Data Processing Agreement

1. Background

1.1 The Customer and Outflo Ltd ("Outflo", "we", "our" or "us") entered into a pricing plan incorporating our terms and conditions (together, the "Agreement").

1.2 This DPA is between Outflo and the Customer (each a "Party" and collectively the "Parties"), pursuant to the Agreement.

1.3 This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors [and the General Data Protection Regulation ((EU) 2016/679)].

2. Agreed Terms

The following definitions and rules of interpretation apply in this Agreement.

2.1 Definitions

Authorised Persons: the persons or categories of persons that the Customer authorises to give the Provider written personal data processing instructions and from whom the Provider agrees to accept such instructions.

Business Purposes: the services to be provided by the Provider to the Customer.

Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Processor, Supervisory Authority and Processing: shall have the respective meaning given to them in the UK GDPR or EU GDPR (as applicable).

Controller: has the meaning given to it in section 6, DPA 2018.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; [and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);][and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party

OR

Data Protection Legislation: a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data. b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of Personal Data.]

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

Data Protection Laws means the UK Data Protection Legislation and any other European Union legislation (including the EU GDPR) relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

EEA: the European Economic Area.

Ex EEA Transfer: the export of Personal Data to a country or territory outside the EEA other than a country or territory ensuring an adequate level of protection of Personal Data as determined by the European Commission.

Ex UK Transfer: the export of Personal Data to a country or territory outside the UK and such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.

Security Incident: means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Authorised User Data and/or Customer End User Data.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties.

Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

UK SCCs: means the Standard Contractual Clauses (Processors) approved by European Commission Decision 2010/87/EU.

UK Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

Services: has the same meaning given in the Agreement.

Software: has the same meaning given in the Agreement.

Sub-processor: means any sub-processor engaged by us who agrees to receive from us Authorised User Data and/or Customer End User Data.

3. Data Processing

3.1. Customer as Controller. The Customer and Outflo acknowledge that for the purpose of Data Protection Laws, the Customer is the controller and Outflo is the processor.

3.2. Customer Compliance. The Customer retains control of the personal data and remains responsible for its compliance obligations under applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Outflo.

3.3. Nature and Purpose of Processing. Annex A describes the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types in respect of which Outflo may process personal data in order to provide the Services and fulfil its obligations under the Agreement.

3.4. Instructions for Data Processing.

  • We will only process Authorised User Data and/or Customer End User Data in accordance with the Customer’s written instructions, unless processing is required by UK, European Union or Member State law to which we may be subject, in which case we shall, to the extent permitted by UK, European Union or Member State law, inform the Customer of that legal requirement before processing such data. The Agreement and this DPA shall be the Customer’s complete and final instructions to us in relation to the processing of such data.
  • We will comply with the Customer's written instructions requiring us to amend, transfer, delete or otherwise process Authorised User Data/Customer End User Data, or to stop, mitigate or remedy any unauthorised processing, unless legally prohibited from doing so.
  • We will notify the Customer if, in our opinion, the Customer’s instructions would not comply with Data Protection Laws.

3.5. Additional processing. Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and us as regards additional instructions for processing.

3.6. Required consents. Where required by applicable Data Protection Laws, Customer will ensure that it has obtained or will obtain all necessary consents for the processing of Authorised User Data and/or Customer End User Data by us in accordance with the Agreement.

4. Transfer of Personal Data

4.1. Authorised Sub-processors. The Customer agrees that we may use the Sub-processors set out in Annex B (and gives general consent for us to appoint future Sub-processors).

  1. We shall not permit, allow or otherwise facilitate Sub-processors to Process Authorised User Data and/or Customer End User Data unless we enter into a written agreement with the Sub-processor which imposes substantially similar obligations on the Sub-processor with regard to their Processing of Authorised User Data, and/or Customer End User Data as are imposed on us under this DPA.
  2. We shall notify the Customer from time to time of the identity of any changes/additions to the Sub-processors we engage.
  3. If the Customer (acting reasonably) does not approve of a new Sub-processor, the Customer may request that we move the Authorised User Data and/or Customer End User Data to another Sub-processor. We shall, within a reasonable period of time following receipt of such request, use all reasonable endeavours to ensure that the relevant Sub-processor does not process any further Authorised User Data and/or Customer End User Data, and help identify an alternative.

4.2. Liability of Sub-processors. We will at all times remain responsible for compliance with our obligations under the DPA and will be liable to the Customer for the acts and omissions of any Sub-processor approved by the Customer as if they were our acts and omissions (subject to the terms of the Agreement).

4.3. Transfers of Personal Data.

  • The Customer agrees to the transfer of personal data outside of the UK/EEA as set out in Annex B (as updated from time to time).
  • Where the processing of Authorised User Data and/or Customer End User Data by us involves an Ex UK Transfer, such transfer shall be governed by the UK SCCs or such other legally recognised transfer method in force.
  • Where the processing of Authorised User Data and/or Customer End User Data by us involves an Ex EEA Transfer, such transfer shall be governed by the EU SCCs or such other legally recognised transfer method in force.

The EU SCCs are amended as follows:

  • All explanatory notes and footnotes deleted.
  • As the Ex EEA Transfer is a controller to processor transfer, only the provisions relating to Module 2 apply to such Ex EEA Transfer, and the provisions relating only to Modules 1, 3 and 4 are deleted and shall not apply to such Ex EEA Transfer.
  • Clause 7 shall be included and the references to it being “optional” in the Clauses shall be deleted.
  • In respect of Clause 9 (sub-processors), Option 2 general written authorisation applies, and the minimum time period for the data importer to specifically inform the data exporter in writing of any intended changes to that list in accordance with Clause 9 shall be 14 days.
  • The “OPTION” in Clause 11(a) shall not apply and the wording in square brackets in that Clause shall be deleted.
  • In respect of Clause 13(a) (supervision), the following wording shall apply: The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
  • In respect of Clause 17 (governing law), Option 1 shall apply and the Member State governing law shall be the law of Ireland.
  • In respect of Clause 18 (choice of forum and jurisdiction), the relevant courts shall be the courts of Ireland.

  • To the extent an international transfer is governed by either the EU SCCs or UK SCCs and there is a conflict between the applicable standard contractual clauses, this DPA and the Agreement, the applicable standard contractual clauses shall prevail.

5. Security, Audits and Security Notifications

5.1. The Provider must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in ANNEX C.

5.2. Outflo Security Obligations. Outflo will implement measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

5.3. Outflo will permit the Customer and its third-party representatives (not more than once annually) to audit Outflo’s compliance with its obligations, on giving at least 30 days’ notice, during the term of the Agreement. Outflo will give the Customer and its third-party representatives only such assistance as is necessary to conduct such audits.

5.4. Security Incident Notification. If we or any Sub-processor become aware of a Security Incident we will:

  • notify the Customer of the Security Incident within 72 hours;
  • investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident; and
  • take steps to remedy any non-compliance with this DPA.

5.5. Outflo Employees and Personnel. We will treat the Authorised User Data and Customer End User Data as confidential information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Authorised User Data and Customer End User Data.

5.6. Assistance. We will provide reasonable assistance in meeting the Customer's compliance obligations under Data Protection Laws, taking into account the nature of our processing and the information available to us, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with relevant data protection authorities.

6. Access Requests and Data Subject Rights

6.1. Data Subject Requests. Save as required or where prohibited (as applicable) under applicable law, we will notify the Customer of any request received by us or any Sub-processor from a data subject in respect of personal data included in the Authorised User Data or Customer End User Data, and will not respond to the data subject. The Customer shall be solely responsible for responding substantively to any such data subject request or communications involving personal data.

6.2. Changes. We will provide the Customer with the ability to correct, delete, block, access or copy the Authorised User Data or Customer End User Data in accordance with the functionality of the Services.

6.3. Disclosure. We will maintain the confidentiality of Authorised User Data and Customer End User Data and will not disclose such data to third parties unless the Customer or the Agreement specifically authorises such disclosure, or as required by domestic law, court or regulator. If a domestic law, court or regulator requires us to process or disclose personal data to a third party, we must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless we are legally prohibited from giving such notice.

7. Data Return and Destruction

7.1. Return. We will at the Customer's request return any Customer Data/Authorised User Data in our standard format.

7.2. Deletion/Destruction. On termination of the Agreement for any reason or expiry of its term we will immediately cease processing Authorised User Data and Customer End User Data and will within 30 days of being instructed in writing by the Customer either securely delete or destroy or return (and not retain, except as required for record keeping purposes), all of the personal data related to this Agreement in our possession.

8. Data Protection Impact Assessment

8.1. To the extent required under applicable Data Protection Laws, we will provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any supervisory authority of the Customer, in each case solely in relation to Processing of Authorised User Data or Customer End User Data and taking into account the nature of the processing and information available to us.

9. Termination

9.1. This DPA will remain in full force and effect so long as the Agreement remains in effect and will terminate immediately upon termination of the Agreement.

ANNEX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Data Exporter: Customer

Data importer: Outflo

Subject matter of processing: The processing is needed in order to enable the provision of Services pursuant to the Agreement.

Duration of processing: For the duration of the Agreement, unless otherwise agreed in writing.

Nature of processing: Storage, transmission and use in order to provide the Services.

Business purpose: For the provision of Services, pursuant to the Agreement.

Personal data categories:

Name, email address and online identifiers (such as IP address) of each Authorised User.

Information contained in feedback, chat transcripts or other format collected by the Customer and provided to Outflo relating to each Customer End User.

Data subjects: Authorised User and Customer End User.

ANNEX B

SUB-PROCESSORS

Authorised User Data

Sub-processor | Address | Jurisdiction | Purpose
Amazon Web Services | Amazon Web Services EMEA SARL, One Burlington Plaza | EU | Application hosting and data storage
Segment | Segment Inc., 100 California Street Suite 700, San Francisco, CA 94111, United States | US | User analytics
Hubspot | HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141 | US | Customer relationship management
Amplitude | Amplitude, Inc., 631 Howard Street, Floor 5, San Francisco, California 94105 | US | User analytics
Paragon | 1700 Sawtelle Blvd 102, Los Angeles, California, 90025, United States | US | Application services

ANNEX C

TECHNICAL AND ORGANISATIONAL MEASURES

Introduction

We maintain internal policies and procedures, or procure that our Sub-processors do so, which are designed to:

  • secure any personal data Processed by us against accidental or unlawful loss, access or disclosure;
  • identify reasonably foreseeable internal risks to security and unauthorised access to the personal data Processed by us;
  • minimise security risks, including through risk assessment and regular testing.

We will conduct periodic reviews of the security of our network and the adequacy of our information security program as measured against industry security standards and our policies and procedures (including our security policy), and will use all practical efforts to procure that our Sub-processors do so as well.

We will periodically evaluate the security of our network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews, and will use reasonable efforts to procure that our Sub-processors do so as well.

Access controls

We limit access to personal data by implementing appropriate access controls.

Availability and back-up of personal data

We regularly back up data. Back-ups are stored separately and are encrypted at rest.

Disposal of IT equipment

We have in place processes to securely remove all personal data before disposing of IT systems (for example, by using appropriate technology to purge equipment of data and/or destroying hard disks).

Encryption

We use encryption technology where appropriate to protect personal data held electronically.

Transmission or transport of personal data

We will implement appropriate controls to secure personal data during transmission or transit.

Device hardening

We will remove unused software and services from devices used to process personal data. Default passwords that are provided by hardware and software producers will not be used.

Physical security

We implement appropriate physical security measures to safeguard personal data.

Staff training and awareness

We carry out staff training on data security and privacy issues relevant to their job role and ensure that new starters receive appropriate training before they start their role.

Staff are subject to disciplinary measures for breaches of our policies and procedures relating to data privacy and security.

Last updated: 13 February 2023