Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the agreement between LevelSixLabs Ltd and the customer, and governs the processing of personal data carried out on the customer's behalf under UK GDPR.
1. Parties and roles
This DPA is entered into between LevelSixLabs Ltd ("LevelSixLabs", "we", "the Processor"), a company registered in Scotland, United Kingdom, and the organisation that has subscribed to the LevelSixLabs platform ("the Customer", "the Controller").
For the personal data processed through the platform, the Customer is the data controller and LevelSixLabs is the data processor. Where LevelSixLabs engages third parties to process data, those parties act as sub-processors. This DPA reflects the requirements of Article 28 of the UK GDPR.
2. Definitions
- "UK GDPR" means the United Kingdom General Data Protection Regulation as it forms part of UK law under the Data Protection Act 2018.
- "Personal data", "processing", "controller", "processor" and "data subject" have the meanings given in the UK GDPR.
- "Sub-processor" means any third party engaged by LevelSixLabs to process personal data on the Customer's behalf.
- "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
3. Subject matter and scope of processing
LevelSixLabs processes personal data only to provide the platform's services — chemical inventory, equipment and room booking, asset management, sustainability reporting, and related features — and to fulfil the agreement with the Customer.
| Element | Detail |
|---|---|
| Subject matter | Provision of the LevelSixLabs laboratory management platform |
| Duration | For the term of the subscription, plus the retention periods set out below |
| Nature and purpose | Storage, organisation, retrieval and display of laboratory and account data on the Customer's behalf |
| Type of personal data | Names, email addresses, job roles, training records, booking activity, audit log entries, billing contact details |
| Categories of data subjects | The Customer's staff, students, contractors and visitors |
4. Obligations of LevelSixLabs as processor
LevelSixLabs shall:
- Process personal data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by law (in which case we will inform the Customer first, unless prohibited by law);
- Ensure that persons authorised to process the personal data are bound by confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7);
- Respect the conditions for engaging sub-processors set out in Section 5;
- Assist the Customer, taking into account the nature of processing, in responding to data subject rights requests (Section 6);
- Assist the Customer in meeting its obligations relating to security, breach notification, data protection impact assessments, and consultation with the ICO;
- At the Customer's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless retention is required by law (Section 9);
- Make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits.
5. Sub-processors
The Customer provides general authorisation for LevelSixLabs to engage the sub-processors listed below. Each sub-processor is bound by contractual data protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | EU West (London) |
| Vercel, Inc. | Application hosting, CDN, edge functions | US (primary) / EU edge PoPs |
| Stripe, Inc. | Payment processing and subscription billing | US / EU |
| Resend, Inc. | Transactional and notification email | US |
| Anthropic, PBC | Optional AI label scanning (only when explicitly used) | US |
The current, authoritative list is maintained at our Subprocessor List. We will notify the Customer at least 14 days before adding or replacing a sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds.
6. Data subject rights
Taking into account the nature of the processing, LevelSixLabs will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests to exercise data subject rights under the UK GDPR — including access, rectification, erasure, restriction, portability, and objection.
Where a data subject contacts LevelSixLabs directly regarding their personal data, we will, unless legally required to act, refer the request to the relevant Customer without undue delay. Customers and individuals can also use our Privacy Request form.
7. Security measures
LevelSixLabs maintains the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Database-level Row-Level Security enforcing strict per-organisation isolation;
- Role-based access control with per-module, per-action permissions;
- Private file storage accessed only via short-lived signed URLs;
- Authentication via secure, httpOnly session cookies managed by Supabase Auth, with optional Google/Microsoft SSO;
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) applied to all routes;
- An append-only audit log of significant actions;
- Hosting and database providers that hold current SOC 2 Type II attestation reports.
Full detail is available in our Security Overview.
8. Personal data breaches
LevelSixLabs will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's personal data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
Our full process is documented in our Incident Response Process.
9. International transfers and retention
Primary customer data is stored in the London region, referred to above as EU West (London), which is within the United Kingdom. Where a sub-processor processes data outside the UK or EEA (for example, US-based hosting edge functions, payments, email, or optional AI processing), such transfers are made under an appropriate UK GDPR transfer mechanism: the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.
On termination, the Customer may export their data. LevelSixLabs will delete or return personal data within 30 days of the end of the service, unless retention is required by law (for example, billing records retained for statutory accounting periods).
10. Audits
LevelSixLabs will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality obligations. Audits are limited to once per year unless a personal data breach has occurred or an audit is required by a supervisory authority.
11. General
This DPA is governed by the laws of Scotland. In the event of any conflict between this DPA and the main subscription agreement regarding the processing of personal data, this DPA prevails. This is a template provided for transparency; a counter-signed copy can be provided on request for procurement and institutional review.
LevelSixLabs Ltd
Registered in Scotland, United Kingdom.
For any questions about this document, contact us at privacy@levelsixlabs.com