Data Processing Agreement
Updated: 14th July 2024
This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service, Privacy Policy, and any other applicable policies or addenda (the “Agreement”) between DataPress (“we”, "us" or "our") and any user who accesses or uses our website and services, or otherwise interacts with us. Unless otherwise stated, or where the context requires, all capitalized terms not defined in this DPA shall have the meanings set forth in the Terms of Service.
The purpose of this DPA is to ensure that the processing of Personal Data by the Data Processor on behalf of the Data Controller complies with the General Data Protection Regulation (GDPR) and any other applicable data protection laws and regulations.
By accessing or using our website and services, or otherwise interacting with us, you are deemed to have read, understood and agreed to our Processing of your Personal Data and Customer Data (as defined in the DPA) as outlined in this DPA. This DPA applies to any user who accesses or uses our website and services, and you hereby acknowledge that you are entering into this DPA on behalf of yourself and, to the extent required under Data Protection Laws, in the name and on behalf of your Authorized Affiliates (as defined below).
1. Overview
Capitalized terms used in this DPA have the meanings set forth below. Other capitalized terms not defined in this DPA shall have the meanings ascribed to them in the Agreement.
"Agreement" means the agreement between DataPress and the Customer for the provision of the Services, consisting of the Terms of Service, Privacy Policy, and any other applicable policies or addenda.
"Authorized Affiliates" means any entity that directly or indirectly controls, is controlled by, or is under common control with the Customer, where "control" means the ownership or control of more than fifty percent (50%) of the shares or other voting securities entitled to vote for the election of directors or other managing authority.
"Customer" means the individual or entity that has agreed to the terms of the Agreement and has created an account with DataPress to use the Services.
"Customer Data" means data you submit to, store on or send to us via the Service.
"Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under this DPA.
"Europe" means, for the purposes of this DPA, the member states of the European Economic Area, Switzerland, and the United Kingdom.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by DataPress as part of the Services.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Services" means the data portal services and related functionality provided by DataPress to the Customer as described in the Agreement.
"Sub-processor" means any third-party processor engaged by DataPress to assist in the processing of Personal Data in connection with the Services.
"Supervisory Authority" means an independent public authority established by a European Union Member State, the European Economic Area, or the United Kingdom, pursuant to Data Protection Laws.
2. Scope and Applicability of this DPA
2.1 Roles and Scope of Processing: The parties acknowledge and agree that DataPress acts as both a data controller and a data processor of Personal Data. DataPress acts as a data controller for Personal Data collected through the Site, Services, or via email, and determines the purposes and means of the processing of that Personal Data. DataPress processes Customer Data as a data processor on behalf of the Customer.
2.2 Nature of the Personal Data: DataPress collects and uses certain Personal Data about Customers and their Users, as described in the Privacy Policy, for the purposes of providing and improving the Site and Services. Personal Data may include but is not limited to the following:
- Name, address, phone number, and email address
- IP address, device type, browser type, and operating system
- Usage information, such as pages accessed and links clicked
- Billing information, such as payment method and transaction details
2.3 Purpose of Processing Personal Data: DataPress may process Personal Data for the following purposes:
- Providing and improving the Services
- Administering Customer accounts
- Contacting Customers with Service-related information
- Marketing and advertising the Services (with appropriate consent)
- Complying with applicable laws and regulations
2.4 Lawfulness of Processing Personal Data: DataPress will only process Personal Data where it has a lawful basis to do so, such as where:
- The Customer has given their explicit consent
- The processing is necessary for the performance of a contract with the Customer
- The processing is necessary for compliance with a legal obligation
- The processing is necessary for the legitimate interests pursued by DataPress or a third party, such as improving the Services or preventing fraud
2.5 Nature of the Customer Data: DataPress processes Customer Data provided by the Customer, which may include personal data that is subject to applicable Data Protection Laws. The Customer Data may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain, and improve the Services
- To provide customer and technical support
- To communicate with Customers regarding the Services and their account
- To comply with legal obligations.
DataPress shall only process Customer Data in accordance with documented instructions from the Customer, except where required by applicable law to do otherwise.
## 3. Obligations of the Data Processor
3.1 Confidentiality: DataPress shall ensure that its personnel engaged in the processing of Personal Data are bound by confidentiality obligations. This obligation shall survive the termination of the Agreement.
3.2 Data Retention: DataPress will retain Personal Data for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.
3.3 Sub-Processors: DataPress may engage sub-processors to assist in the processing of Personal Data. DataPress shall enter into written agreements with sub-processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure the protection of Personal Data. A list of current sub-processors engaged by DataPress is available upon request.
3.4 Data Subject Rights: Data subjects have certain rights under applicable data protection laws, such as the right to access, rectify, and erase their Personal Data. DataPress shall provide reasonable assistance to the Customer in responding to any requests from data subjects exercising their rights.
3.5 Data Breach Notification: In the event of a Security Incident involving Personal Data, DataPress shall notify the Customer without undue delay and provide all relevant information relating to the Security Incident.
3.6 Data Protection Impact Assessment: DataPress shall provide reasonable assistance to the Customer in carrying out any necessary data protection impact assessments related to the Services.
3.7 International Data Transfers: DataPress may transfer Personal Data outside of Europe to the extent necessary for the provision of the Services. DataPress will ensure that such transfers are subject to appropriate safeguards as required by applicable data protection laws, such as Standard Contractual Clauses or adequacy decisions.
3.8 Record Keeping: DataPress shall maintain complete and accurate records of all processing of Personal Data carried out under this DPA, including but not limited to the nature, scope, duration, and purpose of the processing, as well as the categories of Personal Data and data subjects involved.
3.9 Security Measures: DataPress will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. These measures may include, but are not limited to, pseudonymization and encryption of Personal Data, regular security assessments, and access controls.
4. Security Measures
4.1 Security Measures: DataPress shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. These measures shall be aimed at ensuring the confidentiality, integrity, and availability of Personal Data.
4.2 Security Assessments: DataPress shall regularly evaluate and test the effectiveness of its security measures and ensure that its personnel engaged in the processing of Personal Data are bound by confidentiality obligations.
4.3 Security Incidents: DataPress shall implement procedures for identifying and reporting Security Incidents to the Customer without undue delay and shall reasonably cooperate with the Customer in investigating and remedying any Security Incidents.
4.4 Access to Personal Data: DataPress shall take reasonable steps to ensure the reliability of any employee or contractor who may have access to the Personal Data, ensuring that all such individuals are subject to appropriate confidentiality and security obligations.
4.5 Sub-Processors: Where DataPress engages a sub-processor, it shall ensure by way of a written contract that the sub-processor is bound by obligations of confidentiality, data protection, and security that are no less onerous than those imposed on DataPress by this DPA.
4.6 Records of Processing Activities: DataPress shall maintain a record of its processing activities that involve Personal Data and shall make such record available to the Customer upon request.
4.7 Audits: Where the Agreement allows the customer to audit DataPress's compliance with this DPA, DataPress shall provide the Customer with all information necessary to demonstrate compliance with this Section 4 and shall allow the Customer or its authorized third-party auditor to conduct audits or inspections to verify DataPress's compliance with this Section 4. Any such audit or inspection shall be subject to the parties agreeing in advance on the scope, timing, and duration of the audit or inspection, as well as any confidentiality and security requirements that apply to the audit or inspection.
4.8 Updates to Security Measures: You hereby acknowledge that the Security Measures are subject to technical progress and development and that DataPress may update or modify the Security Measures from time to time without notifying you of the same provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
5. Data Breach Notification
5.1 Notification of Data Breach: In the event of a Data Breach, the Data Processor will notify the Data Controller without undue delay, and in any event, within 72 hours of becoming aware of the Data Breach.
5.2 Information to be Provided: The Data Processor will provide the Data Controller with all relevant information in its possession or control regarding the Data Breach, including the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences of the breach.
5.3 Cooperation and Assistance: The Data Processor will cooperate and assist the Data Controller in the investigation, mitigation, and remediation of the Data Breach, including providing all reasonable assistance necessary to allow the Data Controller to meet its notification obligations under applicable law.
5.4 Remediation: The Data Processor will take all necessary measures to remedy or mitigate the effects of the Data Breach, including implementing appropriate technical and organizational measures to prevent future breaches.
5.5 Reporting to Authorities: The Data Processor will report the Data Breach to the relevant supervisory authorities in accordance with applicable law, and will provide all necessary cooperation and assistance to the Data Controller in connection with any investigation or proceedings related to the Data Breach.
5.6 Records of Data Breaches: The Data Processor will keep a record of all Data Breaches, including the facts surrounding the breach, its effects, and the remedial action taken. The Data Processor will make these records available to the Data Controller upon request.
6. Termination
6.1 Termination: Either party may terminate this DPA immediately upon written notice if the other party breaches any material provision of this DPA and fails to cure such breach within 30 days after receiving written notice of such breach.
6.2 Deletion or Return of Personal Data: Upon termination of this DPA or upon request of the Customer, DataPress shall promptly delete or return all Personal Data processed under this DPA and certify in writing to the Customer that it has done so, unless applicable law requires further storage of such Personal Data. DataPress shall also delete all existing copies of Personal Data unless storage is required by applicable law.
6.3 Retention of Customer Data: Notwithstanding the termination of this DPA, DataPress may retain Customer Data to the extent required by applicable law or as necessary to comply with its legal obligations. In such cases, DataPress shall ensure the confidentiality of any such Customer Data and shall only use it as necessary to comply with such legal obligations.
6.4 Survival: The obligations of the parties under this Section 6 shall survive the termination or expiration of this DPA.
7. Miscellaneous
7.1 Governing Law: This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
7.2 Modification: DataPress reserves the right to modify this DPA at any time by posting the modified terms on our website or by providing notice to the Customer. The modified terms will be effective upon posting or as otherwise stated in the notice. By continuing to use the Service after the effective date of any modifications to this DPA, the Customer agrees to be bound by the modified terms.
7.3 Notices: Any notices or other communications required or permitted hereunder, including those regarding modifications to this DPA, will be in writing and given by posting to our website, by email to [email protected] or by writing to our address. For the avoidance of doubt, notices provided to the Customer via the Service will be deemed given on the day the notice is posted.
7.4 Entire Agreement: This DPA, together with the Terms of Service and any other documents referenced herein, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous communications, negotiations and agreements (whether written or oral) relating to such subject matter.
7.5 Assignment: The Customer may not assign this DPA or any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of DataPress. DataPress may assign this DPA or any of its rights or obligations hereunder without the consent of the Customer.
7.6 No Waiver: No failure or delay by either party in exercising any right under this DPA will constitute a waiver of that right. Any waiver or consent must be in writing and signed by the waiving or consenting party.
7.7 Independent Contractors: The parties are independent contractors. Nothing contained in this DPA shall be construed to create a partnership, joint venture, employment, or agency relationship between the parties.
7.8 Severability: If any provision of this DPA is held to be unenforceable or invalid, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.
7.9 No Third-Party Beneficiaries: This DPA is intended for the benefit of the parties hereto and their respective permitted successors and assigns and is not for the benefit of, nor may any provision hereof be enforced by, any other person.