Data Processing Agreement (DPA)

DATA PROCESSING SCHEDULE

1. Definitions

The following capitalised terms used in this Data Processing Schedule (“DPS”) shall have the meaning set out in DP Legislation (e.g. in Article 4 of UK GDPR) as applicable: Controller, Data Protection Officer, Data Subject, Processor, Processing (and Process and Processed shall be construed according to this definition of Processing), Personal Data, Personal Data Breach and Supervisory Authority.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

Law: means the laws of England and Wales.

2. General

  • The parties agree that:
    • this DPS is incorporated into the User Agreement;
    • if there is any conflict or inconsistency between this DPS and the terms and conditions in the Agreement that relate to the Processing and confidentiality of Personal Data, the provisions of this DPS shall prevail; and
    • this DPS only applies where Tammwe Limited is the Processor under the Agreement and the User is the Controller.

1. Details about the processing

  1. The parties agree that Annex 1 is completed and accurate under this Agreement.

      1. The Processor will only Process Personal Data in accordance with the Controller's written instructions unless the Processor is required to act without such written instructions by Law.
      2. The Processor will ensure that only the Processor's employees, consultants, directors and officers who need to Process the Personal Data under the Agreement shall have access to it, provided that in each case they have previously entered into a written agreement with the Processor that contains an obligation on such employees, consultants, directors and officers to keep information (including Personal Data) made available to them confidential.
      3. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks relating to its Processing of the Personal Data and in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed. The Processor agrees to use the appropriate technical and organisational measures set out in the Agreement or where these are inadequate to use those set out in Annex 2.
      4. The Controller authorises the Processor to employ any sub-processor(s) without the prior specific or general written authorisation of the Controller. The Processor shall, however, notify the Controller of any changes it intends to make to the agreed sub-processor(s) and give the Controller a reasonable opportunity to object to such changes (should the Controller not object within 14 days of notification, the Controller shall be deemed to have accepted such change in sub-processor). Where the sub-processor is the hosting provider of the Services, the Controller acknowledges that should it object to the change in sub-processor, Tammwe may have to terminate the Processor's account. The Processor shall enter into a written contract with each sub-processor which contains the same or substantially the same data protection obligations on the sub-processor as set out in this DPS. The Processor agrees that it shall be fully liable to the Controller for the performance of the sub-processor(s)' obligations as required by applicable data processing legislation and the contract entered into between the Processor and sub-processor.
      5. The Processor shall, subject to taking into account the nature of the Processing it carries out and by having appropriate technical and organisational measures in place, assist the Controller upon request to fulfil its obligations that relate to enabling Data Subjects to exercise their rights under UK GDPR, such as subject access requests, requests for rectification or erasure of Personal Data and making objections to Processing.
      6. The Processor shall, subject to taking into account the nature of the Processing it carries out and the information available to it, assist the Controller upon request in meeting its obligations under UK GDPR relating to:
        1. keeping the Personal Data secure;
        2. notifying Personal Data Breaches to the Supervisory Authority (in particular the Processor agrees to notify the Controller as soon as reasonably practicable upon receipt of any communication, notice, request or complaint from a Data Subject; and to notify the Controller of any Personal Data Breach without undue delay once the Processor becomes aware of the breach and to provide the Controller with such reasonable assistance and information in relation to such Personal Data Breach as the Controller requests);
        3. advising the Data Subjects when there has been a Personal Data Breach;
        4. carrying out data protection impact assessments (“DPIA”); and
        5. consulting with the Supervisory Authority where the DPIA indicates there is an unmitigated high risk to the processing.
    • Unless required by Law to retain the Personal Data, the Processor shall upon termination or expiry of the Agreement, at the Controller's choice, either delete or return to the Controller all of the Personal Data it has been Processing for the Controller.
    • The Processor shall in relation to the Processing it carries out:
      1. provide the Controller with all the information that is needed to show that the Processor has met all of its obligations under this DPS;
      2. at the Controller's request submit and contribute to audits and inspections that the Controller or the Controller's appointed auditor carries out;
      3. pursuant to Article 28.3(h) of UK GDPR, immediately inform the Controller if, in its opinion, it has been given an instruction which does not comply with the UK GDPR.
  2. The Controller shall comply with its obligations under UK GDPR including in relation to its collection, processing and provision of Personal Data to the Processor in connection with the Agreement.
    1. Overseas transfers

      The Processor shall not transfer the Personal Data to any country or international organisation located outside the United Kingdom or the European Economic Area without the prior written consent of the Controller.

    2. Statutory obligations

      In addition to this DPS, the Processor has direct obligations under UK GDPR which the Processor agrees to comply with.

    3. Liability

      The Processor shall be liable to the Controller for any losses, damages and costs (including reasonable legal costs) arising from the Processor's breach of this DPS subject to Article 82 of UK GDPR and any limitations in the Agreement. The Processor shall only be liable for any payment to the Controller resulting from its breach of this DPS to the extent that such payment has been ordered by a competent court in the UK, a legally binding decision of the Supervisory Authority or other regulatory body in the UK, or by way of a written agreement between the Controller and Processor after the breach arises.

Annex 1

Details relating to the Personal Data and Processing pursuant to the Agreement.

The subject matter and duration of the processing of the Personal Data: For the provision of Services by Tammwe to the User. The duration of processing shall be the duration that the User has a User Account plus (6) months, in accordance with Tammwe's data retention policy.

The nature and purpose of the processing of the Personal Data: For the provision of Services to the User.

The types of Personal Data to be processed: Usage data (pages visited, links clicked, actions taken on the website). Anonymised, and only when accepted for EU users. Ad-block will also block us from collecting this for users that have that enabled.

The categories of Data Subjects to whom the Personal Data relates: Users of the Tammwe Services.

The obligations and rights of the Controller: As set out in the GDPR, above and/or in the Agreement.

State the names of any sub-processors and confirm if a UK GDPR compliant data processing agreement has been entered into with such sub-processor: HubSpot, AWS, Google Workspace, Vercel, GitHub

Annex 2

Details of technical and organisational security measures to protect the Personal Data and the Processing of such data.