Upon execution, this DPA shall form an addendum to the terms of service between the Buyer and channelcentral. Any capitalised terms used herein that are not specifically defined in this DPA shall have the meaning set out in the Buyer Terms.
This DPA has been approved for release and is pre-signed using DocuSign by an authorised signatory of channelcentral. It has been published for the specific attention of channelcentral customers.
If the signatory is a Buyer at the time and date that this DPA is countersigned then this DPA shall form part of the Buyer Terms, otherwise this DPA shall not be valid or legally binding.
HOW TO EXECUTE THIS DPA FOR YOUR ORGANISATION
- If channelcentral processes personal data on behalf of the Buyer, an entity which qualifies or may qualify as a Data Controller with respect to Personal Data as is defined within the EU General Data Protection Regulation (“GDPR”) (Regulation 2016/679), then the Buyer may elect to execute this DPA as an addendum to its Buyer Terms.
- To complete this DPA, the authorized signatory of the Buyer must:
  - Download a copy of this pre-signed DPA;
  - Complete the information as requested in the signature box on Page 1 of the DPA;
  - Countersign and date the DPA;
  - Submit a PDF copy of the completed and signed DPA to us at firstname.lastname@example.org.
- Upon receipt of a completed and signed copy of this DPA in accordance with the instructions above, this DPA will become legally binding.
This DPA is entered into between channelcentral.net Limited (“channelcentral”) and the Buyer and is incorporated into and governed by the terms of the Buyer Terms.
In the event of a conflict between this DPA and the Buyer Terms, the Buyer Terms shall prevail.
Any capitalised term not defined in this DPA shall have the meaning given to it in the Buyer Terms.
|Term|Meaning|
|---|---|
|“Buyer Data”|means all data processed by the Seller or provided to the Seller for processing or otherwise processed as part of the Service.|
|“Buyer Terms”|means the existing Agreement between channelcentral and the Buyer for the provision of the Services.|
|“Buyer”|means an organisation that has elected to subscribe to channelcentral’s Service(s).|
|“Controller”|means the Buyer.|
|“Data Controller”|shall have the meaning of ‘data controller’ set out in section 1(1) of the Data Protection Act 1998 and, from the time of its implementation into law in England and Wales the meaning set out in Article 4(7) of the GDPR.|
|“Data Processor”|shall have the meaning of ‘data processor’ set out in section 1(1) of the Data Protection Act 1998 and, from the time of its implementation into law in England and Wales the meaning of ‘processor’ set out in Article 4(8) of the GDPR.|
|“Data Protection Legislation”|means, for such time as they are in force in England and Wales, the Data Protection Act, the GDPR and all related legislation which may supplement, amend or replace them and which relates to the protection of individuals’ rights in their personal data and the protection of their privacy.|
|“Data Subject”|shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 as amended from time to time or its replacement by subsequent legislation.|
|“GDPR”|means Regulation (EU) 2016/679 and/or such legislation as may give effect to its terms in England and Wales.|
|“Personal Data”|shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 as amended from time to time or its replacement by subsequent legislation.|
|“Processing” and “Process”|have the meaning set out in section 1(1) of the Data Protection Act 1998 and, from the time of its implementation into law in England and Wales the meaning set out in Article 4(2) of the GDPR.|
|“Standard Contractual Clauses”|means the EU model clauses for Personal Data transfer from controllers to processors c2010-593 - Decision 2010/87EU.|
|“Sub-Processor”|means any person or entity engaged from time to time by channelcentral to process Personal Data in connection with the provision of the Services.|
2.1 The Processor has agreed to provide the Services to the Controller in accordance with the terms of the Buyer Terms. In providing the Services, the Processor shall process Buyer Data on behalf of the Controller.
2.2 Buyer Data may include Personal Data. The Processor will process and protect such Personal Data in accordance with the terms of this DPA.
3. Term and Termination
3.1 The term of this DPA shall coincide with the commencement of the Buyer Terms and this DPA shall terminate automatically together with termination or expiry of the Buyer Terms.
4. Controller and Processor
4.1 channelcentral and the Buyer agree that, for the Purposes of Data Protection Legislation, the Buyer is and shall remain the Data Controller and that channelcentral shall be a Data Processor in respect of any Personal Data which is transferred to it from the Buyer as part of the Buyer Data during its performance of its obligations pursuant to this Contract.
4.2 As a Data Processor, channelcentral shall process the Personal Data only in accordance with the Buyer’s instructions from time to time and shall not process the Personal Data for any purpose other than enabling it to fulfil its obligations pursuant to this Contract or to perform any other activity which may be expressly authorised by the Buyer from time to time.
4.3 For the avoidance of doubt, the Software provided by channelcentral may use Personal Data entered into it by the Buyer to perform functions of the following nature (the precise nature of which will depend on the configuration of the Software):
4.3.1 the facilitation of data entry and the management of records;
4.3.2 enable the sending by the Buyer of correspondence, the content of which shall be determined solely by the Buyer;
4.3.3 enable the generation of reports by the Buyer and channelcentral and the Tier 1 Manufacturers; and
4.3.4 such other operations as the Buyer may configure and require from time to time.
4.4 channelcentral shall take steps to ensure that its employees are informed of their obligations in relation to Personal Data and that they hold and shall process such information in confidence and in accordance with all relevant Data Protection Legislation.
5. Data Protection Warranties
5.1 Each party warrants to the other that it will comply with all applicable Data Protection Legislation.
5.2 For the avoidance of doubt the Buyer warrants that the Buyer Data, and in particular all Personal Data inherent therein, has been collected and stored in compliance with all applicable law, and that it has all necessary consents, permissions and authorisations to provide it to channelcentral for the purposes contemplated by this Contract and all further purposes that the Buyer may instruct from time to time.
5.3 In accordance with its function as a Data Processor pursuant to this Contract channelcentral warrants that:
5.3.1 having regard to the current state of technological development, the nature of the processing in question, and the material risk to the rights of affected Data Subjects, it shall take appropriate and reasonable technical and organisational measures to secure relevant Personal Data against the unauthorised or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data;
5.3.2 to the extent that the Software does not enable the Buyer to extract such information independently, it will assist the Buyer, insofar as reasonably possible, in responding to any requests made by any relevant Data Subject which concern the exercise of that Data Subject’s rights under the GDPR;
5.3.3 it shall report to the Buyer any suspected data breach concerning the Personal Data and shall assist the Buyer to inform the relevant regulator and affected Data Subjects; and
5.3.4 it shall, on reasonable request and with adequate notice, demonstrate to the Data Controller, to the extent that is reasonable given the nature of the processing in question, that it complies with Data Protection Legislation.
6.1 The limitations on liability set out in the Buyer Terms apply to all claims made pursuant to any breach of the terms of this DPA.
7. Data Protection Indemnity
7.1 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations pursuant to this DPA and/or the Buyer Terms.
7.2 In order to avail itself of this indemnity the claiming party must: promptly notify the indemnifier of any relevant claim of which the indemnified party becomes aware; not make any admission of liability or offer to settle in respect of any relevant claim without the prior written permission of the indemnifier; grant the indemnifier full control of all relevant proceedings on request, and; provide the indemnifier with such assistance in dealing with such claims as it may reasonably request.
7.3 The parties acknowledge that channelcentral is reliant on the Buyer for direction as to the extent to which channelcentral is entitled to use and process Personal Data which it receives from the Buyer. Consequently, channelcentral will not be liable to the Buyer for any claim brought by a Data Subject arising from any action or omission by channelcentral as Data Processor, to the extent that such action or omission resulted directly from the Buyer’s instructions.
8.1 The Controller acknowledges and agrees that channelcentral may utilise certain Sub-Processors to deliver its Services.
8.2 All Sub-Processors that process Personal Data in the provision of the Services shall comply with the obligations of the Processor similar to those set out in this DPA.
8.3 The current list of Sub-Processors (including for clarity those located within the EEA) is as set out in Schedule 1 to this DPA.
8.4 If an active Sub-processor is located outside of the EEA, the Processor confirms that each Sub-Processor:
8.4.1 Is located in a country or territory recognised by the EU Commission to have an adequate level of protection; or
8.4.2 Has other appropriate safeguards in place, such as the EU-US Privacy Shield; or
8.4.3 Has entered into an appropriate Data Processing DPA with the Processor.
8.5 The parties agree that the Processor shall be liable for any breaches of this DPA that are caused by the acts and omissions or negligence of its Sub-Processors, to the same extent as the Processor would be liable had it been performing the work itself under the Buyer Terms, subject always to the limitations on liability that are set out in the Buyer Terms.
8.6 The Controller has the right to object to the use of a Sub-Processor, or to the introduction of a new or replacement Sub-processor. In this case:
8.6.1 The Controller may terminate the Buyer Terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub-processor;
8.6.2 The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Buyer Terms following the effective date of termination with respect to such terminated Services.
9.1 This clause does not modify or limit the rights of audit of the Controller.
9.2 The Processor shall on request make available to the Controller such information as it deems reasonably necessary to:
9.2.1 demonstrate compliance with its processing obligations; and
9.2.2 allow it to contribute to audits and inspections.
9.3 Any audit conducted under this DPA may consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions as is set out in the Buyer Terms.
9.4 The Controller may at its own expense and with reasonable cause, request the Processor to collaborate in a more extensive audit. Any such audit will conform to the following:
9.4.1 It will be limited in scope to matters specific to the Controller;
9.4.2 It will be agreed in advance with the Processor;
9.4.3 It will be executed during UK business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen;
9.4.4 It shall not interfere with the Processor’s day-to-day business.
9.5 The Processor may charge a fee based on its standard Rate Card, plus costs arising, the details of which shall be agreed in advance.
10. Deletion of Personal Data
10.1 Whilst Service is active
10.1.1 The Controller will enable the Processor to delete Personal Data either (a) by using functionality provided by the Service, or (b) by means of a Service Request or (c) by any other reasonable means that it may offer.
10.1.2 Due to the nature of the Processor’s Service(s), the Controller acknowledges that deletion of Personal Data from the Service may result in that service losing some or all of its functionality.
10.2 After Termination of Service
10.2.1 The Processor will respond to a request from the Controller for the return or deletion of Personal Data. This request must be made within 14 days of termination of Service.
10.2.2 The Processor will provide the data in a machine-readable format for download by the Controller.
10.2.3 After 14 days, the Processor will permanently delete the Personal Data from the live system.
10.3 Following the permanent deletion of Personal Data from the live systems, partial data may reside on the Processor’s backup service and/or Disaster Recovery service for a period of up to 4 weeks. Upon request from the Controller, the Processor may be able to assist with recovery of partial data from these archives during this period. A fee will be charged for this service.
11. Notification of a Data Breach
11.1 The Processor shall promptly (and in any event within 72 hours) notify the Controller if it becomes aware of any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data (“Data Breach”).
11.2 The Processor will take commercially reasonable measures to limit the effects of any Data Breach, to secure the Personal Data against further exposure, and to assist the Controller in meeting the Controller’s obligations under applicable law.
11.3 Any notification of or response by the Processor to a Data Breach under this Section will not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Data Breach.
11.4 The Processor will not analyse or review the Controller’s data to identify information that may be subject to any specific Controller data breach.
11.5 It is agreed that the Controller is solely responsible for
11.5.1 complying with data breach notification laws applicable to the Controller; and
11.5.2 fulfilling any third-party notification obligations related to any Data Breach(es).
12.1 The Processor will notify the Controller promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts the Controller (unless prohibited by law).
12.2 If the Processor receives a request from a Data Subject in relation to Personal Data, the Processor will refer the Data Subject to the Controller (unless prohibited by law).
12.3 If the Processor is legally required to respond to the Data Subject, the Controller will fully cooperate with the Processor as applicable.
13. Keeping of Copies
13.1 The Processor may make copies of and/or retain Personal Data to:
13.1.1 comply with its legal or regulatory requirement including, but not limited to, retention requirements;
13.1.2 ensure continued operation of its Service(s).
14. Notification of Amendments Required
14.1 The parties acknowledge that the Controller shall notify the Processor within a reasonable time of any changes to applicable laws that may affect the contractual duties of the Processor.
14.2 The Processor shall respond to such notification within a reasonable timeframe in respect of any changes that it determines must be made to this DPA, or to its approach to technical or organisational compliance.
14.3 If the parties agree that amendments are required but the Processor cannot reasonably accommodate the necessary changes, the Controller may elect to terminate those part(s) of the Services which may give rise to the non-compliance. The provision of Services unaffected by this shall continue unchanged.
15.1 This DPA sets out the entire understanding of the parties with regards to the subject matter herein.
15.2 Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.
15.3 This DPA shall be governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA.
Schedule 1: LIST OF SUB-PROCESSORS
1.1 Located in the United Kingdom
1.2 Office365 services.
2.1 Located in the United States of America.
2.2 Provision of bulk email services used for sending of service announcements and marketing.
3.1 Located in the United Kingdom.
3.2 Hosting of servers, firewalls, load balancers, data storage systems and all related ancillary and support services.
4. Phoenix 47 with First Option Technologies.
4.1 Located in the United Kingdom
4.2 First line helpdesk. Read and respond to support emails from customers of the channelcentral services.
5. Zestia Limited.
5.1 Located in the United Kingdom.
5.2 Customer Relationship Management (CRM) system.
6. Xero Limited.
6.1 Located in New Zealand.
6.2 Financial Accounting system.
7. Stripe Inc.
7.1 Located in the United States of America.
7.2 Provision of credit card processing services.
8. PayPal Inc.
8.1 Located in the United States of America.
8.2 Provision of payments processing services.