Data Processing Agreement (DPA)

The Parties agree that this DPA sets forth their obligations with respect to the Processing of Personal Data.

Definitions.

“Controller”

means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Law, the Controller or the specific criteria for its nomination may be provided for by such Law.

“Data Importer” and “Data Exporter”

have the meanings set forth in the Standard Contractual Clauses, in each case irrespective of whether such Standard Contractual Clauses, European Data Protection Legislation or Non-European Data Protection Legislation applies.

“Data Protection Legislation”

means, as applicable:

(a) European Data Protection Legislation, and

(b) Non-European Data Protection Legislation

which applies to the Processing of Personal Data.

“Data Subject”

means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“European Data Protection Legislation”

means, as applicable, data protection and privacy legislation in force inside the European Economic Area, including the General Data Protection Regulation and any national Laws implementing such legislation.

“General Data Protection Regulation” or “GDPR”

means Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

“Non-European Data Protection Legislation”

means data protection and privacy legislation in force outside the European Economic Area, including without limitation such legislation as is in force in the UK (including the UK GDPR and the Data Protection Act 2018 and national implementing legislation).

“Personal Data”

means any information Processed by Azets that relates to a Data Subject.

“Processing”

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” have correlative meanings.

“Processor”

means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller.

“Pseudonymisation”

means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

“Standard Contractual Clauses”

means, as applicable:

(a) the standard contractual Clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR (“EU SCCs”); and

(b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”).

“Sub-Processor”

means Processors used by Azets to Process Personal Data.

“Supervisory Authority”

means an independent public authority that has been established by a governmental body and is responsible for monitoring the application of applicable Data Protection Legislation, to protect the fundamental rights and freedoms of natural persons in relation to Processing and to facilitate the free flow of Personal Data.

“UK GDPR”

means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1  Roles and Scope.

1.1  This DPA only applies to the Processing of Personal Data by Azets on behalf of Customer pursuant to the Engagement Letter.

1.2  Customer and Azets agree that with respect to Personal Data, Customer is the Controller of such Personal Data and Azets is a Processor of such Personal Data, except when Customer acts as a Processor or Sub-Processor of such Personal Data, in which case Azets is a Sub-Processor of such Personal Data. Nothing in the preceding sentence alters the obligations of either Azets or Customer under this DPA, as Azets acts as a Processor with respect to Customer in all events. In any instance where the Customer is a Processor or Sub-Processor, Customer warrants to Azets that Customer’s instructions, including appointment of Azets as a Processor or sub-Processor, have been authorised by the relevant Controller.

1.3  This DPA does not limit or reduce any data protection commitments Azets makes to Customer in the Terms of Business.

1.4  Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Azets provide a level of security appropriate to the risk with respect to its Personal Data.

2  Details of the Processing.

2.1  Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with the Services are determined and controlled by Customer in its sole discretion and may include but are not limited to: Customer’s representatives and end users, such as employees, contractors, collaborators, clients, prospects, and customers; and employees or contractors of Customer’s clients, prospects, and customers.

2.2  Categories of Personal Data. The categories of Personal Data to be Processed in connection with the Services are determined by Customer in its sole discretion and may include but are not limited to: first and last name, employer, role, professional title, and contact information (e.g., email, phone numbers, and physical address).

2.3  Special Categories of Personal Data. Special categories of Personal Data, if any, to be Processed in connection with the Services are determined by Customer in its sole discretion and may include, but are not limited to, information revealing racial or ethnic origin; political, religious, or philosophical beliefs; trade union membership; or health data.

2.4  Processing Operations. Azets shall Process Personal Data only as described and subject to the limitations herein:

2.4.1  to provide Customer the Services in accordance with the Documented Instructions (as defined below); and

2.4.2  for business operations incidental to providing the Services to Customer, which may include:

2.4.2.1  delivering functional capabilities as licensed, configured, and used by Customer and its Authorised Users, and

2.4.2.2  preventing, detecting, and repairing problems, including Security Incidents (as defined below), and providing technical support, professional planning, advice and guidance.

3  Obligations of Azets.

3.1  Processing by Azets shall be governed by the Engagement Letter and this DPA. In particular, Azets shall:

3.1.1  Process Personal Data only on Documented Instructions (as defined below) from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable Data Protection Legislation; in such a case, Azets shall notify Customer of said legal requirement before Processing, unless said Data Protection Legislation prohibits such notification on important grounds of public interest;

3.1.2  inform Customer if, in its opinion, an instruction given by Customer with regard to Processing of Personal Data infringes any applicable Data Protection Legislation; in such a case, Azets may suspend the relevant Processing without penalty or liability until Customer gives Azets relevant written instructions that in Azets’ opinion do not infringe Data Protection Legislation;

3.1.3  ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.1.4  provide periodic and mandatory data privacy and security training and awareness to Azets Personnel with access to Personal Data in accordance with applicable Data Protection Legislation;

3.1.5  taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including any detailed in the Engagement Letter related to Personal Data and, inter alia, as appropriate:

3.1.5.1  the Pseudonymisation and encryption of Personal Data;

3.1.5.2  the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing

3.2  Systems and services: Azets shall ensure:

3.2.1  the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

3.2.2  a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

3.2.3  in assessing the appropriate level of security for purposes of Clause 4 above, take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed;

3.2.4  take steps to ensure that any natural person acting under the authority of Azets who has access to Personal Data does not Process such Personal Data except on instructions from Customer, unless he or she is required to do so by applicable Data Protection Legislation; and

3.2.5  adhere to the conditions set forth in Clauses 5 and 6 below for engaging or changing a Sub-Processor.

3.3  The Parties agree that this DPA and the Engagement Letter (including the provision of instructions made available by Azets for the provision of Cozone) constitute Customer’s documented instructions regarding Azets’ Processing of Personal Data (“Documented Instructions”). Azets shall Process Personal Data only in accordance with Documented Instructions, and for business operations incidental to providing the Services. Customer hereby grants all such rights and permissions in or relating to Personal Data to Azets and its Sub-Processors, as are necessary to perform the Services. Azets shall not retain, use, disclose or otherwise Process Personal Data other than for the purposes set out in this DPA and the Engagement Letter. Azets shall not derive information from Personal Data for any advertising or similar commercial purposes. In no event shall Azets sell Personal Data.

3.4  Additional instructions outside the scope of the Documented Instructions (if any) require a prior written Engagement Letter between Azets and Customer, including Engagement Letter on any additional fees payable by Customer to Azets for carrying out such instructions.

4  Security Incident Management.

4.1  Notice. Azets shall notify Customer of any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data while Processed by Azets (a “Security Incident”) without undue delay after becoming aware of the Security Incident and, in any event, within 48 hours of becoming aware of such Security Incident. Notification of a Security Incident shall be delivered to one or more of Customer’s administrators by any means Azets selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information. Customer is solely responsible for complying with its obligations under incident notification Laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident. Azets’ obligation to report or respond to a Security Incident is not an acknowledgement by Azets of any fault or liability with respect to the Security Incident. Similarly, Customer’s failure to comply with notification provisions hereunder or otherwise and any liabilities arising therefrom shall not be attributed to Azets.

4.2  In the event of a Security Incident, Azets shall (i) investigate the Security Incident; (ii) provide Customer with information about the Security Incident (including, where possible, the nature of the Security Incident, the contact from whom more information can be obtained, and the likely consequences of the Security Incident), which information may be provided in phases as it becomes available; and (iii) take reasonable steps to mitigate the effects of, and to help minimise any damage resulting from, the Security Incident. In the event that a Security Incident was not due to the fault of Azets, Azets shall cooperate with Customer with reasonable costs and expenses to be covered by Customer.

4.3  Azets shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable Data Protection Legislation to notify the relevant Supervisory Authority and Data Subjects about such Security Incident.

4.4  Customer shall notify Azets promptly about any possible misuse of its accounts or authentication credentials or any potential security incident related to Cozone.

5  Sub-Processors.

5.1  Azets may engage subcontractors and Sub-Processors to provide services on its behalf.

5.2  In addition to Azets’ Affiliates, Customer consents to Azets engaging the Sub-Processors listed at https://www.azets.co.uk/about-us/policies-legal/privacy-policy/processors/ or https://www.blickrothenberg.com/privacy-policy/privacy-policy-processors/ as applicable for the Processing of Personal Data in accordance with this DPA. The preceding authorisations shall constitute Customer’s prior written consent to the subcontracting by Azets of the Processing of Personal Data if such consent is required.

5.3  Where Azets engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, the same data protection obligations as set out in this DPA shall be imposed on such Sub-Processor by way of contract or other legal act to the extent required by applicable Data Protection Legislation, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing shall meet the requirements of applicable Data Protection Legislation. Where a Sub-Processor fails to fulfil such data protection obligations, Azets shall remain fully responsible and liable for the performance of such Sub-Processor’s obligations.

6  Changes to Sub-Processors.

6.1  Unless otherwise agreed by the Parties, at least sixty (60) days before authorising any new Sub-Processor to access Personal Data, Azets shall provide notice of such change by posting to https://www.azets.co.uk/about-us/policies-legal/privacy-policy/processors/ or https://www.blickrothenberg.com/privacy-policy/privacy-policy-processors/ as applicable. Within thirty (30) days of such notice being posted, Customer may object to the appointment of an additional Sub-Processor on reasonable grounds, provided in writing to Azets, in which case Azets shall have the right to cure the objection through one of the following options (to be selected at Azets’ sole discretion):

6.2  Azets shall cancel its planned use of Sub-Processor or shall offer an alternative plan to provide the Services without using such Sub-Processor;

6.3  Azets shall take the corrective steps, if any, identified by Customer in its objection as sufficient to remove Customer’s objection, and proceed to use the Sub-Processor; or

6.4  Azets may cease to provide, or Customer may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Sub-Processor, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering the reduced scope of the Services.

6.5  If none of the above options are reasonably available or the objection otherwise has not been resolved to the mutual satisfaction of the Parties within thirty (30) days after Azets’ receipt of Customer’s objection pursuant to this DPA, either Party may terminate the Engagement Letter.

6.6  Emergency Replacement of a Sub-Processor. Azets may replace a Sub-Processor at any time if the need for the change is urgent and necessary, and the reason for the change is beyond Azets’ reasonable control. In such instance, Azets shall notify Customer of the replacement Sub-Processor as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-Processor pursuant to Clause 6.1 above. Customer shall not be entitled to any remuneration or accrue any rights of termination due to the emergency replacement.

7  Cooperation with Requests from Data Subjects.

7.1  Azets shall assist the Customer, in a manner consistent with the functionality or performance of the Services and Azets’ role as a Processor, in respect of any Data Subject requests to exercise one or more of their rights under applicable Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Azets’ provision of such assistance beyond the existing functionality or performance of the Services.

7.2  If Azets receives a request from one of Customer’s Data Subjects to exercise one or more of its rights under applicable Data Protection Legislation, Azets shall instruct the Data Subject to make its request directly to Customer. Customer shall be responsible for responding to any such request.

7.3  Supervisory Authorities. Azets shall notify Customer without undue delay if a Supervisory Authority makes any inquiry or request for disclosure regarding Personal Data provided by Customer to Azets.

8  Other Cooperation.

8.1  Taking into account the nature of Processing and the information available to Azets, Azets shall provide reasonable assistance to Customer in ensuring compliance with obligations:

8.1.1  to ensure an appropriate level of security;

8.1.2  in cases of a Security Incident, to provide appropriate notifications to Supervisory Authorities and Data Subjects, in accordance with applicable Data Protection Legislation;

8.1.3  where required under applicable Data Protection Legislation, to carry out assessments of the impact of envisaged Processing operations on the protection of Personal Data;

8.1.4  where required under applicable Data Protection Legislation, to consult with Supervisory Authorities with regard to matters related to such Processing; and

8.1.5  to demonstrate compliance with the obligations concerning Processing of Personal Data carried out on behalf of a Controller and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer pursuant to Clause 10.1 below.

9  Retention and Deletion of Personal Data.

9.1  Personal Data. Subject to Clause 9.2 below, Azets shall delete or return Personal Data in accordance with the mutual agreement of the Parties save to the extent that Azets is required by any applicable Law to retain some or all of the Personal Data. In such event, Azets shall extend the protections of the Engagement Letter and this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable Law.

9.2  Cozone. At all times during the applicable Term, Customer shall have the ability to access, extract, and delete Personal Data held in Cozone. Azets shall retain Personal Data stored in Cozone for ninety (90) days after expiration or termination of Customer’s Engagement Letter so that Customer may extract Personal Data. After said 90-day period ends, Azets shall disable Customer’s account and delete all Personal Data (within thirty (30) days) and, where required by Law, shall certify to Customer that it has done so, save to the extent that Azets is required by any applicable Law to retain some or all of such Personal Data. In such event, Azets shall extend the protections of the Engagement Letter and this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable Law. Nothing contained herein shall require Azets to alter, modify, delete, or destroy backups or other media created in the ordinary course of business for purposes of disaster recovery and business continuity, so long as such backups or other media are kept solely for such purposes and are overwritten, recycled, or otherwise remediated in the ordinary course of business and, in any event, not longer than ninety (90) days after creation. Azets has no liability for the deletion of any data, including Personal Data as described in this Clause 9.2.

10  Security Reports, Audits and Records.

10.1  To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by Azets, (ii) documentation, or (iii) other compliance information that Azets makes generally available to its customers, Azets shall, not more than one time per calendar year, promptly respond to Customer’s audit requests. Before the commencement of an audit, Customer and Azets shall mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree shall not permit Azets to unreasonably delay performance of the audit. To the extent needed to perform the audit, Azets shall make the processing systems, facilities and supporting documentation relevant to the Processing of Personal Data by Azets, its Affiliates, and its Sub-Processors (where possible) available. Such an audit shall be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to Azets (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from Azets’ other customers or to Azets systems or facilities not involved in the Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Azets expends for any such audit, in addition to the rates for services performed by Azets. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Azets and Azets shall promptly cure any material non-compliance.

10.2  If the Standard Contractual Clauses apply, then this Clause is in addition to Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses. Nothing in this Clause varies or modifies the Standard Contractual Clauses or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses or Data Protection Legislation.

10.3  Records of Processing Activities. Azets shall maintain, to the extent and in the manner required by applicable Data Protection Legislation, a record of all categories of Processing activities carried out on behalf of Customer and, to the extent applicable to the Processing of Personal Data on behalf of Customer, make such record available to Customer upon request.

11  Obligations of Customer.

11.1  Customer acknowledges that:

11.1.2  Customer shall comply with all applicable Data Protection Legislation (including its obligations thereunder);

11.1.3  Customer is responsible for determining whether Cozone is appropriate for storage and Processing of Personal Data;

11.1.4  Customer has the right to transfer, or provide access to, Personal Data to Azets and its Sub-Processors for Processing in accordance with the terms of the Engagement Letter and this DPA;

11.1.5  Customer is solely responsible for fulfilling any third-party notification obligations related to a Security Incident; and

11.1.6  Customer specifically acknowledges that its use of the Services shall not violate the rights of any Data Subject, including, without limitation, those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Legislation.

11.2  Personal Data Sharing.

11.2.1  The use of Cozone may enable Authorised Users to share Personal Data or invite third party users to use and access Cozone. Such third-party users may access, view, download, and share Personal Data. Customer understands and agrees that:

11.2.1.1  it is solely Customer’s and its Authorised Users’ choice to share Personal Data;

11.2.1.2  Azets cannot control third parties with whom Customer or Authorised Users have shared Personal Data; and

11.2.1.3  Customer and/or its Authorised Users are solely responsible for their sharing of any Personal Data through Cozone.

12  Modification, Supplementation, and Term.

12.1  Azets may modify or supplement this DPA, with notice to Customer:

12.1.1  if required to do so by a Supervisory Authority or other government or regulatory entity;

12.1.2  if necessary to comply with applicable Data Protection Legislation;

12.1.3  to implement Standard Contractual Clauses, or

12.1.4  to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 of the GDPR or analogous provisions of other applicable Data Protection Legislation. In the event that such required modification or supplement results in Customer becoming non-compliant with Law that is applicable to Customer, Customer may terminate the Engagement Letter, and Customer shall be entitled to a pro-rata refund for prepaid Fees for Services not performed as of the date of termination.

12.2  This DPA is effective upon Customer’s use of the Services for which Azets is a Processor or Sub-Processor.

12.3  This DPA shall remain in force as long as Azets Processes Personal Data on behalf of Customer.

13  Transfers of Personal Data and Location.

13.1  Customer acknowledges that Azets and its Sub-Processors may Process Personal Data in countries that are outside of the European Economic Area (“EEA”) and the United Kingdom, including, but not limited to, the United States, India and/or Sri Lanka. This shall apply even where Customer has agreed with Azets to host Personal Data in the EEA or the United Kingdom, if such Processing is necessary to provide services requested by Customer.

13.2  Azets shall abide by the requirements of the Data Protection Legislation regarding the collection, use, transfer, retention, and other Processing of Personal Data from the EEA and the United Kingdom. All transfers of Personal Data to a third country or an international organisation (including any relevant Sub-Processor) that does not ensure an adequate level of protection shall be subject to appropriate safeguards as described in Article 46 of the GDPR and UK GDPR, and such transfers and safeguards shall be documented according to Article 30(2) of the GDPR or UK GDPR (as applicable).

13.3  All transfers of Personal Data out of the EEA and the United Kingdom shall be governed by the Standard Contractual Clauses, except for transfers (a) to and from any country which has a valid adequacy decision from the European Commission or the UK Government (as applicable), or (b) to and from any organisation which ensures an adequate level of protection in accordance with the applicable Data Protection Legislation. Subject to the foregoing and where indicated as applicable in Schedule 1 of this DPA, or this DPA, by Customer includes execution of the Standard Contractual Clauses. In the event any Standard Contractual Clauses include a transition period for implementation, Azets shall ensure the updated Standard Contractual Clauses shall be implemented prior to the expiration of such transition period (including in respect of transfers to any Sub-Processors which rely on the Standard Contractual Clauses).

13.4  Location of Personal Data

13.4.1  All Personal Data processed by Azets shall be stored in the UK or EEA. Customer acknowledges that Azets may employ Sub-Processors based in other regions, including but not limited to, the United States, India and/or Sri Lanka and, thus, Personnel of Sub-Processors in such locations may have access to Personal Data. Notwithstanding the foregoing, Azets does not control or limit the region or regions from, in, or to which Customer or Authorised Users may access, move, store or otherwise Process Personal Data.

13.5  Miscellaneous.

13.5.1  Azets and its Affiliates have appointed a data protection officer, EU representative, and UK representative. These are documented in the Privacy Policy at https://www.azets.co.uk/about-us/policies-legal/privacy-policy/ or https://www.blickrothenberg.com/privacy-policy/ as applicable.

13.5.2  If there is a conflict or inconsistency between the Engagement Letter and this DPA, the terms of this DPA shall prevail. If there is a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

13.5.3  To the fullest extent permitted by Law, any claims brought under this DPA and/or the Standard Contractual Clauses shall be subject to the Terms of Business, including but not limited to, any applicable exclusions and limitations set forth therein. For the sake of clarity, Azets’ aggregate liability arising out of this DPA and/or the Standard Contractual Clauses shall in no event exceed the limitations set forth in the Terms of Business.

 

Schedule 1 to Data Processing Agreement

Standard Contractual Clauses

The Parties agree that the applicable Standard Contractual Clauses are incorporated into the DPA by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional Clauses contained within the Standard Contractual Clauses shall not apply.

The following Standard Contractual Clauses shall apply where Personal Data is transferred to a third country (unless the transfer is permitted on the basis of an adequacy decision):

(a) CONTROLLER → PROCESSOR (Module Two) (“Controller to Processor Standard Contractual Clauses”) if Customer, acting as a Controller, is making a restricted transfer of Personal Data subject to the GDPR and/or the UK GDPR (as applicable) to Azets, acting as a Processor;

(b) PROCESSOR → PROCESSOR (Module Three) (“Processor to Processor Standard Contractual Clauses”) if Customer, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/or the UK GDPR (as applicable) to Azets acting as a Processor; and/or

(c) PROCESSOR → CONTROLLER (Module Four) (“Processor to Controller Standard Contractual Clauses”) if Azets, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/or the UK GDPR (as applicable) to Customer, acting as a Controller.

UK Addendum

The Parties agree that the UK Addendum is incorporated into the DPA by reference, as if it had been set out in full, and is populated and shall be read against the EU SCCs as follows. Unless expressly stated below, any optional Clauses contained within the UK Addendum shall not apply.

Start Date

The UK Addendum is effective from the effective date of the Engagement Letter.

Table 1: Parties

Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

Table 2: Selected SCCs, Modules and Clauses

As applicable, Module 2, Module 3 or Module 4 of the EU SCCs as incorporated by reference into Schedule 1 of this DPA including any supplementary Clauses set out within Schedule 1 of this DPA.

Table 3: Appendix Information

As set out in Annex 1 and Annex 2 of the Standard Contractual Clauses below.

Table 4: Ending this Addendum when the Approved Addendum Changes

In the event the Commissioner issues a revised Approved Addendum, in accordance with Section 18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer’s direct costs of performing its obligations under the Addendum; and/or (b) the data importer’s risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.

Supplementary Clauses for Module Two and Module Three:

Erasure and deletion: For the purposes of Clause 8.5, Section II of Module Two and Module Three of the Standard Contractual Clauses the data importer shall delete the Personal Data in accordance with Clause 9.1 of the DPA.

Audit: The Parties acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two and Module Three of the Standard Contractual Clauses by (i) acting in accordance with Clause 8.1.5 of the DPA and (ii) exercising its contractual audit rights it has agreed with its Sub-Processors. For the purposes of Clause 8.9(e), Section II of Module Three of the Standard Contractual Clauses, the data exporter shall ensure the results are provided to the relevant controller(s) on a confidential basis and that the controller(s) have committed themselves to confidentiality in respect of the same.

Notifications: For the purposes of Clause 8, Section II of Module Three of the Standard Contractual Clauses, the data exporter shall use all reasonable endeavours to ensure any instructions provided by the relevant controller(s) are directed via the data exporter. The data exporter shall be responsible for ensuring any notifications provided by the data importer are promptly notified to the relevant controller(s) to fulfil the data importer’s notification obligations pursuant to Clause 8.

Sub-Processors: For the purposes of Clause 9, Section II of Module Two and Module Three of the Standard Contractual Clauses, the Parties agree that option 2: general written authorisation shall apply, and the data importer shall notify the data exporter of any changes in accordance with Clause 6.1 of the DPA. For the purposes of Clause 9, Section II of Module Three of the Standard Contractual Clauses, the data importer shall notify the data exporter of any changes to a Sub-Processor and the data exporter shall be responsible for ensuring such notifications are provided to the relevant controller(s) and shall inform the data importer of any objections within the time frames specified. Copies of any Sub-Processor Engagement Letters (redacted as appropriate) requested from the data importer shall be provided to the data exporter for onward provision to the relevant controller, as applicable.

Data Subject Rights: For the purposes of Clause 10(a) to (c) Section II of Module Three of the Standard Contractual Clauses, the Parties acknowledge that given the nature of the Processing by the data importer it would not be appropriate for the data importer to notify or assist the controller directly in respect of any requests received from a Data Subject.

Transfer impact assessment: For the purposes of Clause 14(c), Section III of Module Two and Module Three of the Standard Contractual Clauses, the data exporter acknowledges that Azets may transfer Personal Data to the countries listed at https://www.azets.co.uk/about-us/policies-legal/privacy-policy/processors/ or https://www.blickrothenberg.com/privacy-policy/privacy-policy-processors/ as applicable. The data exporter acknowledges a transfer impact assessment has been made available by the data importer on or prior to the date of the Engagement Letter which the data exporter accepts as sufficient to fulfil the data importer’s obligations pursuant to Clause 14(c) and 14(a) of the Standard Contractual Clauses.

For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two and Module Three of the Standard Contractual Clauses, the Parties agree that “best efforts” and the obligations of the data importer under Clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

Governing law and Jurisdiction: For the purposes of Clause 17 and 18, Section IV of Module Two and Module Three of the EU SCCs, the Parties agree that the laws and courts of Norway shall apply. For the purpose of the UK Addendum, the Parties acknowledge and accept that the laws and courts of England and Wales shall apply.

Supplementary Clauses for Module Four:

Erasure and Deletion: For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses, the data exporter shall delete the Personal Data in accordance with Clause 9.1 of the DPA.

Governing law and Jurisdiction: For the purposes of Clauses 17 and 18, Section IV of Module Four of the EU SCCs and the UK Addendum, the Parties agree that the laws and courts of England and Wales shall apply.

 

 

Annex 1 to the Standard Contractual Clauses (Module Two and Module Three)

A. List of Parties

Data exporter: Customer is the data exporter. The data exporter is a user of the Services.

The data exporter’s data protection contact (and EU/UK representative if applicable) is as detailed in the Engagement Letter or as otherwise provided to the data importer.

Data importer: The data importer is the Azets entity identified in the Engagement Letter. The data importer provides the Services.

The data importer’s data protection contact details are as specified in the DPA.

B. Description of Transfer

Data Subjects: The categories of Data Subjects whose Personal Data may be Processed in connection with the Services are determined and controlled by data exporter in its sole discretion and may include but are not limited to: data exporter’s representatives and end users, such as employees, contractors, collaborators, and customers, customers and prospects of data exporter, and employees or contractors of data exporter’s prospects and customers.

Categories of data: The categories of Personal Data are determined by data exporter in its sole discretion and may include but are not limited to: first and last name, employer, role, professional title, and contact information (e.g., email, phone, physical address).

Special categories of data: Special categories of Personal Data, if any, are determined by data exporter in its sole discretion and may include, but are not limited to, information revealing racial or ethnic origin, political, religious, or philosophical beliefs, trade union membership or health data. Any such special category Personal Data is subject to strict purpose limitation controls, access restrictions (including access only for staff having followed specialised training) and security measures.

Frequency, duration, and retention: The Personal Data is transferred on a continuous basis determined by the data exporter. The data importer shall Process the Personal Data for the duration of the Engagement Letter and shall retain the Personal Data in accordance with Clause 9.1 of the DPA.

Nature and purpose of the Processing: Azets shall Process Personal Data only as described and subject to the limitations herein (a) to provide Customer the Services in accordance with the Documented Instructions, and (b) for business operations incident to providing the Services to Customer, which may include (i) delivering functional capabilities as licensed, configured, and used by Customer and its Authorised Users, (ii) preventing, detecting, and repairing problems, including Security Incidents, and (iii) providing support, advice and guidance.

Sub-Processors: Any Sub-Processor appointed by the data importer shall Process the Personal Data to assist the data importer in providing the Services as described above for the duration of the Engagement Letter.

C. Competent Supervisory Authority:

The competent Supervisory Authority shall be detailed in the Engagement Letter or otherwise determined in accordance with Clause 11, Section II of Module Two and Module Three of the EU SCCs. In respect of the UK Addendum, the competent supervisory authority shall be read as the Commissioner.

 

Annex 1 to the Standard Contractual Clauses (Module Four)

A. List of Parties

Data exporter: The data exporter is the Azets entity identified in the Engagement Letter. The data exporter provides the Services.

The data exporter’s data protection contact details are as specified in the DPA.

Data importer: Customer is the data importer. The data importer is a user of the Services.

The data importer’s data protection contact (and EU/UK representative if applicable) is as detailed in the Engagement Letter or as otherwise provided to the data exporter.

B. Description of Transfer

Data Subjects: The categories of Data Subjects whose Personal Data may be Processed in connection with the Services are determined and controlled by data importer in its sole discretion and may include but are not limited to: data importer’s representatives and end users, such as employees, contractors, collaborators, and customers, customers and prospects of data importer, and employees or contractors of data importer’s prospects and customers.

Categories of data: The categories of Personal Data are determined by data importer in its sole discretion and may include but are not limited to: first and last name, employer, role, professional title, and contact information (e.g., email, phone, physical address).

Special categories of data: Special categories of Personal Data, if any, are determined by data importer in its sole discretion and may include, but are not limited to, information revealing racial or ethnic origin, political, religious, or philosophical beliefs, trade union membership or health data. Any such special category Personal Data is subject to strict purpose limitation controls, access restrictions (including access only for staff having followed specialised training) and security measures.

Frequency, duration, and retention: The Personal Data is transferred on a continuous basis determined by the data importer. The data exporter shall Process the Personal Data for the duration of the Engagement Letter and shall retain the Personal Data in accordance with Clause 9.1 of the DPA.

Nature and purpose of the Processing: Azets shall Process Personal Data only as described and subject to the limitations herein (a) to provide Customer the Services in accordance with the Documented Instructions, and (b) for business operations incident to providing the Services to Customer, which may include (i) delivering functional capabilities as licensed, configured, and used by Customer and its Authorised Users, (ii) preventing, detecting, and repairing problems, including Security Incidents, and (iii) providing support, advice and guidance.

Sub-Processors: Any Sub-Processor appointed by the data exporter shall Process the Personal Data to assist the data exporter in providing the Services as described above for the duration of the Engagement Letter.

C. Competent Supervisory Authority:

The competent Supervisory Authority shall be detailed in the Engagement Letter or otherwise determined in accordance with Clause 13, Section II of Module Two and Module Three of the EU SCCs. In respect of the UK Addendum, the competent supervisory authority shall be read as the Commissioner.

 

Annex 2 to the Standard Contractual Clauses

Security measures implemented by the data importer

The data importer has implemented and shall maintain the following security measures intended to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Security Measure

Practices

Pseudonymisation and Encryption

Where data is processed and how it is Secured

The data, systems and applications used are hosted in public cloud services. Use is made of AWS where the systems and data are hosted in Dublin and the UK and Office 365 data is stored within the UK. The native facilities within the cloud platforms are used to encrypt all data at rest and in transit. Key management is undertaken using the in-built platform functionality.

 

As part of our comprehensive supplier due diligence process, the location and protection of our data that the supplier is storing/processing is addressed. In all cases, data is encrypted in transit, at rest and when backed up.

 

Where data is stored on an external system (e.g. SaaS provider), we ensure that this is encrypted. The majority of external applications that we use store and process data within the UK and/or EEA. Should data reside in a different jurisdiction, confirmation is obtained that appropriate and approved agreements are in place in compliance with Data Protection Legislation.

 

Data Protection Controls

Data transmitted between Azets and any external party uses one of the following mechanisms:

Email – our email system is configured to send all emails encrypted by default where supported by the receiving party.
Where the email contains sensitive information, we have a secure email facility that would be used. This shall result in the recipient receiving a notification that a secure email is waiting for them and they shall need to log in to a secure portal to retrieve it. The same facility can be used by the external party to send and/or reply to emails to/from Azets.

We have a secure file exchange facility that can be used to exchange data between an external party and Azets. All data is encrypted in transit and when stored on the file exchange server. A dedicated repository shall be created for the external party to ensure that no unauthorised user is able to gain access to their data. The external party’s users shall be added to the file exchange solution on an individual basis and only the necessary access rights shall be assigned to each user.

Removable media. This is an option that is rarely used but should it prove necessary, then the following shall apply:

Only IT approved and issued encrypted USB devices can be used. This is controlled via the device control application within our endpoint management software

If we were to receive a USB device from an external party, the recipient’s device would be configured to permit access to the USB device such that they could download the content and then this would be disabled. Our A/V software would automatically scan the device before any data is read from it

 

Ongoing Confidentiality, Integrity, Availability and Resilience.

Standards. Commercially reasonable and appropriate methods and safeguards are utilised to protect the confidentiality, availability, and integrity of Personal Data.

 

Confidentiality. Azets ensures that Azets Personnel authorised to access Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

Training. All Azets Personnel with access to Personal Data receive annual training.

 

Backups. 24/7 managed backup services are provided that include Personal Data stored in the primary site backed up on at least a daily basis to a secondary site. Azets provides backup services for all components included in the Services. Backups are maintained for a period of ninety days in the primary data centre, and ninety days in the secondary data centre.

 

Disaster Recovery. Azets maintains disaster recovery capabilities designed to minimise disruption to the Services. Included within these plans is disaster recovery incident management, procedures for the recovery of access to Personal Data in the secondary data centre, as well as the periodic testing/exercising of the disaster recovery plan.

Regularly Testing, Assessing and Evaluating the Effectiveness of the Measures

Penetration Testing. Azets undergoes penetration testing of its IT infrastructure, conducted by an independent third-party organisation, on an annual basis.

IT Security Controls

Authentication

Users are forced to use complex passwords (via system configuration settings) with a minimum length of 14 characters. As detailed below, this is supplemented with multi-factor authentication.

Infrastructure Security Controls

The following measures are in place:

All end user devices (EUD) and servers have a hardened build applied to them

Firewalls are enabled on all EUDs and within our server/cloud environment. Additionally, network security groups are also in place

Anti-virus software is installed on all EUDs and servers. These are updated as soon as an update is issued by the vendor and we proactively check for currency of the installed A/V products

With the exception of Microsoft Office, minimal software is installed on the EUD. As Remote Desktop Service (RDS) or Citrix is used to access the servers/line of business applications, any additional software is installed within the respective environment

Whitelisting has been applied on all devices to define what applications users are permitted to run

Users do not have local admin rights to their machines so are limited as to the changes that they can make to their machine

An email gateway scans all inbound, outbound and internal email. If an email fails any of the checks, it is quarantined. In most cases, the email would need to be released by the IT support team (only emails identified as potentially spam can be released by the user)

URL filtering is in place. Certain website categories are blocked unless there is a specific business requirement to access these. The following are some of the categories that are blocked: gambling, adult themes, internet file storage services, web-based email. Where exceptions are made, these would be on a per-user basis

We have a managed Extended Detection and Response (XDR) service which monitors all activity within our network, EUDs and servers. If a significant event is identified, this is investigated by the XDR provider and following investigation is either sent to Azets to undertake remedial activity. Logs from all our systems are ingested into the XDR service which also includes integration with AWS, Office365, firewalls and our secure email gateway

Access to our line of business applications is via our RDS or Citrix solutions. Authentication is via the user’s network credentials and if accessing from outside an office, multi-factor authentication (MFA) is required. All data remains within this environment and there is no access to the user’s local hard drive when using an RDS/Citrix session

Every user has their own network account. MFA is also required when accessing externally provided services. To minimise the number of accounts users shall use, single sign-on has been implemented where this is supported by the vendor

Access to Azets systems is obtained solely via a corporate issued device.

 

Network Controls

The following measures are in place:

Network management of each office is undertaken by the IT department

Firewalls have been implemented in all offices

Minimal IT infrastructure resides within each office, typically just network devices

The Guest wireless network has no connectivity to the corporate network

Personal devices (e.g. mobile phones) cannot connect to the corporate wireless network

Within our AWS deployment, extensive use is made of Network Access Control

Test environments are segregated from the Production environment

Backup/Resilience Measures

The following measures are in place:

All data within our environment is encrypted at rest and in transit. Various backup methods are in place depending on the system that is being backed up. This includes traditional daily/weekly/monthly backups, 30-minute snapshots and log file shipping

Immutable backups are in place and are stored in a different location to our Production systems

Our cloud hosting provider has various resilience facilities in place (i.e. availability zones)

Cloud native backup solutions are in use

All backed-up data is encrypted

The backup solutions are automated and an alert would be generated if there was a failure in any of these. Processes/scripts are in place to restore data should there be a system failure, loss of data or data corruption

Restore testing is undertaken to ensure that the business Recovery Time/Point Objective can be achieved

 

Access Control

A role-based access control model has been implemented and access is provided on a need-to-know basis based on the user’s role requirements; users are only provided with the minimum level of access required to undertake their job. All application and IT system administration is undertaken by the IT team – users cannot administer business applications.

There is an internal service desk system where access requests can be made which requires approval by the line manager and/or the system/ business owner.

 

System Maintenance and Vulnerability Management

A patching policy and process is in use within the business which includes patching timescales based on severity. This is supplemented with a vulnerability management application which scans devices on a daily and/or weekly basis (dependent on the device type). The security team proactively work with IT to ensure that patches are applied to the devices in a suitable timeframe (in accordance with the policy) and based on the severity. Patching progress/mitigation measures are closely monitored by the security team.

 

Additionally, vendor websites are monitored and/or we receive notifications when vulnerabilities have been identified with their product and their recommended actions shall be followed. The managed XDR service also provides threat information which supplements the vulnerability management measures in place.

 

Where appropriate, patches are tested on a sample number of systems to ensure that there are no adverse impacts before being rolled out to the rest of the estate. A system management tool is in place which is used to push out software and/or configuration updates to all systems.

 

Third Party Access

There are very few instances whereby third parties have access to our systems. Where this is in place, it is to provide support services. Access is provided only as and when required and is disabled when no longer needed. Confirmation would be obtained from the third party

 

Protection of Personal Data During Transmission

Encryption. Personal Data in transit is transferred across encrypted network connections and/or protocols (i.e., hypertext transfer protocol secure (HTTPS) and/or virtual private network (VPN)).

 

Protection of Personal Data During Storage

Encryption. Personal Data at rest is encrypted using ciphers at least as strong as 256-bit advanced encryption standard (AES).

 

Encryption of Backups. Backups of Personal Data are encrypted and stored in a secondary data centre.

 

Physical security.

Security Safeguards. Physical security safeguards are maintained at any facilities where Azets hosts Personal Data. Physical access to such facilities is only granted following a formal authorisation procedure and access rights are reviewed periodically.

 

Facilities. Such facilities are rated as Tier 3 data centres or greater, and access to such facilities is limited to identified and authorised individuals. Such facilities use a variety of industry standard systems to protect against loss of Personal Data due to power supply failure, fire, and other natural hazards.

 

Event Logging

Network Security. Azets utilises an enterprise-class security information and event management (SIEM) system and maintains firewalls and other control measures (e.g., security appliances, network segmentation) to provide reasonable assurance that access from and to its networks is appropriately controlled.

 

Event Logging. Azets logs access and use of information systems containing Personal Data.

 

System Configuration

Malicious Software. Anti-malware controls are maintained to help prevent malicious software from causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

 

Asset Inventory. Asset inventories of computing equipment and media used in connection with the processing of Personal Data are maintained. Access to such inventories is restricted to authorised Azets Personnel.

 

Governance and Management

Information Security and data protection

Information security and associated data protection is taken extremely seriously within the business. The following are in place:

A dedicated Cyber Security team is in place covering all cyber technical, procedural and governance processes. These individuals work across the business to ensure that all processes incorporate adequate security measures and that appropriate technical controls are in place and their configuration is suitably robust. The UK Security Director has overall responsibility for Cyber within the UK.

Data privacy is included within the Risk and Compliance team where the Group’s Data Protection Officer resides. The Privacy and Cyber team work very closely to ensure that both of these aspects are fully addressed across the business. This includes day-to-day operation, projects, third-party suppliers/vendors and regulatory requirements.

Updates pertaining to Cyber and data privacy are provided to the Group’s monthly Exco forum.

 

Security Policies

Group-wide security policies are in place along with an Information Governance Framework. These documents are reviewed at least annually and are available to all staff. Supplementary policies and supporting procedures are created on a country basis where necessary.

 

Risk Management

There is a defined process supporting risk assessments. These are undertaken at the start of a project, prior to any major upgrade and as part of our wider supplier due diligence approach and on a continual basis. Any residual risk is managed and tracked. A GRC tool is in place which is used for capturing, tracking and managing all risks. Risks are regularly reviewed for status, accuracy and change in impact. Major/significant risks are reported to the Exco and the risk & audit committee.

 

Security Working Group

The security working group meets on a monthly basis. This includes representation from IT, business units, the Risk and Compliance team (which includes privacy) and the security team. This is a critical activity to ensure that all key stakeholders are aware of any security issues and also allows them to raise any concerns that they have become aware of.

 

Incident Management

A detailed incident management process is in place and shall be followed in the event of a security incident. This incorporates a lessons learned activity which shall capture any remedial activity/recommendations. The process includes details of communications with customers in the event that their data may be affected.

 

Scenario-based tests have been and shall continue to be undertaken.

 

Azets Personnel. Azets maintains written policies and procedures that address the roles and responsibilities of Azets personnel, including both technical and non-technical personnel, who have access to Personal Data in connection with providing the Services.

 

Certification of Processes

Standards.

Azets Holdings and Blick Rothenberg hold Cyber Essentials certification. The details relating to these certifications are:

 

| Entity | Certificate Number | Date Obtained | Expiry Date |
|---|---|---|---|
| Azets Holdings | IASME-CE-037202 | 28/02/2022 | 28/02/2023 |
| Blick Rothenberg | IASME-CE-045481 | 07/07/2022 | 07/07/2023 |

 

The AWS and Microsoft data centres that are used by Azets have undergone numerous certifications; details are available on their respective vendor’s Trust Portal.

 

Independent Assessments. On an annual basis, Azets has an independent third-party organisation conduct an independent assessment of security standards. A business continuity plan is maintained that is compliant with ISO 22301.

 

Training of Personnel

Security Awareness Training. Azets uses an externally provided security training and awareness platform which also includes an email phishing component. Security training courses are sent to staff on a frequent basis throughout the year and the completion of such training is monitored and followed up if necessary. Phishing emails are also sent to staff on a periodical basis. Should a user fail a phishing test, details are provided to them of the “red flags” that they should have picked up on. Repeat phishing test failures by a member of staff would be followed up by the security team.

 

In addition to the training platform, security/awareness related information is included in staff bulletins and emails and is also contained on the Intranet.

 

All staff are required to sign an acceptable use policy. Mandatory training is also undertaken annually covering staff’s responsibility relating to data and GDPR.

 

All new starters undergo an induction session which includes security and privacy related training. This also includes acceptance of the acceptable use policy and undertaking core security training modules.

 

Regardless of where the member of staff works (office, home), all users receive the same training. The training also reflects the changed working environment and the measures that staff take when working from home.

 

Accountability

Accountability. Azets defines accountability as holding individuals accountable for their internal control responsibilities.

 

Control Activities. Specific control activities that Azets has implemented in this area are described below.

An employee sanction procedure is in place and documented to communicate that an employee may be terminated for noncompliance with a policy and/or procedure; and

A performance review of employees is conducted on an annual basis to evaluate the performance of employees against expected levels of performance and conduct and hold them accountable for their internal control responsibilities.

 

Data Minimisation / Data Quality

Data Minimisation. Azets shall make reasonable efforts to use the minimum necessary Personal Data to provide the Services.

 

Data Quality. At all times during the applicable Term, Customer shall have the ability to amend Personal Data to assist the Customer with its data quality obligations.

 

Data Retention

Data Retention. Azets shall retain Personal Data stored in Cozone for ninety (90) days after expiration or termination of the Engagement Letter so that Customer may extract Personal Data. After said 90-day period ends, Azets shall disable Customer’s Cozone account and delete all Personal Data (within thirty (30) days) and, where required by Law, shall certify to Customer that it has done so, save to the extent that Azets is required by any applicable Law to retain some or all of such Personal Data.

Portability and Erasure

Portability. At all times during the applicable Term, Customer shall have the ability to access, extract, and delete Personal Data in Cozone.

 

Erasure. Azets destroys, deletes, or otherwise makes irrecoverable Personal Data upon the disposal or removal of storage media. Personal Data for each Customer is logically separated from data of other Azets customers.