Whenever Cintelli Limited (“Cintelli”) handles any personal data from subscribers (as described below), and either (i) this data is about individuals in the European Economic Area (EEA) or (ii) the subscriber is based in the EEA, the rules of this Data Processing Addendum (“DPA”) apply to how that personal data is processed. If there is any conflict between the rest of the agreement and this DPA, this DPA takes priority.
Cintelli Limited and the Customer are each a “Party” and together “the Parties”.
WHEREAS
(A) The Customer acts as a Data Controller.
(B) The Customer wishes to subcontract certain Services, which involve the processing of personal data, to Cintelli as data processor (the “Data Processor”) pursuant to the Master Service and License Agreement (MSLA) and the Statement of Work (SOW), where applicable.
(C) The
Parties seek to implement this data processing agreement to comply with the
requirements of Data Protection Laws (as defined below).
IT IS
AGREED AS FOLLOWS:
1.
Definitions
and Interpretation
Except where otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meanings:
1.1.
“Agreement”
means this Data Processing Agreement and all Schedules;
1.2.
“Approved Subprocessor” means the
Subprocessors set out in Schedule 1 of this Agreement.
1.3.
“Customer Personal Data” means any Personal Data Processed by the Data Processor or a Subprocessor on behalf of the Customer pursuant to or in connection with the Master Service and License Agreement (MSLA) and the Statement of Work (SOW), where applicable;
1.4.
“Data
Protection Law” means the California Consumer Privacy Act (CCPA), the UK Data
Protection Law, the Swiss Data Protection Law, the EU General Data Protection Regulation (GDPR) and laws implementing
or supplementing the GDPR (each as applicable), as amended, replaced
or superseded from time to time.
1.5.
“EEA”
means the European Economic Area;
1.6.
“EU
Standard Contractual Clauses” means the European Commission-approved standard
contractual clauses for processors or any amendment or replacement thereto.
1.7.
“GDPR”
means EU General Data Protection Regulation 2016/679;
1.8.
"Restricted
Transfer” means a transfer of Customer Personal Data:
1.8.1.
from a data exporter subject to the GDPR which is only permitted in accordance with the GDPR if a Transfer Mechanism is applicable to that transfer (“EEA Restricted Transfer”);
1.8.2.
from a data exporter subject to the UK GDPR which is only permitted in accordance with UK Data Protection Law if a Transfer Mechanism is applicable to that transfer (“UK Restricted Transfer”); or
1.8.3.
from a data exporter subject to Swiss Data Protection Law which is only permitted in accordance with the Swiss Data Protection Law if a Transfer Mechanism is applicable to that transfer (“Swiss Restricted Transfer”).
For the avoidance of doubt, if the data exporter exports
personal data from the EEA, the United Kingdom, or Switzerland, there will not
be a Restricted Transfer where:
1.8.4.
the
jurisdiction to which the personal data is transferred has been approved by the
European Commission pursuant to Article 25(6) of the EC Directive 95/46 or
Article 45 of the GDPR or, as applicable, an equivalent provision under UK Data
Protection Law or Swiss Data Protection Law, as ensuring an adequate level of
protection for the processing of personal data (an "Adequate
Country"); or
1.8.5.
the transfer falls within the terms of a derogation as set out in Article 49 of the GDPR, the UK GDPR or a similar provision under Swiss Data Protection Law (as applicable); or
1.8.6.
insofar as and to the extent that the GDPR applies to a particular transfer, the data importer falls within the territorial scope of application of the GDPR in accordance with Article 3 of the GDPR.
1.9.
“Services”
means the services the Processor provides pursuant to the Master Service and License Agreement (MSLA) and the Statement of Work (SOW), where applicable, between the Customer
and the Data Processor.
1.10.
“Standard
Contractual Clauses” means the Standard Contractual Clauses (processors)
approved by European Commission Decision (EU) 2021/914 of 4 June 2021 or any
subsequent version thereof released by the European Commission (which will
automatically apply).
1.11.
“Subprocessor” means any person appointed by
Data Processor to process Customer Personal Data on behalf of the Customer in
connection with the Agreement.
1.12.
"UK
Data Protection Law" means all laws relating to data protection, the
processing of personal data, privacy, and/or electronic communications in force
from time to time in the United Kingdom, including the UK GDPR, the UK Data
Protection Act 2018 and the UK Privacy and Electronic Communications
Regulations 2003.
1.13.
"UK
GDPR" has the meaning defined in the UK Data Protection Act 2018.
1.14.
"UK Standard Contractual Clauses" means the International Data Transfer Agreement Version A1.0, in force from 21 March 2022 and issued by the Information Commissioner's Office.
1.15.
“writing”, and any cognate expression,
includes a reference to any communication effected by electronic or facsimile
transmission or similar means.
1.16.
The
terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal
Data Breach”, “Processing” and “Supervisory Authority” shall have the same
meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.
Processing
of Customer Personal Data
2.1.
Data Processor shall, and to the extent relevant shall ensure that its personnel and Subprocessors shall:
2.1.1.
comply
with all applicable Data Protection Laws in the Processing of Customer Personal
Data;
2.1.2.
not Process Customer Personal Data other than on the Customer’s documented instructions, as set out in the Master Service and License Agreement (MSLA) and the Statement of Work (SOW), where applicable, and in this Agreement, and as may be provided in writing from time to time;
2.1.3.
take reasonable steps to ensure the reliability of any employee, agent or contractor of the Data Processor or any Subprocessor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Master Service and License Agreement (MSLA) and the Statement of Work (SOW), where applicable, and to comply with Data Protection Laws in the context of that individual’s duties to the Data Processor or Subprocessor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
2.1.4.
taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement in relation to the Customer Personal Data appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Data Processor shall take account in particular of the risks presented by the Processing, in particular the risk of a Personal Data Breach.
2.1.5.
not appoint (or disclose any Customer Personal Data to) any Subprocessor without: (a) undertaking appropriate due diligence to ensure that such Subprocessor can meet the security obligations set out in Clause 2.1.4; and (b) ensuring that the Subprocessor is engaged pursuant to a contract with terms no less restrictive than this Clause 2. For the avoidance of doubt, the Customer authorises the Approved Subprocessors listed in Schedule 1. Data Processor shall remain liable at all times during the course of this Agreement for the acts and omissions of all Subprocessors. Cintelli will post a notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor, on its website.
2.1.6.
taking
into account the nature of the Processing, Data Processor shall assist the Customer
by implementing appropriate technical and organisational measures, insofar as
this is possible, for the fulfilment of the Customer obligations to respond to
requests to exercise Data Subject rights under the Data Protection Laws;
2.1.7.
promptly
notify the Customer if it receives a request from a Data Subject under any Data
Protection Law in respect of Customer Personal Data and ensure that it does not
respond to that request except on the documented instructions of the Customer
or as required by applicable laws to which the Data Processor is subject, in
which case Data Processor shall to the extent permitted by applicable laws
inform the Customer of that legal requirement before the Data Processor
responds to the request;
2.1.8.
notify
Customer without undue delay upon Data Processor becoming aware of a Personal
Data Breach affecting Customer Personal Data, providing Customer with
sufficient information to allow the Customer to meet any obligations to report
or inform Data Subjects of the Personal Data Breach under the Data Protection Laws;
2.1.9.
co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach;
2.1.10.
provide reasonable assistance to the Customer with any data protection impact assessments, and with prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and the information available to, the Data Processor;
2.1.11.
promptly, and in any event within 20 business days of the date of cessation of any Services involving the Processing of Customer Personal Data, delete and procure the deletion of all copies of that Customer Personal Data, including from all Subprocessors. Such Services will only be considered to have ceased 60 days after the end of the subscription, to allow the Customer to download its Customer Personal Data;
2.1.12.
make
available to the Customer on request all information necessary to demonstrate
compliance with this Agreement, and shall allow for and contribute to audits,
including inspections, by the Customer or an auditor mandated by the Customer
in relation to the Processing of the Customer Personal Data by the Data
Processor or Subprocessors. The information and audit rights of the Customer
under this clause 2.1.12 only arise to the extent that the Agreement does not
otherwise give the Customer information and audit rights meeting the relevant
requirements of Data Protection Law;
3.
Restricted
Transfers
3.1.
The
Parties will have in effect a Transfer Mechanism in respect of any Restricted
Transfer.
3.2.
Without prejudice to Clause 3.1, in the event of an EEA Restricted Transfer or a Swiss Restricted Transfer whereby Customer Personal Data is transferred from a data exporter acting as a controller to a data importer acting as a processor, the Parties shall comply with the EEA Controller to Processor SCCs, provided that, for any Swiss Restricted Transfer, the EEA Controller to Processor SCCs shall apply.
3.3.
Without
prejudice to Clause 3.1, in the event of an EEA Restricted
Transfer or Swiss Restricted Transfer whereby Customer Personal Data is
transferred from a data exporter acting as a processor to a data importer
acting as a controller, the Parties shall comply with the EEA Processor to Controller
SCCs provided that, for any Swiss Restricted Transfer, the EEA Processor to
Controller SCCs shall apply.
3.4.
Without
prejudice to Clause 3.1, in the event of a UK Restricted
Transfer, whereby Customer Personal Data is transferred from a data exporter
acting as a controller to a data importer acting as a processor, the applicable
UK Standard Contractual Clauses shall apply.
3.5.
Without
prejudice to Clause 3.1, in the event of a UK Restricted
Transfer, whereby Customer Personal Data is transferred from a data exporter
acting as a processor to a data importer acting as a controller, the applicable
UK Standard Contractual Clauses shall apply.
3.6.
The Customer agrees that where Cintelli engages a Subprocessor in accordance with Clause 2 for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of Customer Personal Data within the meaning of Chapter V of the GDPR or the UK GDPR, Cintelli and the Subprocessor may ensure compliance with (i) Chapter V of the GDPR by using the EEA Processor to Processor SCCs and (ii) Chapter V of the UK GDPR by using the applicable UK Standard Contractual Clauses, provided in each case that the conditions for the use of those Standard Contractual Clauses are met. Where any update or amendment to, or replacement of, a Transfer Mechanism is approved by the competent authority or authorities (including, where applicable, the European Commission, a UK Government Department or a competent regulatory authority) during the Term (a “New Transfer Mechanism”), the New Transfer Mechanism will be deemed to replace the applicable Transfer Mechanism under this Agreement from the date on which Cintelli issues notice to the Customer, and shall be deemed to take effect and be binding on the Parties from the date stipulated in such notice.
4.
General
Terms
4.1.
Confidentiality.
Each Party must keep this Agreement, and any information it receives about the other Party and its business in connection with this Agreement, confidential, and must not use or disclose such information without the prior written consent of the other Party, except to the extent that:
(a) disclosure is required by law; or
(b) the relevant information is already in the public domain.
4.2.
Notices.
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as is notified from time to time by a Party changing its address.
4.3.
Governing
Law and Jurisdiction. This Agreement is governed by the laws of England and
Wales. Any dispute arising in connection with this Agreement, which the Parties
will not be able to resolve amicably, will be submitted to the exclusive
jurisdiction of the courts of England and Wales.
4.4.
Term.
This Agreement shall commence on the date written on the signature page and
shall continue for such time until Data Processor and Subprocessors cease
Processing Customer Personal Data under the terms of the Master Service and License Agreement (MSLA) and the Statement of Work (SOW), where applicable.
5.
Severability
5.1.
If
any provision of this Agreement is held invalid, illegal, or unenforceable for
any reason by any Court of competent jurisdiction, such provision shall be
severed and the remainder of the provisions of this Agreement shall continue in
full force and effect as if this Agreement had been executed with the illegal
or unenforceable provision eliminated.
6.
Conflict
of Clauses
6.1.
Should
any clause of this agreement be found to conflict with any clause or other
provision contained within the relevant Standard Contractual Clauses, then the
clause or provision contained within the relevant Standard Contractual Clauses shall
prevail.
6.2.
No
clause or provision contained within this agreement or any other agreement
between the parties shall change the meaning of any definition nor change the
effect of any clause or provision contained within the relevant Standard
Contractual Clauses.
7.
Assignment
7.1.
Neither
party shall have the right to assign or subcontract any of its obligations or
duties under this agreement, without the prior written consent of the other
party, which consent shall be in the sole determination of the party with the
right to consent.
8.
Survival
of Causes of Action
8.1.
The
termination of this Agreement howsoever occurring shall not affect the rights
and liabilities of the parties already accrued at such time nor affect the
continuance in force of such of its provisions as are expressed as or capable
of having effect after such termination.
9.
Liability
and Indemnity
9.1.
The liability limits set out in the Master Service and License Agreement (MSLA) also apply to this DPA. This means that Cintelli's total liability under this DPA, including anything related to the Standard Contractual Clauses, together with any other liabilities under the MSLA, will not exceed the monetary limits and liability restrictions stated in the MSLA.
A. List of Parties
Data exporter:
Name:
The Customer, as defined in the Matters.Cloud Terms
of Service (on behalf of itself and Permitted Affiliates)
Address:
The Customer's address, as set out in the Order Form
Contact
person’s name, position and contact details: The
Customer's contact details, as set out in the Order Form and/or as set out in
the Customer’s Matters.Cloud Account
Activities
relevant to the data transferred under these Clauses: Processing of Personal
Data in connection with Customer's use of the Matters.Cloud
Subscription Services under the Matters.Cloud Terms
and Conditions.
Role
(controller/processor): Controller (either as the Controller; or acting in the
capacity of a Controller, as a Processor, on behalf of another Controller)
Data importer:
Name: Cintelli
Limited
Address: 1 Cedar Office Park, Cobham
Road, Wimborne, England, BH21 7SB, United Kingdom.
Contact
person’s name, position and contact details: Fraser
Mayfield, CEO, Cintelli Limited, 1 Cedar Office Park,
Cobham Road, Wimborne, England, BH21 7SB, United Kingdom.
Activities
relevant to the data transferred under these Clauses: Processing of Personal
Data in connection with Customer's use of the Matters.Cloud
Subscription Services under the Matters.Cloud Terms
of Service
Role (controller/processor): Processor
B.
Description of Transfer
Categories of Data Subjects whose
Personal Data is Transferred
You
may submit Personal Data in the course of using the
Subscription Service, the extent of which is determined and controlled by you
in your sole discretion, and which may include, but is not limited to Personal
Data relating to the following categories of Data Subjects:
Your
Contacts and other end users including your employees, contractors,
collaborators, customers, prospects, suppliers and
subcontractors. Data Subjects may also include individuals attempting to
communicate with or transfer Personal Data to your end users.
Categories of Personal Data
Transferred
You may submit Personal Data to the
Subscription Services, the extent of which is determined and controlled by you
in your sole discretion, and which may include but is not limited to the
following categories of Personal Data:
1. Contact Information
2. Any other Personal Data submitted
by, sent to, or received by you, or your end users, via the Subscription
Service.
Sensitive Data transferred and applied
restrictions or safeguards
The parties do not anticipate the
transfer of sensitive data.
Frequency of the transfer
Continuous
Nature of the Processing
Personal
Data will be Processed in accordance with the Agreement (including this DPA)
and may be subject to the following Processing activities:
1. Storage and other Processing
necessary to provide, maintain and improve the Subscription Services provided
to you; and/or
2. Disclosure in accordance with the
Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further
processing
We
will Process Personal Data as necessary to provide the Subscription Services
pursuant to the Agreement, as further specified in the Order Form and/or
Statement of Work, and as further instructed by you in your use of the
Subscription Services.
Period for which Personal Data will be
retained
Subject to Clause 2.1.11 of this DPA (deletion of Customer Personal Data), we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
We
currently observe the Security Measures described in this Annex 2.
a) Access Control
i) Preventing Unauthorised Product Access
Hosted
service: We host our Service with outsourced cloud infrastructure providers. We
rely on contractual agreements, privacy policies, and vendor compliance
programs in order to protect data processed by these
vendors.
Physical
and environmental security: We host our product infrastructure with
multi-tenant, outsourced infrastructure providers. We do not own or maintain
hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications
are logically and physically secured from our internal corporate information
systems.
Authentication:
We implement a uniform password policy for our customer products. Customers who
interact with the products via the user interface must authenticate before
accessing non-public customer data.
Authorisation:
Customer Data is stored in multi-tenant storage systems accessible to Customers
via only application user interfaces and application programming interfaces.
Customers are not allowed direct access to the underlying application
infrastructure. The authorisation model in each of our products is designed to
ensure that only the appropriately assigned individuals can access relevant
features, views, application options.
Authorisation
to certain data sets is performed through validating the user’s permissions
against the attributes associated with each data set.
Application
Programming Interface (API) access: Public product APIs may be accessed using
an API key or through OAuth authorisation.
ii) Preventing
Unauthorised Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include security group assignment and traditional firewall rules.
Intrusion
detection and prevention: We implement a firewall solution to protect hosted
customer websites and other internet-accessible applications. The firewall is
designed to identify and prevent attacks against publicly available network
services.
iii) Limitations of
Privilege & Authorisation Requirements
Product
access: A subset of our employees have access to the products and to customer
data via controlled interfaces. The intent of providing access to a subset of
employees is to provide effective customer support, product development and
research, to troubleshoot potential problems, to detect and respond to security
incidents and implement data security.
Background checks: Where permitted by applicable law, employees undergo a third-party background or reference check. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements and ethical standards.
b) Transmission Control
In-transit: We require HTTPS (HTTP over TLS) on all login interfaces and, at no additional cost, on every customer site hosted on the Matters.Cloud system. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords in accordance with industry standard security practices, and we have implemented technologies to ensure that stored data is encrypted at rest.
c) Backup
Backup: Backup strategies are designed to ensure redundancy and fail-over protection during a significant processing failure. Customer data is backed up on a regular basis within the chosen data region.
To
help deliver the Subscription Service, we engage Sub-Processors to assist with
our data processing activities.
A
list of our Sub-Processors and our purpose for engaging them is located on our Matters.Cloud Sub-Processors Page available at www.matters.cloud/sub-processors