GLADLANE DATA PROCESSING ADDENDUM
Version: 16 June 2026
This Data Processing Addendum ("DPA") forms part of, and is subject to, the Gladlane Terms and Conditions or other written agreement between you ("Customer", "you" or "your") and Gladlane Limited ("Gladlane", "we", "us" or "our") governing your use of the Services (the "Agreement"). It applies to the extent Gladlane processes Personal Data on Customer's behalf in the course of providing the Services.
In the event of any conflict between this DPA and the Agreement in relation to the processing of Personal Data, this DPA prevails.
1. Definitions
Capitalised terms not defined here have the meaning given in the Agreement.
"Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.
"UK GDPR", "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "processing" and "Sub-processor" have the meanings given in the Data Protection Laws.
"Customer Personal Data" means Personal Data contained within the Customer Data that Gladlane processes on Customer's behalf under the Agreement.
"Sub-processor" means any third party engaged by Gladlane to process Customer Personal Data.
2. Roles and scope
2.1 Roles. As between the parties, Customer is the Controller (or, where Customer itself acts as a processor for a third party, the processor) of Customer Personal Data, and Gladlane is the Processor (or sub-processor). Each party shall comply with its obligations under the Data Protection Laws.
2.2 Scope and details of processing. Gladlane processes Customer Personal Data only for the purpose of providing and supporting the Services. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex A.
2.3 Customer responsibilities. Customer is responsible for the accuracy, quality and legality of Customer Personal Data and the means by which it acquired such data, and warrants that it has a valid lawful basis for the processing instructed under this DPA and the necessary rights to provide the data to Gladlane for processing.
3. Processing instructions
3.1 Gladlane shall process Customer Personal Data only on Customer's documented instructions, including as set out in this DPA and the Agreement and as necessary to provide the Services, unless required to do otherwise by applicable law (in which case Gladlane shall, where legally permitted, inform Customer of that requirement before processing).
3.2 Gladlane shall promptly inform Customer if, in its opinion, an instruction infringes the Data Protection Laws. Gladlane is not obliged to monitor Customer's compliance with the Data Protection Laws generally.
4. Confidentiality
Gladlane shall ensure that personnel authorised to process Customer Personal Data are subject to an appropriate duty of confidentiality and process the data only as instructed, and shall limit access to those personnel who need it to provide the Services.
5. Security
5.1 Gladlane shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, having regard to the state of the art, the costs of implementation, and the nature, scope and purposes of processing. A description of those measures is set out in Annex B.
5.2 Customer acknowledges that the measures in Annex B are appropriate as at the date of this DPA and that Gladlane may update them from time to time, provided the level of protection is not materially reduced.
6. Use of Sub-processors
6.1 General authorisation. Customer provides general authorisation for Gladlane to engage Sub-processors to process Customer Personal Data. The Sub-processors engaged as at the date of this DPA are listed in Annex C.
6.2 Sub-processor obligations. Gladlane shall impose on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA, and remains liable to Customer for the performance of each Sub-processor's obligations.
6.3 Changes. Gladlane shall give Customer notice (which may be by updating the list at Annex C or the published sub-processor list and notifying Customer) before adding or replacing a Sub-processor. Customer may reasonably object to a new Sub-processor on data protection grounds within fourteen (14) days of notice. The parties shall work in good faith to resolve the objection; if it cannot be resolved, Customer may terminate the affected Services.
6.4 AI Sub-processors. Gladlane shall ensure that any Sub-processor providing artificial-intelligence or machine-learning inference is contractually prohibited from using Customer Personal Data to train, fine-tune or improve generative or machine-learning models for the benefit of any other customer or third party, and from using Customer Personal Data for any purpose other than providing the contracted processing to Gladlane.
7. Assistance to Customer
7.1 Data Subject requests. Taking into account the nature of the processing, Gladlane shall assist Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects to exercise their rights under the Data Protection Laws. If Gladlane receives such a request directly, it shall, where legally permitted, promptly forward it to Customer and not respond except on Customer's instructions.
7.2 Compliance assistance. Gladlane shall provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and Customer's obligations relating to security and Personal Data Breaches, taking into account the information available to Gladlane.
8. Personal Data Breach
Gladlane shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall provide Customer with information reasonably available to it to assist Customer in meeting its own breach-notification obligations. Such notification is not an acknowledgement of fault or liability.
9. International transfers
9.1 Gladlane and its Sub-processors may process Customer Personal Data outside the United Kingdom, including in the locations identified in Annex C.
9.2 Where Gladlane transfers Customer Personal Data to a country not subject to a UK adequacy decision, it shall ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the relevant provider's certification under an approved framework.
10. Deletion and return
On termination or expiry of the Agreement, Gladlane shall, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, within thirty (30) days of a valid request, unless applicable law requires continued storage. Backup copies are deleted in accordance with Gladlane's standard backup cycle.
11. Audits
Gladlane shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), on reasonable prior notice, during business hours, and subject to confidentiality. Gladlane may satisfy this obligation by providing relevant third-party certifications or audit reports where available.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
13. General
13.1 This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the English courts, unless the Agreement specifies otherwise.
13.2 Except as amended by this DPA, the Agreement remains in full force and effect.
13.3 Privacy queries and notices under this DPA may be sent to security@gladlane.com.
ANNEX A — Details of Processing
Subject matter: Provision of Gladlane's AI-native accounts payable platform and related support.
Duration: For the term of the Agreement, plus the deletion/return period in clause 10.
Nature and purpose of processing: Capturing, extracting, validating, matching, classifying and routing for approval supplier invoices and related financial documents; preparing payments and transmitting payment instructions to third-party payment providers where applicable; generating embeddings of Customer content for semantic search; providing AI-assisted automation; maintaining an audit trail; and providing security, support and the operation of the Services.
Types of Personal Data: - Account and user data: names, work email addresses, job titles, workspace identifiers, role and permission settings, authentication data, and usage and log data. - Personal Data contained within Customer Data, which may include: names and contact details of individuals at suppliers; details of sole traders and other named individuals appearing on invoices, purchase orders, statements or contracts; and, where Customer manages payments through the Services, supplier bank and payment details. - Embeddings derived from Customer content.
Categories of Data Subjects: - Customer's authorised users (for example, finance, accounts payable and approver users). - Individuals whose Personal Data appears in the Customer Data processed through the Services (for example, supplier contacts and named individuals on financial documents).
ANNEX B — Technical and Organisational Measures
Gladlane maintains measures including:
- Encryption: encryption of Customer Personal Data in transit (TLS) and at rest.
- Access control: role-based access on a least-privilege basis; access to Customer Personal Data restricted to personnel and systems that need it to provide the Services; authentication controls, including multi-factor authentication where available.
- Network and infrastructure security: secure, reputable cloud infrastructure; network protections; and protection against common threats.
- Logging and monitoring: logging of relevant system and access events and monitoring for security purposes.
- Resilience and backups: measures to support availability and recovery of data, including backups.
- Secure development: secure software development practices and change management.
- Sub-processor management: due diligence on Sub-processors and contractual data protection obligations.
- Personnel: confidentiality obligations and security awareness for personnel with access to Customer Personal Data.
- Incident response: processes to detect, respond to and notify Personal Data Breaches.
These measures may be updated over time provided the overall level of protection is not materially reduced.
ANNEX C — Sub-processors
Gladlane engages the following Sub-processors. All are bound by data processing agreements requiring appropriate technical and organisational measures.
| Sub-processor | Legal Entity | Country | Service / Purpose | Data Processed |
|---|---|---|---|---|
| Amazon Web Services | Amazon Web Services, Inc. | USA | Cloud infrastructure, compute, storage, and networking | All customer data processed by the platform |
| Anthropic | Anthropic, PBC | USA | AI model inference (Claude) | Prompts and content submitted to AI features |
| Clerk | Clerk, Inc. | USA | User authentication and identity management | Name, email address, authentication credentials |
| Cloudflare | Cloudflare, Inc. | USA | CDN, DDoS protection, and DNS | IP addresses, HTTP request metadata |
| Google (AI) | Google LLC | USA | AI model inference (Gemini) | Prompts and content submitted to AI features |
| OpenAI | OpenAI, LLC | USA | AI model inference (GPT series) | Prompts and content submitted to AI features |
| Render | Render Services, Inc. | USA | Application hosting and deployment infrastructure | All customer data processed by hosted services |
| Slack | Slack Technologies, LLC | USA | Internal team communication and notifications | Operational alerts and internal team data |
| turbopuffer | turbopuffer Inc. | Canada | Vector database and semantic search | Embeddings derived from customer content |
This list is updated periodically. Customers will be notified of material changes in accordance with clause 6.3.
Last updated: June 2026