This Data Processing Agreement ("DPA") is entered into between the Client (the "Controller") and Estalytics Ltd trading as Stalytics (the "Processor").
This DPA is incorporated into and forms an integral part of the Master Terms & Conditions (the "Principal Agreement") between the Parties and applies to the processing of Personal Data by the Processor on behalf of the Controller in the course of providing the Services as defined in the Principal Agreement.
1. Definitions
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Principal Agreement, including but not limited to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller as a result of the Services.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Processing", "processed", or "process" have the meaning given in the Applicable Data Protection Law.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Other capitalised terms used but not defined herein shall have the meanings set forth in the Principal Agreement.
2. Processing of Personal Data
2.1. Roles of the Parties
The Parties acknowledge and agree that for the purposes of the Applicable Data Protection Law, the Controller is the data controller and the Processor is the data processor of the Personal Data.
2.2. Processor's Obligations
The Processor shall only process Personal Data on behalf of and in accordance with the Controller's documented lawful instructions. The Controller's instructions are deemed to include the processing necessary to provide the Services as set out in the Principal Agreement. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
2.3. Details of Processing
- Subject-matter: The processing of Personal Data in the context of the web design, development, and maintenance services provided by the Processor.
- Duration: For the term of the Principal Agreement, unless otherwise agreed in writing.
- Nature and Purpose: To enable the Processor to provide the Services to the Controller, which may involve storing, managing, and displaying Personal Data on websites or applications developed for the Controller.
- Types of Personal Data: May include names, email addresses, phone numbers, IP addresses, and any other Personal Data the Controller chooses to collect through its website or application.
- Categories of Data Subjects: May include the Controller's clients, customers, website visitors, or employees.
2.4. Sub-processors
Without limiting the general authorisation in section 4, the Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of a sub-processor and shall provide a mechanism for the Controller to object on reasonable grounds within that period.
2.5. Assistance with Data Protection
Taking into account the nature of the processing and the information available to it, the Processor shall provide reasonable assistance to the Controller with data protection impact assessments (DPIAs) and with any prior consultations with supervisory authorities.
3. Security Measures
The Processor shall implement and maintain appropriate technical and organisational security measures to protect the Personal Data against a Personal Data Breach. These measures shall include, but are not limited to:
- Encryption of Personal Data where appropriate.
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
4. Sub-processing
4.1. The Controller provides a general authorisation for the Processor to engage sub-processors to perform parts of the Services. The Processor shall maintain a list of its current sub-processors, which shall be made available to the Controller upon request.
4.2. The Processor shall ensure that any sub-processor is bound by a written agreement that imposes data protection obligations no less protective than those in this DPA. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
5. International Transfers
The Processor shall not transfer Personal Data outside the UK or European Economic Area (EEA) unless expressly agreed in writing with the Controller.
6. Data Subject Rights
The Processor shall, to the extent legally permissible, provide reasonable assistance to the Controller to enable the Controller to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, and portability).
7. Personal Data Breaches
The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach. The notification shall include, at a minimum:
- A description of the nature of the breach.
- The categories and approximate number of Data Subjects and Personal Data records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to be taken to address the breach.
8. Data Deletion
Upon termination of the Principal Agreement, the Processor shall, at the Controller's election, delete all Personal Data or return it to the Controller, and shall delete any remaining copies unless Applicable Data Protection Law or other law requires the Processor to retain the Personal Data.
9. Audits and Information
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, upon reasonable notice.
10. Contact Point
The Processor has designated a contact point for data protection matters: privacy@stalytics.com.
11. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any dispute arising from or in connection with this DPA.