Data Processing Agreement

    1. Introduction and Status

    1.1 This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms and Conditions and any associated agreement (together, the "Agreement") between Morbit Software Ltd ("Morbit", "We", "Us", "Our") and the customer (the "Client", "You", "Your") under which Morbit provides the morbit studio service.

    1.2 This DPA applies to the extent that Morbit processes Personal Data on behalf of the Client in the course of providing the Services.

    1.3 Morbit Software Ltd is a limited company registered in England under company number 12658362, with its registered office in Norwich, England (full registered details as set out in our Privacy Policy).

    2. Definitions

    2.1 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the UK GDPR.

    2.2 "UK GDPR" means the United Kingdom General Data Protection Regulation as defined in the Data Protection Act 2018, together with that Act and all applicable data protection laws of England and Wales.

    2.3 "Services" means the morbit studio service and any related services provided by Morbit under the Agreement.

    2.4 "Sub-processor" means any third party engaged by Morbit to process Personal Data on its behalf in connection with the Services.

    3. Roles of the Parties

    3.1 As between the parties, the Client is the Controller and Morbit is the Processor in respect of the Personal Data processed under the Agreement.

    3.2 The Client retains control of the original data sources. The Client authorises Morbit to access those sources via the relevant provider's API, using credentials supplied and authorised by the Client. Morbit does not determine the purposes of the processing.

    3.3 The Client warrants that it has a lawful basis to authorise the access and processing described in this DPA, and that it has provided all notices and obtained all consents required for Morbit to process the Personal Data on its behalf.

    4. Scope, Nature and Purpose of Processing

    4.1 Subject matter: the provision of the morbit studio unified-communications monitoring and analytics Services.

    4.2 Duration: for the term of the Agreement and any period thereafter expressly permitted under clause 12 (Return and Deletion).

    4.3 Nature and purpose: accessing the Client-authorised data source(s) via API; and collecting, storing and analysing communications metadata to provide monitoring, reporting, health-check and analytics functionality, including the optional AI Insights feature described in clause 8.

    4.4 Types of Personal Data: names; email addresses and user principal names; and communications metadata, namely call and meeting times, dates, types, durations, frequency, call-quality indicators, and device or peripheral identifiers. The Services process metadata only and do not process the content of communications, recordings or transcripts.

    4.5 Categories of Data Subjects: the Client's personnel and other users within the Client's environment, including meeting organisers and participants.

    4.6 No special categories of Personal Data (Article 9 UK GDPR) are intended to be processed under this DPA.

    5. Obligations of Morbit as Processor

    5.1 Morbit shall process the Personal Data only on the documented instructions of the Client, including with regard to transfers, unless required to do otherwise by law (in which case Morbit shall, where legally permitted, inform the Client of that requirement before processing). The Agreement and this DPA constitute the Client's initial documented instructions.

    5.2 Morbit shall ensure that persons authorised to process the Personal Data are subject to an appropriate duty of confidentiality.

    5.3 Morbit shall promptly inform the Client if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection law.

    6. Security

    6.1 Taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, Morbit shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Schedule 2.

    6.2 Morbit does not currently hold a formal information-security certification (such as ISO/IEC 27001 or SOC 2). The measures in Schedule 2 are provided in place of certification and may be updated as Morbit's security posture develops.

    7. Sub-processors

    7.1 The Client provides general authorisation for Morbit to engage Sub-processors to process the Personal Data, subject to this clause 7.

    7.2 Morbit shall impose on each Sub-processor data-protection obligations no less protective than those set out in this DPA.

    7.3 Morbit maintains a current list of Sub-processors in Schedule 3. Morbit shall notify the Client by email of any intended addition or replacement of a Sub-processor, so that the Client has the opportunity to object on reasonable data-protection grounds.

    7.4 Morbit remains liable to the Client for the performance of each Sub-processor's data-protection obligations.

    8. AI Insights Processing

    8.1 Where the Client enables the optional AI Insights feature, communications metadata is analysed to generate written reports and insights using Amazon Bedrock, operated within Morbit's Amazon Web Services environment in the EU (Ireland) region.

    8.2 Personal Data processed via AI Insights is not shared with the AI model's provider, is not used to train or improve any AI model, and is not retained by the AI service after the relevant report has been produced. The feature is disabled by default and operates only where the Client has enabled it.

    8.3 The AI Insights feature does not carry out automated decision-making producing legal or similarly significant effects within the meaning of Article 22 UK GDPR.

    9. International Transfers

    9.1 Morbit and its Sub-processors process the Personal Data within the European Economic Area (Republic of Ireland). The Personal Data is not transferred outside the EEA.

    9.2 Should any transfer outside the UK or EEA become necessary, Morbit shall ensure an appropriate transfer mechanism (such as the UK International Data Transfer Agreement or Addendum, or Standard Contractual Clauses) is in place before any such transfer.

    10. Assistance to the Client

    10.1 Taking into account the nature of the processing, Morbit shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligation to respond to requests from Data Subjects exercising their rights under the UK GDPR.

    10.2 Morbit shall assist the Client in ensuring compliance with its obligations relating to security, personal data breach notification, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to Morbit.

    11. Personal Data Breaches

    11.1 Morbit shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting the Personal Data, and shall provide sufficient information to allow the Client to meet any obligation to report the breach to a Supervisory Authority or to Data Subjects.

    12. Return and Deletion

    12.1 On termination or expiry of the Agreement, Morbit shall, at the Client's choice, delete or return all Personal Data processed on the Client's behalf and delete existing copies, unless retention is required by law.

    12.2 Unless the Client requests return or earlier deletion, Morbit shall delete the Personal Data within 30 days of termination or expiry.

    13. Audit and Information

    13.1 Morbit shall make available to the Client the information necessary to demonstrate compliance with Article 28 UK GDPR.

    13.2 Given the nature of the Services, the Client's audit right shall ordinarily be satisfied by Morbit responding to reasonable written information requests and security questionnaires. On-site audits, where genuinely required, shall be on reasonable prior notice, no more than once per year (save where required by a Supervisory Authority), during business hours, and subject to confidentiality.

    14. Liability and Precedence

    14.1 This DPA forms part of the Agreement, and the limitations and exclusions of liability set out in the Terms and Conditions apply to it.

    14.2 In the event of a conflict between this DPA and the remainder of the Agreement in relation to the processing of Personal Data, this DPA shall prevail.

    15. Governing Law

    15.1 This DPA is governed by, and construed in accordance with, the laws of England and Wales, and is subject to the jurisdiction provisions of the Terms and Conditions.

    Schedule 2 — Technical and Organisational Measures

    The following measures apply and may be updated as Morbit's security posture develops:

    • Encryption of Personal Data in transit using TLS 1.2 / 1.3.

    • Hosting within Amazon Web Services in the EU (Ireland) region, relying on AWS's physical and infrastructure security controls. AWS is an ISO/IEC 27001 certified provider.

    • Role-based access controls and least-privilege access to Personal Data.

    • Logical separation of each Client's data within the Services.

    • Logging and monitoring of system and security events.

    • Timely application of security patches and updates.

    • Confidentiality obligations on all personnel with access to Personal Data.

    Schedule 3 — Sub-processors

    Current Sub-processors engaged by Morbit:

    • Amazon Web Services, Inc — cloud hosting and infrastructure, and the Amazon Bedrock AI service used for the optional AI Insights feature. Processing location: EU (Ireland). Purpose: hosting and operation of the Services, and AI analysis of communications metadata where AI Insights is enabled.

    For the avoidance of doubt, the Client's own communications providers (for example Microsoft 365 or Zoom), which the Client authorises Morbit to access via API, are the Client's own systems and are not Sub-processors of Morbit.

    Last updated: 15 June 2026.