Data processing agreement
This Data Processing Agreement (“DPA”) is entered into between:
A. The company stated in the Subscription Agreement (as defined below)
(“Data Controller”)
and
B. Koan Adventures Ltd
The Growth Hub
Stroud Road
Cirencester
GL7 6JR
United Kingdom
Reg. no. 8641729
(“Data Processor”)
1. Background
1.1 The Data Controller determines the purposes and methods of the processing of Personal Data (as defined below).
1.2 The Data Processor has agreed to provide the Services (as defined below) on the terms set out in the Subscription Agreement (as defined below).
1.3 The Parties wish to supplement the Subscription Agreement with this DPA to formalize the terms and conditions applicable to the processing of Personal Data.
1.4 The purpose of this DPA is to secure adequate safeguards with the respect to the protection of privacy and to ensure that the processing of Personal Data is in accordance with the Data Controller’s and Data Processor’s legal obligations.
2. Agreement
2.1 In addition to this main body of the agreement, this DPA incorporates the following documents:
Annex 1 Instructions for processing
2.2 In the event that any provision of this DPA is inconsistent with any term(s) of the Subscription Agreement, this DPA shall prevail.
3. Definitions
3.1 For the purposes of this DPA, the expressions set out below have the following meanings:
- Approved Purpose. Means the processing i) required to fulfil the purpose of the Subscription Agreement or ii) as otherwise agreed between the Data Controller and the Data Processor in writing.
- Approved Territory. Means the territory or territories identified in Annex 1 where the Personal Data can be processed.
- Data Subject. Means the living individual about whom the Data Controller holds Personal Data.
- Personal Data. Has the same meaning as in Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal Data Breach. Means any loss, destruction, damage, alteration or unauthorised access or disclosure of Personal Data or any other non-conformity with this DPA.
- Services. Means the services to be supplied by the Data Processor under the Subscription Agreement.
- Subscription Agreement. Means the subscription agreement for Gift Up!, which becomes effective upon the Data Controller’s creation of an account and the acceptance of the terms and conditions.
- Technical Contact Point. Means the parties’ technical representatives identified in Annex 1.
4. General
4.1 This DPA governs the Data Processor’s processing of the Personal Data it processes on behalf of the Data Controller to perform its Services under the Subscription Agreement. The Data Processor shall process the Personal Data only for the Approved Purpose and in accordance with applicable laws and this DPA.
4.2 The Data Controller retains the formal control of, and all ownership and rights to the Personal Data. The Data Processor shall have no rights in or to the Personal Data other than the non-exclusive, revocable and time limited right to process the Personal Data for the Approved Purpose.
5. Approved purpose of processing
5.1 The Data Processor shall process the Personal Data only for the Approved Purpose. Any processing of the Personal Data for any other purpose is strictly forbidden and will be considered a material breach of this DPA.
6. Approved locations of processing
6.1 The processing of the Personal Data shall only take place in technological environments controlled by the Data Controller, the Data Processor and subcontractors in the Approved Territory. For the avoidance of doubt, processing includes accessing the Personal Data from remote locations.
7. Use of subcontractors
7.1 The Data Controller accepts that the Date Processor is entitled to use subcontractors. The Data Processor shall ensure that any processing of the Personal Data by a subcontractor complies with the requirements set out under this DPA. This includes verifying that the security measures implemented by the subcontractor ensures at least the equivalent level of protection to that required of the Data Processor under this DPA.
7.2 The Data Processor shall ensure that a data processor agreement is entered into between the Data Processor and any subcontractor before such subcontractor processes any Personal Data.
8. Processing of personal data in certain jurisdictions
8.1 Where the processing of Personal Data in Approved Territories does not take place
- within the European Economic Area; or
- a territory that has been designated by the European Commission as ensuring an adequate level of protection pursuant to the Data Protection Directive of 1995 (or its successor)
such processing of Personal Data shall be carried out in accordance with the applicable EU standard clauses for the transfer of Personal Data ( EU Model Clauses). Prior to any processing in such territories, the Data Processor shall, as applicable, enter into and/or shall procure that the subcontractor enter into (each a "data importer" under the EU Model Clauses), the EU Model Clauses with the Data Controller ("data exporter” under the EU Model Clauses), in addition to this DPA. In case of conflict between such EU Model Clauses entered into between the parties and this DPA, the EU Model Clauses will prevail.
8.2 The Data Processor is hereby authorized by the Data Controller to enter into the EU model Clauses agreements with any relevant subcontractor on Data Controller’s behalf for the above mentioned purpose and for any relevant Approved Territory.
8.3 If the Data Controller is required to submit a copy of the executed EU Model Clauses to its local Data Protection Authority, the Data Processor will submit a copy of the executed contract to Data Controller for its submission.
8.4 For the avoidance of doubt, the requirement to ensure that the subcontractors enters into a data processor agreement using the EU Model Clauses where so required under this Section 8 does not relieve the Data Processor from its obligations set out under Section 7, including the obligation to ensure that the security measures adopted by the relevant subcontractor offer at least an equivalent level of protection to the Data Controller and the Data Subjects as the requirements imposed on the Data Processor as set out in this DPA.
9. Technical and organizational security measures
9.1 The Data Processor shall perform its obligations and actions under this DPA with all due skill, care and diligence.
9.2 The Data Processor shall use technical and organisational security measures appropriate to prevent the harm which might result from any unauthorised or unlawful processing, loss, destruction, damage, alternation to or disclosure of the Personal Data and having regard to the nature of the Personal Data which is to be protected.
9.3 Should the Data Processor become aware of any non-conformity with the security requirements set out above, either within its own or within the subcontractor’s organisation, such non-conformity shall be notified to the Data Controller in accordance with the Personal Data Breach procedure set out in Section 11.
10. Secrecy
10.1 The Data Processor shall ensure that it and its employees maintain secrecy and security about any and all Personal Data and that the Personal Data is accessed by the Data Processor’s employees on a need to know basis only.
10.2 The Personal Data shall be considered as confidential information belonging to the Data Controller and/or the Data Subject and shall be subject to confidential handling in accordance with the confidentiality undertakings agreed between the parties in this DPA or elsewhere.
11. Notification of personal data breach
11.1 If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall without undue delay and within 72 hours at the latest, notify the Data Controller and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall contain the following information (if available):
- description of the Personal Data Breach including; the categories and number of Data Subjects concerned; summary of the incident that caused the Personal Data Breach; date and time of the relevant incident; the categories and number of data records concerned and the nature and content of the Personal Data affected;
- description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
- description of recommended measures to mitigate any adverse effects of the Personal Data Breach;
- description of the likely consequences and potential risk that the Personal Data Breach may have towards the affected Data Subject(s); and
- description of the measures proposed or taken by the Data Processor and/or the sub-contractor, as applicable, to address the Personal Data Breach.
11.2 Notice must be sent by email to the Data Controller’s Technical Contact Point identified in Annex 1. The Data Processor’s Technical Contact Point shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller may have.
11.3 Depending of the nature of the Personal Data Breach the Data Controller may be obliged to make a report to the Data Protection Authority in the country it resides. The Data Processor shall, therefore, at the Data Controller’s request, provide any other information reasonably requested by the Data Controller to comply with the relevant data protection regulation and/or inquiries from the Data Protection Authority.
12. Other notifications
12.1 The Data Processor shall:
- without undue delay and in writing, notify the Data Controller of any planned changes in the technical, organisational or financial aspects of the Data Processor’s provision of the Services or the organisation of the Data Processor or its subcontractors and which might have an adverse effect on the Data Processor’s or its subcontractors’ ability or willingness to process the Personal Data in accordance with the instructions of the Data Controller or the requirements set out in this DPA.
- within five (5) calendar days and in writing, notify the Data Controller if it receives: (i) a request from a Data Subject to have access to that person's Personal Data; or (ii) a complaint or request relating to the Data Controller’s and/or its customers’ obligations under relevant data protection laws.
- without undue delay, notify the Data Controller if it receives a request from the competent data protection authority or other competent governmental body requiring the Data Processor or any of its subcontractors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall wherever possible, and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor.
12.2 If the Data Processor is required or requested by any law, regulation, or government or regulatory body to retain any documents or materials that it would otherwise be required to return or destroy under Section 14, it shall, to the extent permitted by law, notify the Data Controller in writing of that retention, giving details of the documents or materials that it must retain. The Data Processor shall not be in breach of Section 14 with respect to the retained documents or materials; however Section 10 shall continue to apply to them.
12.3 Any notifications shall be deemed to be delivered when submitted via email to the Data Controller’s Technical Contact Point. The Data Processor’s Technical Contact Point shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller might have.
13. Breach of agreement
13.1 The Data Processor shall ensure that any material breach is remedied as soon as possible.
13.2 Notwithstanding the above, the Data Controller can with immediate effect instruct the Data Processor to suspend or terminate any further processing of the Personal Data upon the occurrence of any material breach of this DPA.
14. Obligation to delete data
14.1 Personal Data shall not be stored for a longer period than it is necessary to carry out the original purpose for the processing.
14.2 The application permits the Data Controller to migrate Personal Data held by the application and the Data Controller agrees to migrate any and all Personal Data prior to termination of the Subscription Agreement. The Data Processor shall use reasonable commercial endeavours to permit the Data Controller to use the migrate function until expiry of the Subscription Agreement. Where the Subscription Agreement is terminated with immediate effect due to the Data Controller’s breach of this DPA, the Data Processor shall use reasonable commercial endeavours to permit the Data Controller to use the migrate function in the period of 10 days after such termination.
14.3 The Data Processor is not obligated to store any of the Data Controller’s Personal Data after expiry of the Subscription Agreement. The Data Processor shall no later than 30 days after expiry of the Subscription Agreement effectively delete all Personal Data. For the purposes of this provision to effectively delete shall mean that the data is deleted in accordance with best practice industry standards so that Personal Data cannot be reconstructed using any known technology.
14.4 Without limiting the aforementioned, at any given time during the term of this DPA the Data Processor shall effectively delete Personal Data to the extent requested by the Data Controller’s Technical Contact Point or as stated in Annex 1.
15. Term
15.1 This DPA is entered into when the Data Controller accepts this DPA. The acceptance of this DPA is made in connection with the Data Controller’s acceptance of the Subscription Agreement. However, the provisions of this DPA will not become applicable before 25 May 2018. This DPA will remain in force until termination of the Subscription Agreement.
16. Survival of clauses
16.1 Any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after termination of this DPA shall remain in full force and effect.
16.2 To the extent the Data Controller needs to respond to enquiries from Data Protection Authorities or Data Subjects concerning how Personal Data has been processed under the Subscription Agreement and this DPA, the Data Processor shall provide necessary assistance also after the expiry of this DPA.
16.3 For the avoidance of doubt the secrecy and security obligations set out in Section 10 herein, including the employees’, consultants’ etc. obligation to keep Personal Data secret, shall survive the expiry or termination of this DPA.
17. Choice of law and dispute resolution
17.1 This DPA shall be governed and construed in accordance with the law of Denmark. Any dispute, controversy or claim arising out of or in connection with this DPA shall be subject to the exclusive and final jurisdiction of the courts of Denmark.
17.2 In the event that the Data Controller is located in a jurisdiction where judgments rendered by the above mentioned courts cannot be enforced, any dispute, controversy or claim arising out of or in connection with this DPA shall be exclusively and finally settled by arbitration in accordance with the Arbitration Rules of The Danish Institute of Arbitration (Copenhagen Arbitration). The arbitral tribunal shall be composed of one arbitrator, who shall be appointed in accordance with the above arbitration rules. The language to be used in the arbitral proceedings shall be English.
Annex 1 – Instructions for processing
Personal Data to be processed
Categories of Personal Data to be processed under this DPA includes the following categories of data:
- All legal categories of Personal Data which is in accordance with the Approved Purpose. The Data Controller is responsible for and warrants that the Personal Data that the Data Controller’s instructs the Data Processor to process can be lawfully processed by the Data Processor.
Approved Territory
The Approved Territory/Territories for processing of Personal Data are the following regions/countries:
- Microsoft data centers in the EU
Technical Contact Point
The following persons will be the Technical Contact Point between the parties for the purposes of this DPA:
- Data Processor’s Technical Contact Point: gdpr@giftup.com
- Data Controller’s Technical Contact Point: support@giftup.com
Annex 2 – List of sub-processors
We share certain information with companies that may be considered our "sub-processors" under GDPR. This information is limited to the following:
- We use Microsoft Azure to host the data on cloud servers that we pay for. These servers are located within the EU and the UK. We also have checkout nodes in our US and the APAC region that allows Gift Up to resiliently and performantly capture orders close to users in those regions, and transfer them securely to the UK and EU regions for processing.
- We use BugSnag and Sentry to capture any errors that occur within our servers. These contain no PII, but we've added them here for transparency.
- We use HelpScout as help desk software to communicate with you. Although HelpScout isn't a sub-processor used to deliver our services, sometimes these communications includes the personal data of your customers' information, so we've added them here for transparency.