This Data Processing Addendum (the “Addendum”) is made by and between Tactful Ltd, a company having its principal place of business at Stirling House Business Centre, Cambridge Innovation Park, Waterbeach, Cambridge CB25 9QE, United Kingdom (“Company”) and the counterparty agreeing to these terms (“Client” or “Customer”).
1. INTRODUCTION
1.0. The purpose of this Data Processing Agreement (the “DPA”) is to describe the specific terms and conditions applicable to the processing of End Customer Personal Data by:
1.0.1. Company where products and services are purchased directly from the website/self-service.
1.0.2. Company, where products and services are purchased directly from the enterprise sales team; or
1.0.3. Company, where products and services are purchased from managed service directly from TacfulAI; or
1.0.4. the relevant re-selling partner of Company’s products and services (the “Partner”),
as applicable for the purposes of this DPA, the “Processor”.
2. CLASSIFICATION
2.0. For the purpose of this DPA:
2.0.1. the Customer will be the Controller of the Customer Personal Data;
2.0.2. where Company is the “Supplier” for the purposes of an Order Form, Company will be the Processor of Customer Personal Data; and
2.0.3. where the Partner is the “Supplier” for the purposes of an Order Form, the relevant Partner will be the Processor of Customer Personal Data and Company acts as the Partner’s sub-Processor.
3. DEFINITIONS
3.0. In this DPA:
Data Processor Activities | means the processing activities described in Appendix 1. |
Data Protection Legislation | means, as applicable, the Data Protection Act 2018, the UK retained version of General Data Protection Regulation (2016/679) (GDPR), and the Privacy and Electronic Communications (EC Directive) Regulations 2000 and any applicable replacement legislation governing the use and security of personal data. |
New Sub-processor | means a new Sub-processor to the Sub-processor List. |
Sub-processor | means a subcontractor engaged by the Processor to process the Customer Personal Data on the Processor’s behalf and Sub-processors shall be construed accordingly. |
Controller (Customer) | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. |
Processor | means a natural or legal person, public authority, agency or other body which processed personal data on behalf of the controller (customer). |
Data Breach | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
Processing | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Sub-processor List | means the list of Sub-processors set out and/or identified in Appendix 2. |
Customer Personal Data | means all personal data controlled by the Customer and which is processed by the Processor in order to provide the Services and personal data, controlled, and processed shall each have their respective meanings given in the GDPR. |
4. APPLICABILITY AND DURATION
4.0. This DPA is established by the parties’ signature on (date = date of main contract), in respect of the processing operations to be performed by Processor, on behalf of the Customer, under this DPA.
4.1. This DPA shall terminate at such time as Personal Data are no longer processed under this DPA.
4.2. This DPA cannot be terminated prematurely.
5. CUSTOMER PERSONAL DATA
5.0. The parties acknowledge and agree that the Customer is the data controller in respect of the Customer Personal Data requiring the contractual relations with regard to the Enterprise Sales Team and the Website/Self-service and, subject to paragraph 5.2, the Processor shall process such Customer Personal Data as an independent data controller (subject to the restrictions set out in this Agreement).
5.1. The Processor shall process the Customer Personal Data on the Customer’s behalf as the Customer’s data processor when performing the Data Processor Activities.
5.2. The Customer shall:
5.2.1. comply with the Data Protection Legislation; and
5.2.2. ensure that all instructions it gives to the Processor in respect of the Customer Personal Data are and shall be lawful and in compliance with the Data Protection Legislation; and
Data Processor Activities
5.3. The Processor shall, when processing Customer Personal Data as part of the Data Processor Activities:
5.3.1. only process Customer Personal Data in accordance with the Customer’s documented instructions unless required to do otherwise by applicable laws. In which event, the Processor shall inform the Customer of the legal requirement before processing the Customer Personal Data otherwise than in accordance with the Customer’s written instructions, unless legally prohibited from doing so. The Customer instructs the Processor to process the Customer Personal Data to the extent and in such manner as is reasonably necessary for the performance of the Processor’s obligations under this Agreement or as required by Data Protection Legislation;
5.3.2. ensure that its representatives are subject to appropriate obligations of confidentiality;
5.3.3. taking into account the nature of the services, provide reasonable assistance to the Customer, insofar as this is possible and at the Customer’s cost, for the fulfillment of the Customer’s obligations under the Data Protection Legislation in respect of data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; and the fulfillment of data subject’s rights; and
5.3.4. at the Customer’s written request, return or delete the Customer Personal Data and delete any existing copies of such Customer Personal Data in its possession unless required to retain such Customer Personal Data under applicable laws.
6. DATA BREACH
6.0. Each party will notify the other without undue delay or in any case within 48 hours of becoming aware of a confirmed data breach affecting the data covered by this DPA. The Processor must also provide all relevant information (or at least the information as stipulated in article 33.3 GDPR) regarding the Customer Personal Data Breach to the Controller.
6.1. The Controller has the responsibility, if necessary, to report data breaches to the Customer Personal Data Authority and (possibly) data subject(s). The Processor will provide the Controller with assistance in reporting the Data Breach related to the Customer Personal Data and handling it. The Processor is entitled to charge the Controller reasonable costs for this cooperation.
6.2. The Controller has the responsibility to keep the register of data breaches up to date.
6.3. If, despite the fact that Processor has implemented measures as agreed with the Controller, a Data Breach occurs, the Controller cannot hold Processor liable for any damage suffered by the Controller as a result.
7. SUB-PROCESSORS
7.0. In the event of a transfer of Personal Data by the Processor to a Sub-processor in accordance with the provisions of the present Agreement, with the exception of a transfer in the context of a legal obligation, the Processor will ensure that:
a) the Sub-processor signs a Sub-processor’s agreement with obligations that are equivalent to or stricter than those that apply for the Processor on the grounds of this Processor Agreement and the Privacy laws and regulations. The Processor will ensure the Sub-processor’s compliance in this respect.
b) if the data is processed outside of the EEA: that an EU Standard Contract is signed by the Sub-processor.
7.1. In the event of planned changes in the Sub-processor engaged by the Processor, the Processor will notify the Controller in advance of the intended changes. The Controller has the right to object within thirty (30) business days after being notified to any Sub-processor engaged by the Processor. If it happens that the Processor is unable to execute the Principal Agreement by calling upon the services of the Sub-processor in question, the Processor is entitled to terminate the Principal Agreement, or any part of it, with immediate effect, without any liability in this regard.
8. TRANSFER TO THIRD COUNTRIES
8.0. The Processor may process the Customer Personal Data in countries within the EEA. The Processor may also process the Customer Personal Data outside the EEA, as long as the Processor shall implement a data transfer solution to ensure any such transfers are compliant with the Data Protection Legislation and shall provide the Customer with all reasonably requested information concerning the data transfer solution promptly following the Customer’s written request.
9. TECHNICAL AND ORGANISATIONAL MEASURES
9.0. In accordance with the Privacy laws and regulations, the Processor will take demonstrable, appropriate and effective technical and organisational security measures, which, given the current state of technology and the associated costs, correspond to the nature of the Personal Data to be processed (specified in Appendix 3). The purpose of these measures is to protect the Personal Data against loss, unauthorized disclosure or any form of unlawful Processing, and to guarantee the availability of the Personal Data.
9.1. Upon written request, the Processor shall make available to the Controller such information as is reasonably necessary to demonstrate the Processor’s compliance with its obligations under this DPA.
9.2. The Controller shall, in respect of the Data Processor Activities, have the right to audit and inspect the Processor’s premises (excluding the premises of third parties) to ascertain compliance with this DPA, provided such an audit is carried out:
9.2.1. during the Processor’s normal business hours and upon not less than seven (7) business days’ notice;
9.2.2. not more than once in each successive period of twelve (12) months;
9.2.3. in a manner that causes minimal disruption to the Processor’s business and excludes from its scope any internal pricing information, information relating to other customers of the Processor or other the Processor’s own internal reports; and
9.2.4. at the Controller’s own cost.
9.3. If, as a result of the Audit, adjustments must be made to the security policy or measures, it is exclusively the Processor who will decide on making the relevant adjustments or implementing them. The Controller will provide the Processor with a copy of the report of the Audit.
9.4. In addition to the Controller, the Data Protection Authority may oversee the compliance with the security measures. The Processor will allow the Data Protection Authority to audit the Processing (or have it audited).
10. CONFIDENTIALITY AND SECRECY
10.0. Processor, as well as all its employees and any sub-processors who have access to the Customer Personal Data, shall keep the Customer Personal Data of which they have knowledge confidential, unless a legal requirement obliges them to disclose it.
10.1. The provisions of article 10, paragraph 1, shall not apply insofar as the Controller has given explicit consent to provide the Customer Personal Data to third parties, if the provision of the information to third parties is logically necessary, given the nature of the assignment provided and the performance of this DPA, or if there is a legal obligation to provide the Customer Personal Data to third parties.
10.2. Processor has contractually stipulated with its employees, or third parties engaged by it, in the employment contract, that the same confidentiality, where applicable, must be observed in relation to the Execution of the DPA as mentioned under Article 10 paragraph 1. Processor shall take all measures necessary to ensure compliance with this duty of confidentiality. Processor may require Certificate of Conduct to be applied for. The Processor shall inform the Controller by return of any request to inspect, provide or otherwise communicate the Customer Personal Data in violation of the obligation of confidentiality mentioned in this article unless legally prohibited from doing so.
11. PROVISION AND DELETION
11.0. The Controller will determine whether and, as applicable, how long the data will be retained.
11.1. The Processor will not retain the Personal Data for longer than is strictly necessary, and this includes the statutory retention periods and the retention periods agreed between the Parties as described in Appendix 1.
11.2. The Processor shall ensure that Customer Personal Data and any copies are handed over via secure connection to the Controller, within a reasonable timeframe after the termination of the agreed activities or earlier as possible, or (after expiry of the applicable statutory retention period) are destroyed, unless storage of Customer Personal Data is required under applicable laws and regulations. At the first request of the Customer, Processor shall demonstrate compliance with this article.
11.3. The costs of collecting and transferring Customer Personal Data upon termination of this DPA shall be borne by the Customer.
12. LIABILITY AND INSURANCE
12.0. Parties shall ensure that the Processing of Personal Data on the basis of this DPA is not unlawful and does not infringe the rights of Data Subject(s). Parties are each responsible and liable for their own actions.
12.1. The Processor shall only be liable for direct damages suffered by the Customer as a result of a breach and/or wrongful act attributable to the Processor. If the liability is limited according to the Principal Agreement, then this limitation will also apply to this Processor Agreement. In the event that the Principal Agreement does not place any limitation on the liability of the Processor, all liability of the Processor in the execution of the Processor Agreement is in any case limited to direct damage for a maximum cumulative amount of €500,000. Liability for indirect damage and/or consequential damage, including damage to reputation, loss or turnover, loss of customers, is explicitly excluded. Compensation for any fine imposed on the Controller by the supervisory authorities in relation to the Customer Personal Data and the execution of this Agreement cannot be claimed from the Processor, unless it is a case of deliberate acts or gross negligence on the part of the Processor.
12.2. Without prejudice to the above stipulations, the liability between the Parties is regulated in accordance with article 82 of the GDPR.
13. AMENDMENT OF THE AGREEMENT
13.0. The Processor may update the terms of this Addendum from time to time, provided, however, that the Processor will provide at least thirty (30) days prior notice to the Client, and Client will have an opportunity to object to such changes on reasonable grounds within thirty (30) business days after being notified.
13.1. In the event any provision of the DPA is nullified or annulled or it appears that an amendment to (a provision of) the DPA due to changed circumstances is necessary for compliance with applicable privacy laws and regulations, the other provisions will remain in full force and effect. The parties shall determine a new provision to replace the void/annulled provision or amend the DPA to bring it into line with the applicable laws and regulations in the area of privacy, taking into account as much as possible the purport of the void/annulled provision.
13.2. If an amendment results in significant changes to the underlying assignment, or if the Processor cannot provide an appropriate level of protection, this may be grounds for the Processor to terminate this DPA.
14. OTHER PROVISIONS
14.0. The DPA is governed by UK law.
14.1. Disputes between Customer and Processor shall be submitted exclusively to the competent court in the UK.
14.2. In the event of a conflict between (one or more provisions of) the DPA and (one or more provisions of) other agreements between the Customer and the Processor, the DPA shall prevail.
Appendix 1
Description of Processing Activities
1. Categories of data subjects whose personal data is transferred
Business end users and private end users.
2. Categories of personal data transferred
Company provides the following services, which process the following data:
- Bot Services (Greeting): name.
- Bot services (Ordering): name, address, e-mail, phone number, registering order.
- Bot services (FAQ answering): no personal data involved.
- Bot services (Browse and search): no personal data involved.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
There is no sensitive data involved in the processing of personal data.
4. The frequency of the transfer
The frequency of the transfer is continuous (for as long as the Customer uses the Services);
5. Nature of the processing
The Processor processes the personal data for the (i) support and maintenance with respect to Customer Personal Data hosted on the Product; (ii) hosting management with respect to Customer Personal Data on the Product; and (iii) such other purposes where the Processor processes Customer Personal Data on behalf of the Customer as its data processor.
6. Purpose(s) of the data transfer and further processing
The purpose of the processing of the Personal Data is delivery of a service.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Personal Data will be retained until the business deletes their own account.
Appendix 2
Sub-Processor List
The list of sub-processors is located at https://tactful.ai/sub-processors.
Appendix 3
Technical & Organisational Measures
Company is committed to maintaining the privacy, confidentiality and security of Customer Personal Data. The Company uses industry best practices, technology and security measures designed to protect the confidentiality of personal data that is transferred to it and to secure its networks, data centers and servers. The security measures adopted by the Company include, without limitation:
- The maintenance of physical, electronic and procedural measures designed to safeguard the confidentiality of personal data in compliance with applicable data protection, privacy and data security laws and regulations. These include, without limitation:
- Restricting access by the Company’s personnel and subcontractors on a role-based, need to know basis.
- Performing background checks on Company’s personnel.
- The implementation and enforcement of corporate policies and standards relating to the protection of information and security (failure to adhere to these policies and the standards will result in disciplinary action, which can include dismissal).
- Adopting a multi-layered approach to information security controls, which is designed to protect against security breaches.
- Compliance with applicable laws, regulations and security standards applicable to information security.
- The employment of highly trained staff who have relevant and up to date knowledge of data protection and data security risk management practices.
- Regular reviews and controls against compliance with the above-mentioned technical and organizational security measures.
- 1. Access Control
Data processing systems shall be prevented from being used without authorization. All systems are protected by the use of personally identifiable access keys that expire on employee change of role or departure from the organization. - 2. Change Control
Persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. - 3. Order Control
Personal data processed on behalf of Customer is processed pursuant to the Customer’s instructions as set out in the Addendum. Company encrypts all personal data that it possesses both at rest and in transit, including electronic messages and attachments. - 4. Availability Control
Company adopts measures designed to protect against accidental destruction or loss. - 5. Company Personnel
Company requires Company Personnel who access Customer Personal Data to commit to protect the confidentiality of the information and undergo security training on at least an annual basis. - 6. Testing
Company conducts regular internal automated and manual security testing and vulnerability assessments. - 7. Adequate alternative measures
The technical and organizational security measures are subject to technical progress and development, and Company may implement adequate alternative measures. Any material changes to technical and organizational measures will be documented. Company must provide Customer with reasonable information in order to support Customer’s reporting upon written request by the Customer. Company will provide to Customer any security assessments/certifications previously performed.
Last Updated: 5 January 2024