This Data Processing Agreement (“DPA”) forms part of the Specifier Terms and Conditions (“Specifier Terms”) entered into by and between Subscriber and Hubexo, pursuant to which Subscriber has purchased a subscription to Hubexo’s Services (as described in the Contract).
The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of applicable Data Protection Legislation.
This DPA consists of two parts: (1) the main body of the DPA, and (2) Annex A – Personal Data Processing Purposes and Details.
By signing an Order Form you agree to be bound by this DPA. If you do not agree to this DPA then you must not sign the Order Form.
In the course of providing the Services to Subscriber pursuant to the Contract, Hubexo may Process Personal Data on behalf of Subscriber and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
This DPA shall not replace any comparable or additional rights relating to Processing of Personal Data contained in the Specifier Terms.
1. DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this DPA.
1.1 Definitions:
Authorised Persons: the persons or categories of persons that the Subscriber authorises to give Hubexo written Personal Data processing instructions and from whom Hubexo agrees to accept such instructions.
Business Purposes: the services to be provided by Hubexo to the Subscriber as described in the Contract and any other purpose specifically identified in Error! Bookmark not defined.Error! Reference source not found..
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Data Protection Legislation:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Subscriber or Hubexo is subject, which relates to the protection of Personal Data.
Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Standard Contractual Clauses (SCC): the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), or such alternative clauses as may be approved by the European Commission or by the UK from time to time.
Term: this DPA's term, as defined in Clause 10.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.2 This DPA is subject to the terms of, and is incorporated into, the Specifier Terms. Interpretations and defined terms set forth in the Specifier Terms apply to the interpretation of this DPA.
1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.4 A reference to writing or written includes email.
1.5 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this DPA, and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and
(b) any of the provisions of this DPA and the provisions of the Contract, the provisions of this DPA will prevail.
2. PERSONAL DATA TYPES AND PROCESSING PURPOSES
2.1 The Subscriber and Hubexo agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Subscriber is the controller and Hubexo is the processor.
(b) the Subscriber retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Hubexo.
(c) Error! Bookmark not defined.Error! Reference source not found. describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Hubexo may process the Personal Data to fulfil the Business Purposes.
3. PROCESSING OF SUBSCRIBER PERSONAL DATA
3.1 Hubexo will comply with all applicable Data Protection Legislation in the Processing of Subscriber Personal Data; and not Process Subscriber Personal Data other than on the Subscriber’s documented instructions, unless Processing is required by Applicable Laws to which Hubexo is subject, in which case Hubexo will, to the extent permitted by Applicable Laws, inform the Subscriber of that legal requirement before Processing.
3.2 The Subscriber instructs Hubexo (and authorises Hubexo to instruct each Subprocessor) to Process and transfer Subscriber Personal Data to any country or territory as reasonably necessary for the provision of the Services provided one of the following conditions is met:
3.2.1 Hubexo is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The territory that is subject to such adequacy regulations is set out in Annex A; or
3.2.2 Hubexo participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Hubexo (and, where appropriate, the Subscriber) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR. Such mechanism is identified in Annex A and Hubexo shall update Annex A should that status change.
3.3 Hubexo will not act on any specific instructions given by Subscriber from time to time unless they are documented and given by an Authorised Person.
3.4 Hubexo will Process the Subscriber Personal Data in accordance with the Agreement and disclose Subscriber Personal Data to:
(a) Subscriber's Users; and
(b) Subscriber's Authorised Persons.
3.5 Annex A to this DPA sets out certain information as required by article 28(3) of the UK GDPR. The parties may make reasonable amendments to Annex A by written agreement between them from time to time as necessary to meet those requirements.
4. SUBSCRIBER OBLIGATIONS
4.1 Subscriber warrants that:
(a) the Processing of Subscriber Personal Data has been carried out and will at all times be carried out by the Subscriber in compliance with Data Protection Legislation;
(b) Subscriber has made all necessary disclosures and obtained all necessary consents from Data Subjects to fulfil all of its obligations under this DPA, including the ability to disclose Subscriber Personal Data to Hubexo;
(c) it is and will remain duly and effectively authorised to give instructions to Hubexo under this DPA;
(d) all Subscriber Personal Data is necessary in relation to the purposes for which it is Processed, accurate and where necessary up-to-date; and
(e) any notification that it is required to be made to the Commissioner or other supervisory authority has been made, and is complete and correct.
5. CONFIDENTIALITY
5.1 Hubexo will maintain the confidentiality of the Subscriber Personal Data and will not disclose the Subscriber Personal Data to third parties unless the Subscriber or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner).
5.2 Hubexo will ensure that persons authorised to Process the Subscriber Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
6. SECURITY
6.1 Hubexo shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Subscriber Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Subscriber Personal Data including, but not limited to, the security measures set out in Error! Bookmark not defined.Error! Reference source not found..
7. SUBPROCESSING
7.1 The Subscriber authorises Hubexo to appoint Subprocessors in accordance with this Clause 7. Hubexo may continue to use those Subprocessors identified in Annex A as at the date of this DPA. Hubexo will inform Subscriber of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Subscriber the opportunity to object to such changes as set out in Annex A.
7.2 With respect to each Subprocessor, Hubexo shall ensure that the arrangement between Hubexo and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Subscriber Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the UK GDPR.
8. ASSISTANCE
8.1 Hubexo shall assist the Subscriber in ensuring compliance with the Subscriber's obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to Hubexo, including as set out in section 8.3.
8.2 Hubexo will promptly notify the Subscriber if it receives a request from a Data Subject under any Data Protection Legislation in respect of Subscriber Personal Data and will, taking into account the nature of the processing, assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber's obligation to respond to requests.
8.3 Hubexo shall promptly notify the Subscriber if it becomes aware of a Personal Data Breach affecting Subscriber Personal Data and will co-operate with the Subscriber and take such commercially reasonable steps as the Subscriber requests to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. DELETION OF SUBSCRIBER PERSONAL DATA
9.1 The Subscriber chooses, and Hubexo agrees, that on the termination of the provision of data processing services, Hubexo will delete Subscriber Personal Data from Hubexo's systems two years from the date of termination, except to the extent that Applicable Laws require it to retain copies of such data.
9.2 Subscriber acknowledges that it bears the sole responsibility for exporting any Subscriber Personal Data it wishes to retain prior to such deletion.
10. TERM AND TERMINATION
10.1 This DPA will remain in full force and effect so long as:
(a) the Order Form and Specifier Terms remain in effect; or
(b) Hubexo retains any of the Personal Data related to the Order Form and Specifier Terms in its possession or control (Term).
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Order Form and Specifier Terms in order to protect the Personal Data will remain in full force and effect.
11. INFORMATION & AUDIT RIGHTS
11.1 Hubexo will make available such information as is reasonably requested by the Subscriber to demonstrate compliance with the obligations laid down in Article 28 UK GDPR. The Subscriber will be entitled to conduct an audit for that same purpose, provided (a) the Subscriber gives Hubexo no less than fourteen (14) days’ prior written notice, (b) the audit is conducted remotely, and (c) such audits are conducted no more than once per calendar year, excluding any audit required by the Commissioner.
11.2 Hubexo shall immediately inform the Subscriber if, in its opinion, the Subscriber's instruction to Hubexo infringes Data Protection Legislation or other Applicable Laws relating to data protection.
11.3 No audit under section 11.1 will provide the Subscriber with any access to Hubexo’s code base, data centres, detailed network schematics or detailed records of security vulnerabilities unless such access is required by the Commissioner or by Applicable Law.
11.4 Subscriber shall bear the costs of any audit under section 11.1, unless such audit reveals that Hubexo is responsible for a Personal Data Breach or has otherwise materially failed to comply with its obligations under this DPA, the Specifier Terms, or the Data Protection Legislation, in which case Hubexo shall bear the cost.
12. GENERAL
12.1 Nothing in this DPA is intended to impose upon Hubexo any obligations materially more burdensome that those required by Article 28 of the UK GDPR as it relates to Processors.
12.2 In the event of conflict between the terms set out in this DPA and the Specifier Terms, the terms set out in this DPA shall prevail solely to the extent of such conflict.
12.3 No other terms or conditions of the Specifier Terms shall be amended as a result of this DPA.
12.4 The parties will cooperate in good faith to amend this DPA where required by any change in the Data Protection Legislation applicable to either party.
12.5 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by the law governing the Agreement, without regard to any conflicts of law principles that would require a different result. Each party irrevocably submits to the jurisdiction of the same courts, arbitrators, or other dispute resolution bodies as set out in the Specifier Terms, under the same terms set out in the Specifier Terms.
