Data Processing Agreement 1.0
Introduction
- SecureAck Limited and Customer are parties to a Services Agreement, End User License, Order Form(s) and/or other services/ordering documents which may be amended from time to time (together, the “Agreement”) and which may involve SecureAck Limited as a processor processing personal data on behalf of the Customer (as a controller).
- This Data Processing Agreement (“DPA”) including appendices and, where applicable, the standard contractual clauses (“SCCs”) defined in Clause 2.1, forms part of the Agreement and is intended to reflect the parties' agreement with respect to the processing of personal data under the Agreement in accordance with the applicable data protection legislation and where applicable the SCCs.
- This Data Processing Agreement is effective from the date the Customer signs the Agreement and will continue until expiration or the termination of the Agreement in accordance with the terms.
Definitions
Term | Definition |
---|---|
“Agreement” | Services Agreement, End User License, Order Form(s) and/or other services/ordering documents; |
“SCCs” | means the standard contractual clauses of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31 and which are available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN; |
“Affiliate” | i. Customer; ii. Customer holding company and ultimate holding company and each of its subsidiary companies and its holding company and ultimate holding company's subsidiary companies from time to time (with "holding company" and "subsidiary" having the meanings given to them in section 1159 of the Companies Act 2006); |
“Customer” | Party identified as the "Customer" in the Agreement; |
“Supplier” | SecureAck Limited trading as SecureAck Limited, registered number 13826087, whose registered office is at 86-90 Paul Street, London, United Kingdom, EC2A 4NE; |
“Applicable Laws” | i. law including any statute, statutory instrument, bye-law, order, regulation, directive, treaty, decree, decision (as referred to in Article 288 of the Treaty on the Functioning of the European Union) (including any judgement, order or decision of any court, regulator or tribunal); ii. legally binding rule, policy, guidance or recommendation issued by any governmental, statutory or regulatory body; and/or iii. legally binding industry code of conduct or guideline; in force from time to time which relates to this Agreement and/or the Services and/or the activities which are comprised in all or some of the Services, the use or application of the output from any part of the Services; |
“Business Day” | A day that is not a Saturday, Sunday or public or bank holiday in England and/or Wales; |
“Services” | The services provided by SecureAck Limited; |
“Agreement Personal Data” | Any Personal Data Processed by SecureAck Limited as instructed by and on behalf of the Customer or its Affiliates; |
“Authorised Sub-Processor” | As defined in clause 6.1; |
Data Protection
The parties acknowledge that under this DPA and for Agreement Personal Data the Customer is the controller and SecureAck Limited is the processor.
Compliance with Laws
- The Supplier shall not cause the Customer to breach any obligation under the Data Protection Legislation.
- The Supplier shall notify the Customer in writing immediately, if in the delivery of the Services as an experienced supplier of the Services, it or they identifies (or identify) any potential areas of actual or potential non-compliance with the Data Protection Legislation.
Authority
- Customer authorises the Supplier to Process the Agreement Personal Data during the term of this DPA as a Data Processor (on its and its Affiliates’ behalf) for the purposes of providing the Services only.
Sub-Processing
- The Supplier shall not engage, use or permit any third party to Process Agreement Personal Data without the prior written consent of the Customer, which may be withheld or subject to conditions at the Customer's discretion. If the Customer has consented to the use of third parties (subsequently, an “Authorised Sub-Processor”) for the Processing of Agreement Personal Data:
- The Supplier shall provide the Customer with advance written notice of any intended changes to any Authorised Sub-Processor, allowing the Customer sufficient opportunity to object;
- The Authorised Sub-Processor’s activities must be specified and the same contractual terms set out in this DPA, imposed on that Authorised Sub-Processor. The Supplier shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to this Agreement and the Data Protection Legislation;
Customer Obligations
- Customer, as the controller of Agreement Personal Data, is the sole party responsible for establishing the lawful basis for the processing of Agreement Personal Data by SecureAck Limited under this DPA and will ensure that it has all the necessary and legal bases and notices in place to enable the lawful processing of Agreement Personal Data for the duration and purpose of the DPA.
- Customer, as the controller of Agreement Personal Data, is further solely responsible for the accuracy and quality of Agreement Personal Data.
- Customer acknowledges that sensitive data is not to be processed under this DPA. Customer will not upload any sensitive data during its use of the Services without prior written consent of SecureAck Limited.
Supplier Obligations
- SecureAck Limited shall (and shall procure that any Authorised Sub-Processor shall):
- Process the Agreement Personal Data only on the documented instructions of the Customer as set out in the DPA and only as otherwise necessary for SecureAck Limited to provide the Services to the Customer or to comply with Applicable Laws;
- Parties agree that any additional instructions outside of the scope of the DPA will be mutually agreed in writing between the parties;
- Ensure that any persons authorised to process the Agreement Personal Data are subject to confidentiality obligations in respect of Agreement Personal Data, are under appropriate statutory obligations of confidentiality, and will not cause the Customer or any of its Affiliates to breach any obligations under the Data Applicable Laws;
- Notify the Customer if SecureAck Limited receives a request and/or complaints from a data subject in relation to that data subject’s personal data. SecureAck Limited shall not respond directly to any data subject;
- Notify the Customer without undue delay and in any event no later than 24 hours after becoming aware of a reasonably suspected or actual personal data breach;
- Notify the Customer without undue delay and in any event within 2 Business Days if the supplier receives any legally binding request for disclosure of the Agreement Personal Data by a law enforcement authority, unless otherwise prohibited such as under criminal law;
- SecureAck Limited, taking into account the nature of the processing and the information available, will assist the Customer in ensuring the Customer's compliance with obligations under Articles 32 to 36 GDPR;
- Implement and maintain appropriate technical and organisational security measures to ensure the security of the Agreement Personal Data;
- Agreement Personal Data will be deleted within 30 days of Agreement expiry or termination;
International Transfers
- If and to the extent that the Customer is located in a jurisdiction which is outside of the European Economic Area ("EEA"), the Customer hereby acknowledges that SecureAck Limited will transfer Agreement Personal Data outside of the European Economic Area ("EEA") (as "data exporter") to the Customer (as "data importer") in connection with the Services. In effecting any such international transfer, SecureAck Limited shall ensure that:
- to the extent that such a transfer is pursuant to the SCCs, that such transfer is subject to Module 4 of the SCCs, where SecureAck Limited acts as a processor of Agreement Personal Data for the purposes of the Services; or
- the transfer otherwise complies with Applicable Laws (for example, carried out to a country in respect of which the European Commission has issued a finding of adequacy for the protection of personal data including, without limitation, the UK, Japan, Switzerland and Canada).
- In relation to international transfers of Agreement Personal Data effected in accordance with clause 6.1.1(a) of this DPA:
- Module 4 of the SCCs will apply and be completed as follows:
- Clause 7, the optional docking clause will apply;
- Clause 11(a), optional data subject redress mechanism, shall not apply;
- Clause 14, processing which involves combining personal data, shall not apply;
- Clause 15, processing which involves combining personal data, shall not apply;
- Clause 17, the SCCs will be governed by the laws of England and Wales;
- Clause 18, any disputes arising from the SCCs shall be resolved by the courts of England and Wales;
- Annex I of the SCCs shall be deemed completed with the information set out in the Schedule to this DPA (which is deemed incorporated into and forms part of the SCCs);
- Annex II of the SCCs shall be deemed completed with the information provided by the Customer to SecureAck Limited or set out in the Agreement by the Customer; and
- all relevant terms in this DPA shall be deemed to supplement the provisions of the SCCs to the extent that they relate to each party's compliance with Article 28 of the GDPR.
- If and to the extent SecureAck Limited adopts any alternative transfer mechanism(s) to legitimise the international transfer of Agreement Personal Data from outside the EEA (as "data exporter") (including without limitation any EU-US transatlantic data privacy framework, approved certification or derogation under the GDPR) ("Replacement Transfer Mechanism"), the Replacement Transfer Mechanism will, on SecureAck Limited giving reasonable notice to the Customer to object to any such mechanism, apply to any transfer of Agreement Personal Data by SecureAck Limited pursuant to this DPA (but only to the extent that a Replacement Transfer Mechanism complies with Applicable Data Protection Legislation and extends to territories to which Agreement Personal Data are transferred outside the EEA by SecureAck Limited).
Audit Rights
- SecureAck Limited shall make available all information reasonably requested by the Customer to satisfy itself that SecureAck Limited is complying with its data protection obligations under this DPA;
- Customer (and/or via its third-party representatives, a data protection authority or any other regulatory body) shall be permitted to audit SecureAck Limited systems during normal business hours provided that:
- Customer shall provide at least 14 days' prior written notice of its intention to carry out an audit;
- all expenses incurred by SecureAck Limited shall be promptly discharged by Customer;
- SecureAck Limited may request that any third-party representative performing an audit on behalf of Customer shall provide written confidentiality undertakings to the reasonable satisfaction of SecureAck Limited and SecureAck Limited shall be entitled to refuse access to any of its premises or records (in any form) until such time as it has received such undertakings; and
- nothing in this DPA shall entitle Customer to access or inspect any records which contain information relating to any other customers of SecureAck Limited and SecureAck Limited shall be entitled to restrict or prevent access to any part of its premises (including, without limitation its server farms or data centres) which it considers in its sole discretion could compromise the security of any information or data relating to such other customers.
Suspension of Processing
- SecureAck Limited will notify the Customer if it comes to its attention that any instructions received in respect of this DPA infringe the provisions of the Data Protection Legislation or other EU or EU Member State data protection provisions. Notwithstanding the foregoing, SecureAck Limited shall have no obligation to review the lawfulness of any instruction received from the Customer.
- SecureAck Limited will notify the Customer if it is no longer able to comply with its obligations pursuant to the Data Protection Legislation and/or this DPA (including the SCCs). Where SecureAck Limited can no longer comply with such obligations, it reserves the right to suspend all processing in relation to Agreement Personal Data (including any transfers of Agreement Personal Data) and seek to resolve its non-compliance or terminate this DPA in accordance with the terms of the Agreement.
Liability
Any claims brought in connection with this DPA will be subject to the terms including, but not limited to, the exclusions and limitations set out in the Agreement.
Jurisdiction
- The courts of England and Wales have exclusive jurisdiction to determine any dispute arising out of or in connection with this Agreement (including in relation to any non-contractual obligations).
- Any party may seek specific performance, interim or final injunctive relief or any other relief of similar nature or effect in any court of competent jurisdiction.
Governing Law
- This Agreement and any non-contractual obligations arising out of or in connection with it will be governed by the law of England and Wales.
General Provisions
- In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail regarding the processing of Agreement Personal Data. In the event of any conflict or inconsistency between this DPA and the SCCs, the SCCs shall prevail.
- Any notice to be given by either party for the purposes of this DPA shall be sent by e-mail using the details set out in the Schedule to this DPA. A notice delivered will be deemed received if by e-mail, on the next Business Day after transmission.
- This DPA shall enure to the benefit of and be binding upon the respective parties to this DPA and their respective successors, personal representatives and assigns.
- No modification of any provision of this DPA shall be binding unless it is evidenced in writing and duly executed by or on behalf of each of the parties to this DPA.
Schedule
Annex 1 of the SCCs
Data Exporter: SecureAck Limited
Address: 86-90 Paul Street, London, United Kingdom, EC2A 4NE
Contact Person's name, position and contact details: Data Protection (dataprotection@secureack.com)
Activities relevant to the data transferred under the SCCs:
Categories of data subjects: Clients of the Customer and/or staff/employees/personnel of the Customer.
Categories of personal data: The types of Agreement Personal Data collected are dependent on Customer's use of and interaction with the Services. Examples can include: first name, last name, e-mail address and issues or queries. Any further Agreement Personal Data which may be processed is entirely dependent on what information is uploaded by Customer during its use of the Services.
Categories of sensitive data: None. SecureAck Limited requires that Customer does not upload any sensitive data during its use of the Services. Customer acknowledges that sensitive data is not to be processed under this DPA and accepts full responsibility to notify SecureAck Limited in writing prior to uploading any sensitive data.
Frequency of processing and transfer: Incidental (processing occurs on an ad hoc basis depending on Customer's use of and interaction with the Services).
Nature and subject matter of the processing and transfer:
The nature of the processing of Agreement Personal Data is carried out using computers and/or IT enabled tools, following organisational procedures and modes strictly related to the purposes indicated. The nature of the processing of Agreement Personal Data includes the following (by automated means):
- collecting;
- organising/structuring;
- recording;
- storing;
- consulting/using;
- disclosing; and
- erasing.
Purposes of the processing and transfer:
Agreement Personal Data are collected and transferred by SecureAck Limited for the purposes of providing the Services to the Customer which includes:
- detecting any malicious or fraudulent activity;
- contacting the Customer;
- managing the Customer database;
- managing contacts and sending messages; and
- conducting analytics, heat mapping and session recording.
Duration of Processing: The duration of the Agreement.
Signature and date: This Annex shall automatically be deemed executed when the Agreement is executed by SecureAck Limited.
Role: Processor
Data Importer: "Customer" as detailed in the Agreement
Address: As detailed in the Agreement
Contact Person's name, position and contact details: As detailed in the Agreement
Annex 2 of the SCCs
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of Data
Data Importer: The technical and organisational measures of the data importer as shared by the Customer with SecureAck Limited.