Schedule 1: Data Protection Agreement ("DPA")
1. DEFINITIONS AND INTERPRETATION
Unless the context requires otherwise, capitalised terms used in this DPA have the meaning given to them below or in the Terms and Conditions above. Where capitalised terms are used in this DPA but are not defined below then such terms have the meaning given to them in the Data Protection Legislation.
Customer Personal Data: the Personal Data processed by the Supplier on behalf of the Customer under this DPA.
Data Protection Legislation: all legislation and regulatory requirements in force from time to time relating to the use of Personal Data and the privacy of electronic communications, including, without limitation (i) any data protection or privacy legislation from time to time in force in the UK including the Data Protection Act 2018 or any successor legislation, as well as (ii) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to data protection and privacy (for so long as and to the extent that the law of the European Union has legal effect in the UK).
Data Subject Request: any request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, right to erasure, right to data portability, right to object to the Processing or its right not to be subject to automated individual decision making.
GDPR: the EU General Data Protection Regulation 2016/679.
Personal Data Breach has the meaning given to it in clause 6.1 of this DPA.
Purpose has the meaning given to it in the Background section of this DPA.
- Clause, Schedule and Annex headings shall not affect the interpretation of this DPA.
- The Schedules and Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules and Annexes.
- Unless otherwise expressly stated, a reference to writing or written includes email but not fax.
- Unless otherwise expressly stated, references to clauses, Schedules and Annexes are to the clauses, Schedules and Annexes of this DPA.
- Any words following the terms including, include, in particular, for example or any other similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or terms preceding those terms.
2. TERM
- This DPA shall commence on the Commencement Date and shall continue in force, unless otherwise terminated in accordance with clause 2.2, until the date the Purpose is completed.
- The Customer may terminate this DPA immediately at any time by giving written notice to the Supplier.
- Termination of this DPA shall be without prejudice to the accrued rights and liabilities of the parties and to those provisions of this DPA which are expressly or by implication intended to survive termination.
3. PROCESSING OF CUSTOMER PERSONAL DATA
- Both parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
- The parties acknowledge and agree that the Supplier is the Processor and the Customer is the Controller of Customer Personal Data Processed under this DPA.
- Annex 1 to this DPA sets out the scope, nature and purpose of the Processing by the Supplier, the duration of the Processing and the types of Personal Data being Processed.
- The Supplier shall process the Customer Personal Data:
- only on written instruction from the Customer;
- strictly as required for the Purpose; and
- in accordance with the terms of this DPA.
- The Supplier shall keep the Customer Personal Data confidential and shall ensure that all personnel who have access to and/or Process Customer Personal Data have received appropriate data protection training and are obliged to keep the Personal Data confidential.
- The Supplier shall assist the Customer in ensuring the Customer’s compliance with its obligations under the Data Protection Legislation with respect to security, Personal Data Breach notifications, impact assessments and consultations with Supervisory Authorities or regulators.
4. RIGHTS OF DATA SUBJECTS
- The Supplier shall notify the Customer without undue delay, and in any event within 48 hours, if the Supplier receives any Data Subject Request or any other complaint, notice or communication from a Data Subject which relates directly or indirectly to the Processing of Customer Personal Data or to either party’s compliance with the Data Protection Legislation.
- Notices under clause 4.1 shall be sent in accordance with the Notices section in the Terms and Conditions.
- The Supplier shall provide Customer with reasonable co-operation and assistance in relation to any such Data Subject Request, complaint, notice or communication including assisting Customer in responding to the Data Subject Request and complying with Customer’s obligations under the Data Protection Legislation.
5. SECURITY MEASURES
- The Supplier shall implement technical and organisational measures to ensure a level of protection for the Customer Personal Data which is appropriate to the data security risks involved in the Processing of the Customer Personal Data. Such measures shall include measures to protect the Customer Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
- The security measures shall include:
- pseudonymisation, anonymisation and encryption of Customer Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing of the Customer Personal Data.
6. SECURITY INCIDENTS AND REGULATORY NOTICES
- The Supplier shall notify the Customer without undue delay, and in any event within 48 hours, if the Supplier becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Personal Data (Personal Data Breach) or receives any complaint, notice or communication from a Supervisory Authority or other regulator, which relates directly or indirectly to the Processing of Customer Personal Data.
- All notices under clause 6.1 shall be sent in accordance with the Notice provision within the Terms and Conditions and shall set out:
- the nature of the Personal Data Breach;
- the number of records affected or potentially affected; and
- the steps proposed by the Supplier to remedy the Personal Data Breach.
- If the Supplier is unable to provide all the information referred to in clause 6.2 within the timeframe specified by clause 6.1 then it must nevertheless notify the Customer of the Personal Data Breach within such time frame.
- The Supplier shall provide the Customer with reasonable co-operation and assistance in relation to any Personal Data Breach or other complaint, notice or communication which relates directly or indirectly to the Processing of Customer Personal Data.
7. SUB-PROCESSORS
- The Supplier shall not use any third party Processor (Sub-Processor) of the Customer Personal Data without the prior written consent of the Customer. The Customer acknowledges that it has pre-approved the Sub-Processors, listed in Annex 2 to this DPA.
- Where the Customer consents to the use of a Sub-Processor, the Supplier shall enter into a written agreement with such Sub-Processor containing data protection terms which are substantially similar to, and in any event no less onerous than, the terms of this DPA.
- If at any time the Customer notifies the Supplier that it has withdrawn its consent for the use of a Sub-Processor then the Supplier shall immediately cease to use such Sub-Processor for any Processing activity under this DPA.
- The Supplier shall remain fully liable to the Customer for all acts and omissions of any Sub-Processor appointed by the Supplier under this DPA.
8. DATA TRANSFERS
- The Supplier shall not transfer or Process any Customer Personal Data outside the European Economic Area without the prior written consent of the Customer. Should the Customer request the Services in a territory which requires transfer of Customer Personal Data outside the European Economic Area, the parties shall ensure that transfer is subject to the Standard Contractual Clauses.
9. RETURN OR DELETION OF CUSTOMER PERSONAL DATA
- The Supplier shall, at any time, including on or after termination of this DPA, at the written direction of the Customer, delete or return the Customer Personal Data and copies thereof to the Customer unless the Supplier is strictly required by applicable law to store a copy of the Customer Personal Data.
- If Supplier is required by applicable law to store any Customer Personal Data then the Supplier shall notify the Customer in writing of such requirement. Any Customer Personal Data retained by the Customer must be limited to that strictly required by applicable law and kept confidential and secure. The obligations under this DPA will continue to apply to any Customer Personal Data retained by the Supplier after termination.
10. INFORMATION REQUIREMENTS AND AUDIT
- The Supplier shall maintain and make available to the Customer all information necessary to evidence the Supplier’s compliance with this DPA, or the Supplier or the Customer’s compliance with Data Protection Legislation.
- The Supplier shall, on reasonable notice, permit the Customer or an auditor appointed by the Customer access to its premises to conduct an audit of the Supplier’s systems, books, records and personnel used or created in the performance of the Supplier’s obligations under this DPA. The Supplier acknowledges that in the case of an actual or suspected Personal Data Breach or where Customer is acting on the instructions of a Supervisory Authority or regulator it may be reasonable for the Customer to request immediate access to the Supplier’s premises.
- The Supplier shall provide reasonable assistance to the Customer or its auditor in carrying out the audit and shall permit the copying of such records and other materials as the Customer reasonably requires.
- The auditor’s cost shall be paid for by the Customer unless the audit reveals a breach of this DPA or the Data Protection Legislation by the Supplier in which case the Supplier shall reimburse the Customer for the auditor’s costs. The Supplier shall bear its own costs of complying with its other obligations under this clause 10.
11. LIABILITY AND INDEMNITY
- At all times during the Term of this DPA and thereafter the Supplier shall indemnify the Customer against all direct claims, liabilities, costs, expenses, damages and losses (including but not limited to any regulatory fines or legal costs and other reasonably and necessarily incurred professional costs and expenses) suffered or incurred by the Customer arising directly from the Supplier’s breach or negligent performance of this DPA or the Supplier’s failure to comply with the Data Protection Legislation. This indemnity shall be subject to the cap in clause 8.3.2 of the Agreement.
12. MISCELLANEOUS
- Unless otherwise expressly stated in this DPA, each party shall bear its own costs of complying with its obligations under this DPA and the Data Protection Legislation.
- The rights and remedies set out in this DPA are cumulative and are not exclusive of any other rights and remedies provided by law.
- This DPA may not be varied other than in writing signed by an authorised representative of each party.
- This DPA and any disputes (including non-contractual disputes) arising out of or in connection with it shall be governed and construed in accordance with English law and the parties submit to the exclusive jurisdiction of the English courts.
ANNEX 1
Processing, personal data and data subjects
1. Scope and nature of Processing
Supplier shall provide its own proprietary JavaScript technology which is deployed on the Customer’s website. This script does not have any access to Customer's network or infrastructure. This script shall enable the Supplier to monitor web page activity of Customer’s clients and prospective clients (only where such clients have accepted the Customer’s Cookies). It shall also enable tracking of calls made to Customer by Customer’s clients. Consequently, the Supplier will view and process the IP addresses of Customer’s clients and the telephone number used to make calls to the Customer. Any personal data processed shall be uploaded to the Supplier’s Hub and displayed in full for authorised administrators from both the Supplier and Customer and in an anonymised format for all other authorised users.
2. Purpose of Processing
The purpose of processing the data is to enable the Customer to review the manner in which its clients arrive at its website, the website activity and consequent phone calls made. Once a phone call is made, the Customer is able to review the duration of the call and set additional fields to review the success of the call.
3. Duration of the Processing
The data is processed from point of interaction with Customer's website to the point at which it is uploaded to the Supplier’s Hub. It is then stored on the Supplier Hub, subject to deletion periods which are agreed between the Supplier and the Customer.
4. Types of Personal Data and Data Subjects
Supplier processes IP addresses and phone numbers of Customer’s clients and prospective clients. Supplier also processes email addresses, names and phone numbers of Customer’s employees working with the Supplier. This is done in order to set up access to the Hub. These details are stored on Supplier’s CRM system.
ANNEX 2
Authorised sub-processors
Name | Services | Location / Transfers |
---|---|---|
Nasstar (number 2150618) whose registered office is at 37 Carr Lane, Hull, HU1 3RE | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls. | United Kingdom (Europe) |
MAGRATHEA TELECOMMUNICATIONS LIMITED (number 04260485) whose registered office is at 5 Commerce Park, Brunel Road, Theale, Berkshire, RG7 4AB | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls. | United Kingdom (Europe) |
CORE TELECOM LIMITED (number 05332008) whose registered office is at Mazhar House, 48 Bradford Road, Stanningley, Leeds | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls. | United Kingdom (Europe) |
DIDWW Ireland Limited 10/13 Thomas Street, The Digital Hub, Dublin 8 | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls. This supplier is used for the provision of non-UK numbers and routing which may involve the transfer of data under Standard Contractual Clauses | Ireland (Europe) |
Equinix Data Centre Reynolds House, 4 Archway, Manchester M15 5RL | Physical Data Centre: The provision of physical security and services in respect to our infrastructure. | Manchester (Europe) |
Melbourne (now iomart) Lovell House, 6 Archway, Manchester M15 5RN | Physical Data Centre: The provision of physical security and services in respect to our infrastructure. | Manchester (Europe) |
AWS | Cloud Storage and transcription | Dublin, Ireland (Europe) |
Inteliquent 550 W. Adams St., Suite 900, Chicago, IL 60661 | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls in North America. | United States |
Bandwidth Telecom 2021 Edwards, Mill Road, Raleigh, North Carolina | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls in North America. | United States / Europe |
ThinkTel Communications Limited 801-3300 Bloor St West, Toronto, Ontario, M8X 2X2 | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls in North America. | Canada |
RapidSwitch Spectrum House, Clivemont Road, Maidenhead, SL6 7FW | Physical Data Centre: The provision of physical security and services in respect to our infrastructure. | Maidenhead and Gosport, United Kingdom |
IDNet | Internet Service and Communications Provider (OFCOM registered and ISO accredited) | London, United Kingdom |
VOXBONE Avenue Louise 489, 6th Floor, Brussels | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls. | Europe / United States |
DIDLogic Limited 20/F, Mongkok Commercial Centre, 16 Argyle Street, Mongkok, Kowloon | Telecommunication Services: The provision of telephone number ranges, and the routing of telephone calls in North America. | Hong Kong |
Voicebase 44 Montgomery Street, San Francisco | Transcription and Conversation Analytics customers only | United Kingdom / United States |
AssemblyAI | Transcription and Conversation Analytics customers only | United Kingdom / EEA |
Sisense UK Limited | Dashboard and data visualisation | United Kingdom / EEA |
Singlestore | Data Warehouse | United Kingdom / EEA |