Data Processing Addendum

Version 1.0 · 12 May 2026

Plain-English summary. This document sets out how Olive handles personal data that you, the client, send to us in the course of using the service. It is required under Article 28 UK GDPR whenever one organisation processes personal data on behalf of another. If you sign up as a paying client, you are agreeing to this Addendum as part of the Terms.

This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Client”) and CSQS Ltd, trading as Olive AI (“Olive”), under which Olive provides AI-powered professional-services work. It governs the processing of Personal Data by Olive on behalf of the Client.

1. Definitions

Terms used in this DPA have the meanings given in the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. In particular, “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject” and “Supervisory Authority” take their UK GDPR meanings.

2. Roles

For Personal Data that the Client sends to Olive in the course of using the service — including the contents of emails, attachments, project files, and any third-party Personal Data contained within them — the Client is the Controller and Olive is the Processor.

For Personal Data Olive collects directly about the Client (account information, billing, support correspondence), Olive is the Controller and the Olive Privacy Policy applies.

3. Subject matter, duration, nature, purpose and data

Subject matter	The provision of AI-assisted professional services (e.g. quantity surveying, design, legal-content drafting, project-management work) and ancillary services to the Client.
Duration	For the term of the Client’s account, plus a reasonable period afterwards for the purposes set out in clause 9.
Nature and purpose	Reading the content of Client requests, generating deliverables, returning them to the Client, and storing the artefacts associated with each job for the Client’s future reference and audit.
Types of Personal Data	Names, contact details, business affiliations, project addresses, financial figures, and any other Personal Data the Client includes in messages or attachments sent to Olive.
Categories of Data Subjects	The Client, the Client’s personnel, the Client’s own clients and counterparties, property owners/tenants, professional service providers (architects, engineers, solicitors), and any other individuals whose details appear in Client materials.

4. Olive’s obligations as Processor

Olive will:

Process Personal Data only on the Client’s documented instructions, including with regard to international transfers, unless required to do otherwise by UK or EU law (in which case Olive will inform the Client of that legal requirement before processing, unless the law prohibits this on important grounds of public interest).
Ensure that persons authorised to process the Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those set out in clause 7.
Respect the conditions in clause 5 for engaging Sub-processors.
Assist the Client, by appropriate technical and organisational measures, in fulfilling the Client’s obligation to respond to requests from Data Subjects exercising their rights under UK GDPR.
Assist the Client in ensuring compliance with the Client’s obligations under Articles 32 to 36 UK GDPR, taking into account the nature of processing and the information available to Olive.
At the Client’s choice, delete or return all the Personal Data to the Client after the end of the provision of services, and delete existing copies unless UK or EU law requires storage of the Personal Data.
Make available to the Client all information necessary to demonstrate compliance with the obligations in this clause, and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

5. Sub-processors

The Client gives Olive general authorisation to engage Sub-processors for the provision of the service. Olive’s current Sub-processors are listed at /sub-processors.

Olive will inform the Client of any intended changes to Sub-processors at least 14 days before the change takes effect. The Client may object to the change in writing within that period. If a reasonable objection cannot be resolved, the Client may terminate the affected service on written notice and Olive will refund any pre-paid fees on a pro-rata basis.

Olive will impose data-protection terms on each Sub-processor that are no less protective than those in this DPA.

6. International transfers

Personal Data may be transferred to, and processed in, the United States by Sub-processors based there. Each such transfer relies on one of:

The UK Extension to the EU–US Data Privacy Framework, where the Sub-processor is certified under it; or
The UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, where the Sub-processor is not DPF-certified.

The current safeguard for each Sub-processor is recorded at /sub-processors.

7. Security measures

Olive implements the following measures, in proportion to the risk to Data Subjects:

TLS encryption for all data in transit between the Client, Olive, and Sub-processors.
Server-side session storage and bcrypt-hashed passwords for portal authentication.
Restricted access to project files at the operating-system level. Each Client’s data is sandboxed at filesystem level by a runtime guard.
Encrypted off-site backups with restricted access.
Logging of administrative access and material processing events.
Regular review of access lists and credentials.

8. Personal Data breach

Olive will notify the Client without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting the Client’s data. The notification will include the information required under Article 33(3) UK GDPR to the extent it is available to Olive, and Olive will provide updates as further information becomes available.

9. Return and deletion

On termination of the Client’s account, Olive will, at the Client’s written request, either:

Return all Personal Data held in the Client’s project folder in a commonly used machine-readable format and confirm deletion of the originals; or
Delete all Personal Data held in the Client’s project folder and confirm deletion in writing.

Olive may retain Personal Data after termination only where UK or EU law requires it, or where it is necessary for the establishment, exercise or defence of legal claims, and only for so long as those purposes require.

10. Audit

The Client may, on reasonable written notice and no more than once per calendar year (unless a Personal Data breach has occurred), audit Olive’s compliance with this DPA. Olive may satisfy an audit request by providing the Client with a written response to a reasonable set of questions, or by providing an independent third-party audit report where one exists.

11. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the main Terms between the parties.

12. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

13. Order of precedence

In the event of a conflict between this DPA and the main Terms between the parties, this DPA prevails in respect of the subject matter of data protection only.

How to accept this DPA

If you are a paying Client, you accept this DPA when you sign up for the service. If your organisation requires a counter-signed copy of the DPA for internal records, write to [email protected] and we will provide one.

Olive AI is operated by CSQS Ltd, registered in England and Wales. For all data protection enquiries: [email protected].