Data Processing Agreement - 1st February 2018
- 1.1 This data processing agreement (the “Data Processing Agreement”) specifies the data protection obligations of the Parties which arise in connection with the provision of the Services whilst the Customer is using the services provided by Paiger. It applies to all activities performed in connection with the Customer use of the Services in which Processor and, if and insofar permissible, a third party acting on behalf of Processor may come into contact with personal data of the Customer.
- 1.2 The relevant types of personal data, the individuals these personal data refer to and the types of processing of personal data being undertaken are set out below:
Users details including the name and contact details are stored to provide access to the system and personalisation. The mobile telephone number is used for interaction and notifications, while the email is additionally used to identify the user in the system. Where jobs are shared, the email may be used to provide a call to action or application path. All connections to 3rd party systems made by the user are made through official APIs and 3rd party tokens are stored.
- 1.3 This Data Processing Agreement shall remain in force for such time as the Customer is using the Services.
- 1.4 For the purposes of this Data Processing Agreement, both parties hereby acknowledge and confirm that the Customer is the Data Controller, (hereinafter “Controller”) and Paiger Limited is the Data Processor, (hereinafter “Processor”).
- 1.5 This data processing agreement shall be construed in accordance with the laws of England and Wales and the courts of England shall have exclusive jurisdiction to settle all disputes, claims or proceedings between the Parties.
2 Definitions
- “Data Protection Legislation” means the UK General Data Protection Regulation, the Data Protection Act 2018 and all other applicable laws, regulations, code of practice or guidance issued by the ICO or any applicable UK regulator from time to time relating to the processing of personal data and privacy.
- “Personal Data” means any information relating to an identified or identifiable natural individual as defined by applicable Data Protection Legislation.
- “Processing” means processing of Personal Data on behalf of Controller as defined by applicable Data Protection Legislation.
- “Instruction” means a written instruction, issued by Controller to Processor, and directing Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). These instructions may from time to time or case to case thereafter, be amended, amplified or replaced by Controller in separate written Instructions (individual Instructions).
- “Services” shall be software provided by Paiger Limited to the Customer
- “Customer” shall be the entity named on the order form completed when signing up for the Services.
3 Scope and responsibility
- 3.1 Both parties shall assist each other in complying with its applicable obligations under the Data Protection Legislation. Each Party shall at all times comply with the Data Privacy Applicable Laws and Regulatory Requirements with regards to the provision of the Services under this Order and shall under no circumstances make the other Party in breach with these laws, rules or regulations.
- 3.2 Processor shall Process Personal Data on behalf of Controller and always in accordance with the Data Protection Legislation and codes of practice applying to the Processor.
4 Obligations of Processor
4.1 Processor shall Process Personal Data only within the scope of Controller’s Instructions.
4.2 Processors interpretation of those instructions in so far as it applies to the Services is set out below:
4.2.1 Personal Data is held to enable the service to personalise messaging and to communicate via social media, email and mobile notification with the user for notifications, system updates and support.
4.3 Controller hereby acknowledges that the processing specified above comprise it’s instructions to the Processor. If Processor is required to Process the Personal Data for any other purpose by applicable law, Processor will inform the Controller of this legal requirement, to the extent permitted to do so by the applicable law. Processor shall not Process Personal Data for its own purposes and shall keep Controller’ Personal Data logically separate to data processed on behalf of any third party.Processor shall notify Controller immediately if, in Processor’s reasonable opinion, an Instruction breaches the Data Protection Legislation.
4.4 Processor shall take appropriate technical and organizational measures to adequately protect Controller’s Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure taking into account the nature of the Processing,
4.5 The processor has set out below a summary of those measures adopted in the provision of the services:
4.5.1 Passwords are encrypted, alongside offsite backups and the service itself can only
4.5.2 be accessed by a secure protocol (https). All authentication methods to end channels (social media) are done so using official methods and APIs, with Paiger never seeing the user’s credentials.
4.6 The Controller acknowledges that the technical and organizational measures set out above are subject to technical progress and development. Processor may implement without advance notification to the Controller adequate alternative measures, providing these are no less adequate than the level of security provided by those they replace. Updated measures shall be incorporated into this data processing agreement and made available on the website of Paiger Limited.
4.7 If Processor becomes aware of known or suspected breaches of security leading to or which may have led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that Processor has Processed (“Personal Data Breach”). Processor shall provide Controller with a description of the Personal Data Breach, the types of data that was the subject of the Personal Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information Controller may reasonably request relating to the Personal Data Breach.
4.8 In the event of a Personal Data Breach, Processor will without undue delay
4.8.1 take action immediately to investigate the Personal Data Breach and to identify, prevent recurrence and make reasonable efforts to mitigate the effects of any such Personal Data Breach and
4.8.2 to carry out any recovery or other action necessary to remedy the Personal Data Breach. Processor shall not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach in respect of Controller’s Personal Data without Controller’s prior written approval.
4.9 Controller agrees that an unsuccessful security incident will not be subject to disclosure as per clause 4.7. An unsuccessful Security incident is one that does not lead to any unauthorised access to Personal Data of the Controller or to any of the hardware or facilities of the Processor used for storing Personal Data of the Controller. This includes but is not limited to port scans, denial of service attacks, pings and other such broadcast attacks on firewalls and unsuccessful log-on attempts.
4.10 The Processor shall ensure that all personnel who have access to Personal Data belonging to Controller under the terms of this Data Processing Agreement maintain confidentiality, such obligations are contractually imposed. Processor shall ensure that access to Controller’s Personal Data is limited to those persons who need access in order to meet the Processor’s obligations under this Data Processing Agreement and that such access is only granted to such parts of the Controller’s Personal Data as is strictly necessary in relation to that person’s particular duties. Processor shall ensure that all personnel who have access to the Personal Data are reliable and have undertaken training appropriate to their role in relation to the handling of Personal Data and applicable Data Protection Legislation.
4.11 Processor shall maintain records of all Personal Data Processing activities carried out on behalf of Controller containing the information prescribed in applicable Data Protection Legislation (including but not limited to the type of Personal Data Processed and the purposes for which they are processed). The Processor has made these records available a:
4.12 Processor will immediately notify Controller of any monitoring, auditing or control activities and measures undertaken by a supervisory authority.
4.13 The Personal Data will be processed and used by Processor exclusively within the territory of a member state of the European Union or the European Economic Area. Any transfer of Personal Data to a third country requires the prior written consent of Controller.
4.14 Processor acknowledges and agrees that all right, title and interest in Controller’s Personal Data (including all intellectual property rights subsisting therein) shall vest solely in Controller.
4.15 Processor shall permit a supervisory authority to access its premises, computer and other information systems, records, documents and records (where permitted by applicable Data Protection Legislation) to enable the supervisory authority to satisfy themselves that Processor is complying with its obligations under this Data Processing Agreement and applicable Data Protection Legislation.
4.16 During the term of the Order the Controller is authorised to audit the technical and organisational measures taken by the processor (hereinafter “Audit”) in order to ensure Processor complies with its obligations under this Data Processing Agreement.
4.17 All Audits are defined by the Controller, who shall be responsible for all costs. Audits may be carried out by
4.17.1 Controllers suitably qualified employees,
4.17.2 External auditors of the Controller,
4.16.3 Regulators of the Controller,
4.17.4 independent consultants appointed by the Controller and /or
4.17.5 voluntary disclosures from the Processor.
4.18 Should the Controller wish the Audit to be performed by an external auditor or an independent consultant, the Controller must inform the Processor to allow it to raise the potential situation of conflicts of interest with the proposed external auditor or this independent Consultant. The absence of an issue raised by Processor within 5 days following the date of notice will amount to a tacit approval.
4.19 During the Audit, Processor will provide with no undue delay information, reasonable assistance and access to its premises as may be necessary in order that those conducting the Audit may fully and promptly carry out each Audit. Where Controller intends to access the premises of the Processor it shall provide the latter with a prior written notice a minimum of ten (10) working days before the beginning of the Audit.
4.20 The Controller acknowledges that due to security constraints physical access to the subcontracted hosting facilities utilized by Processor may not be possible and this will not be considered a breach of the Controllers right to audit:
5 Obligations of Controller
5.1 Controller and Processor shall each be responsible for complying with their applicable obligations under the Data Protection Legislation.
5.2 Controller is responsible for securing data subject’s rights.
5.3 Any additional reasonable costs arising in connection with the return or deletion of Personal Data after the termination or expiration of this Order shall be borne by Controller.
5.4 Controller is solely responsible for securing ALL necessary consents from any Data Subjects in respect of the Personal Data it collects and requires the Processor to Process. Controller hereby indemnifies Processor against all claims, and other applicable actions brought by any Data Subject/s where Controller has failed to obtain the correct and necessary consents.
6 Enquiries by Data Subjects to Controller
6.1 Where Controller is obliged, under the Data Protection Legislation, to provide information to an individual or a government, regulatory or supervisory authority about the Processing of his or her Personal Data, Processor shall assist Controller in making this information available promptly and no later than 10 working days from receipt of such written request from the Controller.
6.2 If a data subject should apply directly to Processor to request access to, or the rectification, erasure, restriction or portability of, his personal data, or to object to the Processing of his Personal Data, Processor will forward this request to Controller without delay, and no later than 5 working days after receipt. Processor will only correct, delete or block the Personal Data Processed on behalf of Controller when instructed to do so in writing by the Controller.
7 Subcontractors
7.1 The engagement of subcontractors by Processor requires Controller’s prior written consent.
7.2 A list of subcontractors used by the Processor in the Processing of Controllers data is set out below:
MailJet (USA) – https://www.mailjet.com – used to send email communications to Paiger customers.
VooDoo SMS (UK) – https://voodoosms.com – used to send and receive SMS communications to/from Paiger customers
Twilio (USA) – https://www.twilio.com/ – used to send and receive SMS communications to Paiger customers.
Digital Ocean (USA) – https://www.digitalocean.com/ – used for data hosting and servers that power the Paiger service
Amazon Web Services (USA) – https://aws.amazon.com – used for data hosting and servers that power the Paiger service
SnapShooter (UK) – https://snapshooter.io – used for offsite database backups.
Intercom (USA) – https://www.intercom.com – used for customer support (including live chat) and user onboarding
ProductStash (UK) – https://productstash.io – used for collecting user feedback
Active Campaign – https://www.activecampaign.com/ – used for email marketing and lead capturing
Google (Gmail & Data Studio) – used for email & reporting
Mailtrack – used for email open tracking
CapsuleCRM – used as a CRM
7.3 In signing this order form Controller hereby gives consent to Processor to use these subcontractors.
7.4 Where Processor engages subcontractors with consent of Controller, Processor shall contractually require such subcontractors to comply with obligations that are substantially similar to those set forth herein, including in particular, but not limited to, the contractual requirements for confidentiality, data protection and data security. Processor shall restrict subcontractor’s access to Personal Data of the Controller to the extent necessary for them to provide their services.
7.5 For the avoidance of doubt, where a subcontractor fails to fulfil its obligations under any sub-processing agreement, Processor will remain fully liable to Controller for the fulfilment of its obligations under this Data Processing Agreement.
8 Deletion and/or return of data and data retention
8.1 Within 30 days of the Controller ceasing to be a Customer of the Processor, the Processor will delete the Personal Data of the Controller in compliance with the Data Protection Legislation.
8.2 The processor will retain all personal data of the Controller whilst the controller maintains a contractual relationship with the Processor and utilises the Services of the Processor.
9 Duties to Inform, Mandatory Written Form
9.1 In the event that Processor
9.1.1 is required by law, court order, warrant, subpoena, or other legal judicial process to disclose any of Controller’s Personal Data to any person other than Controller or
9.1.2 receives any inquiry, communication, request or complaint from any governmental, regulatory or supervisory authority, Processor shall immediately notify Controller in writing and shall furnish all reasonable assistance in a timely manner to Controller to enable it to respond or object to, or challenge any such inquiries, communications, requests, or complaints and to meet applicable statutory or regulatory deadlines.
9.2 No change of or amendment to this Data Processing Agreement or any of its requirements, including any commitment issued by Processor, shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to this Data Processing Agreement. Any waiver of any provision of this Data Processing Agreement shall be recorded in written form.
10 Request To Have Your Data Deleted
Please email datadeletion@paiger.co with your full name, business name (if applicable) and the email address you used when completing any demo request or other online signup with Paiger and we will ensure your data is deleted within 72 hours of receiving your request.
Version Dated 17th January 2023
1. Contractual Interpretation
1.1. This data processing agreement (the “Data Processing Agreement”) specifies the data protection obligations of the Parties which arise in connection with the provision of the Services whilst the Customer is using the Services provided by Paiger. It applies to all activities performed in connection with the Customer’s use of the Services in which Paiger and, if and insofar permissible, a third party acting on behalf of Paiger may come into contact with personal data of the Customer (or its representatives.)
1.2. This Data Processing Agreement shall remain in force for such time as the Customer is using the Services.
1.3. This Data Processing Agreement is in addition to and compliments the Contract between the Parties and does not seek to replace the Contract. If any clause or provision of this Data Processing Agreement conflicts with or otherwise contradicts the Contract, the terms of the Data Processing Agreement shall prevail.
1.4. This data processing agreement shall be construed in accordance with the laws of England and Wales and the courts of England shall have exclusive jurisdiction to settle all disputes, claims or proceedings between the Parties.
1.5. In this Data Processing Agreement the following expressions shall apply (save where the context otherwise requires.) Capitalised terms that are not otherwise defined here shall have the meaning attributed to them in the Contract.
1.6. “Data Protection Legislation” means the UK General Data Protection Regulation, the Data Protection Act 2018 and all other applicable laws, regulations, code of practice or guidance issued by the ICO or any applicable UK regulator from time to time relating to the processing of personal data and privacy.
1.7. “Personal Data” means any information relating to an identified or identifiable natural individual as defined by the Data Protection Legislation.
1.8. “Processing” means processing of Personal Data on behalf of Controller as defined by the Data Protection Legislation.
1.9. “Instruction” means a written instruction, issued by Controller to Processor, and directing Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). These instructions may from time to time or case to case thereafter, be amended, amplified or replaced by Controller in separate written Instructions (individual Instructions).
1.10. For the purposes of this Data Processing Agreement, both parties hereby acknowledge and confirm that the Customer is the Data Controller, (hereinafter “Controller”) and Paiger Limited is the Data Processor, (hereinafter “Processor”).
2. General
2.1. The Processor shall Process Personal Data on behalf of Controller and always in accordance with the Data Protection Legislation. The Processor shall only process the Personal Data to the extent necessary to perform the obligations in the Contract and in this Data Processing Agreement.
2.2. Both parties shall assist each other in complying with applicable obligations under the Data Protection Legislation.
2.2.1. Each Party shall at all times comply with the Data Protection Legislation with regards to the provision of the Services and shall under no circumstances knowingly place the other Party in breach of the Data Protection Legislation.
3. Obligations of Processor
3.1. Processor shall Process Personal Data only within the scope of Controller’s Instructions.
3.2. Processors interpretation of those Instructions in so far as it applies to the Services is set out below:
3.2.1. Personal Data is stored and processed to enable Paiger to personalise messaging and to communicate via social media, email and mobile notification with the user for notifications, system updates and support.
3.3. Controller hereby acknowledges that the processing specified above comprise it’s Instructions to the Processor.
3.4. If Processor is required to Process the Personal Data for any other purpose by applicable law, Processor will inform the Controller of this legal requirement, to the extent permitted to do so by the applicable law. Processor shall not Process Personal Data for its own purposes and shall keep Controller’ Personal Data logically separate to data processed on behalf of any third party. Processor shall notify Controller immediately if, in Processor’s reasonable opinion, an Instruction breaches the Data Protection Legislation.
3.5. Processor shall, having regard to the reasonably available state of the art of technological development, the nature of the Processing, the cost of implementation and the material risk to the rights of the affected Data Subjects take appropriate technical and organizational measures to adequately protect Controller’s Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure taking into account the nature of the Processing,
3.6. The Processor has set out below a summary of those technical and organizational measures adopted in the provision of the Services:
3.6.1. Passwords are encrypted, alongside offsite backups and the service itself can only
3.6.2. be accessed by a secure protocol (https); and
3.7. All authentication methods to end channels (social media) are implemented using official methods and APIs, with Processor never seeing the user’s credentials; and all equipment is physically secure.
3.8. The Controller acknowledges that the technical and organizational measures set out above are subject to technical progress and development. Processor may implement without advance notification to the Controller adequate alternative measures, providing these are no less adequate than the level of security provided by those they replace. Updated measures shall be incorporated into this Data Processing Agreement and made available on the Website of the Processor.
3.9. If Processor becomes aware of known or suspected breaches of security leading to or which may have led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that Processor has Processed (“Personal Data Breach,”) Processor shall as far as reasonably possible provide Controller with a description of the Personal Data Breach, the Personal Data that was the subject of the Personal Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information Controller may reasonably request relating to the Personal Data Breach.
3.10. In the event of a Personal Data Breach, Processor will without undue delay
3.10.1. take action immediately to investigate the Personal Data Breach and to identify, prevent recurrence and make reasonable efforts to mitigate the effects of any such Personal Data Breach; and
3.10.2. to carry out any recovery or other action necessary to remedy the Personal Data Breach.
3.11. Processor shall not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach in respect of Controller’s Personal Data without Controller’s prior written approval.
3.12. Controller agrees that a security incident that that does not lead to any unauthorised access to Personal Data of the Controller will not be subject to disclosure pursuant to clause 3.9. Examples of such incidents are port scans, denial of service attacks, pings and other such broadcast attacks on firewalls and unsuccessful log-on attempts.
3.13. The Processor shall ensure that all personnel who have access to Personal Data belonging to Controller under the terms of this Data Processing Agreement maintain confidentiality and that such obligations are contractually imposed. Processor shall ensure that access to Controller’s Personal Data is limited to those persons who need access in order to meet the Processor’s obligations under this Data Processing Agreement and that such access is only granted to such parts of the Controller’s Personal Data as is strictly necessary in relation to that person’s particular duties. Processor shall ensure that all personnel who have access to the Personal Data are reliable and have undertaken training appropriate to their role in relation to the handling of Personal Data and applicable Data Protection Legislation.
3.14. Processor shall maintain records of all Personal Data Processing activities carried out on behalf of Controller.
3.15. Processor shall, on request, take reasonable steps to demonstrate to the Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation.
3.16. Processor will immediately notify Controller of any monitoring, auditing or control activities and measures undertaken by a supervisory authority and shall as far as reasonably possible, assist the Controller in responding to such activities by the supervising authority.
3.17. The Personal Data will be processed and used by Processor exclusively within the UK or a territory of a member state of the European Union or the European Economic Area. Any transfer of Personal Data to a third country requires the prior written consent of Controller.
3.18. Processor acknowledges and agrees that all right, title and interest in Controller’s Personal Data (including all intellectual property rights subsisting therein) shall vest solely in Controller unless anonymised in accordance with the Contract.
3.19. Processor shall permit a supervisory authority to access its premises, computer and other information systems, records, documents and records (where permitted by applicable Data Protection Legislation) to enable the supervisory authority to satisfy themselves that Processor is complying with its obligations under this Data Processing Agreement and the Data Protection Legislation.
4. Obligations of Controller
4.1. Controller is responsible for ensuring that the processing of Personal Data is fair and lawful and in accordance with the data subjects’ rights. The Controller shall ensure that it has a lawful basis for the processing of the Personal Data at all time.
4.2. The Controller warrants that it is entitled to provide the Personal Data to the Processor and shall ensure that the Personal Data is accurate.
4.3. Controller hereby indemnifies Processor against all claims, and other applicable actions brought by any Data Subject where Controller has processed Personal Data other than in accordance with the Data Protection Legislation.
4.4. Any additional reasonable costs arising in connection with the return or deletion of Personal Data after the termination or expiration of this Contract shall be borne by Controller.
5. Enquiries by Data Subjects
5.1. Where Controller is obliged, under the Data Protection Legislation, to provide information to an individual or a government, regulatory or supervisory authority about the Processing of his or her Personal Data, Processor shall assist Controller in making this information available promptly and no later than 10 working days from receipt of such written request from the Controller and subject to the Controller reimbursing the Processor for the cost of the same.
5.2. If a Data Subject should apply directly to Processor to request access to, or the rectification, erasure, restriction or portability of, his Personal Data, or to object to the Processing of his Personal Data, Processor will forward this request to Controller without delay, and no later than 5 working days after receipt. Processor will only correct, delete or block the Personal Data Processed on behalf of Controller when instructed to do so in writing by the Controller and subject to the Controller reimbursing the Processor for the cost of the same.
6. Subcontractors
6.1. A list of subcontractors used by the Processor in the Processing of the Personal Data is set out below:
- MailJet (USA) – https://www.mailjet.com – used to send email communications to customers.
- VooDoo SMS (UK) – https://voodoosms.com – used to send and receive SMS communications to/from customers
- Twilio (USA) – https://www.twilio.com/ – used to send and receive SMS communications to customers.
- Digital Ocean (USA) – https://www.digitalocean.com/ – used for data hosting and servers that power the Services
- Amazon Web Services (USA) – https://aws.amazon.com – used for data hosting and servers that power the Services
- SnapShooter (UK) – https://snapshooter.io – used for offsite database backups.
- Intercom (USA) – https://www.intercom.com – used for customer support (including live chat) and user onboarding
- Active Campaign – https://www.activecampaign.com/ – used for email marketing and lead capturing
- Google (Gmail & Data Studio) – used for email & reporting
- Mailtrack – used for email open tracking
- CapsuleCRM – used as a CRM
- June – https://www.june.so/ – used to collect metrics on user interactions with out software
6.2. The Processor shall contractually require its subcontractors to comply with obligations that are substantially similar to those set forth in this Data Processing Agreement, including in particular, but not limited to, the contractual requirements for confidentiality, data protection and data security. Processor shall restrict subcontractor’s access to Personal Data of the Controller to the extent necessary for them to provide their services.
6.3. For the avoidance of doubt, where a subcontractor fails to fulfil its obligations under any sub-processing agreement, Processor will remain fully liable to Controller for the fulfilment of its obligations under this Data Processing Agreement.
7. Deletion and/or return of data and data retention
7.1. The Processor will retain all Personal Data of the Controller whilst the Controller maintains a contractual relationship with the Processor and utilises the Services of the Processor.
7.2. Within 30 days of the Controller ceasing to be a Customer of the Processor, the Processor will delete the Personal Data of the Controller in compliance with the Data Protection Legislation.
8. General
8.1. In the event that Processor;
8.1.1. is required by law, court order, warrant, subpoena, or other legal judicial process to disclose any of Controller’s Personal Data to any person other than Controller; or
8.1.2. receives any inquiry, communication, request or complaint from any governmental, regulatory or supervisory authority,
8.1.3. Processor shall immediately notify Controller in writing and shall subject to reimbursement of its costs, furnish all reasonable assistance in a timely manner to Controller to enable it to respond or object to, or challenge any such inquiries, communications, requests, or complaints and to meet applicable statutory or regulatory deadlines.
8.2. No change of or amendment to this Data Processing Agreement or any of its requirements, including any commitment issued by Processor, shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to this Data Processing Agreement. Any waiver of any provision of this Data Processing Agreement shall be recorded in written form.