Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of Correla’s Terms and Conditions (and any related documentation), as amended from time to time (the “Agreement”), between the Company and Correla. All capitalised terms not defined in this DPA have the meaning set out in the Agreement.
Definitions and Interpretation
Definitions:
- Authorised Persons: the persons or categories of persons that the Company authorises to give Correla written personal data processing instructions, as identified in Schedule 1, and from whom Correla agrees solely to accept such instructions.
- Business Purposes: the services to be provided by Correla to the Company as described in the Agreement and any other purpose specifically identified in Schedule 1.
- Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
- Company: the entity receiving the Services under the Agreement.
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, and has the meaning of Data Controller given to it in section 6, DPA 2018.
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
- Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the EU GDPR; the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party.
- Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
- EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
- EEA: the European Economic Area.
- Personal Data: any information relating to an identified or identifiable living individual that is processed by Correla on behalf of the Company as a result of, or in connection with, the provision of the services under the Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties.
- Records: has the meaning given to it in Clause 12.
- Term: this DPA's term as defined in Clause 10.
- UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.
The Schedules form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.
A reference to writing or written includes email.
In the case of conflict or ambiguity between:
- any provision contained in the body of this DPA and any provision contained in the Schedules, the provision in the body of this DPA will prevail; and
- any of the provisions of this DPA and the provisions of the Agreement, the provisions of the Agreement will prevail.
Personal data types and processing purposes
The Company and Correla agree and acknowledge that for the purpose of the Data Protection Legislation:
- The Company is the Controller and Correla is the Processor.
- The Company retains control of the Personal Data and remains responsible for compliance with its obligations under the Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions the Company gives to Correla.
- Schedule 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Correla may process the Personal Data to fulfil the Business Purposes.
Our obligations
Correla will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Company’s written instructions. Correla will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. Correla will notify the Company as soon as reasonably practicable if, in Correla’s opinion, the Company’s instructions do not comply with the Data Protection Legislation.
Correla will comply with the Company’s reasonable written instructions requiring Correla to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
Correla will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Company or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Correla to process or disclose the Personal Data to a third party, Correla must first inform the Company of such legal or regulatory requirement and give the Company an opportunity to object to or challenge the requirement, unless the domestic law prohibits the giving of such notice.
Correla will reasonably assist the Company with meeting its compliance obligations under the Data Protection Legislation, taking into account the nature of Correla’s processing and the information available to Correla, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.
Our employees
Correla will ensure that all of its employees:
- are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
- have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
- are aware both of Correla’s duties and of their own personal duties and obligations under the Data Protection Legislation and this DPA.
Correla will take reasonable steps to ensure the reliability, integrity and trustworthiness of Correla’s employees with access to the Personal Data.
Security
Correla will implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Schedule 2.
Correla must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
Personal data breach
Correla will, within 48 hours, and in any event without undue delay, notify the Company in writing if it becomes aware of:
- (a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
- (b) any accidental, unauthorised or unlawful processing of the Personal Data;
- (c) undue loss of availability of the Personal Data; or
- (d) any Personal Data Breach.
Where Correla becomes aware of (a), (b), (c) and/or (d) above, Correla will, without undue delay, also provide the Company with the following written information:
- a description of the nature of (a), (b), (c) and/or (d), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned;
- the likely consequences; and
- a description of the measures taken or proposed to be taken to address (a), (b), (c) and/or (d), including measures to mitigate its possible adverse effects.
Promptly following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Correla will reasonably co-operate with the Company in its handling of the matter, including but not limited to:
- assisting with any investigation;
- making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Company; and
- taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
Correla will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Company’s written consent, except when required to do so by domestic law.
Correla agrees that the Company has, as Controller, the sole right to determine:
- whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Company’s discretion, including the contents and delivery method of the notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Cross-border transfers of personal data
Correla (and any of its sub-processors) must not transfer or otherwise process the Personal Data outside the UK or EEA without obtaining the Company’s prior written consent. Where this consent is provided in writing, Correla will ensure the appropriate transfer mechanism is in place with any sub-processors.
Sub-processors
Correla may only authorise a third party (sub-processor) to process the Personal Data if:
- the Company is provided with an opportunity to object to the appointment of each sub-processor within 10 working days after Correla supplies the Company with full details in writing regarding such sub-processor;
- Correla enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures; and
- Correla maintains responsibility over all of the Personal Data it entrusts to the sub-processor.
The sub-processors approved as at the commencement of the Agreement are set out in Schedule 1, together with each sub-processor's name and location.
Where the sub-processor fails to fulfil its obligations under the written agreement with Correla which contains terms substantially the same as those set out in this DPA, Correla remains fully liable to the Company for the sub-processor's performance of its agreement obligations.
Complaints, data subject requests and third-party rights
Correla must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Company as the Company may reasonably require, to enable the Company to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Company by the Commissioner under the Data Protection Legislation.
Correla must notify the Company without undue delay in writing if Correla receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
Correla must notify the Company without undue delay and in any case within 5 working days, if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
Correla will give the Company its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
Correla must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Company’s written instructions, or as required by domestic law.
Term and termination
This DPA will remain in full force and effect so long as the Agreement remains in effect (the “Term”).
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Personal Data will remain in full force and effect.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations pursuant to the Agreement, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 10 working days, either party may terminate the Agreement on not less than 5 working days' written notice to the other party.
Data return and destruction
At the Company’s request, Correla will give the Company a copy of, or access to, all or part of the Personal Data in Correla’s possession or control in the format and on the media reasonably specified by the Company.
On termination of the Agreement for any reason or expiry of its term, Correla will securely delete or destroy or, if directed in writing by the Company, return and not retain, all or any of the Personal Data related to the Agreement in Correla’s possession or control.
If any law, regulation, or government or regulatory body requires Correla to retain any documents, materials or Personal Data that Correla would otherwise be required to return or destroy, Correla will notify the Company in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
Records
Correla will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (“Records”).
Correla will ensure that the Records are sufficient to enable the Company to verify Correla’s compliance with its obligations under this DPA and the Data Protection Legislation and Correla will provide the Company with copies of the Records upon request.
Audit
Correla will permit the Company and the Company’s third-party representatives to audit its compliance with this DPA’s obligations, on at least 90 days' notice, during the Term. Any audit will take place no more than once per year, except where a breach has been identified, in which case further follow-up audits will be permitted until the breach is remedied. Correla will give the Company and its third-party representatives all reasonable assistance to conduct such audits. The assistance may include:
- reasonable physical access to, remote electronic access to, and copies of the Records and any other information held at Correla’s premises or on systems storing the Personal Data;
- access to and meetings with any of Correla’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
- inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
Notice
- Any notice given to a party under or in connection with this DPA must be in writing and delivered to the individual as identified by each party to the other from time to time.
- Clause 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Schedule 1: Personal data processing purposes and details
Subject matter of processing:
The subject matter of the processing pertains to the management, administration, and operation of the web app toolkit related to the Agreement, which involves handling personal data of heat pump and heating engineers, installers, and homeowners to facilitate the installation and management of heat pumps and system design support.
Duration of Processing:
The duration of the processing will be for the length of the subscription and any retention period stated in the Agreement, unless the law requires its storage.
Nature and Purpose of Processing:
The nature of the processing includes collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction of personal data.
The purpose of processing personal data may include:
- Facilitating the creation and management of installer accounts.
- Enabling installers to enter and manage homeowner addresses and contact details.
- Using homeowner addresses to trigger workflows that retrieve geographical data (longitude and latitude) via a third-party API.
- Capturing the property's Energy Performance Certificate (EPC).
- Retrieving street map images of the property through a third-party API.
- Allowing installers to upload photographs taken during site visits.
Personal Data processed:
- Installer Data: Name, address, email, phone number, account details, avatar images.
- Homeowner Data: Name, address, email, phone number.
- Property Data: Property address, longitude and latitude, floorplans, Energy Performance Certificate, street map images, photos of the property, MCS 031 and MCS 020 reports.
- Usage Data: Log data, IP address, browser type, interaction with the portal.
Data Subject Types:
- Installers and engineers: Individuals who use the portal to manage heat pump installations.
- Homeowners: Individuals whose property information and contact details are entered into the portal by installers.
Approved Sub-processors:
- Ordnance Survey (UK)
- EPC.gov and mygov.scot (UK)
- Google Cloud (Ireland)
- OpenAI (USA)
- HubSpot Ireland Limited (Ireland)
- Google Maps (USA)
- Vercel Inc (USA)
- Supabase Inc (UK/Singapore)
- Functional Software, Inc. d/b/a Sentry (USA)
- Resend (USA)
- API Hero Limited (UK)
- Hotjar Limited (EU)
- Render Services Inc (USA)
- Twilio Inc (UK)
Schedule 2: Security Measures
Information Security Management
Correla operates a corporate Information Security Management System (ISMS) certified to ISO 27001 and Cyber Essentials Plus. The ISMS establishes a risk-based framework for the identification, assessment and treatment of information security risks and governs the design, implementation and operation of security controls across Correla’s corporate and service environments. The ISMS is subject to annual independent external audit and ongoing internal review.
Correla maintains a Security Operations capability responsible for the monitoring and management of security events across its environments. This includes centralised log management and event correlation through a Security Information and Event Management (SIEM) platform, continuous security monitoring, incident detection and response processes, and defined escalation procedures. Security incidents are managed in accordance with documented response plans and, where applicable, contractual notification obligations.
Correla undertakes regular vulnerability assessment, penetration testing and control effectiveness reviews to support continual improvement of its security posture. Security governance is overseen by senior management, with defined accountability for information security, risk management, and compliance.
Data Governance and Protection
Correla manages all information assets under its Data Governance Framework, ensuring compliance with UK GDPR, the Data Protection Act 2018, and internal information management policies. Aireo inherits these same corporate controls.
Core data protection measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Strict access control and activity logging to maintain least-privilege access.
- Data Protection Impact Assessments (DPIAs) for new systems and data flows.
- Regular data quality validation and retention aligned to contractual requirements.
- Secure deletion and disposal following defined retention schedules.
- Mandatory annual staff training in Information Security and GDPR.
Business Continuity and Disaster Recovery
Correla maintains corporate Business Continuity Management (BCM) and Disaster Recovery (DR) procedures aligned to ISO 22301 principles. These ensure that critical business functions and systems can be recovered within defined objectives in the event of a disruption.
Key controls include:
- High-availability hosting and automated backup for SaaS platforms.
- Annual supplier resilience reviews managed by Correla’s Business Continuity and Risk teams.
Change and Release Control
All system changes follow ITIL-aligned change management processes to ensure safe, controlled, and auditable deployment. Changes are logged in industry-standard change management solutions, assessed for impact, and approved by the Change Advisory Board (CAB) before release.
All controls listed can be reviewed with Correla if requested.