Data Processing Addendum

INTRODUCTION

  1. This DPA sets out additional terms, requirements and conditions which apply where Armalytix processes Personal Data on behalf of the Customer when providing the Services. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (‘UK GDPR’) for contracts between Data Controllers and Data Processors.
  2. This DPA is incorporated into the Customer Terms of Service (the Terms).  In the event of conflict between the two, the provisions of the DPA shall prevail.
  3. Defined terms in this DPA unless indicated otherwise shall have the same meaning as in Data Protection Legislation or as within the Terms as the context suggests.
  4. Data Protection Legislation shall mean “all applicable data protection and privacy legislation in force from time to time including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications)”.
  5. Armalytix and the Customer will comply with the requirements of Data Protection Legislation.
  6. Armalytix and the Customer acknowledge that for the purposes of the Data Protection Legislation, to the extent that Armalytix is processing Personal Data on behalf of the Customer through its performance of the Services (the ‘Personal Data’) the Customer is the Data Controller and Armalytix is the Data Processor. The Customer retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents to or from data subjects, and for the written processing instructions it gives to Armalytix under this Clause 6, which are outlined below in ‘Details of Data Processing’.

Details of Data Processing:

    • Scope: Processing of the Personal Data in the provision of the Services to the Customer.
    • Nature and purpose of processing: Armalytix shall be processing the Personal Data received from the Customer for the purpose of providing the Services to the Customer.
    • Duration of processing: the duration of the Terms.
    • Types of personal data: information uploaded to Armalytix by the Customer including, but not limited to, bank and payment account details (e.g. sort codes, account numbers and other unique identifiers), transaction and asset descriptions, history, balance information, details of regular payments (such as Direct Debits and standing orders), addresses, details of payment cards and other payment Instruments.
    • Categories of data subject: Customer’s end clients and other individuals referenced in transactional history.
  1. Armalytix shall, in relation to the Personal Data:

(a) process the Personal Data only on written instructions of the Customer. The scope, nature, purpose and duration of the processing and the Personal Data categories and Data Subject types are described above in the ‘Details of Data Processing’;

(b) keep the Personal Data confidential;

(c) comply with the Customer’s reasonable instructions with respect to processing the Personal Data;

(d) not transfer the Personal Data outside of the UK unless it ensures that:

(i) the transfer is to a country approved as providing an adequate level of protection for the Personal Data; or

(ii) there are appropriate safeguards in place for the transfer of the Personal Data; or

(iii) binding corporate rules are in place; or

(iv) one of the derogations for specific situations applies to the transfer.

(e) assist the Customer in responding to any data subject access request and to ensure compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;

(f) notify the Customer without undue delay on becoming aware of a Personal Data Breach or communication which relates to the Customer’s or Armalytix’s compliance with the Data Protection Legislation;

(g) at the written request of the Customer, delete or return the Personal Data (and any copies of the same) to the Customer on termination of the Terms unless required by the Data Protection Legislation to store the Personal Data; and

(h) maintain complete and accurate records and information to demonstrate compliance with this Schedule and allow for audits by the Customer or the Customer’s designated auditor on provision of reasonable notice.

  1. Armalytix shall ensure that it has in place appropriate technical or organisational measures, to protect against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
  2. The Customer acknowledges and consents generally to the appointment by Armalytix of third parties as sub-processors of the Personal Data being processed under this Agreement.
  3. Armalytix confirms that a) it shall impose on all sub-processors the same data protection obligations as set out in this DPA and shall remain liable for the actions of its sub-processors.
  4. Armalytix shall give the Customer notice of the appointment of any new sub-processors by updating the list of sub-processors held at https://armalytix.com/sub-processors/ at least 1 week prior to the appointment of said sub-processor. The Customer shall regularly check this list for any changes and shall thereby be given the opportunity to object to such appointment. If the Customer objects to such changes by notifying Armalytix in writing, the Customer will be entitled to terminate only that portion of the Services that is reliant on the appointment of such sub-processor (i.e. only where Armalytix is acting as Data Processor) without liability for either party, and such termination will be deemed to be a no-fault termination. This termination right only applies where the Customer has reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause the Customer to be in breach of the Data Protection Legislation.
  5. Subject to the limits of liability within the Terms, both parties agree to indemnify, keep indemnified and defend at their own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.

 

 

Data Processing Addendum Last Updated 21 October 2024.