Data Processing Agreement
This Data Processing Agreement (the "Agreement") forms part of the Processor's Terms and Conditions (the "Master Agreement") between Flowpoint Analytics Ltd (the "Processor") and the party that has accepted the Master Agreement (the "Controller").
(A) The Parties entered into the Master Agreement.
(B) Due to the scope and subject-matter of the Master Agreement, it is necessary for the Processor to Process the Personal Data on behalf of the Controller.
(C) This Agreement sets out the additional terms, requirements and conditions on which the Processor shall Process the Personal Data on behalf of the Controller under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) GDPR for contracts between data controllers and data processors.
(D) The date of execution of the Master Agreement shall constitute the date of execution of this Agreement.
Definitions and interpretation
1.1. The Parties acknowledge that, as per the definitions in the Data Protection Legislation, the Controller is a controller and the Processor is a processor, unless otherwise explicitly stated in the Agreement.
1.2. Where the Agreement uses terms that are defined in the Master Agreement, the terms shall have the same meaning as in the Master Agreement.
1.3. The terms used in this Agreement have the following meaning:
"Data Protection Legislation" means all privacy and data protection laws applicable to the Processing, including the GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the Processing of the Personal Data and the privacy of electronic communications, as updated, amended or replaced from time to time.
"Data Subject" means an individual who is a subject of the Personal Data.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and its national implementing laws, including, but not limited to, the UK GDPR as defined in section 3 of the UK Data Protection Act 2018.
"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor as specified herein; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed.
"Processing", "Processes", "Process" and "Processed" mean either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define "processing", "processes", "process" or "processed". The terms include any operation or set of operations performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as well as transferring the Personal Data to third parties.
"Regulation (EU) 2018/1725" means Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
"SCCs" means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
"IDTA" means International Data Transfer Agreement incorporating the Standard Data Protection Clauses issued by the Information Commissioner under S119A(1) Data Protection Act 2018 of the United Kingdom.
1.4. Any reference to “writing” or “written” includes faxes, email and electronic messaging services.
The Personal Data types and the Processing purposes
2.1. The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consent for the Processing instructions it gives to the Processor.
2.2. Subject-matter and nature of the Processing: Provision of services under the Master Agreement, such as analysing the behaviour of the users of the Controller's website. The nature of the Processing activities implies the set of operations, such as collection, recording, organisation, structuring, usage, storage, erasure or destruction of data.
2.3. Duration of the Processing: 6 months after the end of the Master Agreement or earlier if agreed by the Parties.
2.4. Purposes, the Data Subjects, and the Personal Data categories:
| Purposes and activities | Data Subjects | Personal Data categories |
| --- | --- | --- |
| Website analytics | Users of the Controller's website | IP address, UID, email address; activity on the Controller's website (mouse clicks, page scrolls, page reloads, tab switching, repeated clicks, and the timestamps of their actions); details of the devices used (screen size, device type, other details). |
2.5. Security measures:
Access to the database is only possible via a secure and closed VPN connection, with separate credentials;
All communications exposed to the internet are TLS encrypted;
Compulsory prior authentication of the Controller to access the personal data belonging to them and processed by the Processor.
2.6. Subprocessors involved:
| Subprocessor | Service provided | Country |
| --- | --- | --- |
| Intercom | Customer communications management | USA |
| Slack Technologies, LLC | Communication | USA |
| One Drive (Microsoft Corporation) | Document storage | USA |
| iCloud (Apple Inc.) | Document storage | USA |
| Namecheap | Domains and hosting | USA |
| Google Drive (Google LLC) | Document storage | USA |
| Notion Labs, Inc. | Task Management solution and document storage | USA |
| Trello, Inc. | Project Management solution | USA |
| IT contractors | IT development and support | Romania |
| Stripe, Inc. | Payment processing platform | USA |
| Mailchimp | Email marketing platform | USA |
| Loom | Online screen recording tool | USA |
The Processor's obligations
3.1. The Processor shall only Process the Personal Data in accordance with the Controller’s written instructions specified herein. The Processor shall not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Processor shall promptly notify the Controller if, in the Processor’s opinion, the Controller’s instructions would not comply with the Data Protection Legislation.
3.2. The Processor shall promptly comply with any of the Controller’s requests or instructions requiring the Processor to amend, transfer, delete or otherwise Process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
3.3. The Processor shall maintain the confidentiality of all the Personal Data and shall not disclose the Personal Data to third parties, unless the Controller or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Processor to Process or disclose the Personal Data, the Processor shall first inform the Controller of the legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4. The Processor shall reasonably assist the Controller with meeting the Controller’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor’s Processing and the information available to the Processor, including in relation to the Data Subject’s rights, data protection impact assessments and reporting to and consulting with the supervisory authorities under the Data Protection Legislation.
3.5. The Processor shall promptly notify the Controller of any changes to the Data Protection Legislation that may adversely affect the Processor’s performance of the Master Agreement.
3.6. The Processor shall ensure that all its employees with access to the Personal Data:
a. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data
b. have undertaken training on the Data Protection Legislation relating to handling the Personal Data and how it applies to their particular duties; and
c. are aware of both the Processor’s obligations and their personal obligations under the Data Protection Legislation and this Agreement.
3.7. The Processor shall take reasonable steps to ensure the reliability, integrity and trustworthiness of the employees with access to the Personal Data and conduct their background checks consistent with applicable law.
4.1. The Processor shall at all times implement appropriate technical and organisational measures against the unauthorised or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data.
4.2. The Processor shall implement such measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk involved.
4.3. The Controller hereby confirms that technical and organisational measures specified herein are sufficient and appropriate under the Data Protection Legislation and this Agreement.
The Personal Data Breach
5.1. The Processor shall promptly and without undue delay notify the Controller if any Personal Data is lost or destroyed, or becomes damaged, corrupted, or unusable. The Processor shall restore such Personal Data at its own expense.
5.2. The Processor shall immediately and without undue delay notify the Controller if the Processor becomes aware of:
a. any accidental, unauthorised or unlawful Processing of the Personal Data; or
b. any Personal Data Breach.
5.3. Where the Processor becomes aware of (a) and/or (b) of Clause 5.2 hereof, the Processor shall, without undue delay, also provide the Controller with the following information:
a. description of the causes and nature of (a) and/or (b) of Clause 5.2 hereof, including the categories and approximate number of both the Data Subjects and the Personal Data records concerned;
b. the likely consequences; and
c. description of the measures taken or proposed to be taken to address (a) and/or (b) of Clause 5.2 hereof, including measures to mitigate the possible adverse effects.
5.4. Immediately following any unauthorised or unlawful Processing of the Personal Data or the Personal Data Breach, the Parties shall coordinate with each other to investigate the matter. The Processor shall reasonably cooperate with the Controller in the Controller's handling of the matter, including:
a. assisting with any investigation;
b. providing the Controller with physical access to any facilities and operations affected;
c. facilitating interviews with the Processor's employees, former employees and others involved in the matter;
d. making available all relevant records, logs, files, data reporting and other materials required to comply with all the Data Protection Legislation or as otherwise reasonably required by the Controller; and
e. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or the unlawful Processing of the Personal Data.
5.5. The Processor shall not inform any third party of any Personal Data Breach without first obtaining the Controller’s prior written consent, except when required to do so by law.
5.6. The Processor agrees that the Controller has the sole right to determine:
a. whether to provide a notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice; and
b. whether to offer any type of a remedy to the affected Data Subjects, including the nature and extent of such remedy.
5.7. The Processor shall cover all reasonable expenses associated with the performance of the obligations under Clauses 5.2 and 5.4 hereof, unless the matter arose from the Controller’s specific instructions, negligence, wilful default or breach of this Agreement, in which case the Controller shall cover all reasonable expenses.
Cross-border transfers of the Personal Data
6.1. The Controller hereby authorises the Processor to transfer or otherwise Process the Personal Data outside the European Economic Area (the "EEA") subject to conditions laid down in this Agreement.
6.2. The Processor may only Process, or permit the Processing of, the Personal Data outside the EEA under one of the following conditions:
a. the Processor Processes the Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals.
b. the Processor takes, where appropriate, one of the safeguards specified by the Data Protection Legislation, notably by Article 46 GDPR.
6.3. If any Personal Data transfer between the Controller and the Processor requires the execution of the SCCs or the IDTA in order to comply with the Data Protection Legislation, the Parties shall complete all relevant details and take all other actions required to legitimise the transfer.
7.1. The Processor may not authorise a third party (subprocessor) to Process the Personal Data, unless all of the following conditions are met:
a. the Controller has given a specific or general written authorisation to the engagement of the subprocessor(s);
b. the Processor shall enter into a written agreement with each of the authorised subprocessors, which shall contain terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures;
c. at the Controller's request, the Processor shall provide to the Controller a copy of such an agreement with the subprocessor and any subsequent amendments. To the extent necessary to protect a business secret or other confidential information, including Personal Data, the Processor may redact the text of the agreement prior to sharing the copy;
d. the Processor shall maintain control over all the Personal Data it entrusts to the subprocessor(s).
7.2. The Controller hereby gives a general authorisation to involve subprocessors to Process the Personal Data under this Agreement. In case the Processor intends to update the list of subprocessors engaged, the Processor shall inform the Controller in advance and provide the Controller with the information necessary to enable the Controller to exercise the right to object.
7.3. Where the subprocessor fails to fulfil its obligations under such a written agreement, the Processor remains fully liable to the Controller for the subprocessor's performance of its obligations.
7.4. Where the Processor fails to fulfil its guarantees under Clause 7.1 hereof, the Processor shall indemnify all of the Controller's arising direct and indirect damages.
Complaints, the Data Subjects' requests and third-party rights
8.1. The Processor shall, at no additional cost, take such technical and organisational measures as may be appropriate and promptly provide such information to the Controller, as the Controller may reasonably require, to enable the Controller to comply with:
a. the rights of the Data Subjects under the Data Protection Legislation, including the Data Subjects' access rights, the rights to rectify and erase the Personal Data, object to the Processing and automated Processing of the Personal Data, and restrict the Processing of the Personal Data; and
b. information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.
8.2. The Processor shall notify the Controller immediately and without undue delay if the Processor receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either Party's compliance with the Data Protection Legislation.
8.3. The Processor shall notify the Controller immediately and without undue delay when the Processor receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
8.4. The Processor shall provide the Controller with the Processor's full cooperation and assistance in responding to any complaint, notice, communication or the Data Subject's request in connection with the Personal Data Processed.
8.5. The Processor shall not disclose the Personal Data to any Data Subject or to a third party other than at the Controller's request or instructions, as provided for in this Agreement or as required by law.
This Agreement shall remain in full force and effect so long as:
a. the Master Agreement remains in effect, or
b. the Processor retains any Personal Data related to the Master Agreement in the Processor's possession or control (the "Term").
Non-compliance with the Agreement and termination
10.1. Without prejudice to any provisions of the GDPR and/or the Regulation (EU) 2018/1725, in the event that the Processor is in breach of its obligations under this Agreement, the Controller may instruct the Processor to suspend the Processing of the Personal Data until the Processor complies with its obligations under this Agreement or the Agreement is terminated.
10.2. The Controller shall be entitled to terminate the Agreement if:
a. the Processing of the Personal Data by the Processor has been suspended by the Controller pursuant to Clause 10.1 hereof and if compliance with the obligations under this Agreement is not restored within a reasonable time and in no event later than within 1 (one) month following suspension;
b. the Processor is in substantial or persistent breach of its obligations under this Agreement or its obligations under the GDPR and/or the Regulation (EU) 2018/1725;
c. the Processor fails to comply with a binding decision of a competent court or a competent supervisory authority regarding its obligations pursuant to this Agreement or the GDPR and/or the Regulation (EU) 2018/1725.
10.3. The Processor shall be entitled to terminate the Agreement where, after having informed the Controller that the Controller's instructions infringe applicable legal requirements in accordance with Clause 3.1 hereof, the Controller insists on compliance with the instructions.
10.4. Any provision of this Agreement, which expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data, shall remain in full force and effect.
10.5. If a change in any Data Protection Legislation prevents either Party from fulfilling all or part of its Master Agreement obligations, the Parties shall suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of the Personal Data into compliance with the Data Protection Legislation within 2 (two) months, a Party may terminate the Master Agreement on written notice to the other Party.
Data return and destruction
11.1. At the Controller's request, the Processor shall give the Controller a copy of or access to all or part of the Controller's Personal Data in the Processor's possession or control in the format and on the media reasonably specified by the Controller.
11.2. Upon termination of the Master Agreement for any reason or expiry of its term, the Processor shall securely delete or destroy or, if directed in writing by the Controller, return and not retain all or any Personal Data related to this Agreement in the Processor's possession or control.
11.3. If any law, regulation or governmental or regulatory body requires the Processor to retain any documents or materials that the Processor would otherwise be required to return or destroy, the Processor shall notify the Controller in writing of that retention requirement, giving details of the documents or materials that the Processor shall retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
11.4. Upon the request from the Controller, the Processor shall certify in writing that the Processor has destroyed the Personal Data.
12.1. If the Controller is required to show its compliance with the Data Protection Legislation, or the Controller reasonably believes that a Personal Data Breach occurred or is occurring, or the Processor is in breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor shall permit an assigned and eligible third-party representative of the Controller to audit the Processor's compliance with its obligations under this Agreement on at least 15 (fifteen) days' notice during the Term. The Processor shall give the third-party representative of the Controller all necessary assistance reasonably required to conduct such audits. The assistance may include, but is not limited to:
a. physical access to, or remote electronic access to, any information held at the Processor's premises or on systems storing the Personal Data;
b. access to and meetings with any of the Processor's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
c. necessary inspection of all infrastructure, electronic data or systems, facilities, equipment or application software used to store, Process or transfer the Personal Data.
12.2. If a Personal Data Breach occurred or is occurring, or the Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor shall:
a. promptly conduct its own audit to determine the cause;
b. produce a written report that includes a detailed plan to remedy any deficiencies identified by the audit;
c. provide the Controller with a copy of the written audit report; and
d. promptly remedy any deficiencies identified by the audit.
12.3. The Processor shall promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Processor's management.
12.4. The Controller shall cover all reasonable expenses incurred by the Processor in connection with performing its obligations under Clause 12.1 hereof.
This Agreement shall be governed by, construed and interpreted in accordance with the laws of England and Wales.
FLOWPOINT ANALYTICS LTD
Company Number 14068900
83-86 Prince Albert Road, London, UK
© 2023. All rights reserved @Flowpoint