Data Processing Agreement
Last updated: 21 June 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Esteem (“Esteem”, “we”, “us”, the “Processor”) and the customer that has agreed to our Terms of Service or signed an Order Form (the “Customer”, “you”, the “Controller”) for the provision of the Esteem platform and related services (the “Services”, and that agreement, the “Principal Agreement”).
This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Services, in accordance with the requirements of Data Protection Law, including Article 28 of the UK GDPR and the EU GDPR. Where the Customer accepts the Principal Agreement, the Customer also accepts this DPA on behalf of itself and, to the extent required, its Authorised Affiliates.
In the event of any conflict between this DPA and the Principal Agreement with respect to the processing of Personal Data, this DPA prevails.
1. Definitions
Capitalised terms not defined here have the meanings given in the Principal Agreement.
“Authorised Affiliate” means an Affiliate of the Customer that is permitted to use the Services under the Principal Agreement.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Special Categories of Personal Data”, and “Supervisory Authority” have the meanings given in Data Protection Law.
“Customer Personal Data” means any Personal Data that Esteem processes on behalf of the Customer in the course of providing the Services, as more particularly described in Annex I.
“Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Principal Agreement, including: (a) the UK GDPR and the Data Protection Act 2018; (b) the EU GDPR (Regulation (EU) 2016/679) and applicable EU member-state laws; and (c) any other applicable privacy or data-protection law, including the CCPA/CPRA where relevant.
“EU SCCs” means the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021 for the transfer of personal data to third countries.
“Restricted Transfer” means a transfer of Customer Personal Data to a country or recipient not recognised as providing an adequate level of protection under Data Protection Law.
“Subprocessor” means any third party engaged by Esteem to process Customer Personal Data.
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
2. Roles and scope
2.1 Roles of the parties
With respect to Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and Esteem is the Processor. Where the Customer is itself a processor, the Customer warrants that it has the necessary authority from the relevant controller to engage Esteem as a subprocessor on the terms of this DPA.
2.2 Scope
This DPA applies to Esteem’s processing of Customer Personal Data on behalf of the Customer in connection with the Services. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
2.3 Customer’s responsibilities
The Customer is responsible for the lawfulness of Customer Personal Data and of the Customer’s instructions, including having a valid legal basis for the processing, providing any required notices, and obtaining any required consents from Data Subjects. The Customer must not provide Esteem with any Special Categories of Personal Data except as expressly agreed and described in Annex I.
3. Processing of Customer Personal Data
3.1 Documented instructions
Esteem will process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by law (in which case Esteem will inform the Customer of that legal requirement before processing, unless the law prohibits it). The Principal Agreement, this DPA, and the Customer’s configuration and use of the Services constitute the Customer’s complete and final instructions.
3.2 Lawfulness of instructions
Esteem will inform the Customer if, in its opinion, an instruction infringes Data Protection Law, without obligation to actively monitor the Customer’s compliance.
3.3 No sale of data; no AI training
Esteem will not sell Customer Personal Data, will not retain, use, or disclose it for any purpose other than providing the Services and as permitted by this DPA, and will not use Customer Personal Data to train, fine-tune, or improve any generative or foundation AI model. Esteem requires its AI Subprocessors to make the same commitment.
4. Confidentiality
Esteem will ensure that any person it authorises to process Customer Personal Data (including its personnel and Subprocessors) is subject to a duty of confidentiality (whether contractual or statutory) and processes Customer Personal Data only as instructed, on a need-to-know basis.
5. Security
5.1 Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, Esteem will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. A description of these measures is set out in Annex II.
5.2 Access and traceability
Esteem will ensure that access to Customer Personal Data is logged and traceable and is limited to authorised personnel who require access to provide the Services.
5.3 Updates to measures
Esteem may update its security measures from time to time, provided that the updated measures do not materially reduce the overall level of protection of Customer Personal Data.
6. Subprocessors
6.1 General authorisation
The Customer provides a general authorisation for Esteem to engage Subprocessors to process Customer Personal Data, subject to this Section 6. A current list of Subprocessors is available at https://esteem.team/legal/subprocessors.
6.2 Subprocessor obligations
Esteem will impose on each Subprocessor data-protection obligations that are no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Esteem remains fully liable to the Customer for the performance of each Subprocessor’s obligations.
6.3 Notice of changes and right to object
Esteem will provide the Customer with a mechanism to be notified of any intended addition or replacement of a Subprocessor (for example, by subscribing to updates to the Subprocessors page), giving the Customer the opportunity to object. The Customer may object on reasonable data-protection grounds within fourteen (14) days of being notified. If the Customer does not object within that period, the change is deemed accepted. If the Customer objects and the parties cannot reach a resolution, the Customer may, as its sole remedy, terminate the affected part of the Services.
7. Assistance to the Customer
7.1 Data Subject requests
Taking into account the nature of the processing, Esteem will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Law (including access, rectification, erasure, restriction, portability, and objection). If Esteem receives such a request directly, it will, unless legally prohibited, promptly inform the Customer and direct the Data Subject to the Customer.
7.2 Compliance assistance
Esteem will provide reasonable assistance to the Customer with: (a) data-protection impact assessments (DPIAs); (b) prior consultations with Supervisory Authorities; and (c) the Customer’s obligations relating to the security of processing and Personal Data Breach notification, taking into account the information available to Esteem.
8. Personal Data Breach
Esteem will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Esteem will take reasonable steps to mitigate the effects of the breach and will cooperate with the Customer so the Customer can meet its own breach-notification obligations.
9. International transfers
9.1 Transfer mechanism
The Customer authorises Esteem to transfer Customer Personal Data to, and process it in, countries other than the country in which it was collected, including through its Subprocessors. Where such a transfer is a Restricted Transfer, the parties agree that an appropriate transfer mechanism applies, including:
- the EU SCCs, which are incorporated into this DPA by reference for transfers subject to the EU GDPR (with Esteem as “data importer” and the Customer as “data exporter”, Module Two (controller to processor) or Module Three (processor to processor) as applicable); and
- the UK Addendum, which applies to transfers subject to the UK GDPR.
9.2 Completion of the clauses
The parties agree that, for the purposes of the SCCs and the UK Addendum: the relevant Annexes are populated by Annex I and Annex II of this DPA; the optional docking clause and the supervisory authority are completed as set out in Annex I; the governing law and forum are those of the relevant clauses; and Esteem’s entry into this DPA constitutes its signature of the applicable clauses.
9.3 Supplementary measures
Where necessary, Esteem will apply supplementary technical, organisational, and contractual measures to ensure an essentially equivalent level of protection for transferred Customer Personal Data.
10. Audits
10.1 Audit rights
Esteem will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK/EU GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
10.2 Conduct of audits
To minimise disruption, the Customer will give at least fourteen (14) days’ prior written notice, audits will take place during business hours no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), and the parties will agree on the scope and timing in advance. Esteem may satisfy audit requests by providing relevant certifications, third-party audit reports, or completed security questionnaires. The Customer bears its own costs and Esteem’s reasonable costs of an audit.
11. Return and deletion
On termination or expiry of the Principal Agreement, Esteem will, at the Customer’s choice, return or delete Customer Personal Data, and delete existing copies, unless storage is required by law. Esteem will make Customer Personal Data available for export for the period described in the Documentation, after which it will delete Customer Personal Data in the ordinary course of operations within a commercially reasonable period.
12. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, and any reference in the Principal Agreement to a party’s liability means the aggregate liability of that party under the Principal Agreement and this DPA together. Nothing in this DPA limits any liability that cannot be limited under Data Protection Law.
13. Term
This DPA takes effect when the Customer accepts the Principal Agreement (or, if later, when this DPA is entered into) and remains in force for as long as Esteem processes Customer Personal Data on behalf of the Customer. Provisions that by their nature should survive termination will survive.
14. General
This DPA is governed by the same law as the Principal Agreement (the laws of England and Wales), except to the extent that Data Protection Law or the SCCs require otherwise. If any provision of this DPA is found to be unenforceable, the remaining provisions remain in effect. Except as amended by this DPA, the Principal Agreement remains in full force and effect.
Annex I — Description of Processing
A. List of parties
Data exporter (Controller): The Customer, as identified in the Principal Agreement. Contact details and the Customer’s data-protection contact are those provided in the Customer’s Account or Order Form. Role: Controller (or processor acting on behalf of a third-party controller).
Data importer (Processor): Esteem. Contact: privacy@esteem.team. Role: Processor.
B. Description of the transfer / processing
Categories of Data Subjects whose Personal Data is processed:
- the Customer’s Authorised Users (for example, employees, contractors, and agents);
- the Customer’s clients, prospects, and their personnel (for example, contacts associated with deals, projects, estimates, and the Client Portal);
- the Customer’s suppliers and other business contacts; and
- any other individuals whose Personal Data the Customer chooses to include in Customer Data.
Categories of Personal Data processed:
- identity and contact data (such as names, email addresses, telephone numbers, job titles, and organisations);
- account and profile data (such as user identifiers, roles, and permissions);
- business and commercial data relating to deals, estimates, projects, time records, and finance (which may include the names and contact details of individuals);
- communications and content submitted to the Services (such as messages, documents, and call transcripts); and
- usage, log, and technical data associated with use of the Services.
Special Categories of Personal Data: Not intended to be processed. The Customer must not submit Special Categories of Personal Data unless expressly agreed in writing; if it does, the Customer is responsible for ensuring an appropriate legal basis and additional safeguards.
Frequency of the processing: Continuous, for the duration of the provision of the Services.
Nature and purpose of the processing: Hosting, storage, and processing of Customer Personal Data to provide, maintain, secure, and support the Services (including the Deals, Projects, Finance, Esteem AI, Client Portal, and Growth Hub features), in accordance with the Principal Agreement and the Customer’s instructions.
Duration of the processing: For the term of the Principal Agreement and until Customer Personal Data is returned or deleted in accordance with this DPA.
Subprocessing: Esteem may engage Subprocessors as described in Section 6 and listed at https://esteem.team/legal/subprocessors.
C. Competent Supervisory Authority
The competent Supervisory Authority is determined in accordance with Data Protection Law. For transfers subject to the UK GDPR, the competent authority is the UK Information Commissioner’s Office (ICO). For transfers subject to the EU GDPR, the competent authority is the Supervisory Authority of the EEA member state in which the Customer (or its EU representative) is established, or as otherwise determined under the EU SCCs.
Annex II — Technical and Organisational Measures
Esteem implements and maintains the following technical and organisational measures (TOMs) to protect Customer Personal Data. These measures may be updated provided the overall level of protection is not reduced.
1. Encryption. Data is encrypted in transit using TLS (TLS 1.2 or higher), and data at rest is encrypted using industry-standard algorithms.
2. Access control. Role-based access controls, the principle of least privilege, individual user accounts, strong-password requirements, and multi-factor authentication for administrative access. Access rights are reviewed periodically and revoked promptly when no longer needed.
3. Network and application security. A hardened network configuration, security headers (including HSTS), protections against common web vulnerabilities, a strict content-security policy, firewalls/web-application-firewall protections, and protection against denial-of-service attacks via the content-delivery and edge layer.
4. Logging and monitoring. Logging of access to systems containing Customer Personal Data, monitoring for anomalous or malicious activity, and retention of logs to support traceability and incident investigation.
5. Pseudonymisation and minimisation. Where feasible, data is pseudonymised or aggregated, and processing is limited to what is necessary for the relevant purpose.
6. Resilience and backups. Regular backups, redundancy, and measures designed to restore availability and access to Customer Personal Data in a timely manner following an incident.
7. Organisational measures. Internal security and privacy policies, confidentiality obligations for personnel, security-awareness training, vendor and Subprocessor due diligence, and a defined incident-response process.
8. Secure development and vulnerability management. Secure development practices, change management, dependency and infrastructure patching, and periodic vulnerability assessment and remediation.
9. Personnel. Background-appropriate onboarding, confidentiality undertakings, and termination procedures that remove access promptly.
10. Physical security. Customer Personal Data is hosted in data centres operated by Esteem’s hosting Subprocessors, which maintain physical-security and environmental controls (such as access restrictions, monitoring, and power and fire protection) consistent with recognised industry standards.
Annex III — List of Subprocessors
Esteem’s current Subprocessors, including their purpose, location, and applicable transfer mechanism, are listed and kept up to date at https://esteem.team/legal/subprocessors, which is incorporated into this DPA by reference.