Data Processing Agreement

Owned and operated by Codedevza AI Ltd
Version: 3.5.2
Effective Date: 11 January 2026

This Data Processing Agreement sets out the terms on which Codedevza AI Ltd processes personal data on behalf of subscribing organisations in connection with the Sustainify AI platform. This Agreement forms part of the overall contractual relationship between Codedevza AI Ltd and the Client and should be read alongside the Privacy Policy, Terms of Use and Master Services Agreement.

1. Parties

Data Controller: The subscribing organisation accessing and using the Sustainify AI platform, referred to throughout as the Client.

Data Processor: Codedevza AI Ltd, a company registered in England and Wales, Company Number 16485057, ICO Registration ZB905842, Covent Garden, London, United Kingdom, referred to throughout as Codedevza AI.

2. Definitions

For the purposes of this Agreement:

  • Personal Data means any information relating to an identified or identifiable natural person as defined under UK GDPR
  • Processing means any operation performed on personal data including collection, storage, use, disclosure or deletion
  • Data Subject means the individual to whom personal data relates
  • Sub-Processor means any third party engaged by Codedevza AI to process personal data on its behalf
  • UK GDPR means the UK General Data Protection Regulation as retained in UK law
  • Data Protection Act 2018 means the UK Data Protection Act 2018 and any amendments

3. Scope and Purpose of Processing

3.1 Codedevza AI processes personal data solely for the purpose of providing and maintaining the Sustainify AI platform and associated services to the Client.

3.2 Processing is carried out strictly on the documented instructions of the Client acting as Data Controller unless otherwise required by applicable law.

3.3 Where Codedevza AI is required by law to process personal data beyond the Client's instructions, Codedevza AI will inform the Client of that requirement before processing unless prohibited by law.

4. Nature of Personal Data Processed

Personal data processed through Sustainify AI may include:

User and account data:

  • Full name, work email address, job title and organisation
  • User role and access permissions
  • Login history and session data
  • Audit trail entries and system access records

Platform submission data:

  • Emissions, energy, waste and sustainability data submitted by users
  • Building and portfolio configuration data
  • Tenant submission data including contact details and usage figures
  • Supplier submission data including contact details and supply chain information
  • Financial data inputs submitted by users
  • Compliance and certification data
  • Social value and TOMs submission data

Technical data:

  • IP addresses and device information
  • Usage logs and analytics data
  • Security monitoring data

5. Categories of Data Subjects

Data subjects whose personal data may be processed include:

  • Organisation administrators and platform users
  • Building managers and data entry personnel
  • Tenant users and tenant representatives
  • Supplier users and supplier representatives
  • Auditors and assurance reviewers
  • Any other individuals whose data is submitted to the platform by the Client

6. Obligations of Codedevza AI as Data Processor

Codedevza AI agrees to:

6.1 Process personal data only on documented instructions from the Client and only for the purposes set out in this Agreement.

6.2 Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations.

6.3 Implement and maintain appropriate technical and organisational security measures as set out in Section 10 of this Agreement.

6.4 Not engage any Sub-Processor without the prior written consent of the Client, except where consent is given generally for categories of Sub-Processors as set out in Section 9.

6.5 Assist the Client, where reasonably practicable, in responding to data subject rights requests including access, rectification, erasure and portability requests.

6.6 Assist the Client in meeting its obligations under UK GDPR in relation to security, breach notification, data protection impact assessments and prior consultation with the ICO.

6.7 At the choice of the Client, delete or return all personal data upon termination of the subscription, unless retention is required by applicable law.

6.8 Make available to the Client all information reasonably necessary to demonstrate compliance with this Agreement.

7. Obligations of the Client as Data Controller

The Client is solely responsible for:

7.1 Ensuring a lawful basis exists for all personal data submitted to the platform including the data of tenants, suppliers, auditors and any other third parties within the portfolio.

7.2 Providing all required privacy notices to data subjects whose data is submitted to the platform.

7.3 Responding to data subject rights requests from individuals within their organisation or portfolio, using assistance from Codedevza AI where applicable under Section 6.5.

7.4 Ensuring the accuracy, completeness and lawfulness of all data submitted to the platform.

7.5 Determining the purposes and means of processing personal data within the platform.

7.6 Notifying affected data subjects and the ICO in the event of a personal data breach where required by UK GDPR.

7.7 Ensuring all users within their organisation comply with applicable data protection laws when using the platform.

Codedevza AI accepts no liability for any failure by the Client to meet these obligations.

8. Data Subject Rights

8.1 Where a data subject submits a rights request directly to Codedevza AI, Codedevza AI will promptly notify the Client and provide reasonable assistance in responding.

8.2 The Client is solely responsible for determining the appropriate response to all data subject rights requests relating to personal data processed through the platform.

8.3 Codedevza AI will not respond directly to data subject rights requests on behalf of the Client without prior written instruction.

9. Sub-Processors

9.1 The Client provides general written consent for Codedevza AI to engage Sub-Processors for the purposes of hosting, infrastructure, security monitoring and platform delivery.

9.2 All Sub-Processors are bound by data protection obligations equivalent to those in this Agreement.

9.3 Codedevza AI remains responsible to the Client for the performance of Sub-Processors to the extent required by UK GDPR.

9.4 A current list of Sub-Processors is available on request by contacting hello@sustainifyai.co.uk.

9.5 Codedevza AI will notify the Client of any intended changes to Sub-Processors. The Client may object to such changes within 14 days of notification. If no objection is received within this period, consent is deemed given.

10. Security Measures

Codedevza AI implements and maintains the following technical and organisational measures to protect personal data:

  • Encryption of personal data in transit using TLS
  • Encryption of personal data at rest
  • Role-based access controls limiting data access to authorised personnel only
  • Multi-factor authentication for platform access
  • Continuous security monitoring and intrusion detection
  • Regular security assessments and vulnerability management
  • Secure cloud infrastructure with reputable hosting providers
  • Incident detection, response and recovery procedures
  • Staff confidentiality obligations and data protection training

Codedevza AI will review and update these measures periodically to maintain an appropriate level of security relative to the risks presented by the processing.

Codedevza AI is not liable for security incidents caused by factors outside its reasonable control including client-side vulnerabilities, compromised user credentials, user negligence, misconfiguration by the Client or third-party system failures.

11. Personal Data Breaches

11.1 Codedevza AI will notify the Client without undue delay, and no later than 72 hours where reasonably practicable, upon becoming aware of a personal data breach affecting data processed under this Agreement.

11.2 Notification will include, to the extent available at the time:

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11.3 The Client is solely responsible for:

  • Assessing whether the breach requires notification to the ICO
  • Notifying the ICO within 72 hours where required
  • Notifying affected data subjects where required
  • Managing all communications with regulatory authorities and data subjects

11.4 Codedevza AI is not liable for any regulatory penalty, fine or reputational damage arising from a breach caused by client-side vulnerabilities, user actions or factors outside Codedevza AI's reasonable control.

12. International Data Transfers

12.1 Codedevza AI will not transfer personal data outside the UK without ensuring that appropriate safeguards are in place in accordance with UK GDPR.

12.2 Where transfers outside the UK are necessary for platform delivery, Codedevza AI will apply adequacy decisions, standard contractual clauses or other appropriate transfer mechanisms recognised under UK law.

12.3 Details of international transfer mechanisms in use are available on request.

13. Data Retention and Deletion

13.1 Codedevza AI retains personal data only for as long as necessary to provide the platform services and meet legal, contractual and audit obligations.

13.2 Upon termination of the subscription, Codedevza AI will, at the Client's written request, delete or return all personal data within a reasonable period unless retention is required by applicable law.

13.3 Codedevza AI's standard data retention schedule is available on request.

14. Audits and Compliance Demonstration

14.1 Codedevza AI will make available all information reasonably necessary to demonstrate compliance with this Agreement upon written request from the Client.

14.2 The Client may request an audit of Codedevza AI's data processing activities no more than once per calendar year with a minimum of 30 days' written notice. Any audit must be conducted during normal business hours and at the Client's expense.

14.3 Codedevza AI may satisfy audit requests through provision of third-party certification, security reports or documented compliance evidence in lieu of direct audit access.

15. Limitation of Liability

15.1 To the fullest extent permitted by law, Codedevza AI's total liability under this Agreement is limited to the subscription fees paid by the Client in the preceding six months or £1,000 GBP, whichever is lower.

15.2 Codedevza AI excludes all liability for:

  • Indirect or consequential loss
  • Loss of profit, revenue or opportunity
  • Reputational damage
  • Regulatory fines or penalties
  • Losses arising from inaccurate or unlawful data submitted by the Client or its users
  • Losses arising from client-side security vulnerabilities or user actions

15.3 Nothing in this Agreement limits liability for death or personal injury caused by negligence or for fraud or fraudulent misrepresentation.

16. Term and Termination

16.1 This Agreement remains in force for the duration of the subscription and terminates automatically upon subscription termination.

16.2 Obligations of confidentiality and data protection survive termination of this Agreement.

17. Changes to This Agreement

Codedevza AI may update this Agreement to reflect changes in applicable law or processing activities. Clients will be notified of material changes. Continued use of the platform following notification constitutes acceptance.

18. Governing Law

This Agreement is governed exclusively by the laws of England and Wales. All disputes fall under the exclusive jurisdiction of the courts of England and Wales.

19. Contact

For data protection queries or to exercise rights under this Agreement:

Codedevza AI Ltd
Covent Garden, London, United Kingdom
Company Number: 16485057
ICO Registration: ZB905842
Email: hello@sustainifyai.co.uk
Website: https://sustainifyai.co.uk