Master Agreement Data Processing Addendum

Definitions

1.1       In this agreement, unless the text specifically notes otherwise, the following definitions have the meanings given below:

Consent is as defined in the Data Protection Laws

Contract means the Master Agreement between the Controller and Processor for the provision of services

Controller is the Customer as defined in the Contract and where they are also an organisation based in the UK or in a member state of the European Union

Data Protection Laws is the UK Data Protection Legislation and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications)

UK Data Protection Legislation: The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, the Data Protection Act 2018, the Privacy & Electronic Communications (EC Directive) Regulations 2003 and any other applicable UK laws or replacement legislation coming into effect from time to time

Personal Data means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Contract; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed

Processing, processes, process means any activity that involves the use of Personal Data or as the Data Protection Laws may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to a third party

Processor is the Supplier as defined in the Contract and is the Data Processor for this project, which is Keri Systems UK Ltd., 4 Grenville Avenue, Broxbourne, Hertfordshire, EN10 7DH, UK. Company registration number 03842772

Services means the services set out in Schedule 1 and the Contract

Sub-Processor means another processor engaged by the Processor for carrying out processing activities in relation to this agreement

Supervisory Authority means the Information Commissioner’s Office (ICO) in the United Kingdom

Terms of Agreement

2.1       The parties agree the above definitions of Controller and Processor and accept the roles described.

2.2       All processing of personal data by the Processor on behalf of the Controller shall be governed by this agreement and the terms obligations and rights set forth in this agreement relate directly to the data processing activities described in Schedule 1.

Obligations and Rights of the Processor

3.1       The Processor shall comply with the Data Protection Laws at all times and must:

  1. only process the Personal Data to the extent, and in such a manner, as is necessary for the Provision of the Services in accordance with the Controller’s written instructions. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Laws;
  2. promptly notify the Controller if, in its opinion, the Controller’s instruction would not comply with the Data Protection Laws;
  3. maintain the confidentiality of all Personal Data and not disclose Personal Data to third parties unless the Controller specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Processor to process or disclose Personal Data, the Processor must first inform the Controller of the legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice;
  4. ensure that any people or Sub-Processors processing the Personal Data are subject to a duty of confidentiality and that such persons comply at all times with the terms of this Agreement;
  5. Ensure that any natural person acting under their authority who has access to personal data does not process that data except on written instructions from the Controller;
  6. Use its best endeavours to safeguard and protect all Personal Data from unauthorised or unlawful processing including but not limited to accidental loss destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement;
  7. Ensure all processing meets the requirements of applicable Data Protection Laws;
  8. Ensure that where a Sub-Processor is used they:
    1. Only engage a new Sub-Processor with the prior written consent of the Controller;
    2. Inform the Controller of any intended changes regarding the addition or replacement of Sub-Processors;
    3. Implement a written contract containing the same data protection obligations as set out in this agreement in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws;
    4. Understand that where any Sub-Processor is used on their behalf that any failure on the part of the Sub-Processor to comply with the Data Protection Laws or relevant data processing agreement the Processor remains fully liable to the Controller for the performance of the Sub-Processor’s obligations;
  9. The Controller gives the Processor general authorisation to utilise Sub-Processors that provide general information technology and technical support including data storage and transmission services such as Microsoft Office 365, provided that obligations equivalent to the obligations set out in this clause 3 are included in all contract(s) between the Processor and the permitted Sub-Processors who will be processing Personal Data.
  10. Assist the Controller in providing subject access and allowing Data Subjects to exercise their rights under the Data Protection Laws insofar as the Processor holds Personal Data relating to the Data Subjects;
  11. Assist the Controller in meeting its data protection obligations in relation to:
    1. The security of processing by the Processor;
    2. Data Protection Impact Assessments for the provision of this service;
    3. The investigation and notification of personal data breaches caused by the Processor’s Processing; and
  12. Delete or return all personal data to the Controller as requested at the end of the agreement, or at such other time as the Controller may request;
  13. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Laws and allow for and contribute to one audit annually conducted by the Controller at the Controller’s cost;
  14. Tell the Controller immediately if they have done something or are being asked to do something which infringes the Data Protection Laws;
  15. Cooperate with the Supervisory Authority in accordance with the Data Protection Laws;
  16. Notify the Controller of any personal data breaches as soon as reasonably possible and in accordance with the Data Protection Laws.

3.2       Nothing within this agreement relieves the Processor of their own direct responsibilities obligations and liabilities under the Data Protection Laws

3.3       The Processor is responsible for ensuring that each of its employees agents subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and terms set out in this agreement

3.4       The Processor shall maintain induction and training programmes that adequately reflect the Data Protection Law requirements and ensure that all employees are afforded the time resources and budget to undertake such training on a regular basis

3.5       Any transfers of personal data to a third country or an international organisation shall only be carried out on written instructions from the Controller unless required to do so by law and where such a legal requirement exists the Processor will inform the Controller of that legal requirement before processing

3.6       Where required under the Data Protection Laws the Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller containing:

  1. The name and contact details of the Processor and of each Controller on behalf of which the Processor is acting and where applicable the Data Protection Officer;
  2. The categories of processing carried out on behalf of each Controller;
  3. Transfers of personal data to a third country or an international organisation including the identification of that third country or international organisation and the documentation of suitable safeguards;
  4. A general description of the technical and organisational security measures referred to in the Data Protection Laws

3.7       Where required under the Data Protection Laws the Processor shall maintain records of processing activities in writing including in electronic form and shall make the record available to the Supervisory Authority on request

3.8       When assessing the appropriate level of security and the subsequent technical and organisational measures the Processor shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosures of, or access to, personal data transmitted, stored or otherwise processed

Obligations and Rights of the Controller

4.1       The Controller is responsible for determining the means and purpose of processing and the lawful basis for processing and for meeting its obligations to the data subjects under the Data Protection Laws including providing the data subjects with an appropriate privacy notice

4.3       The Controller reserves the right to verify that the Processor has adequate and documented processes for data breaches data retention and data transfers in place

4.4       The Controller reserves the right to obtain evidence from the Processor as to the:

  1. Verification and reliability of the employees used by the Processor
  2. Technical and organisational measures described in Schedule 1 of this agreement
  3. Procedures in place for allowing data subjects whose data are Processed under this agreement to exercise their rights in accordance with the Data Protection Laws

4.5       Where the Controller has authorised the use of any Sub-Processors by the Processor the Controller may verify that similar data protection agreements are in place between the Processor and Sub-Processor

Warranties

5.1       The Processor warrants and represents that:

  1. its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Laws relating to the Personal Data;
  2. it has no reason to believe that the Data Protection Laws prevents it from providing any of the Services; and
  3. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:
    1. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage;
    2. the nature of the Personal Data protected; and
    3. comply with all applicable Data Protection Laws.

Indemnification

6.1       The Processor has professional indemnity insurance and agrees to indemnify, keep indemnified and defend at its own expense the Controller against costs, claims, damages or expenses incurred by the Controller for which the Controller may become liable due to any failure by the Processor or its employees, subcontractors or agents to comply with any of its obligations under this Agreement or the Data Protection Laws. These costs shall be capped at the level of insurance cover.

Termination

7.1       This Agreement shall remain in full force and effect for so long as the Processor is providing the Services or the Processor retains Personal Data on behalf of the Controller.

7.2       The Processor’s failure to comply with any of its obligations in clause 3 of this Agreement or if any of the warranties in clause 5 are found to be untrue or misleading then this shall be considered a material breach and the Controller may terminate effective immediately without further liability or obligation.

Governing Law

8.1       This Agreement is governed by the laws of England and Wales.

8.2       This Agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.

Schedule 1

Subject Matter of Processing

Provision of the Borealis cloud based access control system, including hosting of all associated data

Duration of the Processing

Until such time as the contract between the Controller and Processor for the provision of service ends.

Nature and Purpose of Processing

Provision of the Borealis cloud based access control system for the purpose of managing site security and access records

Type of Personal Data

User account credentials and administrator permissions, classification of user (Owner, Operator User, Systems Operators), unique identifier of access control fobs and name of associated individual, site access records, customer created custom fields

User credentials for the Controller’s staff

Categories of Data Subjects

Employees, agents, subcontractors and customers of the Controller

Special Categories of Personal Data

No special categories of personal data are processed

International Transfers

The transfers of data to and from the Processor are enabled by the UK being deemed to be an adequate nation for data protection by the EU

Technical and Organisational Measures

The Processor agrees that they shall implement the following suitable measures to preserve the security of the data collected:

  • No copies of data are to be held by the Processor without the Controller’s permission
  • Any such copies of data will be held in secure, password protected IT systems
  • Multi factor authentication shall be enabled on any systems where it is available
  • The Processor shall ensure that their IT systems use modern software that is kept up-to-date
  • When personal data is deleted this will be done safely such that the data is irrecoverable
  • Appropriate back-up and disaster recovery solutions are in place
  • Where multi-factor authentication exists for the tools used to deliver the service the Processor shall have enabled it
  • All data will be encrypted in transit

Sub-Processors

List of Sub-Processors used by the Processor to deliver the agreed services which the Controller consents to

Name of Sub-Processor: Keri Systems Inc

Address: 302 Enzo Dr Suite 190, San Jose, California 95138, USA. International transfer facilitated by International Data Transfer Agreement in place with Sub-Processor

Nature of processing activity: Provision and hosting of Borealis system