DATA PROCESSING ADDENDUM FOR CLIENTS

1. Preamble

This Data Processing Addendum, including its exhibits and appendices (“Addendum”), is entered into between Provider and the Client as defined in the applicable “Order,” Master Services Agreement (“Master Agreement”), “Schedule of Services,” and other relevant Service Attachments, and together with those documents forms the Agreement between the parties, by the terms of which the parties agree to be bound.

2. Introduction

In the course of providing its services pursuant to the Master Agreement, Provider processes certain Client Data. This Addendum amends the Agreement to ensure that such Client Data is processed in compliance with applicable data protection principles and legal requirements.

3. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Addendum.

Business Purposes: means the legitimate and specific activities or objectives for which Personal Data is processed by or on behalf of a party, as necessary to perform obligations under the Master Agreement or as otherwise permitted by applicable Data Protection Law. These purposes may include, but are not limited to, delivering services, managing relationships, improving operations, ensuring compliance with legal or regulatory requirements, or other agreed-upon activities relevant to the business relationship.
Client Data: means the Personal Data provided by Client to Provider for processing on behalf of Client, in accordance with the terms of the Master Agreement and this Addendum, and subject to Client’s instructions and applicable Data Protection Law.
Controller, Data Subject, Personal Data, Personal Data Breach, Process, Processor: have the meanings set out in the applicable Data Protection Law, and their cognate and corresponding terms shall be construed accordingly.
Data Protection Law: means all laws and regulations applicable to the Processing of Client Data, including but not limited to the laws and regulations identified in Exhibit B hereto as may be amended, modified, or supplemented from time to time, as applicable.
Effective Date: means the date on which the Master Agreement came into effect.
GDPR: means the EU GDPR and UK GDPR as those terms are defined within Exhibit B, as applicable.
Master Agreement: means the overarching contractual agreement between the parties that governs the general terms and conditions of their business relationship, of which this Addendum forms a part. The Master Agreement sets out the primary obligations, rights, and responsibilities of the parties, while this Addendum supplements those terms specifically in relation to the processing of personal data in compliance with applicable Data Protection Law.
Privacy Regulator: means any regulatory authority responsible for overseeing and enforcing data protection laws, including, but not limited to, the supervisory authorities established under the General Data Protection Regulation (EU) 2016/679 (GDPR) within the European Economic Area (EEA) and the Information Commissioner’s Office (ICO) in the United Kingdom, as well as any other relevant data protection or privacy enforcement authority in applicable jurisdictions.
Restricted Transfer: means any transfer of Client Data protected by applicable Data Protection Laws to a Third Country or an international organization in a Third Country (including data storage on foreign servers).
Standard Contractual Clauses (SCCs): means the standard contractual clauses approved by the European Commission under Regulation (EU) 2016/679 for the transfer of personal data to third countries from the European Economic Area (EEA), and/or the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU SCCs approved by the UK Information Commissioner’s Office (ICO) for the transfer of personal data from the UK, and/or such alternative clauses or frameworks as may be approved by the European Commission or the UK from time to time for ensuring appropriate safeguards for international data transfers.
Subcontractor: means any sub-processor engaged by the processor (or by any other sub-processor of the processor) to process personal data on behalf of the controller.

3.1 All capitalized terms in this Addendum which are used but not defined herein shall have the meanings given to them in the Master Agreement. Except as modified or supplemented above, the definitions of the Master Agreement shall remain in full force and effect.
3.2 This Addendum is subject to the terms of the Master Agreement and is incorporated into the Master Agreement.
3.3 Any reference to writing or written excludes fax but not email.
3.4 In the case of conflict or ambiguity between:
  (a) any provision contained in the body of this Addendum and any provision contained in its exhibits or appendices (excluding any executed SCC), the provision in the body of this Addendum will prevail;
  (b) any of the provisions of this Addendum (or any other provision contained in any of the documents referred to in (a) above) and any executed SCC, the provisions of the executed SCC will prevail;
  (c) any provision contained in the Master Agreement (including any annexures, exhibits, and appendices thereto) and this Addendum, the provisions of this Addendum shall prevail.
4. Personal Data Types and Purposes of Processing

4.1 Client and Provider agree and acknowledge that for the purpose of the Data Protection Law:
  (a) Client is the Controller, and Provider is the Processor.
  (b) Client retains control of Client Data and remains responsible for its compliance obligations under the applicable Data Protection Law, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Provider.
4.2 Exhibit A describes the subject matter, duration, nature and purpose of the processing and Client Data categories and Data Subject types in respect of which Provider may process Client Data to fulfil the Business Purposes.
5. Provider’s Obligations

5.1 Provider will only process Client Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Client’s written instructions. The Addendum and the Master Agreement set out the instructions for Processing Personal Data. Provider will not process Client Data for any other purpose or in a way that does not comply with this Addendum or the Data Protection Law. Provider must promptly notify Client if, in its opinion, Client’s instructions do not comply with the Data Protection Law.
5.2 Provider will promptly comply with any Client written instructions requiring Provider to amend, transfer, delete or otherwise process Client Data, or to stop, mitigate or remedy any unauthorised processing.
5.3 Provider will maintain the confidentiality of Client Data and will not disclose Client Data to third parties unless Client or this Addendum specifically authorises the disclosure, or as required by domestic law, court or regulator. If a domestic law, court or regulator requires Provider to process or disclose Client Data to a third party, Provider must first inform Client of such legal or regulatory requirement and give Client an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
5.4 Provider will reasonably assist Client with meeting Client’s compliance obligations under the Data Protection Law taking into account the nature of the Provider’s processing and the information available to Provider, including in relation to data protection impact assessments and prior consultations with the applicable Privacy Regulator under the Data Protection Law.
6. Provider’s Employees

6.1 Provider will ensure that all of its staff dealing with Client Data:
  (a) are informed of the confidential nature of Client Data and are bound by confidentiality obligations and use restrictions in respect of Client Data;
  (b) have undertaken relevant training on the applicable Data Protection Law relating to handling Personal Data and how it applies to their particular duties; and
  (c) are aware both of Provider’s duties and their personal duties and obligations under the Data Protection Law and this Addendum.

7. Security

7.1 Provider will assist Client in meeting its obligations under Data Protection Law related to the security of Processing including by implementing appropriate technical and organizational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Client Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Client Data including, but not limited to, the security measures set out in Appendix I to Exhibit A.
7.2 Provider must implement such measures to ensure a level of security appropriate to the risk involved taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, including as appropriate:
  (a) the pseudonymisation and encryption of personal data;
  (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  (d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
8. Personal Data Breach

8.1 In the event Provider discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Client Data under its or its subcontractors’ control, Provider shall (i) immediately implement measures to stop the unauthorized access; (ii) secure the Client Data; and (iii) notify Client without undue delay and, in any event, within 72 hours after becoming aware of the breach. The notification shall include, to the extent reasonably possible:
  (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and records concerned;
  (b) the likely consequences of the Personal Data Breach; and
  (c) the measures taken or proposed to address the Personal Data Breach and mitigate its effects.
8.2 Provider shall promptly assist Client in meeting its respective obligations pursuant to applicable Data Protection Law, including notifying the relevant Privacy Regulator and, where applicable, data subjects, by providing relevant information and support as reasonably requested.
8.3 Provider shall take reasonable steps to contain, investigate, and mitigate the Personal Data Breach’s impact, including implementing corrective actions to prevent future occurrences.
8.4 Provider shall not be held liable for the consequences of a Personal Data Breach if it has complied with its obligations under this Addendum and applicable Data Protection Law.
9. Restricted Transfers

9.1 Restricted Transfers of Client Data within the scope of this Addendum shall be conducted in accordance with Exhibit B and applicable Data Protection Laws.
9.2 If the relevant authorities adopt a new version of SCCs as a lawful mechanism for Restricted Transfers in a jurisdiction governing the processing of Client Data, the Parties are deemed to have agreed to the execution of the new version of the SCCs by signing this Addendum, and, if necessary, Provider shall be entitled to update Exhibit A and Exhibit B (and their appendices) accordingly.
9.3 If an alternative transfer mechanism, such as participating in the Data Privacy Framework, is adopted by Provider during the term of the Agreement (an “Alternative Mechanism”), and Provider notifies Client that some or all Restricted Transfers can be conducted in compliance with applicable Data Protection Laws pursuant to the Alternative Mechanism, the Parties will rely on the Alternative Mechanism instead of the transfer mechanisms in Exhibit B for Restricted Transfers to which the Alternative Mechanism applies.
10. Subcontractors

10.1 Client authorizes Provider to continue using those third parties engaged to process Client Data as of the Effective Date and set out within Appendix II to Exhibit A (Subcontractors) and further authorizes Provider and its Subcontractors to appoint additional Subcontractors, provided the obligations of this Section 10 (and the respective obligations of Exhibit B) are met.
10.2 To appoint additional subcontractors, Provider will provide Client with written notice, which will include the details of Processing to be undertaken as described within Appendix II to Exhibit A.
10.3 Provider may only authorize a Subcontractor to process Client Data if:
  (a) Client is provided with written notice as described in Section 10.2 at least 14 days in advance of engaging the additional subcontractor. Client will be deemed to have consented to the additional Subcontractor if no objection is received within 14 days after Provider’s notice; and
  (b) With respect to each Subcontractor, Provider shall:
    (i) conduct due diligence to ensure that the Subcontractor is capable of providing the level of protection and security for Client Data required by this Addendum;
    (ii) disclose, upon request, the results of that due diligence;
    (iii) restrict the Subcontractor’s access to Client Data only to what is necessary to assist Provider in providing the services, and prohibit the subcontractor from accessing Client Data for any other purpose; and
    (iv) ensure that the arrangement between Provider and the subcontractor is governed by a written contract that includes terms which offer at least the same level of protection for Client Data as those set out in this Addendum, to the extent applicable to the nature of the services provided by such subcontractor.
10.4 In the event of an objection, Provider shall not engage the subcontractor for processing Client Data until Client’s concerns are resolved. Provider and Client will work in good faith to address Client’s objections, including by considering alternative subcontractors or providing additional assurances regarding the proposed subcontractor’s compliance measures. If no mutually agreeable resolution is available, Client may terminate the Master Agreement immediately upon written notice to Provider, with no further fees due, other than what has been accrued up to and including the date of termination. Upon notice of termination, Provider shall cease Processing Client Data.
10.5 Where the subcontractor fails to fulfil its obligations under the written agreement with Provider which contains terms substantially the same as those set out in this Addendum, Provider remains fully liable to Client for the subcontractor’s performance of its agreement obligations.
11. Complaints, Data Subject Requests, and Third-Party Rights

11.1 Provider shall, at no additional cost to Client, take appropriate technical and organizational measures and provide reasonable assistance to enable Client to comply with its obligations under Data Protection Law including responding to Data Subject rights requests and regulatory inquiries. Where Client requests assistance that involves significant effort, disproportionate work, or exceeds the scope of Provider’s standard obligations, Client shall reimburse Provider for reasonable costs incurred, subject to prior agreement on those costs. Provider shall promptly notify Client of any Data Subject requests or regulatory communications it directly receives relating to the processing of Client Data and will not respond to such requests without Client’s prior written instructions, except where required by applicable law.
12. Term and Termination

12.1 This Addendum will remain in full force and effect so long as:
  (a) the Master Agreement remains in effect; or
  (b) Provider retains any of Client Data related to the Master Agreement in its possession or control (“Term”).
12.2 Any provisions of this Addendum that expressly or by implication are intended to survive the termination of the Master Agreement, particularly those related to the protection, confidentiality, or secure deletion of Client Data, shall remain in full force and effect.
12.3 If a change in Data Protection Law prevents either party from fulfilling its obligations under this Addendum or the Master Agreement, the parties shall cooperate in good faith to modify the processing activities to ensure compliance. If compliance cannot reasonably be achieved within 30 days, either party may terminate the affected processing activities or, where necessary, the Master Agreement, by providing 30 days’ prior written notice, unless immediate termination is required by law.
13. Data Return and Destruction

13.1 Upon termination or expiry of the Master Agreement or the Term of this Addendum (whichever is the later), Provider shall, at Client’s written request and expense, return Client Data in a commonly used format or securely delete it. If no instructions are received within 15 days after termination, Provider will securely delete all Client Data and shall have no further liability, with Client indemnifying Provider for any claims arising from such deletion.
13.2 Where legal or regulatory obligations require Provider to retain Client Data, Provider shall notify Client and ensure the data is securely retained only for as long as necessary to meet those obligations, after which it will be securely deleted.
13.3 Provider will provide reasonable documentation regarding the handling, retention, and deletion of Client Data upon Client’s request, subject to the reimbursement of reasonable costs for excessive or detailed requests.
14. Amendment and Online Hosting

14.1 Subject to the conditions specified in this Addendum, Provider may host the content of the exhibits and appendices to this Addendum online, and further update such exhibits and appendices, provided that prior notice is given to Client.
14.2 (a) If no objection is received within fourteen (14) days of receipt of the notice, Client will be deemed to have consented to the update. If Client issues notice of non-acceptance, the Parties will cooperate and negotiate in good faith regarding any required updates.
  (b) If no mutually agreeable resolution is available, Client may terminate the Agreement immediately upon written notice to Provider, with no further fees due, other than what has been accrued up to and including the date of termination. Upon notice of termination, Provider shall cease Processing Client Data.
14.3 To the extent that an exhibit or appendix is hosted online, the latest version online shall take precedence over the relevant exhibit or appendix within this Addendum.
15. Audit

15.1 Provider shall permit Client or its authorized representatives to audit Provider’s compliance with this Addendum once per calendar year, upon at least 30 days’ written notice. Audits must be conducted during normal business hours with minimal disruption to Provider’s operations.
15.2 Additional audits may only be conducted if:
  (a) required by a regulatory authority; or
  (b) Client reasonably believes that Provider is in material breach of its obligations under this Addendum or applicable Data Protection Law.
15.3 At Client’s written request, Provider shall:
  (a) conduct an information security audit before commencing the processing of any Client Data and repeat such audits annually; and
  (b) provide Client with a written report summarizing the audit results, including any identified security deficiencies and proposed remedies.
15.4 During any audit, Provider shall provide necessary assistance, subject to the following conditions:
  (a) access will be limited to relevant systems and information strictly necessary to verify compliance;
  (b) Provider will redact or anonymize third-party data or any non-relevant personal data to protect confidentiality; and
  (c) Client shall bear the costs of any additional or extraordinary audits outside the agreed schedule.
15.5 Client agrees to treat all audit findings as confidential and ensure that third-party representatives comply with equivalent confidentiality obligations.
16. Warranties

16.1 Provider warrants and represents that it will process Client Data in compliance with applicable Data Protection Law and other relevant laws and it has no reason to believe that its obligations under the Data Protection Law prevent it from providing the contracted services under the Master Agreement.
16.2 Client warrants and represents that:
  (a) Provider’s use of Client Data as instructed by Client for the agreed Business Purposes will comply with applicable Data Protection Law; and
  (b) it will provide lawful instructions and ensure its own employees, agents, and representatives operate in compliance with applicable Data Protection Law where such instructions or activities affect Provider’s ability to comply with its obligations under this Addendum.
17. Indemnification

17.1 Provider shall indemnify and hold harmless Client against direct and proven costs, claims, damages, or expenses incurred solely as a result of Provider’s material breach of its obligations under this Addendum or applicable Data Protection Law, provided that:
  (a) Client notifies Provider promptly in writing of any claim or potential claim;
  (b) Provider is given sole control over the defense or settlement of the claim; and
  (c) Client provides Provider with reasonable assistance and cooperation in defending the claim, at Provider’s expense.
17.2 Client shall indemnify and hold harmless Provider against direct and proven costs, claims, damages, or expenses incurred solely as a result of:
  (a) Client’s breach of its obligations under this Addendum or applicable Data Protection Law; or
  (b) Client’s provision of unlawful instructions or failure to comply with its responsibilities regarding the processing of Client Data, provided that Provider:
    (i) notifies Client promptly in writing of any claim or potential claim;
    (ii) allows Client sole control over the defense or settlement of the claim; and
    (iii) provides Client with reasonable assistance and cooperation in defending the claim, at Client’s expense.
17.3 The liability of both parties under this clause shall be subject to the limitations of liability set out in the Master Agreement, except where liability cannot be lawfully limited under applicable Data Protection Law.