Roles and scope
For services in which the Controller provides personal data and Dina Holdings processes that data on the Controller's behalf, Dina Holdings is a Processor and the Controller is the Controller within the meaning of the GDPR, the UK GDPR, and equivalent laws. For data for which we determine the purposes and means of processing, we act as Controller. This addendum applies to processing in our Processor capacity.
Processing details
- Subject matter. Provision of the services agreed in the engagement letter.
- Duration. The term of the engagement plus the retention period in the engagement letter or in our privacy policy.
- Nature and purpose. Hosting, processing, analytics, support, and delivery of the contracted services.
- Categories of data subjects. Controller's employees, customers, prospects, and end users as specified in the engagement.
- Categories of personal data. Contact information, account credentials, transactional records, usage data, and any additional categories specified in the engagement.
Obligations of the Processor
- Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by applicable law
- Ensure personnel authorised to process personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational measures, including those summarised in our security overview
- Respect the conditions set out below for engaging sub-processors
- Assist the Controller in responding to data subject requests by appropriate technical and organisational measures
- Assist the Controller with security, breach notification, data protection impact assessments, and consultation with supervisory authorities
- On termination, delete or return personal data, except where retention is required by law
- Make available all information necessary to demonstrate compliance and contribute to audits
Sub-processors
Dina Holdings maintains a current list of sub-processors at dinaholdings.com/legal/sub-processors. The Controller authorises the use of the listed sub-processors, with the right to object on reasonable grounds to changes prior to engagement of a new sub-processor.
International transfers
Personal data is processed in the United States. Where transfers are made from jurisdictions that require additional safeguards, the parties agree to incorporate the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum as applicable, with appropriate supplementary measures.
Security incidents
Dina Holdings will notify the Controller of any confirmed personal data breach without undue delay and within 72 hours of becoming aware. The notification will include the available facts, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
Liability
Each party's liability under this addendum is subject to the limitations in the engagement letter or the underlying terms of service.
Requesting a counter-signed copy
Email dinaholdingsllc@gmail.com with your engagement reference and Controller details to receive a counter-signed copy.