Data Processing Addendum

DPA Terms

1. What is this agreement about?

Purpose. The parties are entering into this Data Processing Agreement (‘DPA’) for the purpose of processing Personal Data (as defined in the DPA Variables section above).
Definitions. Under this DPA:
adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data, and
Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws; and
Business and Service Provider have the same meanings as in the CCPA/CPRA; and
Sub-Processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.

2. What are each party’s obligations?

Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.
Processor/Sub-Processor obligations. Processor will:
only process Personal Data in accordance with this DPA and Controller’s instructions (unless legally required to do otherwise);
not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement;
inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws;
use the technical and organisational measures described in Annex I when processing Personal Data to ensure a level of security appropriate to the risk involved;
notify Controller of a Personal Data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it, as set out in more detail in clauses 6.2. to 6.5.;
ensure that anyone authorised to process Personal Data is committed to confidentiality obligations;
without undue delay, provide Controller with reasonable assistance with:
data protection impact assessments;
responses to data subjects’ requests to exercise their rights under Data Protection Laws in accordance with clause 6.3.; and
engagement with supervisory authorities;
if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and the DPA;
allow for audits at Controller’s request, if the requirements of clause 7 are met; and
return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.
Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

3. Sub-processing

Use of sub-processors. Controller authorises Processor engage other processors (referred to in this section as Sub-Processors) when processing Personal Data. Processor’s existing Sub-Processors are listed in Annex II.
Sub-processor requirements. Processor will: 
require its Sub-Processors to comply with equivalent terms as Processor’s obligations in this DPA;
ensure appropriate safeguards are in place before internationally transferring Personal Data to its Sub-Processor; and
be liable for any acts, errors or omissions of its Sub-Processors as if they were a party to this DPA.
Approvals. Processor may appoint new Sub-Processors provided that they notify the Controller in writing in accordance with the Sub-Processor Notification Period.
Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

4. International Personal Data transfers

Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.
Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data: 
that party will act as the data importer;
the other party is the data exporter; and
the relevant Transfer Mechanism will apply.
Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.
Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):
challenge the request and promptly notify the data exporter about it; and
only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure. 

5. Other important information

Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.
Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order: 
Transfer Mechanism;
DPA; and
Main Agreement.
Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA’s front page as may be updated by a party to the other in writing.
Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter (i.e. data protection) and neither party has relied on any statement or representation of any person in entering into this DPA.
Amendments. Any amendments to this DPA must be agreed in writing.
Assignment. Neither party can assign this DPA to anyone else without the other party's consent. 
Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.

6. Privacy and security

Controller’s  Privacy Requirements. Without limiting any other clause of the DPA or the Main Agreement:
Controller must publish a privacy policy that complies with applicable Data Protection Laws; and
Controller is responsible for the accuracy, quality, integrity and legality of its Data (including Personal Data) and the means by which Controller acquired its Data (including ensuring a legal basis for collection and sharing of Personal Data with the Processor before transferring to Processor).
Processor’s Privacy Requirements: Without limiting any other clause of the DPA or the Main Agreement:
Processor must, in respect of all Personal Data held in connection with the DPA or the Main Agreement, comply with any reasonable requests or directions issued by Controller from time to time arising from the exercise of the functions of any privacy regulator;
Processor must not, in respect of any Personal Data held in connection with the DPA, without the prior written approval of Controller (including in the Main Agreement):
disclose, transfer or permit the disclosure or transfer outside of the information outside of the data location specified (if any) in the Main Agreement; or
allow or permit access to any such information by any person outside of the data location specified (if any) in the Main Agreement.
Complaints handling:  We must inform You within the Breach Notification Period:
if a request is received from a data subject to inspect, access or change Personal Data relating to that person; or
of any privacy complaints received from a data subject or any events relating to Personal Data which may cause the Data Protection Laws to be breached, and comply with the reasonable directions of Controller regarding any request or complaint received.
Mandatory Data Breach Protection: If Processor becomes aware of, or has a reasonable suspicion that there has been any unauthorised access to, or disclosure or loss of, any Personal Data that has been collected from or on behalf of Controller, directly or indirectly, pursuant to the DPA or the Main Agreement, Processor must notify Controller immediately ('Breach'). In the event of a Breach, Processor must:
cooperate with Controller or any appointed authority in relation to any ensuing investigation or enquiry relating to the Breach;
cooperate with Controller or any appointed authority in relation to the preparation of any determination, statement or notice regarding the Breach, and any notifications to affected individuals; and
cooperate with Controller or any appointed authority in relation to the provision of information surrounding the circumstances of the Breach, such information which should include: the Personal Data in question; the data subjects that are likely to be affected by the Breach; details of the security measures in place and how these may be improved; and all other information relevant for an investigation.
Processor must follow Controller’s reasonable directions in relation to any interactions We have with any individuals who may be potentially potentially affected by a Breach or a notification under clause 6.5.
Notification processes:
In the event of a disagreement between You and Us as to whether or not a Notification should be provided, the disagreeing Party must provide written notice of the basis of its disagreement to the other Party. The Parties must act in good faith to agree on whether or not to provide the Notification.
If a party reasonably believes there is a legal requirement to submit a Notification, following the process set out in clause 6.7.1 above, either party may elect to provide a Notification, with written notice to the other party.

7. Audit

SOC 2 report. Controller acknowledges that Processor is regularly audited against SOC 2 standards by an independent third-party auditor. Controller acknowledges that a recent SOC 2 audit report will, unless clause 7.2. or 7.3. applies,, satisfy any requirement of the Controller with respect to a request to conduct an audit of Processor.
Breach as exceptional circumstances. In the event of a Breach as defined in clause 6.4., Controller may request an audit of Processor’s security and data processing practices.
Conditions on audits. If Controller requires an audit of Processor’s practices which does not fall under clauses 7.1. or 7.2. above, Controller may request an audit of Processor’s practices, provided:
audits are limited to once a year, conducted during business hours; and
Controller reimburses Processor for its reasonable costs in participating in the audit (including internal resources at Processor’s hourly rate).