Data Processing Agreement

Version 1.0 — Effective Date: November 26, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SolarScanner ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to use our services. This DPA governs the processing of personal data by SolarScanner on behalf of the Controller pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under the UK GDPR and other applicable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.

"Data Subject" means the individual to whom Personal Data relates, specifically visitors to the Controller's website who interact with the SolarScanner widget.

"Services" means the SolarScanner widget and associated platform that enables solar energy estimates and lead generation on the Controller's website.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor provides an embeddable widget that collects information from website visitors to generate solar energy estimates and facilitate lead capture for the Controller.

2.2 Nature and Purpose

Processing is performed to: (a) provide solar estimate calculations; (b) collect and transmit lead information to the Controller; (c) provide analytics on widget usage; and (d) improve Service functionality.

2.3 Duration

Processing continues for the duration of the Controller's use of the Services and for such period thereafter as required for data deletion or return.

3. Categories of Personal Data

The following categories of Personal Data may be processed through the Services:

Category | Data Elements
Contact Information | Name, email address, phone number
Location Data | Property address, GPS coordinates, Google Place ID
Technical Data | IP address, browser type, device information, screen resolution
Analytics Data | Page URLs, referrers, UTM parameters, session identifiers, widget interactions
Solar Analysis Data | System size estimates, panel configurations, energy production calculations
Uploaded Files | Energy bills (if provided by Data Subject)

4. Processor Obligations

The Processor shall:

  • (a) Process Personal Data only on documented instructions from the Controller, unless required by applicable law;
  • (b) Ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
  • (c) Implement appropriate technical and organizational security measures as described in Section 7;
  • (d) Assist the Controller in responding to Data Subject requests as described in Section 8;
  • (e) Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations;
  • (f) Delete or return all Personal Data upon termination as described in Section 10;
  • (g) Make available information necessary to demonstrate compliance with this DPA.

5. Controller Obligations

The Controller shall:

  • (a) Ensure a valid legal basis exists for processing Personal Data through the Services;
  • (b) Provide clear privacy disclosures to Data Subjects regarding the use of the SolarScanner widget;
  • (c) Obtain any required consents from Data Subjects for analytics processing where required by applicable law.

5.1 Analytics and Consent

The widget includes analytics functionality powered by PostHog. The widget automatically detects consent signals from common Consent Management Platforms (including TCF API, Google Consent Mode, and standard consent storage patterns). For visitors in jurisdictions requiring consent, analytics processing only occurs when a valid consent signal is detected. Where no consent signal is detected for such visitors, analytics processing is suppressed.

Controllers targeting visitors in the European Economic Area, United Kingdom, or other jurisdictions requiring prior consent must implement a consent mechanism compatible with standard consent APIs. The Controller is responsible for the content and operation of any consent mechanism on their website.

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors listed in Annex A. The Processor shall impose data protection obligations on Sub-processors equivalent to those in this DPA.

6.2 Changes to Sub-processors

The Processor shall maintain a current list of Sub-processors at www.solarscanner.ai/sub-processors. The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors. The Controller may object to such changes by providing written notice within 14 days, and the parties shall confer in good faith to address concerns.

6.3 Liability

The Processor remains liable to the Controller for the performance of Sub-processor obligations under this DPA.

7. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • (a) Encryption of Personal Data in transit using TLS 1.2 or higher;
  • (b) Encryption of Personal Data at rest;
  • (c) Access controls limiting Personal Data access to authorized personnel;
  • (d) Regular security assessments and updates;
  • (e) Incident response procedures for security events.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to Data Subject requests exercising rights under applicable data protection law (including access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any Data Subject request received directly and shall not respond except on Controller instructions or as required by law.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data breach. Notification shall include: (a) description of the nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.

10. Termination and Data Deletion

Upon termination of the Services or upon Controller request, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days and certify such deletion in writing, unless retention is required by applicable law.

11. International Data Transfers

Personal Data may be transferred to and processed in the United States. Such transfers are conducted in compliance with GDPR Chapter V through one or more of the following mechanisms:

  • (a) The EU-U.S. Data Privacy Framework, where the data importer is certified;
  • (b) Standard Contractual Clauses adopted by the European Commission (Module 2: Controller to Processor), incorporated by reference and available upon request;
  • (c) Other valid transfer mechanisms under applicable law.

The Processor has assessed that current US law, including Executive Order 14086, provides adequate safeguards for transferred Personal Data.

12. Audits

The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA. Upon reasonable notice and subject to confidentiality obligations, the Controller may conduct or commission an audit of the Processor's compliance, provided such audit does not unreasonably disrupt the Processor's operations. The Processor may satisfy audit requests by providing relevant third-party certifications or audit reports.

13. Governing Law

This DPA is governed by the laws specified in the Terms of Service. For matters relating to GDPR compliance, EU law shall govern the interpretation of data protection obligations.

Annex A: Sub-processors

The following Sub-processors are authorized to process Personal Data under this DPA:

Sub-processor | Purpose | Location | Transfer Mechanism
PostHog | Product analytics | United States | SCCs
Supabase | Database and authentication | United States | DPF / SCCs
Cloudflare R2 | File storage | United States | DPF
Google | Maps/Places API, Solar API for address and solar calculations | United States | DPF
Zapier | CRM webhook integration | United States | DPF
Resend | Email delivery | United States | SCCs

DPF = EU-U.S. Data Privacy Framework; SCCs = Standard Contractual Clauses

Annex B: Data Retention

Data Type | Retention Period
Lead/Contact Data | Duration of account + 30 days
Analytics Data (PostHog) | 7 years
Uploaded Files | Duration of account + 30 days

Contact

For data protection inquiries: support@solarscanner.ai