This Data Processing Agreement (the “DPA”) is incorporated into the Master Services Agreement (Agreement) issued by DSMN8 Limited (DSMN8). This DPA forms an integral part of the Agreement.
1. Definitions
Any defined terms not listed below will carry the same definition as those in the Agreement.
1.1. Controller: the party to the Agreement to which DSMN8 is providing Services.
1.2. Business Purposes: the Services and any other purpose specifically identified in the SoW or Appendix 1.
1.3. Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
1.4. Personal Data: means any information relating to an identified or identifiable living individual that is processed by DSMN8 on behalf of the Customer as a result of, or in connection with, the provision of the services under the Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
1.5. Services: the functionality offered by DSMN8’s software which can potentially maximise, for the benefit of the Controller, its employees’ social media presence and influencer activity.
1.6. SoW: the statement of work setting out the Services which is attached to the Agreement.
2. Subject of the DPA and Term
2.1. The Controller and DSMN8 agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1. the Controller is the controller and DSMN8 is the processor.
2.1.2. the Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to DSMN8.
2.2. DSMN8 performs Services for the Controller as described in the SoW and Appendix 1. Appendix 1 details the subject-matter, type and purpose of processing, the types of data and categories of data subjects in compliance with the Data Protection Legislation in force.
2.3. The Controller can nominate individuals to be notified separately about any updates, changes and notifications in regard to this DPA by either notifying their Account Manager or emailing [email protected].
2.4. This DPA shall, unless otherwise agreed, become effective after it has been signed by both parties and shall apply for as long as DSMN8 processes Personal Data on behalf of the Controller under the Agreement.
3. Processing under instruction of the Controller
3.1. The Controller is responsible for compliance with the Data Protection Legislation, in particular for the admissibility of the data processing and for safeguarding the data subjects’ statutory rights, as stipulated by the applicable data protection regulation(s). Statutory or contractual liability provisions as set out in the Agreement or otherwise shall remain unaffected.
3.2. DSMN8 shall process the Personal Data disclosed by the Controller solely under the instructions of the Controller and within the scope of the agreed services and stipulations. Data must only be corrected, erased or blocked subject to the instruction of the Controller.
3.3. DSMN8 must only process data under the Controller’s instructions, unless processing of certain Personal Data is required by law of the relevant data protection authority to which DSMN8 is subject. In such a case, DSMN8 shall inform the Controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.
3.4. The instructions of the Controller require no specific form. Verbal instructions may be documented by the Controller and all instructions will be confirmed in writing to DSMN8.
3.5. DSMN8 shall inform the Controller without undue delay, if it believes that an instruction given by the Controller infringes upon applicable Data Protection Legislation.
3.6. Notwithstanding the specific obligations and restrictions in clause 3, DSMN8 shall not:
3.6.1. sell to or share with any third party the Personal Data;
3.6.2. use Personal Data for any other purpose, commercial or otherwise, other than as described in the DPA;
3.6.3. combine the Personal Data collected from the Controller with data DSMN8 collects elsewhere.
4. Technical and Organisational Measures
4.1. DSMN8 shall implement adequate technical and organisational security measures for the agreed data processing as outlined in Appendix 3, which meet international industry standards such as ISO/IEC 27001 (Information Security Management Systems). These security measures should be appropriate to the risks involved with regard to the specific personal data processing operations.
4.2. The measures taken under clause 4.1 above may be modified to adapt to future technical and organisational developments. DSMN8 may only carry out these modifications if they meet, at minimum, the previous level of security. DSMN8 is only required to inform the Controller of substantial changes to the implemented measures, subject to the existence of other regulations to the contrary.
4.3. DSMN8 shall support the Controller in its compliance with its legal obligations as far as the technical and organisational measures are concerned in relation to this Agreement. DSMN8 shall, upon request, assist the Controller to create or maintain its record of processing activities. DSMN8 shall cooperate with the Controller in the creation of relevant data protection impact assessments and, if necessary, in prior consultations with supervisory authorities. Upon request, DSMN8 shall make the agreed information and documents available to the Controller.
5. Obligations of DSMN8
5.1. DSMN8 confirms that it is aware of the Data Protection Legislation to which it is subject. DSMN8’s internal operating procedures shall comply with the specific requirements of an effective data protection management as required under applicable regulations.
5.2. DSMN8 has implemented appropriate technical and organisational measures, in a manner that ensures that its data processing is in compliance with the requirements of relevant data protection law and the rights of data subjects.
5.3. DSMN8 warrants and undertakes that all employees involved in the personal data processing procedures are familiar with the Data Protection Legislation. DSMN8 assures that those employees are bound to maintain confidentiality or are subject to an adequate legal obligation of secrecy. DSMN8 shall monitor compliance with Data Protection Legislation.
5.4. DSMN8 shall support the Controller with appropriate technical and organisational measures in the fulfilment of its obligations to data subjects in the exercise of their rights under the applicable data protection regulations. Such obligations include but are not limited to: the right to information, the right to rectification and to erasure, the right to restriction of processing, to data portability and to object to data processing.
5.5. In the event of a data breach, DSMN8 shall support the Controller in the fulfilment of any reasonable information obligations to which the Controller is subject and if there are no specific requirements DSMN8 and the Controller will adhere to the statutory requirements of the Data Protection Legislation regarding data breaches.
5.6. Information regarding the data processing carried out by DSMN8 may only be provided to data subjects or to other third parties with the prior approval of the Controller. If a data subject exercises his or her data subject’s rights in respect to DSMN8, DSMN8 shall forward this request to the Controller without undue delay.
6. Sub-Processing
6.1. The Sub-Processing relationship shall be established when DSMN8 appoints another processor in part or in whole, for the provision of services agreed upon in this DPA. Ancillary services that are provided to and on behalf of DSMN8 by third-party service providers and which may support DSMN8 in the exercise of its duties shall not be regarded as sub-processing within the meaning of this DPA. Such services may include, for example, provision of telecommunication services or facility management.
6.2. DSMN8 is obliged to ensure the protection and the security of the Controller’s data in respect to third party service providers, and to ensure appropriate and legally compliant contractual agreements and supervisory measures are in place.
6.3. DSMN8 may appoint or change Sub-Processors and will inform the Controller of any intended appointment or change. Upon receipt of such information, the Controller may notify DSMN8 of any reasonable objection.
6.4. A Sub-Processor may only have access to the Personal Data which is the subject of this DPA once DSMN8 has ensured, by means of a written contract, that the provisions of this DPA are also binding on the Sub-Processor, and in particular adequate guarantees are provided as to the implementation of appropriate technical and organisational measures to ensure that the processing meets Data Protection Legislation.
6.5. The Sub-Processors listed in Appendix 2 of this DPA at the time of signature are deemed to have been approved by the Controller.
7. Data Transfers
7.1. DSMN8 will process personal data provided to it by the Controller under this DPA exclusively in the territory defined within the respective data protection authority. Any restricted transfer of personal data to a country with no adequacy decision will meet the requirements of GDPR.
8. Controller’s Audit Rights
8.1. DSMN8 agrees that the Controller, or a person authorised by the Controller, shall be entitled to review compliance with the data protection provisions in this DPA using reasonable and appropriate means, including requests for relevant documents and related information and the inspection of data processing systems and processes. Any such review shall be subject to prior notice by the Controller and shall be at the Controller’s sole cost.
8.2. Such documents, information and inspection shall be remotely reviewed, specific to the scope of the DPA and exclude highly classified information based upon DSMN8’s Information Classification System.
8.3. The Controller shall not:
8.3.1. exercise its audit rights under this DPA more than biannually, unless DSMN8 or DSMN8’s subcontractors experience a regulatory reportable Data Breach involving Controller’s Personal Data, nor
8.3.2. exercise such audit in a manner that disrupts or burdens DSMN8’s normal business operations or causes DSMN8 to breach any obligation of confidentiality to any other third party, whether imposed by regulation or contract.
9. Data Protection Violations by DSMN8
9.1. DSMN8 shall notify the Controller without undue delay about any disruption in its operations which results in a risk to the Personal Data provided by the Controller, as well as of any suspicion of data protection infringements concerning Personal Data provided by the Controller. The same applies if DSMN8 discovers that its security measures do not satisfy legal requirements.
9.2. DSMN8 is aware that the Controller is obligated to document all breaches of the security of Personal Data and, where necessary, to inform the supervisory authority and/or the data subjects. DSMN8 will report such breaches to the Controller without undue delay and will provide, at a minimum, the following information:
9.2.1. A description of the nature of the breach, the categories and approximate number of data subjects and personal data records concerned,
9.2.2. Name and contact details of a contact person for further information,
9.2.3. A description of the likely consequences of the breach, and
9.2.4. A description of the measures taken for the remedy or mitigation of the breach.
10. Termination of the DPA
10.1. The terms regulating the termination of this DPA shall be as contained in the Agreement. On termination or expiration of this DPA, DSMN8 shall return or erase all personal data, as determined by choice of the Controller, provided there is no duty to preserve records due to statutory retention periods.
11. Final Provisions
If any of the Controller’s property rights are at risk in the premises of DSMN8 due to measures taken by third parties (e.g. through seizure or confiscation), insolvency proceedings or any other events, DSMN8 shall promptly inform the Controller thereof.
Any modifications, amendments and supplements to this DPA must be in writing, or in electronic format. Should a provision of this DPA become unenforceable, that shall not affect the validity or enforceability of any other provisions of this DPA.
Appendix 1:
CONTRACTED SERVICES
Type of data | Type of data subject | Type of processing | Purpose of processing | Type of recipient to whom personal data is transferred | Retention period |
Personal Data | Full Name | Electronic and Manual | To verify who you are | Internal and Third party service provider. | Term of agreement. |
Personal Data | Email Address | Electronic and Manual | To verify who you are | Internal and Third party service provider. | Term of agreement. |
Personal Data | Social Accounts | Electronic and Manual | To verify who you are and fulfil obligations in service agreement. | Internal and Third party service provider. | Term of agreement. |
Personal Data | Time Zone | Electronic | To verify where you are | Internal | Term of agreement. |
Personal Data | Location | Electronic | To verify where you are for using Events. | Internal | Term of agreement. |
Personal Data | Company Name | Electronic and Manual | To verify who you work for | Internal and Third party service provider. | Term of agreement. |
Appendix 2
SUB-PROCESSORS / ANCILLARY SERVICES
Name of Sub-Processor / Ancillary Service | Registered Business Address | Location of Processing | Processing Activities | Date of Contract | Ancillary |
Amazon Web Services | Amazon Web Services, Inc. P.O. Box 81226. Seattle, WA 981081226 | London | Platform hosting and data storage. | October 2016 | Yes |
 | 1600 Amphitheatre Parkway Mountain View, CA 94043 United States | London | File and documentation creating and storage, Emails, Calendar. | February 2016 | Yes |
HubSpot | 25 First Street, 2nd Floor Cambridge, MA 02141 United States | London | Social media, blog, landing pages, campaign emails. Contacts for marketing leads, sales leads and customers. | June 2017 | Yes |
Appendix 3
TECHNICAL AND ORGANISATIONAL MEASURES
DSMN8 will maintain administrative and technical safeguards for the protection of the security, confidentiality, and integrity of Personal Data processed, as described below.
The technical and organisational measures will be subject to technical progress, development and improvements for the protection of Personal Data, and any such measures shall automatically apply hereto. DSMN8’s technical and organisational measures are continuously improved according to feasibility and the state of the art, not least in terms of its active ISO 27001 certification, and brought to a higher level of security and protection.
1. Access, input, and transmission controls, including the following:
a) Establishing and maintaining staggered access authorisations for employees and third parties;
b) Identifying and reviewing all persons having access authority;
c) Running central data processing compute only in specially protected networks to which only selected employees (administrators) and Processors, who are committed to diligence and secrecy, have access;
d) Compliance rules for the use of mobile devices;
e) Logical and physical protection of all data media;
f) Authorising and enforcing a usage policy for the reading, alteration and deletion of stored data;
g) Password controls such as using secure passwords and changing the passwords regularly;
h) Separation of test and production systems;
i) Maintaining policies and technology that regulate the transmission and transport of data;
j) Using the data processing equipment only after identifying and authenticating the user;
k) Employing data encryption in transit and at rest;
l) Establishing documentation for all programs which encrypt, send or receive data.
2. Logical Access Control
a) Intrusion Detection Systems
b) Firewalls
c) Use of VPN for remote access
d) Automatic desktop lock
e) Encryption of mobile devices
f) User permission management
g) Information Security Policy
3. Data Protection
a) Central documentation of all data protection regulations with access for employees
b) Security certification according to ISO 27001
c) Internal data protection officer appointed: DPO
d) Staff trained and obliged to confidentiality/data secrecy
e) Regular awareness trainings at least annually
f) Internal Information Security Officer appointed:
g) Processes regarding information obligations according to Art 13 and 14 GDPR established
h) Formalised process for requests for information from data subjects is in place
4. Data Separation, including the following:
a) Logical separation of data of the Processor and/or the Processor’s clients and other data;
b) Using encryption for safety-critical files and files with Personal Data, with different data keys depending on the files’ owner.
5. Incident Response Management
a) Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
b) Formalised procedure for handling security incidents
c) Involvement of DPO and ISO in security incidents and data breaches
d) Documentation of security incidents and data breaches via ticket system
e) A formal process for following up on security incidents and data breaches
f) Information Security Policy
g) Data Protection Policy