Legal
Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into, and forms part of, the EcoIntel Terms of Service (the “Terms”). It governs the processing of personal data that Ecological Intelligence Ltd (“EcoIntel”, “we”, the “Processor”), registered in England and Wales (No. 16866497), registered office Brimbles, Ashburton, Newton Abbot, England, TQ13 7HU, carries out on behalf of a customer (the “Customer”, the “Controller”) in providing the EcoIntel Land Health System and related services (the “Services”). References in this DPA to the “main agreement” mean the Terms.
1. Definitions
Terms not defined here have the meaning given in the UK GDPR.
- Data Protection Legislation: the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR (Regulation 2016/679), together with any successor or implementing legislation.
- Controller, Processor, Personal Data, Processing, Data Subject, Personal Data Breach, Supervisory Authority: as defined in the Data Protection Legislation.
- Customer Personal Data: Personal Data that EcoIntel processes on behalf of the Customer in providing the Services.
- Sub-processor: any third party engaged by EcoIntel to process Customer Personal Data.
- Transfer Mechanism: the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, the UK-US data bridge (the UK Extension to the EU-US Data Privacy Framework), or another lawful mechanism for international transfers of personal data.
2. Roles and scope of processing
2.1 The Customer is the Controller and EcoIntel is the Processor in respect of Customer Personal Data.
2.2 EcoIntel will process Customer Personal Data only to provide the Services and only on the Customer’s documented instructions, including those in this DPA, the main agreement, and any later written instructions. If EcoIntel considers that an instruction infringes the Data Protection Legislation, it will inform the Customer. Where EcoIntel is required by UK or EU law to process Customer Personal Data otherwise than on the Customer’s instructions, it will inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
2.3 The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Annex 1.
3. EcoIntel’s obligations
EcoIntel will:
3.1 Instructions. Process Customer Personal Data only as set out in clause 2.2.
3.2 Confidentiality. Ensure that the people authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.
3.3 Security. Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, taking account of the state of the art, the costs of implementation and the nature, scope and purposes of processing, as required by Article 32 of the UK GDPR. The measures set out in Annex 2 are the contractual baseline; EcoIntel may add to them but will not materially reduce the overall security of the Services during the term.
3.4 Sub-processors.
(a) The Customer gives a general authorisation for EcoIntel to engage the Sub-processors listed in Annex 3.
(b) EcoIntel will give at least 30 days’ notice of any intended addition or replacement of a Sub-processor (by updating its published sub-processor list or by written notice). The Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected Services; any fee consequences of that termination are as set out in the main agreement.
(c) EcoIntel will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for each Sub-processor’s performance.
3.5 Assistance. Taking account of the nature of the processing, EcoIntel will assist the Customer by appropriate technical and organisational measures, so far as possible, to: (a) respond to Data Subjects exercising their rights; and (b) comply with its obligations on security, Personal Data Breach notification, data protection impact assessments and prior consultation with a Supervisory Authority (Articles 32 to 36 of the UK GDPR). EcoIntel provides reasonable assistance of this kind at no charge; where assistance is extensive or repeated, EcoIntel may charge its reasonable costs, notified in advance.
3.6 Breach notification. Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide the information the Customer reasonably needs to meet its own notification obligations.
3.7 Deletion or return. At the end of the Services, and at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies, unless the law requires EcoIntel to retain it.
3.8 Records and audits. Make available the information reasonably necessary to demonstrate compliance with this clause 3, and allow for and contribute to audits on reasonable prior notice, no more than once a year (unless a Supervisory Authority or a Personal Data Breach requires otherwise), subject to confidentiality and EcoIntel’s security policies. EcoIntel may satisfy this obligation by providing relevant third-party certifications and reports (its own and its Sub-processors’, such as Google Cloud’s ISO 27001 and SOC 2 reports) together with reasonable responses to a security questionnaire, with on-site inspection reserved for where there is good cause. EcoIntel may charge its reasonable costs for audits beyond one per year or beyond this standard support.
3.9 Artificial intelligence. Where EcoIntel uses an AI service (currently Anthropic’s Claude API) to generate the Customer’s reports, Customer Personal Data sent to that service is processed only to produce the outputs the Customer has requested, under this DPA, and is not used to train or improve the AI provider’s models.
4. International transfers
EcoIntel will not transfer Customer Personal Data outside the UK or the European Economic Area unless it has put in place a valid Transfer Mechanism or the transfer is otherwise lawful. The current Sub-processors and the countries in which they process Customer Personal Data are listed in Annex 3; transfers to Sub-processors outside the UK/EEA are covered by the applicable Transfer Mechanism.
5. General
5.1 This DPA forms part of, and is subject to, the main agreement between the parties. Where this DPA and the main agreement conflict on the parties’ data-protection obligations, this DPA prevails; in all other respects, including the allocation and limitation of liability, the main agreement governs.
5.2 This DPA takes effect when the Services begin and continues for as long as EcoIntel processes Customer Personal Data.
5.3 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, without prejudice to any mandatory rights of Data Subjects.
5.4 Each party’s total liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability in the main agreement, except for liability that cannot be excluded or limited under the Data Protection Legislation or other mandatory law.
Annex 1: Details of the processing
- Subject matter: EcoIntel’s provision of the Land Health System and related diagnostic and reporting services.
- Duration: the term of the Services.
- Nature and purpose: hosting, assessing, diagnosing and reporting on the health of land, from data the Customer provides or authorises, and supporting the Customer’s use of the Services.
- Types of Personal Data: account and user contact details (name, email, role); land-holding and business identifiers that may be personal data (for example Single Business Identifier (SBI) numbers, field and parcel boundaries, holding addresses); and any other Personal Data the Customer chooses to submit.
- Categories of Data Subjects: the Customer’s authorised users, and individuals identifiable from the data the Customer submits, such as named landowners, farmers or land managers.
Annex 2: Technical and organisational measures
This Annex is the contractual baseline for the security measures. The summary published at www.ecointel.io/trust may add current detail but does not reduce it.
- Encryption in transit: all connections use TLS.
- Encryption at rest: stored data is encrypted by default (AES-256) on Google Cloud Platform. Backups are additionally encrypted client-side before leaving EcoIntel’s systems, versioned, made immutable, with keys held offline.
- Data location: the primary database is hosted in the United Kingdom (London); encrypted backups are held in the European Union (Amsterdam).
- Access control: access to Customer Personal Data is restricted to a small number of named, authorised personnel under confidentiality.
- Infrastructure: the Services run on Google Cloud Platform, which holds ISO 27001 and SOC 2 certification.
- Resilience: regular, encrypted, versioned, immutable off-site backups.
Annex 3: Sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google Cloud Platform | Application hosting, database, satellite data processing | United Kingdom (London) | Not applicable (UK) |
| Backblaze | Encrypted off-site backups | European Union (Amsterdam) | UK adequacy (the UK recognises the EEA as adequate) |
| Anthropic | AI generation of land-health reports | United States | IDTA |
| Stripe | Payments and billing | European Union (Ireland) | UK adequacy (the UK recognises the EEA as adequate) |
| Cloudflare | Website delivery, security, analytics | United States | UK-US data bridge |
| Microsoft Azure | Sign-in and authentication | United States | UK-US data bridge |
| Google Workspace | Business email and documents | United States | UK-US data bridge |
| Vu Digital | Application development and marketing | United Kingdom | Not applicable (UK) |
| FreeAgent | Accounting and billing administration | United Kingdom | Not applicable (UK) |
The current list is maintained at www.ecointel.io/trust. Transfer mechanisms reflect each provider’s current Data Privacy Framework status (verified on the official DPF list); EcoIntel reviews these if a provider’s status changes.