Data Processing Agreement
Last Updated 25 Apr, 2022
This Data Processing Agreement (“Agreement”) forms part of the Contract for Services under the Red Arc Terms & Conditions (“Principal Agreement”). This Agreement is an amendment to the Principal Agreement and is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this Agreement will form a part of the Principal Agreement.
The term of this Agreement shall follow the term of the Principal Agreement.
Terms not defined herein shall have the meaning as set forth in the Principal Agreement.
Capitalised terms used and not defined herein or in the Principal Agreement shall have the meanings given them in (a) the General Data Protection Regulation 2016/679 or any subsequent or enacting legislation applicable to the parties (“GDPR”) and (b) the UK Data Protection Act 2018 and the UK GDPR (together, “UK GDPR”).
With respect to any Processing of Personal Data by Red Arc in connection with the provision of the Services, You are the Controller and Red Arc is the Processor. Each party shall comply with its applicable obligations under GDPR and UK GDPR. You represent that You have all rights and authorisations necessary for Red Arc to Process Your Personal Data.
Red Arc shall Process Your Personal Data as necessary to provide the Services and in accordance with Your instructions. You agree that applicable provisions of the Principal Agreement, Proposal, reasonable written instructions (such as creation of a support ticket) and Your use and configuration of the features within the Services constitute Your instructions with respect to Red Arc’s Processing of the Personal Data on Your behalf.
The subject matter of the Processing is the Personal Data You provide to Red Arc in connection with Your use of the Services. The duration of the Processing is for the term of the Principal Agreement. The nature and purpose of the Processing is to provide the Services as set forth in the Proposal. The types of Personal Data and categories of Data Subjects are those that are submitted into the Services or otherwise provided by You to Red Arc.
Red Arc Personnel
Red Arc shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
You are responsible for independently determining whether the data security provided for in the Subscription Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service (including to securely backup or encrypt any such Personal Data).
We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described in our Security Attestation.
We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
Red Arc shall not disclose Your Personal Data to any third party, unless authorised by You or required by law or a Supervisory Authority, in any such case, notifying You prior to disclosure unless prohibited by law.
Red Arc shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by Controller.
Data Subject Rights
To the extent legally permitted, Red Arc shall notify You of requests addressed directly to us from Data Subjects exercising any of the rights granted to Data Subjects under GDPR and UK GDPR (collectively, “Data Subject Rights”). You shall be solely responsible for responding to such requests. To the extent that You cannot respond to the Data Subject’s request using information available to You through the Services, Red Arc shall make commercially reasonable efforts to assist You with responding to the exercise of Data Subject Rights, insofar as this is possible.
Personal Data Breach
Red Arc shall notify Controller without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Red Arc shall co-operate with Controller and take reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
Red Arc shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion or return of Company Personal Data
Upon termination of the Principal Agreement or termination of the Services, Your Personal Data shall be handled in accordance with the Principal Agreement.
Subject to this section, Red Arc shall make available to Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller in relation to the Processing of the Company Personal Data by the Contracted Processors.
Information and audit rights of Controller only arise to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Red Arc may transfer Personal Data to countries outside the EU and/or the European Economic Area (EEA) as necessary to provide the Services and/or otherwise fulfil its obligations. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.