v010121
1.1 Unless defined otherwise in this DP Addendum, terms shall have the meaning set out in the other parts of this Agreement. In this DP Addendum:
‘Breach’ means a personal data breach involving the Customer PD. The UK and EU GDPR each defines ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
‘DSR Request’ means a request from a data subject to exercise a data subject right under the UK or EU GDPR or any applicable DP Law (‘DSR’) in respect of the Customer PD.
‘Sub-processor’ means any person who processes the Customer PD on behalf of Keepabl.
2.1 This DP Addendum applies exclusively to the processing by Keepabl, on behalf of the Customer, of the Customer PD. The Customer instructs Keepabl to process the Customer PD for the purposes of delivering the Services to the Customer (including customer and technical support) and the Customer’s use of the Services under this Agreement (‘Purpose’). This DP Addendum shall automatically terminate on the cessation of processing of the Customer PD by Keepabl.
2.2 The category of personal data to be processed by Keepabl is name and contact information of those individuals whom the Customer authorises to use the Services, and personal data incidental to the Customer’s use of Services. The categories of data subjects are the Customer’s officers, employees, consultants, agents, customers and investors.
3.1 As between the parties, the Customer is the controller of the Customer PD and the Customer shall determine the scope, purposes, and manner by which the Customer PD may be accessed or processed by Keepabl. The Customer warrants and represents that: it is, and will at all relevant times remain, duly and effectively authorised to give any and all instructions given to Keepabl under this Agreement; it has all necessary rights to provide the Customer PD to Keepabl for the processing to be performed; it has obtained any necessary data subject consents to the processing under this Agreement, and it shall maintain a record of such consents in compliance with applicable DP Laws.
3.2 The Customer acknowledges and agrees that:
3.2.1 the Customer is responsible for determining what personal data is entered into and removed from the Services, for backing up Customer PD, and for the security of any access credentials for the Services including any username and password;
3.2.2 Keepabl is not in a position to assess what measures are appropriate relating to specific Customer PD stored in or transmitted through the Services; and
3.2.3 as the Services comprise the offering of a one-to-many, software-as-a-service compliance platform and consulting services (not a data storage or transmission service), the Customer PD stored in or transmitted through the Services is likely to be low-level contact data of the Customer’s end users or employees.
3.3 Should any relevant consent be revoked by the data subject, the Customer is responsible for communicating the fact of such revocation to Keepabl. Keepabl’s responsibility for implementing any such instruction is limited to and solely regarding the provision of Services to the Customer.
4.1 Save that Keepabl is allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the Purposes (subject to the requirements of this DP Addendum), Keepabl will only process the Customer PD on the Customer’s documented instructions in such manner as, and to the extent that this is appropriate for, the provision of the Services except as required to comply with a legal obligation to which Keepabl is subject. In such a case, Keepabl shall inform the Customer of that legal obligation before the processing, unless that law prohibits Keepabl providing such information to the Customer.
4.2 Keepabl will immediately inform the Customer if, in its opinion, a Customer’s instruction infringes the UK GDPR or EU GDPR.
4.3 Where not expressly dealt with by this DP Addendum, and taking into account the nature of processing and the information available to Keepabl, Keepabl shall assist the Customer, at the Customer’s cost and insofar as reasonably possible, for the fulfilment of the Customer’s obligations under Articles 32 to 36 of the UK and EU GDPRs, including to provide reasonable assistance with any data protection impact assessment and prior consultation with Supervising Authorities or other competent data privacy authority which the Customer reasonably considers to be required by the UK or EU GDPR or equivalent provisions of any other DP Law.
5.1 Keepabl shall ensure that persons authorised to process the Customer PD have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.1 Taking into account the information available to each party, the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Customer and Keepabl shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Customer PD appropriate to the risk including, inter alia, as appropriate:
6.1.1 the pseudonymisation and encryption of personal data;
6.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.1.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
6.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6.2 In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
6.3 The Customer has reviewed Keepabl’s security measures and agrees that Keepabl has implemented technical and organisational security measures that are appropriate to protect the Customer PD processed under this Agreement.
6.4 The Customer and Keepabl shall take steps to ensure that any natural person acting under their respective authority who has access to the Customer PD does not process them except on the Customer’s instructions unless they are required to do so by applicable UK, EU or Member State law.
7.1 On becoming aware of a Breach, Keepabl shall (without constituting acceptance of any liability for the Breach):
7.1.1 notify the Customer without undue delay and provide the Customer with such information as Keepabl is able to provide to allow the Customer to meet any obligations under applicable DP Laws to report to, or inform, regulators or data subjects of the Breach; and
7.1.2 cooperate with the Customer as reasonably requested with regard to any Breach to enable the Customer to perform a reasonable investigation into the Breach and formulate an appropriate response.
7.2 The notification in paragraph 7.1 shall contain at least:
7.2.1 a description of the nature of the Breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
7.2.2 the name and contact details of Keepabl’s data protection officer (if designated) or other contact point where more information can be obtained;
7.2.3 a description of the likely consequences of the Breach; and
7.2.4 a description of the measures taken or proposed to be taken by Keepabl to address the Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.3 Where and insofar as it is not possible to provide the information in paragraph 7.2 at the same time, it shall be provided in phases without undue delay.
8.1 The Customer authorises Keepabl to engage the Sub-processors set out in Keepabl’s list of Sub-processors provided to the Customer as at the Effective Date. Keepabl shall inform the Customer of any proposed changes concerning the addition or replacement of Sub-processors, giving the Customer the opportunity to object to such changes. Keepabl remains liable under this Agreement for any Sub-processor that fails to fulfil its data protection obligations.
8.2 If, within thirty days of notification by Keepabl under paragraph 8.1 of any proposed addition to the Sub-processors or replacement of a Sub-processor, the Customer objects to the proposed change, Keepabl shall inform the Customer if (in Keepabl’s sole discretion) a change in the provision of the Services which avoids the use of that proposed Sub-processor is available. Where such a change cannot be made or agreed within thirty days from receipt of the Customer’s objection, notwithstanding anything in any other part of this Agreement, within a further period of thirty days either party may by notice to the other party terminate this Agreement with immediate effect as the sole remedy for such change or proposed change.
8.3 Where Keepabl engages a Sub-processor, the same data protection obligations as set out in this DP Addendum shall be imposed on that Sub-processor by way of a contract or other legal act under UK, EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the UK and EU GDPR as applicable.
9.1 Taking into account the nature of the processing, the Customer agrees that Keepabl has put in place appropriate technical and organisational measures to assist the Customer in the fulfilment of the Customer’s obligations to respond to DSR Requests, namely that Keepabl shall:
9.1.1 promptly notify the Customer if Keepabl or a Sub-processor receives a DSR Request;
9.1.2 provide functionality for the Customer to review, rectify, delete or export any of the Customer PD; and
9.1.3 not, and shall take reasonable steps to ensure that any Sub-processor does not, respond to that DSR Request except on the Customer’s documented instructions or as required by applicable DP Laws, in which case Keepabl shall (to the extent permitted by the applicable law) inform the Customer of that legal requirement before Keepabl or the Sub-processor responds to the DSR Request.
10.1 The Customer agrees that Keepabl may transfer the Customer PD outside the UK (regarding the UK GDPR) and outside the European Economic Area (regarding the EU GDPR) as part of Keepabl’s arrangements to deliver the Services and its legitimate business interests provided that Keepabl gives prior notice to the Customer of any such transfer, identifying:
10.1.1 which of the Customer PD is transferred;
10.1.2 the jurisdiction to which it is transferred; and
10.1.3 the legal basis for the transfer to satisfy Chapter V of the respective GDPR, including an adequacy decision, binding corporate rules, and standard data protection clauses.
10.2 To the extent that Keepabl is relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held by a court of competent jurisdiction to be invalid, Keepabl shall identify and put in place a suitable alternate mechanism that can lawfully support the transfer or terminate the transfer.
11.1 Keepabl shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK and EU GDPR and, at the request and cost of the Customer, shall allow the Customer or another auditor mandated by the Customer who is not objected to by Keepabl on reasonable grounds (including that they are a competitor to Keepabl) and who has entered into a confidentiality agreement with Keepabl (‘Auditor’), to audit such measures. The Customer shall be entitled, on giving at least 14 days’ notice to Keepabl, to carry out or have carried out by an Auditor, an audit of Keepabl’s premises and operations to the extent they relate to the Customer PD.
11.2 Keepabl shall co-operate with such audits as reasonably requested and shall grant the Customer or its Auditor access to any person, premises, information and device involved with the processing of the Customer PD as may be reasonably required by the Customer or Auditor to ascertain Keepabl’s compliance with this DP Addendum and Article 28 of the UK and EU GDPR (‘Access’). Such information is to be treated as Keepabl’s Confidential Information.
11.3 As conditions for any such audit: it may only be carried out during Business Hours and may not cause disruption to Keepabl’s business or provision of Services to another customer of Keepabl; it may only be carried out once in any twelve (12) month period unless (a) a Breach has occurred, or (b) the Customer is required or requested by a supervisory authority or any similar regulatory authority to carry out an audit; and no individual will be granted Access unless he or she produces reasonable evidence of identity and authority and agrees to abide by Keepabl’s relevant policies and procedures.
12.1 The Customer instructs Keepabl to delete all the Customer PD on expiry or termination of the Agreement under which the Services are provided or, if earlier, on the Customer’s instruction. Such deletion shall be effected within ninety (90) days of such expiry, termination or instruction and include deletion of any copy of the Customer PD unless (and only to the extent) that either: UK, EU or Member State law requires retention by Keepabl of the Customer PD; or any of the Customer PD is processed for the provision of other products or services by Keepabl to the Customer. Keepabl shall notify all third parties supporting its own processing of the deletion or return of the Customer PD under this paragraph 12.1 and the Customer agrees that all such third parties shall delete or destroy the Customer PD as if this paragraph 12.1 applied to that third party.
12.2 Keepabl shall have no liability arising out of or as a result of deleting the Customer PD in accordance with paragraph 12.1 and the Customer agrees that it is solely responsible for downloading such of the Customer PD that the Customer wishes to retain prior to such expiry, termination or instruction.