Data Processing Agreement

Between

 

The Customer

(the “Controller”)

 

and

 

Pracedo Ltd

(the “Processor”)

1. The scope and purpose of the Data Processing Agreement

 

1.1 This Data Processing Agreement (the ‘Agreement’) governs the processing of Data pursuant to the Services Agreement between the Controller and the Processor. This Agreement complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (together the ‘Data Protection Legislation’) to safeguard the protection of privacy and fundamental human rights and freedoms in connection with the Processor being granted access to process the Data. In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Services Agreement, the provisions of this Data Processing Agreement shall prevail.

 

1.2 The tasks performed and supported by the Processor include the processing and storage of Data. The Processor is responsible for the appropriate safeguards to protect the storage, database, networking, computing and infrastructure of the Processor necessary for the security of the Data. The Processor shall not be responsible for the storage, database, networking, computing or infrastructure of salesforce.org or other Controller tools or systems to which the Processor is provided with access (“Controller Tools”) and which are necessary for the security of the Data. The provisions of section 6.3 of the Services Agreement shall in addition limit the Processor’s liability under this Agreement.

 

1.3 Unless required due to a breach of this Agreement by the Processor or to comply with the Processor’s legal obligations, the provision of information, assistance, access, facilitation or cooperation under this Agreement by the Processor shall be at the sole cost of the Controller at the rates set out in the Services Agreement or any applicable Statement of Work (as defined in the Services Agreement).

 

2. Data covered by the Data Processing Agreement 

 

2.1 This Agreement covers all personal data (‘Data’) necessary to perform the processing pursuant to the Service Agreement under the Data Protection Legislation. The Data might also include data which is not personal data as defined by the Data Protection Legislation.

 

3. Controller’s obligations

 

3.1 The Controller shall comply with its obligations under this Agreement and the Data Protection Legislation and it is solely responsible for the completeness and accuracy of the Data.

 

3.2 The Controller warrants to the Processor that it has all consents or other legal justifications necessary for the Processor to process the Data in accordance with the Service Agreement and the Controller agrees to indemnify and keep indemnified and defend at its own expense the Processor against all costs, claims, damages, fines or expenses incurred by the Processor as a result of a breach of this warranty.

 

4. General security and safeguards on the processing of Data

 

4.1 The extent of the tasks to be delivered and supported by the Processor may involve processing of Data, including viewing, searching and using it.

 

4.2 The Processor shall act exclusively on documented instructions from the Controller. The Processor shall ensure that the Data is not used for other purposes or processed in any other way than as stated in the Controller’s instructions, including transfer outside the UK or EEA or to an international organisation, unless the Processor is required to do so by law. The Processor shall notify the Controller of any such legal obligation before commencing the processing.

 

4.3 The Processor shall process the Data in accordance with the law and regulations applicable to Processor in force at the time governing the processing of personal data. If the Processor deems an instruction to be in breach of such legislation or regulation, the Processor shall promptly inform the Controller accordingly. This shall not apply if the law prohibits such notification for reasons of substantial public interest.

 

4.4 To the extent that such processing takes place outside the Controller Tools, the Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller. The record shall include the following:

 

(a) The name and contact information of the specific Processor, any Sub-processor, the Controller, the data protection officer and, where relevant, the Processor’s representative;

 

(b) The categories of processing carried out by the Processor or any sub-processor on behalf of the Controller; and,

 

(c) General description of the technical and organisational security measures undertaken by the Processor to safeguard the Data.

 

4.5 The record shall be in writing, which may include electronic format. At the request of the Controller, the Processor shall at any time make the record available to the Controller.

 

4.6 Where the processing of Data, in whole or in part, takes place in home offices the Processor shall set guidelines for personnel processing Data in home offices to ensure the security of the Data. 

 

4.7 The Processor shall comply with the law applicable to data processors, and the Controller shall comply with the law applicable to data controllers in force at the time.

 

4.8 The Processor shall participate in any discussions with the Controller and/or the Information Commissioner’s Office (‘ICO’) and implement any reasonable recommendations and improvements either may make regarding the Data processing.

 

4.9 The Processor shall promptly notify the Controller:

 

(a) If the ICO contacts the Processor;

 

(b) Of any request by a public authority for the Processor to transfer Data covered by the Service Agreement, unless notifying the Controller is explicitly prohibited by law; or,

 

(c) Of any request for access received directly from the data subject or from a third party, unless such a procedure has been approved.

 

4.10 The Parties undertake to obtain and maintain for the duration of the Service Agreement the registrations and approvals which each is obliged to obtain and maintain in accordance with the law in force at the time.

 

5. Technical and organisational measures 

 

5.1 The Processor shall implement appropriate technical and organisational measures including storage, computing, networking access, transfer, input, order, availability, control and destruction to safeguard the Data. Protective measures include using appropriate software, computers and encryption methods adequate to the information security risks and adequate access controls, password procedures, automatic blocking, case specific authorisation concepts and logging and documentation of processes to ensure data security. The measures taken shall be adequate for the protection of the specific Data, and protect against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in breach of the law in force at the time, including but not limited to the Data Protection Legislation. This shall also apply if the processing of Data takes place, in whole or in part, in home offices.

 

5.2 The Processor shall only process Data within the Controller Tools and not within the Processor’s own computing or network environment. The Controller shall not provide the Processor with access to Data outside the Controller Tools. The Processor shall keep its logon credentials to the Controller Tools secure and shall not share them with any third party. All processing of Data within the Controller Tools shall be subject to the Controller’s technical and organisational measures to safeguard Data (“Controller TOMS”). The Controller shall make the Controller TOMS known to the Processor prior to commencement of processing of Data by the Processor.

 

6. Monitoring of information security and data protection 

 

6.1 To the extent that such processing takes place outside the Controller Tools, at the Controller’s request, the Processor shall give the Controller sufficient information for the Controller’s monitoring and documentation of the Processor’s implementation of the necessary technical and organisational security measures. 

 

6.2 The determination of the necessary technical and organisational security measures shall be with due observance of: 

 

(a) The requirements on information security of this Agreement and specifically clause 5.2.

 

(b) The Controller’s reasonable instructions based on the data protection impact assessment in force pursuant to the Data Protection Legislation and this Agreement.

 

6.3 The Processor is obliged, on being given reasonable notice and proof of identity, to give the Controller and bodies with appropriate legal authority, or the representatives acting on behalf of either, access to the Controller’s and the Processor’s facilities.

 

7. Information security breach and Data breach 

 

7.1 The Processor shall inform the Controller in writing without undue delay of any infringements of this Agreement or of any contractual, legal or regulatory obligations. This shall also apply if there are substantial disruptions to the normal course of operations or grounds to suspect data privacy infringements. The Processor shall provide the Controller with all information to demonstrate the Processor’s compliance with the Data Protection Legislation.

 

7.2 If the Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the Controller and provide the Controller with all such reasonable and timely assistance in order to conduct a data protection impact assessment.

 

7.3 The Processor shall, without undue delay and no later than 24 hours after becoming aware of an information security breach or Data breach, notify the Controller of the background to and the extent of the breach, the initiatives the Processor has taken to mitigate the effects of the breach, and the initiatives it will take to safeguard against future security breaches. The Processor may, within reason, provide this information at a later stage if obtaining it would unnecessarily delay the timely initial notification to the Controller.

 

8. Correction, deletion and blocking/specific obligations to assist the Controller

 

8.1 Upon instruction by the Controller and pursuant to any contractual, legal or regulatory obligations, the Processor shall facilitate the correction, deletion and restriction on processing of Data processed by the Processor on behalf of the Controller until the relevant Data are ultimately deleted. The Processor shall support the Controller in safeguarding the rights of the data subjects concerning correction, deletion or restriction on processing of the Data by upholding valid requests, making available to the Controller any information the Controller has requested and implementing the Controller’s instructions in a timely manner which will enable the Controller to meet any applicable regulatory deadlines for responding to and actioning such requests. When a Data Subject contacts the Processor directly, the Processor shall promptly notify the Controller.

 

8.2 The Processor shall promptly assist the Controller with handling any inquiry from a Data Subject, including requests to access, correct, delete or restrict the processing of Data if the Processor processes the relevant Data.

 

8.3 The Processor shall at the Controller’s request assist the Controller in observing any obligations that may be incumbent on the Controller pursuant to the Data Protection Legislation. 

 

9. Agreement with another Data Processor

 

9.1 If the Processor engages another Data Processor (‘Sub-processor’) to fulfil any part of this Agreement, the Processor shall enter into a written sub-processing agreement with the Sub-processor. In such a sub-processing agreement, the Processor shall ensure that the Sub-processor as a minimum accepts the same data protection obligations as those set out in this Agreement in respect of processing the Controller’s Data.

 

9.2 If the Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable towards the Controller for the fulfilment of the Sub-processor’s obligations. The fact that the Controller has consented to the Processor entering into a sub-processing agreement with a Sub-processor shall not affect the Processor’s obligation to comply with this Agreement.

 

9.3 The Processor shall bear all the costs of entering into a sub-processing agreement, including costs incurred in drawing up the agreement.

 

10. Transfer of Data

 

10.1 The Processor shall not transfer or authorise the transfer of Data to countries outside the UK or the European Economic Area (EEA) unless safeguards complying with the Data Protection Legislation are in place.

 

11. Further Obligations of the Processor

 

11.1 For the performance of the obligations pursuant to this Agreement, the Processor shall inform Processor personnel who process Data under this Agreement of all relevant data privacy obligations and instruct them to comply with data security measures pursuant to this Agreement and other contractual, legal or regulatory obligations. The personnel shall be trained in order to be able to comply with these obligations. The Processor shall have in place suitable controls to ensure an adequate level of training.

 

12. The Controller’s rights of control

 

12.1 To the extent that such processing takes place outside the Controller Tools, the Controller may monitor the technical and organisational measures taken by the Processor at any time. Upon request made upon reasonable notice, the Processor shall provide the Controller with the necessary information and permit and facilitate the monitoring review. Upon notifying the Processor in advance, the Controller may appoint a third-party to review and recommend or implement technical or organisational controls. In advance of the monitoring review, the Controller shall notify the third-party in writing of the confidentiality requirements set out in this Agreement which shall be binding upon the third-party. The Processor shall also support the Controller in cases of inquiries and monitoring reviews conducted by the responsible supervisory authority. Any changes to the Processor’s technical or organisational controls which are required to comply with the law applicable to the Processor shall be implemented at the Processor’s expense.

 

12.2 To the extent that such processing takes place outside the Controller Tools, prior to processing Data under this Agreement, the Processor shall have provided the Controller with documentation of the technical and organisational measures taken in compliance with this Agreement. Officially recognised information security certifications (such as ISO 27001) may serve as documentation.

 

12.3 The Controller may request annually evidence of officially recognised information security certifications held by the Processor.

 

12.4 The Controller’s rights to carry out monitoring reviews shall remain unaffected by the Processor’s provision of documentation and certification pursuant to clauses 12.2 and 12.3 of this Agreement.

 

13. Return and deletion of the Data

 

13.1 To the extent that such processing takes place outside the Controller Tools, upon instruction by the Controller and pursuant to any contractual, legal or regulatory obligations, the Processor shall facilitate the correction, deletion and restriction on processing of Data processed by the Processor on behalf of the Controller until these Data are ultimately deleted.

 

13.2 Upon termination of the Service Agreement and this Agreement, the Processor shall, at the Controller’s request, transfer to the Controller or securely dispose of all of the Controller’s Data, including Data in emails, from communication servers, clients’ or production computers, intermediate files created in the course of the data processing, and manual files. After receiving the Controller’s confirmation of the receipt of the Data, subject to any lawful requirement for retaining data, the Processor shall delete the Data permanently from all electronic files and media and destroy all the Data held in non-electronic files in the possession of the Processor and ensure such deletion and destruction of the Data in the possession of any personnel undertaking the processing on behalf of the Processor. The Processor shall provide the Controller with written confirmation that all the Data has been deleted or destroyed. Upon written instructions from the Controller, the Processor shall carry out the deletion or destruction of Data without prior transfer of the Data.

 

13.3 Data shall be considered deleted when put beyond further use by any person at any time by the application of appropriate technical measures.

 

14. Duty of confidentiality 

 

14.1 The Processor and the Processor’s personnel and Sub-processors are subject to a duty of confidentiality in relation to processing the Data except as required to comply with any legal obligations and are only entitled to process the Data pursuant to this Agreement.

 

14.2 The Processor warrants that the Processor’s personnel and the personnel of any Sub-processor who are authorised to process Data under this Agreement will be subject to the duty of confidentiality of Data which may come to their knowledge in connection with the performance of this Agreement.

 

15. Duration

 

15.1 This Agreement shall commence upon signature by the parties to the Agreement and shall remain in force for as long as the Processor processes the Data on behalf of the Controller, or until the date of expiry or termination of the Service Agreement.

 

15.2 Upon expiry or termination of this Agreement, regardless of the reasons for the expiry or termination, the Processor shall provide the necessary services to the Controller to fulfil the Agreement.