Data Processing Agreement

For enterprise customers · Last updated: 19 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TechProConsult Limited, the operator of 1ESG · Sustainable ESG ("Processor"), and the customer entity ("Controller"), and applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the Service.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. Capitalised terms not defined here have the meaning given in the GDPR.

2. Subject matter & duration

  • Subject matter: processing of Personal Data necessary to provide the Service.
  • Duration: the term of the underlying Terms of Service plus a 90-day deletion window.
  • Nature & purpose: hosting, computation and reporting of ESG data.
  • Categories of data: business contact data, employee headcount aggregates, supplier contact data, and any Personal Data the Controller chooses to upload.
  • Categories of data subjects: Controller's employees, contractors and supplier contacts.

3. Processor obligations

The Processor will:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures listed in Annex A.
  • Assist the Controller in responding to data subject requests within 5 business days.
  • Notify the Controller of any Personal Data breach without undue delay (within 48 hours of becoming aware).

4. Sub-processors

The Controller authorises the use of the sub-processors listed in Annex B. The Processor will give 30 days' prior notice of any new sub-processor; the Controller may object on reasonable data-protection grounds.

5. International transfers

Personal Data is hosted in EU regions. Where any sub-processor processes data outside the EEA, the parties incorporate the EU Standard Contractual Clauses (Module 2 or 3 as applicable, 2021/914) and supplementary measures as required.

6. Audits

The Processor will provide the Controller with the latest SOC 2-style summary or equivalent evidence on request, and will permit one on-site audit per year on reasonable notice, subject to confidentiality.

7. Deletion / return

On termination, the Controller may export data via the in-product XLSX/CSV export. All Personal Data is deleted from production after 90 days, and from backups within a further 30 days.

8. Liability

Liability under this DPA is governed by the limitation-of-liability clause in the Terms of Service.

Annex A — Security measures

  • TLS 1.3 in transit; AES-256 at rest.
  • Row-Level Security on every multi-tenant table.
  • Bcrypt password hashing; SSO (SAML/OIDC) available on Enterprise.
  • Daily encrypted backups, 30-day retention.
  • Quarterly access reviews; least-privilege IAM.
  • Annual penetration test; continuous dependency scanning.

Annex B — Authorised sub-processors

  • Supabase — managed Postgres & auth (EU / Frankfurt).
  • Cloudflare — edge compute & CDN (global, EU PoPs preferred).
  • Resend — transactional email (EU).
  • Google Cloud (Vertex AI) / OpenAI — AI inference for the co-pilot. No customer data is used for model training.

Signing

To execute a counter-signed copy of this DPA, email legal@techproconsult.com with your company details. We countersign within 2 business days.