Data Processing Agreement
This Data Processing Agreement between PrismaNote and Retailers or Brands supplements the Terms of Service.
Under the EU General Data Protection Regulation (GDPR), PrismaNote acts as the ‘Processor’ and PrismaNote users act as the ‘Controller’ in respect of personal data provided by PrismaNote users.
This Data Processing Agreement is an integral part of the Terms of Service. Its provisions override any conflicting clause in the general Terms of Service to the extent of the conflict.
Our privacy policy explains how PrismaNote acts as ‘Controller’ in other situations.
1. Definitions
1.1 The following definitions explain the terminology used in this addendum to the Terms of Service:
DPA
Refers to this Data Processing Agreement.
Terms
Refers to the Terms of Service agreement.
Processor
Refers to PrismaNote.
Controller
Refers to the registered user of the PrismaNote services.
Processing
Any operation performed on personal data, automated or not: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure or destruction.
Data
Information provided by the Controller to the Processor relating to an identified or identifiable natural person, who can be identified directly or indirectly through identifiers such as a name, ID number, location data or online identifier.
Data Subject
An identified or identifiable natural person to whom the Data relates.
Data Breach
A security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data transmitted, stored or otherwise processed.
2. Processing
2.1 Processor undertakes to process all Data in accordance with the GDPR and other applicable laws and regulations.
2.2 Processor may only process the Data on documented instructions from the Controller. Instructions are set out in the Terms or in another written document exchanged between the parties.
2.3 During the term of this DPA, the Controller remains owner of the Data transferred to the Processor. Nothing in this DPA transfers ownership of the Data to the Processor or any third party.
2.4 The Controller warrants that the Data is obtained lawfully and that the Processing requested does not violate any applicable law.
2.5 Data may be processed within the term of this DPA.
3. Personnel
3.1 Processor ensures that all employees, contractors and other persons acting under its authority are bound by a strict confidentiality obligation before being granted access to the Data.
3.2 Processor takes measures to ensure that any person acting under its authority who has access to the Data does not process it except on instructions from the Controller.
4. Security
4.1 Taking into account the state of the art, costs of implementation, nature and purposes of processing, and the risk to the rights and freedoms of Data Subjects, the Processor implements appropriate technical and organisational measures, including: pseudonymisation and encryption; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability of and access to Data after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of these measures.
4.2 The appropriate level of security takes particular account of risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data.
5. Sub-processors
5.1 Processor shall not engage another processor without prior specific or general written authorisation from the Controller. With general authorisation, the Processor informs the Controller of intended changes concerning the addition or replacement of other processors, giving the Controller the opportunity to object within fifteen (15) days of notification.
5.2 Where Processor engages another processor, the same data-protection obligations as set out in this DPA are imposed on that other processor by way of a contract or other legal act. If the other processor fails to fulfil its obligations, the Processor remains fully liable to the Controller for performance.
6. Data Subject Rights
6.1 Processor shall assist the Controller, by appropriate technical and organisational measures, to respond to requests from Data Subjects exercising their rights under the GDPR.
6.2 Processor shall notify the Controller without delay if it or a Sub-processor receives a Data Subject request, and shall not respond to such request except on documented instructions from the Controller, unless required by law applicable to the Processor.
7. Data Breach
7.1 Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting the Data, providing sufficient information to enable the Controller to meet any notification obligations to competent authorities and Data Subjects.
7.2 Processor shall cooperate with the Controller and take all reasonable commercial steps to assist in the investigation, mitigation and remediation of any Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Processor shall provide reasonable assistance to the Controller with any data-protection impact assessments and prior consultations with supervisory authorities, in each case solely in relation to the Processing of Data and taking into account the nature of processing and the information available to the Processor.
9. Deletion or Return of Data
9.1 Subject to sections 9.2 and 9.3, the Processor and any Sub-processor shall promptly and in any event within thirty (30) days of the date of termination of services involving the Processing of Data (the ‘Termination Date’) delete and ensure deletion of all copies of that Data.
9.2 Subject to section 9.3, the Controller may, at its discretion and by written notice to the Processor within seven (7) days of the Termination Date, require the Processor and any Sub-processor to return a complete copy of all Data to the Controller via secure file transfer in a format reasonably specified by the Controller.
9.3 The Processor may retain Data to the extent required by applicable law and only for the period required, provided that confidentiality is maintained and the Data is processed only as required by the applicable law and for no other purpose.
9.4 Processor shall certify in writing to the Controller within sixty (60) days of the Termination Date that it has fully complied with this section 9.
10. Audit Rights
10.1 Subject to this section 10, Processor shall on request make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.
10.2 The Controller’s information and audit rights only arise under section 10.1 to the extent the Terms do not otherwise grant them rights meeting the relevant requirements of the GDPR.
11. Final Provisions
11.1 Any matter not governed by this DPA is governed by the Terms or any Statement of Work or Order concluded between the parties.
11.2 If any part of this DPA is invalid, unlawful or unenforceable, this shall not affect the validity or enforceability of the rest of the Terms.
11.3 Failure to exercise or enforce any right or provision of this DPA does not constitute a waiver of that right or provision.
11.4 Section titles in this DPA are for convenience only and have no legal or contractual effect.
Annex 1: Processor’s technical and organisational measures
Processor implements the following technical and organisational data-security measures pursuant to article 28 GDPR:
Confidentiality
- User rights assignment
- Creation of user profiles
- Authentication via username and password
- Initial passwords replaced with secure individual passwords on first login
- Password requirements such as minimum length and complexity rules
- Periodic password changes
- Authorisation only by the administrator
- VPN technology
- Antivirus software
- Firewall
- Constant updates for antivirus, firewall, OS and other software
- Separation of corporate network and guest WLAN
- Rules for internet and email use (no private use)
- Use of tested and approved data carriers
- Role-based authorisations
- Procedures for revoking access rights
- Separate administrator accounts
- Secure destruction of files and media; encryption of Data in transit (TLS)
- Pseudonymisation via customer / user numbers
Integrity
- Logging of installation and operation of IT systems
- Securing log files (access restricted to the network administrator only)
- Contract or other legal instrument under article 28 GDPR and compliance with these rules
- Evaluation of measures taken by Sub-processors
- PrismaNote employees are bound to data confidentiality
Precautions and safety measures
- Fire doors
- Fire extinguisher with suitable extinguishing agent available
- Periodic data backups
Procedures for regular monitoring and review
- Data-protection management (policies, IT-security guidelines, process descriptions)
- Records of processing activities
- Regular training and awareness of staff
- Confidentiality obligations on employees
- Confidentiality obligations on third parties
- DPA with external providers and Sub-processors pursuant to article 28 GDPR
Last updated: June 2026
