Data Protection Addendum

This data protection addendum ("DPA") forms part of, and is incorporated by reference into, the end-user licence agreement, software-as-a-service subscription agreement, software licence agreement, order form, or other written or electronic agreement between You ("You" and "Your") and LITERAL LABS LTD, 3rd Floor Maybrook House, 27–35 Grainger Street, Newcastle upon Tyne NE1 5JE, United Kingdom ("Literal Labs", "We", "Us", or "Our") pursuant to which We make the Software and any related documentation available to You (the "Agreement"), and reflects the agreement between You and Us with regard to Our Processing of Personal Data. In the course of providing the Software and related services to You pursuant to the Agreement, We may Process Personal Data on Your behalf, and You and We agree to comply with the following provisions with respect to any such Personal Data.

  1. Additional definitions.
    Capitalised terms not defined in this DPA are defined in the remainder of the Agreement, and a reference in this DPA to a "paragraph" refers to a particular paragraph of this DPA. Unless expressly stated otherwise, for the purposes of this DPA:
    1. "Controller", "Personal Data", "Personal Data Breach", "Processing", and "Processor" are each defined in the Data Protection Legislation (and "Process" and "Processed" will be interpreted accordingly);
    2. "Data Protection Legislation" means all applicable data protection and privacy laws and regulations, including without limitation the GDPR and the Data Protection Act 2018;
    3. "Data Protection Losses" means any and all losses, liabilities, costs, claims, and/or damages including (without limitation and to the extent permitted by law): (i) administrative fines, penalties, sanctions, liabilities, or other remedies imposed by a Supervisory Authority; (ii) compensation which a Supervisory Authority orders be paid to a data subject; and (iii) the costs of compliance with investigations by any and all Supervisory Authorities;
    4. "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
    5. "GDPR" means, as applicable, the EU GDPR and/or the UK GDPR;
    6. "Protected Data" means the Personal Data that We or Our Subprocessors Process on Your behalf in the course of performing Our obligations under this Agreement;
    7. "Restricted Data" means any and all biometric data, data subject to financial-services, payment-card, credit-reporting, or securities-regulation legislation applicable in any relevant jurisdiction, and/or any special-category Personal Data (within the meaning of Article 9 of the GDPR);
    8. "Subprocessor" means any agent, subcontractor, or other third party (excluding its employees) engaged by Us to carry out any Processing activities on Your behalf in respect of the Protected Data pursuant to this Agreement;
    9. "Supervisory Authority" means the competent governmental, statutory, or regulatory body in the relevant territory having regulatory or supervisory authority, jurisdiction, or control over either party in respect of the Processing of the Protected Data; and
    10. "UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
  2. Compliance with Data Protection Legislation.
    1. You acknowledge and agree that You are a Controller and We are a Processor for the purposes of Processing the Protected Data pursuant to this Agreement. Each party will at all times comply with its respective obligations under the Data Protection Legislation in connection with the Protected Data. This paragraph 2.1 is in addition to, and does not relieve, remove, or replace, either party's obligations or rights under the Data Protection Legislation.
    2. For the purposes of this DPA, the details of the Processing of the Protected Data pursuant to this Agreement are as follows:
      1. the subject matter and purpose of the Processing is Our performance of Our obligations under this Agreement and the provision of the Software's services to Users;
      2. the nature of the Processing is the collection, storage, recording, disclosure by transmission, retrieval, consultation, erasure, and destruction of the Protected Data;
      3. the Processing will continue for the duration of the Agreement; and
      4. the categories of data subjects to which such Protected Data relates and the relevant types of Personal Data Processed are as stipulated in the relevant order form that forms part of the Agreement, or, where no order form has been entered into between You and Us, as otherwise agreed in writing between the parties or as reasonably determined by reference to the nature of the services provided under the Agreement.
    3. Without prejudice to the generality of paragraph 2.1, You warrant, represent, and undertake that:
      1. You will, throughout the duration of the Agreement, maintain (at Your own cost and expense) all relevant regulatory registrations and notifications as required from time to time under the Data Protection Legislation;
      2. all data or information provided by You to Us under or in connection with this Agreement or Services will comply in all respects with the Data Protection Legislation;
      3. You have all necessary appropriate consents and notices in place to enable the lawful transfer of the Protected Data to Us for the duration and purposes of this Agreement;
      4. You will not, without Our prior express and specific consent, enter, submit, upload, or transmit into or via the Software (or allow anyone else to do so) any Restricted Data, and You will on first demand fully indemnify Us from and against any losses, costs, damages, fines, penalties, expenses, and liabilities arising from Your breach of this prohibition; and
      5. all instructions that You give to Us in respect of the Protected Data (including the terms of this Agreement) will at all times fully comply with the Data Protection Legislation.
    4. You will not unreasonably withhold, delay, or make conditional Your agreement to any change or amendment requested by Us to ensure compliance with the Data Protection Legislation.
  3. Our Processing obligations.
    1. Without prejudice to the generality of paragraph 2.1, We will:
      1. only Process (and will ensure that Our staff will only Process) the Protected Data in accordance with this DPA and, subject to paragraph 3.1(ii), with Your reasonable prior written instructions to Us (and not otherwise unless alternative Processing instructions are agreed beforehand between the parties in writing), except where otherwise required by applicable laws;
      2. immediately inform You if We believe that any instruction received by Us from You infringes or may infringe the Data Protection Legislation, and We will be entitled to cease performing Our obligations under this Agreement until We and You have agreed appropriate amended instructions which are not infringing (but, where We do not cease performing such obligations, then, to the maximum extent permitted by law and subject to clause 10.1 of this Agreement, We will have no liability for any losses (including without limitation Data Protection Losses) suffered or incurred by You and which arise directly or indirectly from or in connection with any Processing in accordance with such instruction after We have informed You of the relevant infringement or potential infringement in accordance with this paragraph 3.1(ii));
      3. implement and maintain technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure, or access (and a list of such measures will be available to You upon request);
      4. ensure that all Our staff and subcontractors who have access to and/or Process the Protected Data are obliged to keep the Protected Data confidential (except where disclosure is required under law in which case We will, where practicable and not prohibited by law, notify You of any such requirement prior to such disclosure); and
      5. following the termination or expiry of the Agreement, destroy or delete the Protected Data in Our possession.
  4. Subprocessing.
    1. You hereby consent to Our appointment of the Subprocessors identified in Our list of Subprocessors that is effective at the date of this Agreement to Process the Protected Data during the term of the Agreement. Such list is available from Us upon Your request.
    2. If, during the term of the Agreement, We wish to appoint an additional or replacement Subprocessor, We will notify You in writing, providing You with details of the proposed new or replacement Subprocessor and the right for You (acting reasonably) to object to such appointment by giving written notice to Us. If You do not exercise such right to object within 14 days of Our written notification to You concerning such proposed new or replacement Subprocessor, such proposed Subprocessor will be deemed to have been authorised by You to Process the Protected Data for the purpose described in paragraph 2.2(i) (provided always that such Processing will be subject to and in accordance with the provisions of this DPA). If You object to the appointment of such proposed Subprocessor within the aforementioned 14-day period, We will not appoint such proposed Subprocessor in connection with this Agreement and may, without liability to You, terminate this Agreement by way of written notice to You, such notice having immediate effect.
    3. We will:
      1. prior to any Subprocessor carrying out any Processing activities in respect of the Protected Data, appoint each Subprocessor under a written contract containing obligations upon such Subprocessor concerning the processing of the Protected Data that are materially similar to those under this DPA;
      2. remain liable to You under this Agreement for all the acts and omissions of each Subprocessor as if they were Our own; and
      3. ensure that all persons authorised by Us or any Subprocessor to Process Protected Data are subject to an obligation to keep the Protected Data confidential.
  5. Assistance.
    1. We will, at Your own cost and expense and always taking into account the nature of Processing by and information available to Us, provide to You such reasonable assistance as You may reasonably require in:
      1. responding to any request from a data subject whose Protected Data is Processed by Us under this Agreement; and
      2. reasonably ensuring Your compliance with Your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with Supervisory Authorities.
    2. Notwithstanding anything to the contrary in this Agreement, We reserve the right to disclose Your identity to any relevant data subject following any request from such data subject.
  6. Personal Data Breaches. We will notify You without undue delay on becoming aware of any Personal Data Breach in respect of any Protected Data.
  7. International transfers.
    1. If We transfer any Protected Data to a Subprocessor outside of the United Kingdom, We will provide appropriate safeguards in relation to the transfer and comply with Our obligations under the Data Protection Legislation by:
      1. ensuring that the transfer is to a territory that is the subject of adequacy regulations under the Data Protection Legislation; or
      2. putting in place appropriate safeguards in accordance with Article 46 of the GDPR.
    2. To the extent that any Protected Data is transferred by Us to You (or at Your direction to a third party) in the performance of Our obligations under this Agreement, You shall ensure that any onward transfer of such Protected Data to a country or territory outside the United Kingdom that is not the subject of adequacy regulations under Article 45 of the GDPR is made subject to appropriate safeguards in accordance with Article 46 of the GDPR, and You shall be solely responsible for putting such safeguards in place.
    3. To the extent that any transfer of Protected Data pursuant to this paragraph 7 (International transfers) requires the execution of supplementary agreements or transfer mechanisms in order to comply with the Data Protection Legislation (including, without limitation, standard contractual clauses adopted pursuant to Article 46(2)(c) of the GDPR (the "SCCs"), the UK International Data Transfer Agreement (or related addendum to the SCCs), each as issued by the Information Commissioner from time to time, or any equivalent or successor mechanism approved under the Data Protection Legislation), the parties shall promptly negotiate and enter into such agreements or mechanisms in good faith.
  8. Records and audits.
    1. We will maintain complete and accurate records and information ("Records") to demonstrate Our compliance with Our obligations under this DPA.
    2. No more than once during any twelve-month (12-month) period, You may request that We provide You with the relevant information from Our Records and any audit of Our compliance with this DPA conducted by Us or Our authorised auditor. We will provide such information to You within a reasonable time of receiving a valid request in respect thereof pursuant to this paragraph 8.2. Except where We are required by a Supervisory Authority to allow inspections by You (or another professionally qualified auditor mandated by You (an "Auditor")) for the purposes of verifying that We are Processing the Protected Data in accordance with this DPA, the rights stipulated in this paragraph 8.2 constitute Your sole and exclusive contractual rights (and Our entire contractual obligations) in connection with the auditing or inspection of Our Processing of the Protected Data (save that nothing in this paragraph 8.2 is intended to undermine the rights and powers respectively granted under the Data Protection Legislation to data subjects and Supervisory Authorities).
    3. Where We are required by a Supervisory Authority to permit an inspection by You or an Auditor for the purposes of verifying that We are Processing the Protected Data in accordance with Our obligations under the Data Protection Legislation and this DPA, We will permit and contribute to such inspection subject to You:
      1. giving at least 2 months' written notice to Us of any request to conduct an audit or inspection under this paragraph 8 (Records and audits);
      2. ensuring that all information obtained or generated by You or an Auditor in connection with any such audit and inspection is kept strictly confidential (save for disclosure to the relevant Supervisory Authority or as otherwise required by law);
      3. ensuring that any such inspection will be undertaken during normal business hours and with minimal disruption to Our business and the business of Our affiliates and other customers;
      4. promptly (and in any event within 30 days of such audit or inspection) reimbursing to Us, in full and cleared funds, the reasonable costs and expenses incurred by Us in enabling, facilitating, and contributing to such audits and inspections and assisting with the provision of information to You pursuant to such audits and inspections; and
      5. requesting no more than one (1) such audit or inspection under this paragraph 8 (Records and audits) in any 12-month period.