Data Protection Addendum

Legal Documents

Terms & Conditions

Privacy Policy

Terms of Use

Data Protection Addendum

Acceptable Use Policy

HIPAA BAA

Master SaaS Agreement

GDPR Policy

Cookie Policy

HIPAA Privacy and Security Policy

Sandbox Policy

Legal Documents

Terms & Conditions

Privacy Policy

Terms of Use

Data Protection Addendum

Acceptable Use Policy

HIPAA BAA

Master SaaS Agreement

GDPR Policy

Cookie Policy

HIPAA Privacy and Security Policy

Sandbox Policy

Legal Documents

Legal Documents

Terms & Conditions

Privacy Policy

Terms of Use

Data Protection Addendum

Acceptable Use Policy

HIPAA BAA

Master SaaS Agreement

GDPR Policy

Cookie Policy

HIPAA Privacy and Security Policy

Sandbox Policy

This current consolidated Data Protection Addendum was published on [11th May 2023].

  1. Definitions
  1. This Data Protection Addendum is part of our Master SaaS Agreement and the other documents referred to within our Agreement and applies only to the extend applicable to the jurisdiction relevant to where we provide Services.
  2. The defined terms within the Master SaaS Agreement shall have the same meanings within this document, and the same rules of interpretation shall apply. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Controller
  1. has the meaning given to that term in Data Protection Laws;

Data Protection Laws
  1. means, as applicable to either party or the Services:
  1. the EU GDPR;
  2. the UK GDPR and the UK DPA 2018;
  3. the California Consumer Privacy Act 2018;
  4. the California Privacy Rights Act 2020;
  5. Virginia’s Consumer Data Privacy Act 2021
  6. the Australian Privacy Act 1988
  7. the Australian Privacy Principles;
  8. the Singapore Personal Data Protection Act 2012;
  9. any laws which implement or supplement any such laws; and
  10. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

Data Protection Losses
  1. means all liabilities arising directly or indirectly from any breach or alleged breach of any of the Data Protection Laws or of this Data Protection Addendum, including all:
  1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);
  2. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
  3. compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and/or
  4. costs of compliance with investigations by a Supervisory Authority;

Data Subject
  1. has the meaning given to that term in Data Protection Laws;

Data Subject Request
  1. means a request made by a Data Subject to exercise any rights of Data Subjects under applicable Data Protection Laws in relation to any Protected Data;

International Recipient
  1. means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph Error! Reference source not found. without the Customer’s prior written authorisation;

Lawful Safeguards
  1. means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

List of Sub-Processors
  1. means the latest version of the list of Sub-Processors used by the Supplier, as Updated from time to time, the list of which is available upon request;

Personal Data
  1. has the meaning given to that term in Data Protection Laws;

Personal Data Breach
  1. means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

processing
  1. has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);

Processing Instructions
  1. has the meaning given to that term in paragraph 3.1.1;

Processor
  1. has the meaning given to that term in Data Protection Laws;

Protected Data
  1. means Personal Data in the Customer Data;

Sub-Processor
  1. means a Processor engaged by the Supplier or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;

Supervisory Authority
  1. means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
  1. Processor and Controller
  1. The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
  2. To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with our Agreement.
  3. The Supplier shall process Protected Data in compliance with:
  1. the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under our Agreement; and
  2. the terms of our Agreement.
  1. The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with all Data Protection Laws relevant to the processing activities that are carried out within the relevant jurisdiction within which we provide our Services to the Customer.
  2. The Customer warrants, represents and undertakes, that at all times:
  1. the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respects with all Data Protection Laws, including in terms of its collection, use and storage;
  2. fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by all Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by the Supplier and its Sub-Processors in accordance with our Agreement;
  3. the Protected Data is accurate and up to date;
  4. it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person;
  5. all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
  6. it has undertaken due diligence in relation to the Supplier’s processing operations and commitments and it is satisfied (and at all times it continues to use the Services remains satisfied) that the Supplier’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Supplier to process the Protected Data.
  1. If the Supplier is subject to any applicable laws at any time that conflict with any of its obligations under this Data Protection Addendum, it may immediately terminate our Agreement by notice unless the conflict has been resolved to the Supplier’s satisfaction prior to such notice of termination.
  1. Instructions and details of processing
  1. Insofar as the Supplier processes Protected Data on behalf of the Customer, the Supplier:
  1. unless required to do otherwise by Data Protection Laws, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in our Agreement, as Updated from time to time (Processing Instructions);
  2. shall promptly inform the Customer if the Supplier becomes aware of a Processing Instruction that, in the Supplier’s opinion, infringes Data Protection Laws, provided that:
  1. this shall be without prejudice to paragraphs 2.4 and 2.5; and
  2. to the maximum extent permitted by applicable law, the Supplier shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.2.
  1. The Customer agrees that:
  1. the Supplier (and each Sub-Processor) is not obliged to undertake any processing of Protected Data that the Supplier believes infringes any of the Data Protection Laws and shall not be liable (or subject to any reduction or set-off of any Fees otherwise payable to the Supplier) to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under our Agreement as a result of not undertaking any processing in such circumstances; and
  2. without prejudice to any other right or remedy of the Supplier, in the event the Customer has not resolved any Processing Instruction notified to it under paragraph 3.1.2 such that it is lawful in the Supplier’s opinion within 14 days of such notification then such circumstances are a material breach of our Agreement by the Customer that cannot be remedied and the Supplier may terminate our Agreement in accordance with its terms.
  1. The Customer shall be responsible for ensuring all Authorised Affiliates and Authorised Users read and understand the Privacy Policy (as updated from time-to-time).
  2. The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the User Manual). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command the Supplier is under no obligation to seek to restore it.
  3. Subject to applicable Subscribed Service Specific Terms or the Order Form the processing of the Protected Data by the Supplier under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the schedule.
  1. Technical and organisational measures
  1. The Supplier shall implement and maintain technical and organisational measures in relation to the processing of Protected Data by the Supplier.
  2. The Supplier agrees to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with the Supplier’s Standard Pricing Terms. The parties have agreed that (taking into account the nature of the processing) the Supplier’s compliance with paragraph 6.1 shall constitute the Supplier’s sole obligations under this paragraph 4.2.
  1. Using staff and other Processors
  1. Subject to paragraph 5.2, the Supplier shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with our Agreement without the Customer’s prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).
  2. The Customer:
  1. authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and
  2. authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as updated from time to time. The Customer’s right to object to the appointment of a new Sub-Processor (or any change to any of the Sub-Processors).
  1. Assistance with compliance and Data Subject rights
  1. The Supplier shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay the Supplier for all work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at the Supplier’s rates applicable from time-to-time.
  2. The Supplier shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
  1. security of processing;
  2. notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,

provided the Customer shall pay the Supplier for all work, time, costs and expenses incurred the Supplier or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at the Supplier’s rates applicable from time-to-time.

  1. International data transfers
  1. The Customer hereby authorises the Supplier (or any Sub-Processor) to transfer any Protected Data for the purposes for which such data may be processed under our Agreement to any International Recipient(s) in accordance with paragraph Error! Reference source not found., provided all such transfers of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and our Agreement. The provisions of our Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to transfers in accordance with paragraph 3.1.1.
  2. The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to recipients or other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that the Supplier does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to recipients or other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with Data Protection Laws.
  1. Information and audit
  1. The Supplier shall maintain, in accordance with Data Protection Laws binding on the Supplier, written records of all categories of processing activities carried out on behalf of the Customer.
  1. Breach notification
  1. In respect of any Personal Data Breach, the Supplier shall, without undue delay (and in any event within 72 hours of the Supplier confirming that a Personal Data Breach has occurred):
  1. notify the Customer of the Personal Data Breach; and
  2. provide the Customer with details of the Personal Data Breach.
  1. Deletion of protected data and copies

Following the end of the provision of the Services (or any part) relating to the processing of Protected Data the Supplier shall dispose of Protected Data in accordance with its obligations under our Agreement. The Supplier shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.

  1. Compensation and claims
  1. THE SUPPLIER SHALL NOT BE LIABLE FOR DATA PROTECTION LOSSES (HOWSOEVER ARISING, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE) UNDER OR IN CONNECTION WITHIN OUR AGREEMENT, UNLESS AND ONLY TO THE EXTENT THAT:
  1. such loss is caused by the processing of Protected Data under our Agreement and directly resulting from the Supplier’s breach of our Agreement; and
  2. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer (including in accordance with paragraph 3.1.2(b)).
  1. The parties agree that the Customer shall not be entitled to claim back from the Supplier any part of any compensation paid by the Customer to the extent that the Customer is liable to indemnify or otherwise compensate the Supplier in accordance with our Agreement.
  2. This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
  1. to the extent not permitted by Data Protection Laws; and
  2. that it does not affect the liability of either party to any Data Subject.
  1. Survival

This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of the Supplier or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.


  1. DATA PROCESSING DETAILS

Subject-matter of processing:

The provision of the Services to the Customer by the Supplier.

Duration of the processing:

From the date of Order Acceptable until the earlier of final termination or final expiry of our Agreement, except as otherwise expressly stated in our Agreement.

Nature and purpose of the processing:

Processing in accordance with the rights and obligations of the parties under our Agreement; and as is reasonably required to provide the Services.

Type and Category of Personal Data:

Types of personal data

Where/Who we collect it from

Your contact details, including:

  • Name
  • Address
  • Email address
  • Telephone number/s
  • You

Personal information, including:

  • Date of birth
  • Gender
  • Lifestyle and social circumstances
  • You
  • Third parties with your consent

Identity information, including:

  • Moving images, still images and photographs
  • Videos
  • You
  • Third party service providers
  • Sanction screening providers
  • Publicly available registers

System and Platform usage and communication information, including:

  • User IDs and password information
  • IP addresses and device identifiers
  • Information about accounts you link to us e.g., LinkedIn
  • IP address, survey responses and how you use our website
  • Cookies on our website
  • You
  • Your use of our systems, software, apps, platforms, and via our IT systems (including automated monitoring)

Information collected during the administration activities of our business, including:

  • Complaints
  • Queries
  • Preferences regarding our use of your personal data
  • You
  • Third party service providers, such as healthcare providers and hospitals

 Special categories of Personal Data:

Special categories of personal data

Where/Who we collect it from

Sensitive personal information, including:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Health Data (including physical and mental health, test results, health concerns and conditions/diseases, dietary requirements, allergies, prescription drugs history and other drug taking history, activity levels)
  • Biometric data
  • You
  • Third parties with your consent