Data Protection Addendum

Last updated 1st January 2023

This Data Protection Addendum forms part of the written or electronic agreement(s) between HC and the Processor (both as defined below), and sets out each party’s respective obligations with regard to the processing of personal data by HC.

Definitions

“Addendum”

This data protection addendum.

“Conditions”

The Customer Conditions and the Partner Conditions.

“Controller”

The Customer (as defined in the Customer Conditions) or the Partner (as defined in the Partner Conditions), as appropriate.

“Customer Conditions”

The conditions under which HC permits customers to access the Platform, as located at control.hico.io, of which this Addendum forms part.

“Data Protection Law”

All applicable data protection legislation and privacy legislation in force from time to time in the UK, including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data and the privacy of electronic communications.

“HC”

HIGHCOHESION LIMITED, a company registered in England and Wales with company no. 12020025, whose registered office is at 3rd Floor 86-90 Paul Street, London, United Kingdom, EC2A 4NE.

“Partner Conditions”

The conditions under which HC permits third-party developers to develop on the Platform, located at control.highcohesion.com, of which this Addendum forms part.

“Personal data”

Has the meaning given to it in Data Protection Law, as do “data subject”, “processing”, “personal data breach”, “pseudonymisation”, “special categories of data” and “supervisory authority”.

“Platform”

Has the meaning given to it in the Conditions.

“Standard Contractual Clauses”

The standard contractual clauses which the European Commission, on the basis of Article 26(4) of Directive 95/46/EC, has decided offer sufficient safeguards for the transfer of personal data to a third country, or the data protection clauses adopted by the European Commission, or adopted by a supervisory authority and approved by the European Commission, in accordance with the examination procedure referred to in Article 93(2) of the General Data Protection Regulation 2016/679. Data protection clauses so adopted shall replace and prevail over any standard contractual clauses adopted on the basis of Directive 95/46/EC to the extent that they are intended to cover the same kind of data transfer relationship.

“UK GDPR”

Has the meaning given to it in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

Conditions

  1. Unless the context otherwise requires, references to persons shall include natural persons, corporate bodies, unincorporated associations, governments, states, trusts and partnerships, in each case whether or not having a separate legal personality.  References to the words “include” or “including” are to be construed without limitation.

  2. References to Schedules and Clauses are to the schedules and clauses of this Addendum unless otherwise specified.

  3. References in this Addendum to any statute, statutory provision or EC Directive (“legislation”) include a reference to that legislation as amended, extended, consolidated or replaced from time to time and include any former legislation which it re-enacts, consolidates or replaces and any order, regulation, instrument or other subordinate legislation made under the relevant legislation. 

  4. Any reference to “writing” or “written” includes emails but does not include faxes.

General

    1. The parties acknowledge that the nature of the Platform means that the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types which HC may process to fulfil its obligations to the Controller cannot be defined with any degree of certainty. This Addendum shall apply to any personal data passing between the parties hereto.

    2. Whenever HC processes personal data on the Controller’s behalf:

      1. the Controller shall be the data controller (as defined by Data Protection Law) and HC shall be the processor in respect of such personal data; and 

      2. HC shall only process such personal data on the Controller’s documented instructions except insofar as required to do otherwise by applicable law.

    3. For the avoidance of doubt, any instruction to transfer data through a specific stream via the Platform shall be classed as an instruction for the purposes of Clause 2.2.2 above. The Controller warrants and represents that it is and will at all times remain duly and effectively authorised to give the processing instructions to HC.

    4. HC shall inform the Controller on becoming aware of:

      1. any requirement of applicable law which requires HC to process personal data otherwise than on the Controller’s documented instructions, unless applicable law prohibits such information on important grounds of public interest; or 

      2. any instruction from the Controller in relation to the processing of personal data which, in HC’s reasonable opinion, infringes Data Protection Law.

Security

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons, HC shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. 

    2. In assessing the appropriate level of security measures to be taken under Clause 3.1 above, HC shall take account of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

    3. HC shall ensure that its employees, and any other persons with access to personal data HC processes on the Controller’s behalf are made aware of their data protection and security obligations and are subject to binding obligations of confidentiality.

Sub-processing

  1. HC may engage another person to process any of the Controller’s personal data (a “sub-processor”) without the Controller’s prior general written authorisation.

  2. Where a sub-processor is engaged pursuant to Clause 4.1, HC shall:

    1. inform the Controller of any intended changes concerning the addition or replacement of any sub-processor (and allow the Controller 30 days to object to such change);

    2. ensure that its sub-processor(s) are engaged on terms equivalent to those to which HC is itself subject under this Addendum (and any other confidentiality or similar obligations or addendums between HC and the Controller);

    3. ensure that any sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law (including the requirements relating to security, integrity and confidentiality); and

    4. where a sub-processor fails to fulfil its data protection or confidentiality obligations, remain fully liable to the Controller for the performance of (or failure to perform) those obligations.

  3. In the event the Controller objects to a new sub-processor, HC will use reasonable efforts to change the affected services or to recommend a commercially reasonable change to the Controller’s use of the affected services to avoid the processing of personal data by the sub-processor concerned.

  4. Sub-processors in production and staging environments:

  • Amazon Web Services - Hosting and infrastructure

  • MongoDB - Databases

  • Sentry - Infrastructure monitoring

  • DataDog - Monitoring

  • Quickbooks - Billing

  • Zoom - Communications

  • Klaviyo - CRM

  • Google Workspace - Email and file storage

  • Slack - Communications

Requests from data subjects and supervisory authorities

If a data subject makes a request relating to the exercise of his or her legal rights in relation to personal data, HC shall (taking into account the nature of the processing, only to the extent that the relevant information or means are not otherwise at the Controller’s disposal, and at the Controller’s reasonable cost) provide the Controller with any information and assistance reasonably required by the Controller in order to respond to requests for exercising the data subject’s rights.

Personal data breaches and notification

  1. In the event of a personal data breach and irrespective of its cause, HC shall notify the Controller without undue delay after having become aware of such personal data breach, specifying where known or readily identifiable:

    1. the nature of the personal data breach;

    2. the categories and approximate number of data subjects and personal data records concerned;

    3. as the case may be, the remedial actions taken or proposed to be taken to address the personal data breach, to mitigate its effects and to prevent re-occurrence; and

    4. the identity and contact details of a Contact Person from whom more information can be obtained.

  2. The Controller must notify HC without undue delay about any possible misuse of its authentication credentials or any security issue related to its use of the Platform.

  3. The party responsible for the personal data breach shall without undue delay further investigate the personal data breach and shall keep the other party informed of the progress of the investigation and take reasonable steps to further minimise the impact. Both parties agree to fully cooperate with such investigation and to assist each other in complying with any notification and communication requirements set out in Data Protection Law.

  4. A party’s obligation to report or respond to a personal data breach is not and will not be construed as an acknowledgement by that party of any fault or liability with respect to the personal data breach.

Privacy impact assessments

    Taking into account the nature of the processing and the information available to HC, HC shall, at the Controller’s cost, provide the Controller with such information and assistance as the Controller reasonably requires in order to: 

    1. carry out any privacy impact assessments;

    2. consult with a supervisory authority prior to processing; and/or

    3. meet any obligations under Data Protection Law which derive from the activities described in Clauses 7.1.1 and 7.1.2 above.

    Deletion and return of data

After completing any processing of personal data on the Controller’s behalf, HC shall (at the Controller’s option) delete or return all such personal data (and any copies of the same), unless HC is required to store such copies to comply with a requirement imposed by any applicable law (in which case HC may store such copies to the extent necessary to meet that requirement).  Where HC is required to delete personal data, to the extent that it is not practical for HC to do so immediately, HC shall do so as soon as possible, and in the meantime shall ensure appropriate safeguards are put in place and the data is not retained for a longer period than is appropriate.

International transfers

  1. Subject to Clause 4, personal data that HC processes on the Controller’s behalf may be processed in any country in which HC or its authorised sub-processors maintain facilities, and the Controller authorises HC to perform any such transfer of personal data to any such country and to process personal data in such country in relation to the provision of access to the Platform.

  2. Any such transfer undertaken by HC from one territorial jurisdiction to, and processing in, another territorial jurisdiction (the EEA constituting one single jurisdiction for the purpose of this Clause) will only be undertaken in compliance with Data Protection Law, such as by the execution of Standard Contractual Clauses (as the case may be). The Controller hereby explicitly grants HC a mandate to execute and enforce the Standard Contractual Clauses on its behalf against HC’s relevant sub-processors, such Standard Contractual Clauses being governed by this Addendum.

Audits

    1. HC shall (subject to the Controller providing appropriate confidentiality undertakings) make available to the Controller all assistance and information necessary to demonstrate compliance with Data Protection Law, and including reasonable cooperation, during business hours and upon reasonable notice, with audits and/or inspections conducted by or on behalf of the Controller or another auditor mandated by the Controller.

    2. Nothing in this Clause 10 shall require HC to disclose or permit access to any of its (or any third party’s) confidential or commercially sensitive information.

Conflict

  1. If there is an inconsistency between any of the provisions of this Addendum and the provisions of:

    1. the Conditions; or 

    2. any later supply, purchase or other agreement entered into between the parties in relation to matters of data protection, the provisions of this Addendum shall remain in force and take priority, unless expressly disapplied. 

Variation  

  1. No variation of this Addendum shall be of any effect unless it is agreed in writing and signed by or on behalf of each party.

Third Party Rights 

  1. No third party shall have the right to enforce any provision of this Addendum pursuant to the Contracts (Rights of Third Parties) Act 1999.

Waiver

  1. No waiver of any right or remedy under this Addendum shall be deemed to be a waiver of any subsequent or other right or remedy and no failure to exercise or delay in exercising any right or remedy under this Addendum shall constitute a waiver of that right or remedy.  No single or partial exercise of any such right or remedy shall preclude or impair any other or further exercise of it or the exercise of any other right or remedy provided by law or under this Addendum.  

Invalidity

  1. If any provision is or becomes illegal, invalid or unenforceable in any respect, the legality, validity or enforceability of the remaining provisions of this Addendum shall not in any way be affected or impaired by it and the provision shall apply with such deletions as are necessary to make it legal, valid and enforceable.  If any provision or part-provision is deemed deleted under this Clause, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

Entire Agreement

  1. This Addendum constitutes the entire agreement between the parties relating to its subject matter and supersedes and extinguishes any drafts, agreements, undertakings, representations, warranties and arrangements of any nature whatsoever, whether or not in writing, between the parties in connection with the subject matter of this Addendum.  Each of the parties acknowledges and agrees that in entering into this Addendum it does not rely on, and shall have no remedy in respect of, any undertaking, promise, assurance, statement, representation (whether innocent or negligent), warranty or understanding (whether in writing or not) or any person (whether party to this Addendum or not) other than as expressly set out in this Addendum.  

Governing Law and Jurisdiction 

  1. This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of England. Each party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any such dispute or claim.