyed.

14. Liability

Each Party's liability under this DPA is subject to the limitations of liability in the underlying agreement.

15. Conflict and signed copy

If there is a conflict between this DPA, the SCCs/IDTA, and the underlying agreement, the SCCs/IDTA prevail (to the extent of the conflict), then this DPA, then the underlying agreement. A counter-signed PDF DPA suitable for procurement is available on request: email legal@calion.ie.