Data Processing Agreement

Between: Mintstone Ltd (Processor) and the Customer named in the Order Form (Controller)

Version 1.0 · Effective: 9 April 2026 · Governs use of the Mintstone Platform

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Master Services Agreement or Order Form between Mintstone Ltd and the Customer. In the event of any conflict between this DPA and the main agreement, this DPA shall prevail in respect of the processing of personal data.

1. Definitions

In this DPA, the following terms have the meanings set out below:

"Controller" means the Customer, being the party that determines the purposes and means of processing of personal data.
"Processor" means Mintstone Ltd, being the party that processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
"Processing" has the meaning given in UK GDPR Article 4(2).
"UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.
"Data Protection Laws" means UK GDPR, the Data Protection Act 2018, and any successor legislation.
"Sub-processor" means any third party appointed by Mintstone to process personal data on behalf of the Controller.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
"Platform" means the Mintstone SaaS software and associated services described in the Order Form.

2. Scope and Nature of Processing

Mintstone processes personal data solely to provide the Platform and associated services as described in Schedule 1 (Processing Details) to this DPA.

Mintstone shall not process personal data for any purpose other than those set out in this DPA and as instructed in writing by the Controller from time to time.

3. Controller Obligations

The Controller warrants and represents that:

It has a lawful basis for processing the personal data it submits to the Platform under applicable Data Protection Laws.
It has provided all necessary notices to and obtained all necessary consents from data subjects as required by Data Protection Laws.
It has the authority to appoint Mintstone as a data processor and to instruct Mintstone as set out in this DPA.
Its instructions to Mintstone shall at all times comply with Data Protection Laws.

4. Processor Obligations

Mintstone shall, in relation to any personal data processed in connection with its obligations under this DPA:

Process personal data only on the documented instructions of the Controller, unless required to do so by applicable law (in which case Mintstone shall inform the Controller before processing, unless the law prohibits such notification).
Ensure that persons authorised to process personal data are subject to appropriate obligations of confidentiality.
Implement and maintain the technical and organisational security measures described in Schedule 2.
Not engage any Sub-processor without prior written authorisation from the Controller, except as set out in Schedule 3 (Authorised Sub-processors), which the Controller hereby approves.
Assist the Controller, by appropriate technical and organisational measures, in responding to data subject rights requests under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and information available to Mintstone.
At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of the services, and delete existing copies, unless applicable law requires storage of the personal data.
Make available to the Controller all information necessary to demonstrate compliance with the obligations in UK GDPR Article 28, and allow for and contribute to audits conducted by the Controller or its designated auditor (with reasonable notice and at the Controller's cost).

5. Sub-processors

The Controller grants Mintstone general written authorisation to engage the Sub-processors listed in Schedule 3. Mintstone shall:

Impose data protection obligations on each Sub-processor equivalent to those in this DPA.
Remain liable to the Controller for the acts and omissions of its Sub-processors.
Notify the Controller of any intended changes to Sub-processors by updating Schedule 3 with at least 14 days' prior written notice, giving the Controller the opportunity to object to such changes.

6. International Transfers

Personal data shall be processed within the United Kingdom or European Economic Area, except where a Sub-processor operates in a third country. Where transfers occur outside the UK/EEA, Mintstone shall ensure that adequate safeguards are in place pursuant to UK GDPR Chapter V, including reliance on adequacy decisions or UK-approved standard contractual clauses as applicable.

The current transfer mechanisms applicable to each Sub-processor are described in Schedule 3.

7. Security Incidents

Mintstone shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident affecting personal data processed under this DPA.

Such notification shall include, to the extent available: (a) the nature of the Security Incident; (b) the categories and approximate number of data subjects concerned; (c) the likely consequences; and (d) the measures taken or proposed to address the incident.

Mintstone shall cooperate with the Controller and take such steps as are reasonably required by the Controller to mitigate and remedy the Security Incident.

8. Data Subject Rights

Mintstone shall promptly notify the Controller if it receives a request from a data subject relating to personal data processed under this DPA. Mintstone shall not respond to any such request without the Controller's prior written consent, except to inform the data subject that their request has been passed to the Controller.

Mintstone shall provide such assistance as is reasonably requested by the Controller to enable the Controller to comply with data subject rights requests within the statutory timeframes.

9. Data Retention and Deletion

Upon termination or expiry of the main agreement, or upon written request from the Controller:

Mintstone shall, at the Controller's election, either return all personal data to the Controller in a portable format or securely delete all personal data within 30 days.
Mintstone shall provide written confirmation of deletion upon request.
Mintstone may retain personal data to the extent required by applicable law, and shall notify the Controller of any such retention obligations.

10. Records of Processing

Mintstone shall maintain records of all categories of processing activities carried out on behalf of the Controller as required by UK GDPR Article 30(2).

11. Audits

The Controller (or its appointed auditor) may, upon providing at least 30 days' written notice and at its own cost, audit Mintstone's compliance with this DPA no more than once per calendar year. Any auditor must be subject to appropriate obligations of confidentiality. Mintstone may object to any auditor that it reasonably considers to be a competitor.

12. Limitation of Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the main agreement between the parties, except that neither party limits its liability for matters that cannot be limited under applicable Data Protection Laws.

13. Governing Law

This DPA shall be governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

14. Order of Precedence

In the event of any inconsistency between this DPA and the main agreement regarding the processing of personal data, this DPA shall prevail.

Schedule 1: Processing Details

Item	Details
Subject matter	The provision of the Mintstone platform for development finance portfolio monitoring and ADC loan classification.
Duration	For the term of the main agreement between the parties.
Nature of processing	Collection, storage, analysis, enrichment, display, and reporting of financial, project, and transactional data. AI-assisted document analysis and classification. Open banking transaction ingestion via TrueLayer.
Purpose	To enable lenders to monitor development finance loans, track project progress, verify borrower equity, and produce ADC risk weight classification outputs and PRA audit reports.
Categories of personal data	Borrower/developer identity data (name, company, contact details) Borrower financial data (bank transactions, account numbers, balances) Contractor identity data (name, company, contact details, bank account details) Site and property data associated with identifiable individuals Lender employee identity and access data Telegram/messaging metadata where used for project communication
Categories of data subjects	Borrowers (property developers); their directors, employees and agents; contractors and subcontractors; lender employees and authorised users.
Special category data	None anticipated. The Controller must notify Mintstone before submitting any special category data to the Platform.

Schedule 2: Technical and Organisational Security Measures

Mintstone implements and maintains the following measures:

Access Control

Role-based access controls (RBAC) with least-privilege principles enforced at the application layer.
Multi-factor authentication available for all user accounts; enforced for administrative access.
All access to production systems requires authenticated, logged sessions.
Separation of customer data at the database level via tenant isolation.

Encryption

All data in transit encrypted using TLS 1.2 or higher.
All data at rest encrypted using AES-256 (AWS RDS and S3 server-side encryption).
S3 document storage uses server-side encryption with AWS-managed keys (SSE-S3).

Infrastructure Security

Platform hosted on Vercel (edge network) and AWS (eu-west-2, London region).
Database hosted on managed PostgreSQL infrastructure with automated backups and point-in-time recovery.
Network access to database restricted by IP allowlisting and private networking.
Automated dependency vulnerability scanning via package manager tooling.

Operational Security

Audit logging of all significant user actions within the Platform.
Rate limiting on all API endpoints to prevent abuse and unauthorised bulk extraction.
Cron-based monitoring jobs run with authenticated secrets.
Security incident response procedure maintained internally with 72-hour breach notification commitment.

Personnel

All personnel with access to personal data are subject to confidentiality obligations.
Access to production systems restricted to essential personnel only.

Schedule 3: Authorised Sub-processors

The Controller hereby authorises Mintstone to engage the following Sub-processors. Mintstone will provide 14 days' written notice of any additions or replacements.

Sub-processor	Service	Data Processed	Location	Transfer Mechanism
Amazon Web Services (AWS)	Cloud infrastructure, object storage (S3), managed database (RDS/PostgreSQL)	All personal data stored on the Platform including documents, images, transaction data	UK (eu-west-2, London)	UK adequacy / AWS DPA
Vercel Inc.	Application hosting, edge network, serverless compute	Request/response data, authentication tokens; no persistent personal data stored	USA (primary), EU edge nodes	SCCs / Vercel DPA
OpenAI, Inc.	AI document analysis (invoice parsing, contract analysis, valuation extraction)	Extracted text from uploaded documents (invoices, JCT contracts, valuation reports). May contain contractor names, addresses, amounts.	USA	SCCs / OpenAI DPA (zero data retention API)
Anthropic PBC	AI-assisted analysis and classification tasks	Structured data extracts passed for analysis. May contain project financial data.	USA	SCCs / Anthropic DPA
TrueLayer Ltd	Open banking data API for bank account connection and transaction retrieval	Bank account metadata, transaction history for connected borrower accounts	UK	UK entity / TrueLayer DPA
Telegram Messenger Inc.	Project communication channel (optional feature)	Messages, media, and user identities in project Telegram groups (only where Telegram feature is enabled by the Controller)	USA / UAE	SCCs / Telegram Terms
PropertyData Ltd	Property market data API	Property postcodes and addresses (no direct personal data; pseudonymised location data)	UK	UK entity / PropertyData Terms

Public sector data sources (HM Land Registry SPARQL API, ONS, Bank of England, MHCLG EPC Register, Open-Meteo, Nominatim/OpenStreetMap) are called with postcode or property reference data only. These are open government/open data APIs with no personal data transfer agreements required.

Execution

By signing below, each party agrees to the terms of this Data Processing Agreement.

Mintstone Ltd (Processor)

Company No. 17105543
128 City Road, London, EC1V 2NX

Authorised Signatory

Name & Title (print)

Date

[Customer Name] (Controller)

As named in the Order Form

Authorised Signatory

Name & Title (print)

Date