Data Processing Addendum
Last updated: 12 April 2026
1. Introduction and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Astraeus Technology Limited, a company registered in England and Wales under number 15162283 ("Agrianta", "we", "us", or the "Processor"), and the customer using the Services ("you" or the "Controller").
This DPA applies whenever we process personal data on your behalf in the course of providing the Services. It is designed to meet the requirements of Article 28 of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR").
By agreeing to our Terms of Service or using the Services, you accept this DPA, which forms a legally binding contract between you and us for the processing of personal data. You do not need to sign or countersign this DPA for it to take effect, but a signed copy is available on request by contacting privacy@agrianta.com.
2. Order of Precedence
If there is any conflict between this DPA and the Terms of Service or any other agreement between the parties, this DPA prevails on matters relating to the processing of personal data. All other provisions of the Terms of Service remain in full force.
3. Definitions
Unless defined below, capitalised terms have the meaning given to them in the Terms of Service or, where relevant, in UK GDPR.
- "Applicable Data Protection Laws" means UK GDPR, the Data Protection Act 2018, EU GDPR, the Privacy and Electronic Communications Regulations 2003, and any other data protection laws that apply to the processing of Customer Personal Data.
- "Customer Personal Data" means personal data that we process on your behalf in order to provide the Services.
- "Data Subject", "personal data", "processing", "controller", and "processor" have the meanings given to them in UK GDPR.
- "Sub-processor" means any third party engaged by us to process Customer Personal Data on our behalf in connection with the Services, as listed on our Sub-processors page.
- "Personal Data Breach" has the meaning given to it in UK GDPR.
4. Role of the Parties
In providing the Services, you act as the Controller and we act as the Processor of Customer Personal Data. Where you use the Services to process personal data on behalf of another controller (for example, a farm business you manage), you remain responsible for ensuring you have authority to instruct us and that your use complies with Applicable Data Protection Laws.
Each party is independently responsible for its own compliance with Applicable Data Protection Laws.
5. Subject Matter, Duration, Nature and Purpose
The subject matter, duration, nature, purpose, types of personal data, and categories of Data Subjects relating to our processing of Customer Personal Data are as follows:
- Subject matter: the provision of the Services described in our Terms of Service, including farm management, livestock monitoring, compliance reporting, alerting, data storage, and AI-powered insights.
- Duration: for the term of your subscription plus any post-termination export period set out in the Terms of Service, subject to deletion or return under Section 13 below.
- Nature and purpose: storing, organising, analysing, displaying, transmitting, and otherwise processing Customer Personal Data to deliver the Services, including transmission to Sub-processors for the purposes set out on our Sub-processors page.
- Types of personal data: names, email addresses, phone numbers, organisational roles, login credentials, payment and billing details, farm location, livestock records, compliance records, device and sensor data, livestock images, audit logs, and user-generated content (for example, notes, task descriptions, and Scout AI prompts).
- Categories of Data Subject: your personnel, team members and farm workers; veterinarians and agricultural advisors you share data with; suppliers and contractors; and other individuals whose personal data appears in farm records you upload.
6. Your Instructions
We will process Customer Personal Data only on your documented instructions, which are:
- the Terms of Service and this DPA;
- the instructions you give us through the configuration, administration, and use of the Services; and
- any additional written instructions you give us from time to time that we agree in writing to act on.
We will promptly inform you if, in our opinion, an instruction infringes Applicable Data Protection Laws. Where we are required by law to process Customer Personal Data other than on your instructions, we will inform you of the legal requirement before processing, unless the law prohibits such notice.
7. Confidentiality
We will ensure that any person we authorise to process Customer Personal Data is subject to a duty of confidentiality, whether contractual or statutory, and is trained on their obligations under Applicable Data Protection Laws.
8. Security of Processing
We will implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security measures are set out in Annex III to this DPA and are reviewed and updated from time to time in line with industry practice. We will not materially reduce the overall level of protection during the term of your subscription.
9. Sub-processors
You grant us general authorisation to engage Sub-processors to process Customer Personal Data, subject to the conditions in this Section 9. The current list of Sub-processors is published at agrianta.com/subprocessors.
Before engaging a new Sub-processor or materially changing an existing one, we will update the Sub-processors page and, where required, give at least 30 days' notice by email to business customers. If you reasonably object to a proposed new Sub-processor on data-protection grounds, you should notify us in writing within that notice period, and we will work in good faith to address your concerns. If we cannot, you may terminate the affected part of your subscription in accordance with the Terms of Service.
We will impose written contractual obligations on each Sub-processor that are substantially the same as those set out in this DPA, including the obligations relating to security, confidentiality, Data Subject rights, and international transfers. We remain responsible to you for the acts and omissions of our Sub-processors in relation to Customer Personal Data.
10. Data Subject Rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.
If we receive a request directly from a Data Subject that relates to Customer Personal Data, we will promptly forward it to you and will not respond ourselves unless you authorise us to or we are legally required to do so.
11. Personal Data Breach Notification
We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Our notification will be made by email to the primary administrator address on your account and will, so far as possible, include the information required by Article 33(3) UK GDPR, namely:
- the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- the likely consequences of the breach and the measures we have taken or propose to take to address it and mitigate its possible adverse effects; and
- the contact point for further information.
We aim to make initial notification within 48 hours of awareness so that you can meet your own 72-hour notification obligation to the UK Information Commissioner's Office (ICO) under UK GDPR. Where information is not available at the time of initial notification, we will provide it in stages as it becomes available.
12. Data Protection Impact Assessments and Consultation
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to help you carry out Data Protection Impact Assessments and, where required, prior consultations with the ICO or other supervisory authority.
13. Deletion and Return of Data
On termination of your subscription, you have 30 days to export Customer Personal Data using our standard export tools. After this period, we will delete Customer Personal Data from our active systems within a further 30 days, except where retention is required by law (for example, financial records retained for 7 years under UK law). Backup copies are purged in line with our standard backup retention cycles, which do not exceed 90 days.
At your written request before the end of the export period, we will provide Customer Personal Data in a commonly used, machine-readable format.
14. Audit Rights
We will make available to you all information reasonably necessary to demonstrate our compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you, subject to the following:
- audits must be scheduled at a mutually agreed time with at least 30 days' written notice, must not occur more than once per calendar year (except following a Personal Data Breach or as required by a supervisory authority), and must not disrupt the Services;
- the auditor must sign a confidentiality agreement with us in a form we reasonably require;
- we may satisfy audit requests by providing copies of independent third-party audit reports or certifications we hold (for example, ISO 27001 or SOC 2 reports, if available); and
- each party bears its own costs unless an audit reveals a material breach of this DPA by us, in which case we will bear the reasonable costs of the audit.
15. International Transfers
Where we transfer Customer Personal Data outside the United Kingdom or the European Economic Area, we will ensure an appropriate transfer mechanism is in place before the transfer takes place. Depending on the Sub-processor and the destination country, this will be one of:
- a UK or EU adequacy decision covering the destination country;
- the UK International Data Transfer Agreement (IDTA) issued by the ICO;
- the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented by the UK Addendum; or
- the EU-US Data Privacy Framework or UK Extension where the recipient is certified.
By agreeing to this DPA you also enter into, and authorise us to enter into on your behalf with Sub-processors, the relevant transfer instrument on the standard terms published by the issuing authority. The parties agree that such transfers are made under the transfer mechanism identified for each Sub-processor on our Sub-processors page. Further details are set out in Annex II.
16. Liability
Each party's liability arising under or in connection with this DPA, whether in contract, tort (including negligence) or otherwise, is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes any liability which cannot be limited or excluded under Applicable Data Protection Laws or other applicable law.
17. Term and Changes
This DPA takes effect on the date you accept the Terms of Service (or first use the Services) and continues for as long as we process Customer Personal Data on your behalf. Obligations that by their nature survive termination (including Sections 11, 13, 14, 15, and 16) will continue to apply after termination.
We may update this DPA from time to time. Where changes are material, we will notify you in advance by email and post the updated version on this page. Your continued use of the Services after the effective date of an update constitutes acceptance of the updated DPA.
18. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales, and is subject to the exclusive jurisdiction of the courts of England and Wales, in each case as provided in the Terms of Service.
Annex I: Details of Processing
List of Sub-processors: the current list is maintained at agrianta.com/subprocessors and is incorporated into this DPA by reference.
Subject matter, duration, nature and purpose, types of personal data, and categories of Data Subject: as set out in Section 5 of this DPA.
Frequency of processing: continuous, for as long as you use the Services.
Annex II: Transfer Mechanisms
For each Sub-processor located outside the United Kingdom and the European Economic Area, the transfer mechanism relied upon is as follows:
- Stripe (United States): EU-US Data Privacy Framework (including UK Extension) and/or Standard Contractual Clauses with UK Addendum.
- Resend (United States): Standard Contractual Clauses with UK Addendum.
- OpenAI (United States): Standard Contractual Clauses with UK Addendum, together with OpenAI's Data Processing Addendum.
- Anthropic (United States): Standard Contractual Clauses with UK Addendum, together with Anthropic's Data Processing Addendum.
Sub-processors located in the United Kingdom or European Economic Area (Zitadel, Sentry, PostHog, Railway) do not require a transfer mechanism under this Annex. Transfers to the UK Livestock Information Service take place within the United Kingdom.
Annex III: Technical and Organisational Security Measures
We maintain technical and organisational measures appropriate to the risks presented by our processing of Customer Personal Data, including:
- Encryption: TLS 1.2 or higher for data in transit; industry-standard encryption for data at rest in databases and object storage.
- Access control: role-based access control, principle of least privilege, multi-factor authentication for administrative access, granular permissions for customer team-member access.
- Network and application security: segregated environments, hardened infrastructure, secure development lifecycle, code review, dependency vulnerability scanning.
- Monitoring and logging: application and security logging, anomaly detection, privileged-access audit trails (including impersonation).
- Penetration testing: periodic independent security assessments.
- Business continuity: regular encrypted backups and tested restoration procedures.
- Personnel: confidentiality obligations, data protection training, background checks where lawful.
- Incident response: documented incident response plan covering detection, containment, investigation, and notification of Personal Data Breaches.
- Sub-processor due diligence: risk assessment and contractual controls for all Sub-processors.