Data Processing Agreement
Data Processing Agreement (“DPA”)
- Vialog Ltd, a company incorporated in England with Registered Number 08306815 and whose registered office is at Level 33, 25 Canada Square, London, England, E14 5LB (the "Supplier"); and
- [Name] of [Address] (the “Customer”).
IT IS AGREED AS FOLLOWS:
1. Background
- This DPA forms part of the Agreement between Customer and Supplier (the “Agreement”).
- Pursuant to the Agreement, Supplier agrees to provide Services for Customer.
- Customer is the Controller and Supplier is the Processor of the Customer Personal Data.
- The parties now agree to the DPA, including:
- Appendix 1 – Details of Processing; and
- Appendix 2 – Security Measures in order to ensure ongoing compliance with Data Protection Laws.
2. Definitions
- Capitalized terms not otherwise defined herein have the meanings given to them in the Agreement. In addition, the following terms have the meanings set out below:
- "Applicable Laws" means any Data Protection Laws and other applicable laws to which Supplier and any Customer Personal Data are subject;
- "Authorised Person" means Customer's contact with Supplier or any person with apparent authority to act on behalf of Customer;
- "Customer Personal Data" means any Personal Data Processed by Supplier on behalf of the Customer pursuant to or in connection with the Agreement as set out in Appendix 1;
- "Data Protection Laws" means UK data protection laws including the UK Data Protection Act 2018, the UK GDPR and, to the extent applicable, the data protection or privacy laws of any other country;
- "Delete" means, to change Customer Personal Data to a form which no longer permits identification of Data Subjects, including by deletion or by hashing (anonymising) identifiers such as IP addresses;
- "Services" means the performance marketing technology and payment services and other activities to be supplied to or carried out by or on behalf of Supplier for the Customer pursuant to the Agreement;
- "Subprocessor" means any person (including any third party, but excluding an employee of Supplier or any of its sub-contractors) appointed by or on behalf of Supplier to Process Customer Personal Data on behalf of the Customer in connection with the Agreement;
- "UK GDPR" means the United Kingdom General Data Protection Regulation;
- "User" means a person or system submitting valid login or API credentials to Supplier's system.
- The terms, "Commissioner", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", “Processor” and "Pseudonymisation" have the meanings given to them in the UK GDPR https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.
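The "Delete" definition above treats hashing identifiers such as IP addresses as anonymising. The following added example, which is not part of the DPA and not Supplier's own code, shows why an unkeyed hash of an IPv4 address can be inverted by enumerating the address space, and why a keyed hash (HMAC) under a secret key is still only pseudonymisation, since the key holder can re-identify the Data Subject. The address, the network range and the key are constructed for the demonstration.

```python
"""Added example (not part of the DPA): hashing an IP address is not anonymisation.

IPv4 has only 2**32 addresses, so an unkeyed hash such as SHA-256 can be
inverted by trying every candidate. An HMAC under a secret key stops that
enumeration for anyone without the key, but whoever holds the key can still
match an address to its token, so the result is pseudonymised, not anonymised.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional


def hash_ip(ip: str) -> str:
    """Unkeyed SHA-256 of the dotted-quad string: the scheme the definition describes."""
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: not invertible without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(digest: str, network: str) -> Optional[str]:
    """Invert an unkeyed hash by hashing every address in `network`.

    A /16 (65,536 candidates) keeps this example well under a second; the full
    IPv4 space (2**32) is enumerated the same way and is feasible on a single
    machine, which is why the unkeyed hash does not anonymise anything.
    """
    for candidate in ipaddress.ip_network(network):
        if hash_ip(str(candidate)) == digest:
            return str(candidate)
    return None


def demo() -> dict:
    ip = "203.0.113.77"                          # constructed (TEST-NET-3 address)
    key = b"constructed-secret-key-rotate-me"    # assumption: held only by the Supplier

    unkeyed = hash_ip(ip)
    keyed = pseudonymise_ip(ip, key)

    return {
        # The unkeyed hash is recovered by enumeration.
        "recovered_from_unkeyed": recover_ip(unkeyed, "203.0.0.0/16"),
        # The same enumeration against the HMAC output fails without the key.
        "recovered_from_keyed": recover_ip(keyed, "203.0.0.0/16"),
        # The key holder can still re-identify: this is pseudonymisation.
        "key_holder_can_match": hmac.compare_digest(pseudonymise_ip(ip, key), keyed),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a definition like the one above is that a hashed IP address only stops permitting identification once nobody can enumerate the input space or hold the key: in practice that means a keyed hash whose key is subsequently destroyed, or truncation and aggregation of the addresses rather than hashing them.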
3. Processing of Customer Personal Data
- Supplier will comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and not Process Customer Personal Data other than on the Customer’s documented instructions unless Processing is required by Applicable Laws to which Supplier is subject, in which case Supplier will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before Processing.
- The Customer instructs Supplier (and authorises Supplier to instruct each Subprocessor) to Process Customer Personal Data and transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services.
- Supplier will not act on any specific instructions given by Customer from time to time unless they are documented and given by a Customer User or Authorised Person.
- Supplier will Process the Customer Personal Data in accordance with the Agreement and disclose Customer Personal Data to:
- Customer's Users;
- Customer's Authorised Persons; and
- the Users of Customer's partners, in respect of transactions which they facilitated.
- Appendix 1 to this DPA sets out certain information as required by article 28(3) of the UK GDPR. The parties may make reasonable amendments to Appendix 1 by written agreement between them from time to time as necessary to meet those requirements.
4. Customer Obligations
- Customer warrants that:
- the Processing of Customer Personal Data has been carried out and will at all times be carried out by the Customer in compliance with Data Protection Laws;
- Customer has made all necessary disclosures and obtained all necessary consents from Data Subjects to fulfil all of its obligations under the Agreement, including the ability to disclose Customer Personal Data to Supplier;
- it is and will remain duly and effectively authorised to give instructions to Supplier under this DPA;
- all Customer Personal Data is necessary in relation to the purposes for which it is Processed, accurate and where necessary up-to-date; and
- any notification that it is required to make to the Commissioner or other supervisory authority has been made, and is complete and correct.
- Where Customer requests that Supplier accept data parameters that Supplier considers may result in the attribution of Customer Personal Data to a Data Subject, Supplier may, at its own discretion:
- request formal confirmation of such instructions from an Authorised Person; or
- refuse such request pending amendment of this DPA.
5. Confidentiality
- Supplier will ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
6. Security
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier has implemented and will continue to implement in relation to the Customer Personal Data appropriate technical and organizational measures (as set out in Appendix 2) to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the UK GDPR. In assessing the appropriate level of security, Supplier has taken and will continue to take account of the risks that are presented by Processing, in particular from a Personal Data Breach.
7. Subprocessing
- The Customer authorises Supplier to appoint Subprocessors in accordance with this Clause 7. Supplier may continue to use those Subprocessors identified in Appendix 1 as at the date of this DPA. Supplier will inform Customer of any intended changes concerning the addition or replacement of Subprocessors, including full details of the Processing to be undertaken by the new Subprocessor, thereby giving Customer the opportunity to object to such changes as set out in Appendix 1.
- With respect to each Subprocessor, Supplier shall ensure that the arrangement between Supplier, and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the UK GDPR.
8. Assistance
- Supplier shall assist the Customer in ensuring compliance with the Customer's obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to Supplier, including as set out in section 8.3.
- Supplier will promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data and will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests.
- Supplier shall promptly notify the Customer if it becomes aware of a Personal Data Breach affecting Customer Personal Data and will co-operate with the Customer and take such commercially reasonable steps as the Customer requests to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Deletion of Customer Personal Data
- The Customer chooses and Supplier agrees that on the termination of the provision of data processing services, Supplier will Delete Customer Personal Data from Supplier's systems as soon as reasonably practicable, except to the extent that Applicable Laws require it to retain copies of such data.
- Customer acknowledges that it bears the sole responsibility for exporting any Customer Personal Data it wishes to retain prior to such Deletion.
10. Information & Audit Rights
- Supplier will make available such information as is reasonably requested by the Customer to demonstrate compliance with the obligations laid down in Article 28 UK GDPR. The Customer will be entitled to conduct an audit for that same purpose, provided (a) the Customer gives Supplier no less than fourteen (14) days’ prior written notice, (b) the audit is conducted remotely, and (c) such audits are conducted no more than once per calendar year, excluding any audit required by the Commissioner.
- Supplier shall immediately inform the Customer if, in its opinion, the Customer's instruction to Supplier infringes Data Protection Laws or other Applicable Laws relating to data protection.
- No audit under section 10.1 will provide the Customer with any access to Supplier’s code base, data centres, detailed network schematics or detailed records of security vulnerabilities unless such access is required by the Commissioner or by Applicable Law.
- Customer shall bear the costs of any audit under section 10.1, unless such audit reveals that Supplier is responsible for a Personal Data Breach or has otherwise materially failed to comply with its obligations under this DPA, the Agreement, or the Data Protection Laws, in which case Supplier shall bear the cost.
11. General
- Nothing in this DPA is intended to impose upon Supplier any obligations materially more burdensome than those required by Article 28 of the UK GDPR as it relates to Processors.
- In the event of conflict between the terms set out in this DPA and the Agreement, the terms set out in this DPA shall prevail solely to the extent of such conflict.
- No other terms or conditions of the Agreement shall be amended as a result of this DPA.
- The parties will cooperate in good faith to amend the Agreement where required by any change in the Data Protection Laws applicable to either party.
- This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by the law governing the Agreement, without regard to any conflicts of law principles that would require a different result. Each party irrevocably submits to the jurisdiction of the same courts, arbitrators, or other dispute resolution bodies as set out in the Agreement, under the same terms set out in the Agreement.
SIGNED on behalf of the Customer
SIGNED on behalf of the Supplier
Name: David Sarlos
Company Name: Vialog Ltd
Company Number: 08306815
Official Address: Level 33, 25 Canada Square, London, E14 5LB, United Kingdom
Appendix 1 - Details of Processing Personal Data
This Appendix 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) UK GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter is:
- The provision of technology and infrastructure for an embeddable video discussion tool (and associated support services).
- The duration of the Processing of the Customer Personal Data is for the Term, including any transitional period on entrance or exit to the Agreement.
The nature and purpose of the Processing of Customer Personal Data
The provision of Services by Supplier to the Customer, and including any or all of the following Processing activities:
- Disclosure by transmission / dissemination or otherwise making available
- Alignment / combination
- Erasure / destruction
The types of Customer Personal Data to be Processed
- Information collected that relates to end customers, to the extent that information constitutes Personal Data.
The categories of Data Subject to whom the Customer Personal Data relates
- End consumers of the Customer that complete Conversions pursuant to applicable Customer marketing campaigns, and who are natural persons that can be identified directly or indirectly, in particular by reference to an identifier of that natural person; an IP address or cookie data may, depending on the circumstances, be an identifier.
- Individuals who are prospective Partners.
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and this DPA.
Subprocessors of Supplier
Customer authorises the following Subprocessors in accordance with clause 7.1 of this DPA:
- Customer generally authorises the engagement as Subprocessors of any of the third parties listed as current Subprocessors from time to time at the following URL: https://wiki.vialog.app/subprocessors (the “Subprocessor List”).
- Supplier will provide notice to Customer of its intention to engage third parties as Subprocessors by identifying such third parties in the Subprocessor List, such notice to be given not less than ten (10) days prior to the engagement of such Subprocessors.
Customer instructs Supplier to process Customer Personal Data as reasonably required for Supplier to provide the Services stated above to Customer including:
- providing campaign support, helpdesk and/or invoicing and payment services;
- fraud detection;
- system maintenance; and
- where such Customer Personal Data is used in aggregated and anonymised form, developing additional functionality.
Customer instructs Supplier to require partners to comply with applicable requirements of e-privacy law in respect of the storage of information in terminal equipment or access to information in terminal equipment where such storage or access is necessary for the Services.
Appendix 2 – Security Measures
Supplier has technological safeguards in place according to Article 32(1) of the UK GDPR and equivalent articles under current or equivalent Data Protection Laws to provide the following:
1. Information Security Policies and Standards
Supplier’s security measures shall include, at a minimum:
- Preventing unauthorized persons from gaining access to Personal Data processing systems (physical access control);
- Preventing Personal Data processing systems being used without authorisation (logical access control);
- Ensuring that persons entitled to use a Personal Data processing system gain access only to such Customer Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Customer Personal Data cannot be read, copied, modified or deleted without authorisation (data access control);
- Ensuring that Customer Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage, and that the target entities for any transfer of Customer Personal Data by means of data transmission facilities can be established and verified (data transfer control);
- Ensuring the establishment of an audit trail to document whether and by whom Customer Personal Data have been entered into, modified in, or removed from Customer Personal Data processing (entry control);
- Ensuring that Customer Personal Data are Processed solely in accordance with the Customer’s Instructions (control of instructions);
- Ensuring that Customer Personal Data are protected against accidental destruction or loss (availability control); and
- Ensuring that Customer Personal Data collected for different purposes can be processed separately (separation control).
These measures are kept up to date and revised whenever relevant changes are made to the information system that uses or houses Personal Data, or to how that system is organised.
Security policies and standards include
- Data breach investigation;
- System access control;
- User privilege control;
- Software development and change control;
- Data security;
- Business continuity planning;
- Electronic communication security;
- System administrative security;
- Access to computer facilities; and
- Anti-virus protection.
2. Physical Security
Supplier and its subsidiaries will maintain adequate physical security systems at all sites at which an information system that uses or houses Customer Personal Data is located, and restrict access to such Customer Personal Data appropriately.
3. Organizational Security
- When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval or any use of Customer Personal Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of Personal Data stored on them.
- All Personal Data security incidents are managed in accordance with appropriate incident response procedures.
4. Network Security
Supplier maintains network security using commercially available equipment and industry standard techniques, including firewalls, access control lists and routing protocols.
5. Access Control
- Only authorised staff can grant, modify or revoke access to an information system that uses or houses Customer Personal Data.
- User administration procedures define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.
- All employees of Supplier are assigned unique User-IDs.
- Access rights are implemented adhering to the “least privilege” approach.
- Supplier implements commercially reasonable physical and electronic security to create and protect passwords.
6. Virus and Malware Controls
Supplier installs and maintains anti-virus and malware protection software on its workplace devices.
7. Personnel
Supplier implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; physical security controls; security practices and security incident reporting. Supplier conducts background screening on all prospective employees.
8. Business Continuity
Supplier implements appropriate disaster recovery and business resumption plans.
9. Separation Control
Supplier limits access and regularly rotates security logs.
10. Data Centres
- Infrastructure - Supplier maintains physically secure data centres in the UK and EU where all production data is stored.
- Redundancy - Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy.
- Power - The data centre electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions.