Data Processing Agreement

PARTIES

1.     Polarize Ltd a company incorporated in England and Wales (registration number 12944077) having its registered office at 20 – 22 Wenlock Road, London, N1 7GU, United Kingdom  (the “Processor“); and

2.     You the Customer (the “Controller“).

BACKGROUND

1.     Polarize Network the Data Processor provides managed hosting services.

2.     You, the Customer as the Data Controller looking to use the Polarize Network managed hosting services.

3.     The Processor and the Controller therefore wish to enter into a contract in accordance with the provisions of this Agreement.

AGREEMENT

1.      Definitions

1.1    In this Agreement, except to the extent expressly provided otherwise:

Agreement” means this agreement including any Schedules, and any amendments to this Agreement from time to time;

Business Day” means any weekday other than a bank or public holiday in England;

Business Hours” means the hours of 09:00 to 17:00 GMT/BST on a Business Day;

Controller Personal Data” means any Personal Data that is processed by the Processor on behalf of the Controller under or in relation to this Agreement;

Data Protection Laws” means the EU GDPR and the UK GDPR and all other applicable laws relating to the processing of Personal Data;

Effective Date” means the date of execution of this Agreement;

EU GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) and all other EU laws regulating the processing of Personal Data, as such laws may be updated, amended and superseded from time to time;

Main Contract” means the contract between the parties dated on the date of purchase of the service, as it may be amended and updated from time to time;

Personal Data” means personal data under any of the Data Protection Laws;

Schedule” means any schedule attached to the main body of this Agreement;

Term” means the term of this Agreement, commencing in accordance with Clause 3.1 and ending in accordance with Clause 3.2; and

UK GDPR” means the EU GDPR as transposed into UK law (including by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and all other UK laws regulating the processing of Personal Data, as such laws may be updated, amended and superseded from time to time.

2.      Supplemental

2.1    This Agreement supplements the Main Contract.

2.2    Any capitalised terms that are:

(a)    used in this Agreement;

(b)    defined in the Main Contract; and

(c)    not defined in this Agreement,

        shall in this Agreement have the meanings given to them in the Main Contract.

2.3    If there is a conflict between this Agreement and the Main Contract, then the Main Contract shall take precedence.

2.4    Any breach of this Agreement shall be deemed to be a breach of the Main Contract.

2.5    Any breach of the Main Contract shall be deemed to be a breach of this Agreement.

2.6    This Agreement shall automatically terminate upon the termination of the Main Contract.

2.7    The Main Contract shall automatically terminate upon the termination of this Agreement.

3.      Term

3.1    This Agreement shall come into force upon the Effective Date.

3.2    This Agreement shall continue in force indefinitely, subject to termination in accordance with Clause 2.6, 2.7 or 6 or any other provision of this Agreement.

4.      Data protection

4.1    Each party shall comply with the Data Protection Laws with respect to the processing of the Controller Personal Data.

4.2    The Controller warrants to the Processor that it has the legal right to disclose all Personal Data that it does in fact disclose to the Processor under or in connection with this Agreement.

4.3    The Controller shall only supply to the Processor, and the Processor shall only process, in each case under or in relation to this Agreement:

(a)    the Personal Data of data subjects falling within the categories specified in Paragraph 1 of Schedule 1 (Data processing information) (or such other categories as may be agreed by the parties in writing); and

(b)    Personal Data of the types specified in Paragraph 2 of Schedule 1 (Data processing information) (or such other types as may be agreed by the parties in writing).

4.4    The Processor shall only process the Controller Personal Data for the purposes specified in Paragraph 3 of Schedule 1 (Data processing information).

4.5    The Processor shall only process the Controller Personal Data during the Term and for not more than 30 days following the end of the Term, subject to the other provisions of this Clause 4.

4.6    The Processor shall only process the Controller Personal Data on the documented instructions of the Controller (including with regard to transfers of the Controller Personal Data to a third country under the Data Protection Laws), as set out in this Agreement or any other document agreed by the parties in writing.

4.7    The Controller hereby authorises the Processor to make the following transfers of Controller Personal Data:

(a)    the Processor may transfer the Controller Personal Data internally to its own employees, offices and facilities in England, United Kingdom, providing that such transfers must be protected by appropriate safeguards, to protect Customer Data by virtue of making available Standard Contractual Clauses (Schedule 2) as a transfer mechanism.

(b)    the Processor may transfer the Controller Personal Data to its third party processors in the jurisdictions identified in Paragraph 5 of Schedule 1 (Data processing information) and may permit its third party processors to make such transfers, providing that such transfers must be protected by any appropriate safeguards identified therein; and

(c)    the Processor may transfer the Controller Personal Data to a country, a territory or sector to the extent that the competent data protection authorities have decided that the country, territory or sector ensures an adequate level of protection for Personal Data.

4.8    The Processor shall promptly inform the Controller if, in the opinion of the Processor, an instruction of the Controller relating to the processing of the Controller Personal Data infringes the Data Protection Laws.

4.9    Notwithstanding any other provision of this Agreement, the Processor may process the Controller Personal Data if and to the extent that the Processor is required to do so by applicable law. In such a case, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.10  The Processor shall ensure that persons authorised to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.11  The Processor and the Controller shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Controller Personal Data, including those measures specified in Paragraph 4 of Schedule 1 (Data processing information).

4.12  The Processor must not engage any third party to process the Controller Personal Data without the prior specific or general written authorisation of the Controller. In the case of a general written authorisation, the Processor shall inform the Controller at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Controller objects to any such changes before their implementation, then the Controller may terminate this Agreement on 7 days’ written notice to the Processor, providing that such notice must be given within the period of 7 days following the date that the Processor informed the Controller of the intended changes. The Processor shall ensure that each third party processor is subject to the same legal obligations as those imposed on the Processor by this Clause 4.

4.13  As at the Effective Date, the Processor is hereby authorised by the Controller to engage, as sub-processors with respect to Controller Personal Data, the third parties, and third parties within the categories, identified in Paragraph 5 of Schedule 1 (Data processing information).

4.14  The Processor shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Controller with the fulfilment of the Controller’s obligation to respond to requests exercising a data subject’s rights under the Data Protection Laws.

4.15  The Processor shall assist the Controller in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Processor may charge the Controller at its standard time-based charging rates for any work performed by the Processor at the request of the Controller pursuant to this Clause 4.15.

4.16  The Processor must notify the Controller of any Personal Data breach affecting the Controller Personal Data without undue delay and, in any case, not later than 72 hours after the Processor becomes aware of the breach.

4.17  The Processor shall make available to the Controller all information necessary to demonstrate the compliance of the Processor with its obligations under this Clause 4 and the Data Protection Laws. The Processor may charge the Controller at its standard time-based charging rates for any work performed by the Processor at the request of the Controller pursuant to this Clause 4.17, providing that no such charges shall be levied with respect to the completion by the Processor (at the reasonable request of the Controller, not more than once per calendar year) of the standard information security questionnaire of the Controller.

4.18  The Processor shall, at the choice of the Controller, delete or return all of the Controller Personal Data to the Controller after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.

4.19  The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller in respect of the compliance of the Processor’s processing of Controller Personal Data with the Data Protection Laws and this Clause 4. The Processor may charge the Controller at its standard time-based charging rates for any work performed by the Processor at the request of the Controller pursuant to this Clause 4.19, providing that no such charges shall be levied where the request to perform the work arises out of any breach by the Processor of this Agreement or any security breach affecting the systems of the Processor.

4.20  If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.

5.      Limits upon exclusions of liability

5.1    Nothing in this Agreement will:

(a)    limit or exclude any liability for death or personal injury resulting from negligence;

(b)    limit or exclude any liability for fraud or fraudulent misrepresentation;

(c)    limit any liabilities in any way that is not permitted under applicable law; or

(d)    exclude any liabilities that may not be excluded under applicable law.

6.      Termination

6.1    Either party may terminate this Agreement by giving to the other party at least 30 days’ written notice of termination.

6.2    Either party may terminate this Agreement immediately by giving written notice of termination to the other party if the other party commits a material breach of this Agreement.

6.3    Subject to applicable law, either party may terminate this Agreement immediately by giving written notice of termination to the other party if:

(a)    the other party:

(i)     is dissolved;

(ii)    ceases to conduct all (or substantially all) of its business;

(iii)   is or becomes unable to pay its debts as they fall due;

(iv)   is or becomes insolvent or is declared insolvent; or

(v)    convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;

(b)    an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;

(c)    an order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement); or

(d)    if that other party is an individual:

(i)     that other party dies;

(ii)    as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or

(iii)   that other party is the subject of a bankruptcy petition or order.

7.      Effects of termination

7.1    Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): Clauses 1, 2.2, 2.3, 2.4, 2.5, 4, 5, 7, 9 and 10.

7.2    Except to the extent expressly provided otherwise in this Agreement, the termination of this Agreement shall not affect the accrued rights of either party.

8.      Notices

8.1    Any notice from one party to the other party under this Agreement must be given by one of the following methods (using the relevant contact details set out in Clause 8.2):  

(a)    delivered personally or sent by courier, in which case the notice shall be deemed to be received upon delivery; or

(b)    sent by recorded signed-for post, in which case the notice shall be deemed to be received 2 Business Days following posting,

        providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time.

8.2    The parties’ contact details for notices under this Clause 8 are as follows:

(a)    in the case of notices sent by the Controller to the Processor, hello@polarize.network; and

(b)    in the case of notices sent by the Processor to the Controller, hello@polarize.network.

8.3    The addressee and contact details set out in Clause 8.2 may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 8.

9.      General

9.1    No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.

9.2    If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted).

9.3    This Agreement may not be varied except by a written document signed by or on behalf of each of the parties.

9.4    Neither party may without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.

9.5    This Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party.

9.6    Subject to Clause 5, this Agreement shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.

9.7    This Agreement shall be governed by and construed in accordance with English law.

9.8    The courts of England shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.

10.    Interpretation

10.1  In this Agreement, a reference to a statute or statutory provision includes a reference to:

(a)    that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and

(b)    any subordinate legislation made under that statute or statutory provision.

10.2  The Clause headings do not affect the interpretation of this Agreement.

10.3  References in this Agreement to “calendar months” are to the 12 named periods (January, February and so on) into which a year is divided.

10.4  In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.

EXECUTION

The parties have indicated their acceptance of this Agreement by executing it below.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

1.      Categories of data subject

Customer may submit Customer Data in the course of its use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of the Customer (who are natural persons and legal entities);
  • Employees or contact persons of the Customer’s prospects, customers, business partners and vendors;
  • Employees, agents, advisors, freelancers of the Customer (who are natural persons);
  • Customer’s Users authorized by the Customer to use the Services;
  • Individuals who transmit data via the Services, including individuals collaborating and communicating with the Customer or Customer’s end users;
  • Individuals whose data is provided to Polarize Network via the Services by or at the direction of the Customer or by the Customer’s end users.

2.      Types of Personal Data

Customer may submit Customer Data in the course of its use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Personal Data:

  • Name
  • Address
  • Email address
  • Any personal data relating to individuals

3.      Purposes of processing

  1. Processing to provide the Services and related technical support in accordance with this DPA and applicable Order(s);
  2. Processing initiated by Users in their usage of the Services;
  3. Processing necessary to maintain and improve the Services.

4.      Security measures for Personal Data

Polarize Network shall implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Schedule 2 (the “Security Measures”). As described in Schedule 2, the Security Measures include measures to provide encrypted transmission of customer data outside the Service environment; to help ensure ongoing confidentiality, integrity, availability and resilience of Polarize Network’s systems and services; to help restore timely access to Customer Data from an available backup copy, provided either by Polarize Network Backup Services or Customer’s own backup copy following an incident; and for regular testing of effectiveness. Polarize Network may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

5.      Sub-processors of Personal Data

Available upon request.

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

This Schedule forms part of the Clauses. By purchasing Services from Polarize Network and agreeing the Data Processing Agreement, the parties will be deemed to have accepted and executed this Schedule 2.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The technical and organisational security measures implemented by the data importer are as described in the Data Processing Agreement and Annex 2 Security Measures.