
Data Processing

Effective Date: 11th February 2026

Last Modified: 11th February 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Rehuman Ltd, trading as Longbow Insurance Technology (“Processor”, “Longbow”, “we”, “us”), and the customer identified in the applicable order form or service agreement (“Controller”, “you”), together referred to as the “Parties”.

This DPA sets out the terms on which we will process personal data on your behalf when providing the Longbow platform, as required by Article 28 of the UK GDPR and the Data Protection Act 2018.

2. Definitions

In this DPA, the terms “personal data”, “processing”, “data controller”, “data processor”, “data subject”, “personal data breach”, and “supervisory authority” have the meanings given to them in the UK GDPR. “UK GDPR” means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

3. Scope and Roles

Roles
For the purposes of this DPA, you are the data controller and we are the data processor in respect of personal data contained within insurance documents uploaded to the Longbow platform.

Scope of Processing
The details of the processing are as follows:

Subject Matter
Processing of personal data contained in insurance documents uploaded to the Longbow platform by the Controller.

Duration
For the term of the service agreement between the Parties, plus any retention period agreed herein.

Nature and Purpose
Automated document processing using OCR, document parsing, and LLM technology to extract, structure, and export data from insurance application forms and policy documents for the purpose of reducing manual data entry for the Controller.

Types of Personal Data
Names, addresses, and contact details of policyholders and insured parties; policy reference numbers; coverage and premium details; claims history; and any other personal data contained within uploaded insurance documents.

Categories of Data Subjects
Policyholders, insured parties, claimants, and any other individuals whose personal data is contained in documents uploaded by the Controller.

4. Controller Obligations

The Controller warrants that:

•  It has a lawful basis under applicable data protection law for the processing of personal data by the Processor as contemplated by this DPA
•  It has provided all necessary notices and obtained all necessary consents or authorisations required for the lawful transfer of personal data to the Processor
•  It will comply with its obligations as a data controller under applicable data protection law
•  Its instructions to the Processor will not cause the Processor to violate applicable law

5. Processor Obligations

The Processor shall:

•  Process personal data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law)
•  Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
•  Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in our Security Policy
•  Not engage another processor (subprocessor) without prior written authorisation of the Controller, subject to the subprocessor provisions in Section 7 below
•  Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects exercising their rights under the UK GDPR
•  Assist the Controller in ensuring compliance with Articles 32–36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to the Processor
•  At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires storage
•  Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller

6. Security Measures

The Processor implements the technical and organisational security measures described in the Longbow Security Policy, which is available on our website. These measures include, without limitation:

•  Encryption of personal data in transit and at rest
•  Role-based access controls and the principle of least privilege
•  Secure cloud infrastructure with enterprise-grade providers
•  Audit logging and monitoring
•  Incident response procedures
•  Regular security assessments

The Controller acknowledges that these measures are appropriate having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of data subjects.

7. Subprocessors

General Authorisation
The Controller provides general written authorisation for the Processor to engage subprocessors to assist in providing the Service, subject to the conditions set out in this section.

Current Subprocessors
A list of current subprocessors is maintained on the Longbow Subprocessors page on our website. The Controller confirms that it has reviewed and approved the subprocessors listed as at the date of this DPA.

Notification of Changes
The Processor shall notify the Controller of any intended addition or replacement of subprocessors, providing at least 30 days’ notice before the new subprocessor begins processing personal data. The notification will include the subprocessor’s name, the processing it will perform, and the location of processing.

Objection Right
If the Controller objects to a new subprocessor on reasonable grounds relating to data protection, the Parties will discuss the concerns in good faith. If the Parties cannot reach resolution within a reasonable period, the Controller may terminate the affected services by providing written notice.

Subprocessor Agreements
The Processor shall impose data protection obligations on each subprocessor that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each subprocessor’s obligations.

8. International Transfers

The Processor shall not transfer personal data to a country outside the United Kingdom unless:

•  The transfer is to a country recognised by the UK Secretary of State as providing adequate protection for personal data; or
•  Appropriate safeguards have been put in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
•  Another approved transfer mechanism under UK data protection law applies

Details of international transfers and the safeguards in place are set out in our Privacy Policy and Subprocessors page.

9. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification shall include:

•  A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned
•  The name and contact details of the point of contact where more information can be obtained
•  A description of the likely consequences of the breach
•  A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests from data subjects exercising their rights under the UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

If the Processor receives a request directly from a data subject, it shall promptly notify the Controller and shall not respond to the request directly unless instructed to do so by the Controller or required by applicable law.

11. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with the ICO or other supervisory authority that the Controller is required to carry out under Articles 35 and 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor.

12. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to:

•  Reasonable advance notice of at least 30 days (except in the case of an audit required by a supervisory authority)
•  Audits being conducted during normal business hours and in a manner that minimises disruption to the Processor’s operations
•  The Controller bearing the costs of any audit
•  Audit findings being treated as confidential information

13. Data Deletion and Return

Upon termination or expiry of the service agreement, or upon the Controller’s written request, the Processor shall, at the Controller’s choice:

•  Return all personal data to the Controller in a commonly used, machine-readable format; or
•  Delete all personal data and confirm deletion in writing

Deletion shall be completed within 30 days of the request or termination, unless applicable law requires continued storage, in which case the Processor shall inform the Controller and continue to protect the data in accordance with this DPA.

14. Liability

Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Use, except that nothing in this DPA limits either Party’s liability for breaches of applicable data protection law to the extent such limitation is not permitted by law.

15. Term

This DPA shall remain in effect for the duration of the Processor’s processing of personal data on behalf of the Controller. Obligations that by their nature should survive termination (including confidentiality, data deletion, and audit rights) shall continue in effect after termination.

16. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising from this DPA.

17. Contact

For matters relating to this DPA, please contact:

Rehuman Ltd (trading as Longbow Insurance Technology)

Email: info@longbowtech.co.uk

Registered Address: 14 Grays Inn Road, London, Greater London, United Kingdom, WC1X 8HN

© 2026 Longbow is a trading name of Rehuman Ltd