Data Processing Agreement
Version Dated 17th January 2023
1. Contractual Interpretation
1.1. This data processing agreement (the “Data Processing Agreement”) specifies the data protection obligations of the Parties which arise in connection with the provision of the Services whilst the Customer is using the Services provided by Paiger. It applies to all activities performed in connection with the Customer’s use of the Services in which Paiger and, if and insofar permissible, a third party acting on behalf of Paiger may come into contact with personal data of the Customer (or its representatives.)
1.2. This Data Processing Agreement shall remain in force for such time as the Customer is using the Services.
1.3. This Data Processing Agreement is in addition to and compliments the Contract between the Parties and does not seek to replace the Contract. If any clause or provision of this Data Processing Agreement conflicts with or otherwise contradicts the Contract, the terms of the Data Processing Agreement shall prevail.
1.4. This data processing agreement shall be construed in accordance with the laws of England and Wales and the courts of England shall have exclusive jurisdiction to settle all disputes, claims or proceedings between the Parties.
1.5. In this Data Processing Agreement the following expressions shall apply (save where the context otherwise requires.) Capitalised terms that are not otherwise defined here shall have the meaning attributed to them in the Contract.
1.6. “Data Protection Legislation” means the UK General Data Protection Regulation, the Data Protection Act 2018 and all other applicable laws, regulations, code of practice or guidance issued by the ICO or any applicable UK regulator from time to time relating to the processing of personal data and privacy.
1.7. “Personal Data” means any information relating to an identified or identifiable natural individual as defined by the Data Protection Legislation.
1.8. “Processing” means processing of Personal Data on behalf of Controller as defined by the Data Protection Legislation.
1.9. “Instruction” means a written instruction, issued by Controller to Processor, and directing Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). These instructions may from time to time or case to case thereafter, be amended, amplified or replaced by Controller in separate written Instructions (individual Instructions).
1.10. For the purposes of this Data Processing Agreement, both parties hereby acknowledge and confirm that the Customer is the Data Controller, (hereinafter “Controller”) and Paiger Limited is the Data Processor, (hereinafter “Processor”).
2.1. The Processor shall Process Personal Data on behalf of Controller and always in accordance with the Data Protection Legislation. The Processor shall only process the Personal Data to the extent necessary to perform the obligations in the Contract and in this Data Processing Agreement.
2.2. Both parties shall assist each other in complying with applicable obligations under the Data Protection Legislation.
2.2.1. Each Party shall at all times comply with the Data Protection Legislation with regards to the provision of the Services and shall under no circumstances knowingly place the other Party in breach of the Data Protection Legislation.
3. Obligations of Processor
3.1. Processor shall Process Personal Data only within the scope of Controller’s Instructions.
3.2. Processors interpretation of those Instructions in so far as it applies to the Services is set out below:
3.2.1. Personal Data is stored and processed to enable Paiger to personalise messaging and to communicate via social media, email and mobile notification with the user for notifications, system updates and support.
3.3. Controller hereby acknowledges that the processing specified above comprise it’s Instructions to the Processor.
3.4. If Processor is required to Process the Personal Data for any other purpose by applicable law, Processor will inform the Controller of this legal requirement, to the extent permitted to do so by the applicable law. Processor shall not Process Personal Data for its own purposes and shall keep Controller’ Personal Data logically separate to data processed on behalf of any third party. Processor shall notify Controller immediately if, in Processor’s reasonable opinion, an Instruction breaches the Data Protection Legislation.
3.5. Processor shall, having regard to the reasonably available state of the art of technological development, the nature of the Processing, the cost of implementation and the material risk to the rights of the affected Data Subjects take appropriate technical and organizational measures to adequately protect Controller’s Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure taking into account the nature of the Processing,
3.6. The Processor has set out below a summary of those technical and organizational measures adopted in the provision of the Services:
3.6.1. Passwords are encrypted, alongside offsite backups and the service itself can only
3.6.2. be accessed by a secure protocol (https); and
3.7. All authentication methods to end channels (social media) are implemented using official methods and APIs, with Processor never seeing the user’s credentials; and all equipment is physically secure.
3.8. The Controller acknowledges that the technical and organizational measures set out above are subject to technical progress and development. Processor may implement without advance notification to the Controller adequate alternative measures, providing these are no less adequate than the level of security provided by those they replace. Updated measures shall be incorporated into this Data Processing Agreement and made available on the Website of the Processor.
3.9. If Processor becomes aware of known or suspected breaches of security leading to or which may have led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that Processor has Processed (“Personal Data Breach,”) Processor shall as far as reasonably possible provide Controller with a description of the Personal Data Breach, the Personal Data that was the subject of the Personal Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information Controller may reasonably request relating to the Personal Data Breach.
3.10. In the event of a Personal Data Breach, Processor will without undue delay
3.10.1. take action immediately to investigate the Personal Data Breach and to identify, prevent recurrence and make reasonable efforts to mitigate the effects of any such Personal Data Breach; and
3.10.2. to carry out any recovery or other action necessary to remedy the Personal Data Breach.
3.11. Processor shall not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach in respect of Controller’s Personal Data without Controller’s prior written approval.
3.12. Controller agrees that a security incident that that does not lead to any unauthorised access to Personal Data of the Controller will not be subject to disclosure pursuant to clause 3.9. Examples of such incidents are port scans, denial of service attacks, pings and other such broadcast attacks on firewalls and unsuccessful log-on attempts.
3.13. The Processor shall ensure that all personnel who have access to Personal Data belonging to Controller under the terms of this Data Processing Agreement maintain confidentiality and that such obligations are contractually imposed. Processor shall ensure that access to Controller’s Personal Data is limited to those persons who need access in order to meet the Processor’s obligations under this Data Processing Agreement and that such access is only granted to such parts of the Controller’s Personal Data as is strictly necessary in relation to that person’s particular duties. Processor shall ensure that all personnel who have access to the Personal Data are reliable and have undertaken training appropriate to their role in relation to the handling of Personal Data and applicable Data Protection Legislation.
3.14. Processor shall maintain records of all Personal Data Processing activities carried out on behalf of Controller.
3.15. Processor shall, on request, take reasonable steps to demonstrate to the Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation.
3.16. Processor will immediately notify Controller of any monitoring, auditing or control activities and measures undertaken by a supervisory authority and shall as far as reasonably possible, assist the Controller in responding to such activities by the supervising authority.
3.17. The Personal Data will be processed and used by Processor exclusively within the UK or a territory of a member state of the European Union or the European Economic Area. Any transfer of Personal Data to a third country requires the prior written consent of Controller.
3.18. Processor acknowledges and agrees that all right, title and interest in Controller’s Personal Data (including all intellectual property rights subsisting therein) shall vest solely in Controller unless anonymised in accordance with the Contract.
3.19. Processor shall permit a supervisory authority to access its premises, computer and other information systems, records, documents and records (where permitted by applicable Data Protection Legislation) to enable the supervisory authority to satisfy themselves that Processor is complying with its obligations under this Data Processing Agreement and the Data Protection Legislation.
4. Obligations of Controller
4.1. Controller is responsible for ensuring that the processing of Personal Data is fair and lawful and in accordance with the data subjects’ rights. The Controller shall ensure that it has a lawful basis for the processing of the Personal Data at all time.
4.2. The Controller warrants that it is entitled to provide the Personal Data to the Processor and shall ensure that the Personal Data is accurate.
4.3. Controller hereby indemnifies Processor against all claims, and other applicable actions brought by any Data Subject where Controller has processed Personal Data other than in accordance with the Data Protection Legislation.
4.4. Any additional reasonable costs arising in connection with the return or deletion of Personal Data after the termination or expiration of this Contract shall be borne by Controller.
5. Enquiries by Data Subjects
5.1. Where Controller is obliged, under the Data Protection Legislation, to provide information to an individual or a government, regulatory or supervisory authority about the Processing of his or her Personal Data, Processor shall assist Controller in making this information available promptly and no later than 10 working days from receipt of such written request from the Controller and subject to the Controller reimbursing the Processor for the cost of the same.
5.2. If a Data Subject should apply directly to Processor to request access to, or the rectification, erasure, restriction or portability of, his Personal Data, or to object to the Processing of his Personal Data, Processor will forward this request to Controller without delay, and no later than 5 working days after receipt. Processor will only correct, delete or block the Personal Data Processed on behalf of Controller when instructed to do so in writing by the Controller and subject to the Controller reimbursing the Processor for the cost of the same.
6.1. A list of subcontractors used by the Processor in the Processing of the Personal Data is set out below:
- MailJet (USA) – https://www.mailjet.com – used to send email communications to customers.
- VooDoo SMS (UK) – https://voodoosms.com – used to send and receive SMS communications to/from customers
- Twilio (USA) – https://www.twilio.com/ – used to send and receive SMS communications to customers.
- Digital Ocean (USA) – https://www.digitalocean.com/ – used for data hosting and servers that power the Services
- Amazon Web Services (USA) – https://aws.amazon.com – used for data hosting and servers that power the Services
- SnapShooter (UK) – https://snapshooter.io – used for offsite database backups.
- Intercom (USA) – https://www.intercom.com – used for customer support (including live chat) and user onboarding
- Active Campaign – https://www.activecampaign.com/ – used for email marketing and lead capturing
- Google (Gmail & Data Studio) – used for email & reporting
- Mailtrack – used for email open tracking
- CapsuleCRM – used as a CRM
6.2. The Processor shall contractually require its subcontractors to comply with obligations that are substantially similar to those set forth in this Data Processing Agreement, including in particular, but not limited to, the contractual requirements for confidentiality, data protection and data security. Processor shall restrict subcontractor’s access to Personal Data of the Controller to the extent necessary for them to provide their services.
6.3. For the avoidance of doubt, where a subcontractor fails to fulfil its obligations under any sub-processing agreement, Processor will remain fully liable to Controller for the fulfilment of its obligations under this Data Processing Agreement.
7. Deletion and/or return of data and data retention
7.1. The Processor will retain all Personal Data of the Controller whilst the Controller maintains a contractual relationship with the Processor and utilises the Services of the Processor.
7.2. Within 30 days of the Controller ceasing to be a Customer of the Processor, the Processor will delete the Personal Data of the Controller in compliance with the Data Protection Legislation.
8.1. In the event that Processor;
8.1.1. is required by law, court order, warrant, subpoena, or other legal judicial process to disclose any of Controller’s Personal Data to any person other than Controller; or
8.1.2. receives any inquiry, communication, request or complaint from any governmental, regulatory or supervisory authority,
8.1.3. Processor shall immediately notify Controller in writing and shall subject to reimbursement of its costs, furnish all reasonable assistance in a timely manner to Controller to enable it to respond or object to, or challenge any such inquiries, communications, requests, or complaints and to meet applicable statutory or regulatory deadlines.
8.2. No change of or amendment to this Data Processing Agreement or any of its requirements, including any commitment issued by Processor, shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to this Data Processing Agreement. Any waiver of any provision of this Data Processing Agreement shall be recorded in written form.