DATA PROTECTION AGREEMENT
- Definitions and interpretation
The following definitions and rules of interpretation apply in this Data Protection Agreement (DPA).
- Definitions:
“Agreement” | either (a) the online terms and conditions or (b) an Enterprise Agreement between the Customer and the Supplier (whichever applies) depending upon the subscription and service level the Customer has selected, including the Terms |
“Application” | the online software and tools known as Cyclr or ConnectorEngine (as applicable) provided by the Supplier including any updates the Supplier may make from time to time |
“Authorised Persons” | the persons or categories of persons that the Customer authorises to give the Supplier personal data processing instructions |
“Business Purposes” | the services described in the Agreement |
“Customer” | a party to the Agreement with the Supplier |
“Customer Client” | a client of the Customer |
“Customer Client Data” | Personal Data owned and controlled by the Customer Client |
“Data Protection Legislation” | to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data including the UK GDPR, the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or provider is subject, which relates to the protection of Personal Data |
“Data Subject” | an individual who is the subject of Personal Data |
“EU GDPR” | the General Data Protection Regulation ((EU) 2016/679) |
“EU Standard Contractual Clauses (EU SCCs)” | the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries, as set out in the ‘Annex to the Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679’ (or such alternative clauses as may be approved by the European Commission from time to time), a link to which is set out in Annex 2. |
“ICO” | the Information Commissioner’s Office, which is the UK’s independent body set up to uphold information rights and promote good practice in handling personal data and guidance on data protection |
“International Data Transfer Addendum to the EU SCCs (the Addendum)” | the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses as set out in EU Commission Decision 2010/87/EU, issued by the UK ICO, for the transfer of Personal Data from the UK to processors established in third countries (controller-to-processor transfers) issued under Section 119A(1) of the Data Protection Act 2018 and in compliance with Article 46 of the UK GDPR (or such alternative clauses as may be approved by the ICO from time to time) a link to which is set out in Annex 2. |
“Personal Data” | any information relating to an identified or identifiable natural person that is processed by the Supplier as a result of, or in connection with, the provision of the services under the Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person |
“Processing, processes and process” | either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties |
“Personal Data Breach” | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed |
“Supplier” | Cyclr Systems Limited, 12-16 Addiscombe Road, C/O Sussex Innovation Centre, Office 6-10, Croydon, England CR0 0XT |
“Terms” | the terms and conditions between the Supplier and Customer |
“UK GDPR” | has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 |
- This DPA is subject to the Terms of, and is incorporated into, the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.
- The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
- A reference to writing or written includes email.
- In the case of conflict or ambiguity between:
- any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
- the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
- any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and
- any of the provisions of this DPA and any executed SCCs, the provisions of the executed SCCs will prevail.
- The Customer and the Supplier have entered into the Agreement pursuant to which the Supplier provides to the Customer the Application for the Customer to incorporate into its product or service offering in order to facilitate application integration.
- Under certain situations as described herein the Customer may require the Supplier to process Personal Data on behalf of the Customer.
- This DPA sets out the additional terms, requirements and conditions on which the Supplier will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by the Data Protection Legislation for contracts between controllers and processors.
- Personal data types and processing purposes
- The parties acknowledge that Supplier’s Application hosts data including Personal Data on behalf of the Customer in the United Kingdom, Germany, Australia or United States according to the Customer’s hosting choice. Under an Enterprise Agreement the Customer may, subject to availability, also elect alternative geographic hosting locations that the Supplier will deliver as directed by the Customer. The Customer (or the Customer’s Clients) may give instructions through the Application to transfer Personal Data to and from third party-hosted environments. For the purposes of the Data Protection Legislation the Customer is the Data Controller and the Supplier and Customer may each be a Data Processor, depending on the processing activity: the Supplier is the Data Processor for Personal Data while it is hosted and processed on behalf of the Customer in the Application, and the Customer is a Data Processor in so far as it provides instructions regarding the adaptation of Personal Data and the transfer of Personal Data to and from third party-hosted environments (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
- Without prejudice to the generality of clause 3.1, the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including ensuring that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this Agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this Agreement on the Customer’s behalf and, without limitation, the Customer shall ensure that all Customer Clients have been informed of, and have given and maintained their consent to permit access, monitoring, use and disclosure of all Customer Client Data by the Customer or the Supplier in accordance with this Agreement and for the processing instructions it gives to the Supplier.
- Annex 1 describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Supplier may process to fulfil the Business Purposes of the Agreement.
- The Supplier will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Supplier will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. In relation to Personal Data processed by the Supplier, the Supplier shall notify the Customer if, in its opinion, the Customer’s instruction to process would not comply with the Data Protection Legislation. However the Customer hereby acknowledges that where pursuant to clause 3.1 the Customer is the Data Processor in relation to instructions to transfer Personal Data into and out of the Application environment, the Customer is responsible for monitoring compliance with the Data Protection Legislation.
- The Supplier will promptly comply with any Customer request or instruction requiring the Supplier to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
- The Supplier will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Supplier to process or disclose Personal Data, the Supplier must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
- The Supplier will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Supplier’s processing and the information available to the Supplier, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
- The Supplier will promptly notify the Customer of any changes to Data Protection Legislation that may adversely affect the Supplier’s performance of the Agreement.
- The Supplier will ensure that all employees:
- are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
- have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
- are aware both of the Supplier’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
- The Supplier will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of the Supplier’s employees with access to the Personal Data.
- The Supplier will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex 3. The Supplier shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
- The Supplier will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable.
- The Supplier will immediately and without undue delay notify the Customer if it becomes aware of:
- any accidental, unauthorised or unlawful processing of the Personal Data; or
- any Personal Data Breach.
- Where the Supplier becomes aware of 7.2.1 and/or 7.2.2 above, it shall, without undue delay, also provide the Customer with the following information:
- description of the nature of 7.2.1 and/or 7.2.2, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- the likely consequences; and
- description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
- Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter.
- The Supplier will not inform any third party of any Personal Data Breach without first obtaining the Customer’s prior written consent, except when required to do so by law.
- The Supplier agrees that the Customer has the sole right to determine:
- whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
- The Supplier will cover all reasonable expenses associated with the performance of its obligations under clause 7.2 and clause 7.4 unless the matter arose from the Customer’s specific instructions, negligence, wilful default or breach of this DPA, in which case the Customer will cover all reasonable expenses.
- The Supplier shall only be liable for damages incurred by the Customer in relation to a Personal Data Breach where the Supplier’s breach of its obligations under this DPA or the Data Protection Legislation has directly led to the event giving rise to the damages.
- Cross-border transfers of personal data
- Personal Data may be instructed to be transferred to a territory outside the UK or EEA by the Customer or Customer’s Client’s use of the Application. For the avoidance of doubt this is not a transfer by the Supplier and Supplier has no control of such a transfer made by the Customer or Customer’s Client using the Application for this purpose.
- The Supplier shall not itself transfer or otherwise process Personal Data outside the UK and European Economic Area (EEA) without obtaining the Customer’s prior written consent, in the form of a signed Agreement to supply Services or other written (including email) instruction from the Customer.
- Where such consent is granted under clause 8.2, the Supplier may only process, or permit the processing, of Personal Data in territories outside the UK or EEA under the following conditions:
- the Supplier is processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The Supplier must identify in Annex 1 the territory that is subject to such an adequacy finding; or
- the Supplier participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Supplier (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR or the EU GDPR. The Supplier will identify in Annex 1 the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Supplier must immediately inform the Customer of any change to that status; or
- the transfer otherwise complies with the Data Protection Legislation for the reasons set out in Annex 1.
- The Supplier may only authorise a third party (subcontractor) to process the Personal Data if:
- the Customer is provided with an opportunity to object to the appointment of each subcontractor within 30 days after the Supplier supplies the Customer with full details regarding such subcontractor;
- the Supplier has entered into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures;
- the Supplier maintains control over all Personal Data it entrusts to the subcontractor; and
- the subcontractor’s contract terminates automatically on termination of this DPA for any reason.
- Those subcontractors approved as at the commencement of this DPA are as set out in Annex 1.
- Where the subcontractor fails to fulfil its obligations under such written agreement, the Supplier remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.
- Complaints, data subject requests and third party rights
- The Supplier will, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.
- The Supplier must notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
- The Supplier must notify the Customer within 10 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
- The Supplier will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
- The Supplier must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer’s request or instruction, as provided for in this DPA or as required by law.
- This DPA will remain in full force and effect so long as:
- the Agreement remains in effect; or
- the Supplier retains any Personal Data related to the Agreement in its possession or control (Term).
- Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
- Data return and destruction
- At the Customer’s request, the Supplier will give the Customer a copy of or access to all or part of the Customer’s Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
- On termination of the Agreement for any reason or expiry of its term, the Supplier will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this DPA in its possession or control.
- If any law, regulation, or government or regulatory body requires the Supplier to retain any documents or materials that the Supplier would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
Annex 1 Personal Data Processing Purposes and Details
Subject matter of Processing: to enable the Customer to provide integrations between its own application and any other application of its choosing using the Application. The functions of the Application are as described in the Agreement.
Duration of Processing: for the duration of the Agreement.
Nature of Processing: as determined by the Customer through their use of the Application.
Business Purposes: as determined by the Customer through their use of the Application.
Personal Data Categories: as determined by the Customer through their use of the Application.
Data Subject Types: as determined by the Customer through their use of the Application.
Authorised Persons: as determined by the Customer through their use of the Application.
Cross-border transfers
If relevant, the Supplier’s legal basis for processing Personal Data between the EEA and third countries in order to comply with cross-border transfer restrictions would be module 3 of the EU Standard Contractual Clauses between Customer as “data exporter” and Supplier as “data importer” per Annex 2.
If relevant, the Supplier’s legal basis for processing Personal Data between the UK and third countries in order to comply with cross-border transfer restrictions would be the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses as per Annex 2.
Approved Subcontractors:
Hosting Services – Start-Up and Growth Plans: Start-Up and Growth Plans are offered in the Supplier’s shared service environments for which Cyclr uses Amazon Web Services – the Customer has the option to choose between multiple locations: UK (London), USA (North Virginia), Europe (Frankfurt) and Australia (Sydney).
Hosting Services – Scale Plans: Scale Plans are typically Private Cloud deployments and the Customer can select between Amazon Web Services or Microsoft Azure. Geographic location of hosting is determined directly by Customer selection. Where a Customer selects Microsoft Azure the Supplier additionally deploys elastic.co in proximity to the geographic location selected for Microsoft Azure.
Supporting the Customer from within the Application: Zendesk
Charging the Customer (if applicable): Chargebee
Annex 2 Standard Contractual Clauses
According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries and from the UK to third countries. This includes model contract clauses, the standard contractual clauses (SCCs) that have been “pre-approved” by the European Commission.
EU SCCs
On 4 June 2021, the Commission issued the following modernised standard contractual clauses under the EU GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR):
https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf
UK SCCs
The International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international transfers (the Addendum) was issued by the ICO under Section 119A(1) of the Data Protection Act 2018, on 21 March 2022.
The Addendum replaces use of the UK Standard Contractual Clauses (based on the old set of EU SCCs) as a transfer tool for organisations transferring personal data outside the UK. The Addendum takes into account the binding judgement of the European Court of Justice (in the case commonly referred to as ‘Schrems II’) and complies with Article 46 of the UK GDPR.
https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
Annex 3 Security Measures
Physical Access Controls
The Application runs in secure data centres operated by Amazon Web Services. Amazon Web Services policy in regards to Physical Access is as follows: Physical data centre access is granted only to approved employees and third parties. Such individuals who need data centre access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. Requests are reviewed and approved by authorised personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
System & Data Access Controls
Access to the Application is controlled by username and password. All passwords are stored in an encrypted form. Two factor authentication, requiring two separate, distinct forms of identification, is a mandatory procedure for all Customers when accessing the Application.
Supervisory and administrator access is restricted to authorised members of Cyclr staff with permission being granted by the CTO on demonstration of a legitimate customer support or system management requirement.
User access is controlled by the Customer themselves
Cyclr acts as a Data Processor when it comes to providing services to, and enacting the instructions of, our Customers. Customers are companies with a direct paid subscription to the Application, who in turn provide integration functionality to their own clients (the Customer Client).
Our obligations to Customers are either covered by our online terms and conditions or an independent Enterprise Agreement depending upon the subscription and service level the Customer has with Cyclr. We endeavour to regularly review and update our terms and conditions and contracts, and communicate any such amendments in a timely fashion.
Transmission Controls
We always encourage the use of https:// or TLS where possible when Customers are connecting to Cyclr or third party APIs, such that data is encrypted on the way into and out of the Application.
Whilst in the Application environment all data is encrypted.
Input Controls
The Application does not allow the direct input of data. The Application moves data provided through API calls – Get, Put Delete etc, inbound ‘webhook’ posts or FTP transfer.
Data Backups
There are daily data backups. Backup copies of the data are made to a secure location.
Data Segregation
Data for each Customer using the Application is segregated in such a way that transactions being processed for one Customer cannot be seen by another Customer.