(A) References to the term “Data Processing Agreement” mean this Agreement and the following schedules attached hereto:
Services, Processing, Personal Data and Data Subjects
The terms and expressions set out in this Agreement shall have the following meanings:
1.1 Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in (ii) any successor legislation to the GDPR or the Data Protection Act 1998;
1.2 “Controller”, “Processor”, “Processing” and “Data Subject” shall have the meanings given to them in the Data Protection Legislation;
1.3 ICO means the Information Commissioner’s Office;
1.4 Personal Data means all such “personal data” as defined in the Data Protection Legislation as is, or is to be, processed by the Processor on behalf of the Controller;
1.5 Services means those services and/or facilities described in Schedule 1 which are provided by the Processor to the Controller and which the Controller uses for the purpose(s) described in Schedule 1.
1.6 “Security Measures” means the security measures set out in Schedule 2.
1.7 Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.
1.8 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.9 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
1.10 A reference to a company shall include any company, corporation or other corporate bodies, wherever and however incorporated or established.
1.11 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular. Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
2.1 The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including the responsibility to ensure the necessary legal basis for collecting, processing and transfer of Personal Data.
2.2 The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to the protection of Personal Data.
2.3 This Agreement concerns the Processor’s processing of Personal Data on behalf of the Controller in connection with the Processor’s provision of the Services or otherwise as described in Schedule 1.
2.4 The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Controller or tasked by the Controller to generate, acquire or organize:
2.5 The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with its documented instructions and in accordance with the Processing Agreement unless otherwise stipulated in applicable statutory laws.
2.6 The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction infringes the Data Protection Legislation.
2.7 The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer or delete the Personal Data.
2.8 The Processor agrees to comply with any reasonable measures required by the Controller, and the Controller agrees to comply with any reasonable measures required by the Processor, to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO.
2.9 Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall:
2.9.1 be resolved that the Controller gives the Processor explicit permission to process the Personal Data outside the European Union where applicable under the transfer obligations of Chapter V of the Data Protection Legislation;
2.9.2 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO;
2.9.3 implement appropriate technical and organizational measures and take all steps necessary to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Controller;
2.9.4 any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or another legal basis for such transfer or disclosure; and
2.9.5 if so requested by the Controller supply details of the technical and organizational systems in place to safeguard the security of the Personal Data held and to prevent unauthorized access.
2.10 The Processor shall notify the Controller (within five working days) if it receives:
2.10.1 a request from a data subject to have access to that person’s Personal Data; or
2.10.2 a complaint or request relating to the Controller’s obligations under the Data Protection Legislation.
2.11 The Processor agrees to provide the Controller with full cooperation and assistance in relation to any complaint or request made, including by:
2.11.1 providing the Controller with full details of the complaint or request;
2.11.2 complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions;
2.11.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller);
2.11.4 providing the Controller with any information requested by the Controller;
2.12 notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.
3.1 The Processor shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by the ICO to ensure an appropriate level of security and these are outlined in Schedule 2.
3.2 The Processor shall assess the appropriate level of security and take into account the risks related to the processing, including risk for accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.3 All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done by means of adequate encryption agreed between the Parties.
3.4 The Processor shall provide reasonable assistance to the Controller, taking into account relevant information available to the Processor, if the Controller is obliged to perform an impact assessment and/or consult ICO in connection with the processing of Personal Data. The Controller shall bear any costs accrued by the Processor related to such assistance.
4.1 The Processor shall notify the Controller without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (“Personal Data Breach”). The Controller is responsible for notifying the Personal Data Breach to the ICO within 72 hours of any such breach.
4.2 The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences, in the reasonable opinion of the Processor, of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.3 In the event the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Controller, including the provision, if available, of necessary contact information to the affected Data Subjects. The Controller shall bear any costs related to such assistance provided by the Processor and to such communication to the Data Subject.
5.1 The Processor may engage another processor (“Sub-processor”) in the processing of the Personal Data without the written consent of the Controller.
5.2 The Processor shall ensure that its data protection obligations set out in this Agreement and the Data Protection Legislation are imposed on any Sub-processors by way of a written agreement. Any Sub-processor shall, in particular, provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Legislation. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor.
6.1 Each party warrants to the other that it will process the Personal Data in compliance with this Agreement and in accordance with the Data Protection Legislation.
6.2 The Parties shall each be liable for and shall indemnify (and keep indemnified) each other against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the other which arise directly or in connection with any data processing activities which are subject to this Agreement.
6.3 LIMITATIONS ON LIABILITIES. IN NO EVENT OR ANY CIRCUMSTANCES WHATSOEVER SHALL ANY PARTY BE LIABLE FOR LOST PROFITS OR OTHER INCIDENTAL OR CONSEQUENTIAL, INDIRECT, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF THEY WERE OTHERWISE FORESEEABLE. EACH PARTY’S TOTAL LIABILITY FOR TORT, CONTRACT AND OTHER DAMAGES SHALL NOT EXCEED THE TOTAL AMOUNT OF ALL MONTHLY SUBSCRIPTION FEES AS DEFINED ON EXHIBIT B PAID TO COMPANY BY THE CUSTOMER IN THE TWELVE-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE UPON WHICH A CLAIM IS FIRST ASSERTED, LESS AGGREGATE DAMAGES PREVIOUSLY PAID BY SUCH PARTY UNDER THIS AGREEMENT. NEITHER PARTY SHALL BE LIABLE FOR ANY CLAIM OR DEMAND AGAINST THE OTHER PARTY BY ANY THIRD PARTY EXCEPT FOR THE INDEMNIFICATION SET FORTH IN THIS SECTION 6. THESE LIMITATIONS OF LIABILITY SHALL APPLY TO ALL CLAIMS AGAINST EACH PARTY IN THE AGGREGATE (NOT PER INCIDENT) AND TOGETHER WITH THE DISCLAIMER OF WARRANTIES SHALL SURVIVE FAILURE OF ANY EXCLUSIVE REMEDIES PROVIDED IN THIS AGREEMENT.
7.1 The Controller is subject to a duty of confidentiality regarding any documentation and information, received by the Processor, related to the Processor’s and its Sub-processors’ implemented technical and organisational security measures.
7.2 The obligations in this Clause 7 shall continue for a period of five years after the cessation of the provision of Services by the Processor to the Controller. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the ICO or a court. Both parties shall, however, where possible, discuss together the appropriate response to any request from the ICO or court for disclosure of information.
8.1 The Processing Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller.
8.2 In the event of the Processor’s breach of the Processing Agreement, the Controller may (i) instruct the Processor to stop further processing of Personal Data with immediate effect; (ii) terminate the Processing Agreement with immediate effect; the Controller may not claim damages for direct economic loss caused by the Processor’s breach, subject always to the provisions (including limitation of liability provisions) of the agreement(s) pursuant to which the Services are provided.
8.3 The Processor shall, upon the termination of this Agreement and at the choice of the Controller or the Processor, delete all the Personal Data collected or used on behalf of the Controller, unless otherwise stipulated in the Data Protection Legislation.
9.1 This Agreement may only be amended by the Parties subject to mutual consent and in accordance with the Data Protection Legislation.
9.2 The Processor shall not subcontract to any third party any of its rights or obligations under this Agreement save for where permitted by the Parties under this Agreement.
9.3 This Agreement shall be governed by the laws of the state of Delaware and subject to the exclusive jurisdiction of the courts of Delaware.
The “Services” referred to in Sub-Clause 1.5 means services as outlined in the Terms of Service. Further description of the Services is set out in the applicable service agreement and documentation.
The Personal Data will be subject to the following basic processing activities:
Information categorization and organization
3. Personal data & Data Subjects
The Personal Data and Data Subjects are processed in accordance with our Data Protection Policy.
The Security Measures are processed in accordance with our Data Protection Policy.