In the course of providing the SaaS Offering to the Customer pursuant to the Agreement, Supplier shall Process Personal Data on behalf of the Customer. Supplier agrees to comply with the following provisions with respect to any Personal Data provided to Supplier by Customer or otherwise Processed by Supplier on behalf of Customer.
1. DEFINITIONS AND INTERPRETATION
“Data Controller” means the entity or person, alone or jointly with other persons or entities, which a) determines the purposes and means of the Processing of Personal Data, and/or b) has control over or authorises the Processing of any Personal Data.
“Data Processor” means the entity or person, other than the Data Controller or Data Controller’s employees or agents, who Processes Personal Data on behalf of the Data Controller and does not Process Personal Data for its own purposes.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable person where such data is submitted to the SaaS Offering as Personal Data or otherwise Processed by Supplier on behalf of Customer in the course of performing the SaaS Offering.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, correction, blocking, erasure or destruction by the Data Processor.
“Security Incident” means actual or reasonably suspected accidental, unlawful or unauthorized access, acquisition, loss, alteration, destruction or disclosure of Personal Data by Supplier or its Subprocessors.
“Standard Contractual Clauses” means the UK’s International Data Transfer Agreement for the transfer of personal data from the UK and/or the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914, or such alternative clauses as may be approved by the European Commission or by the UK from time to time.
“Subprocess” or “Subprocessing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, correction, blocking, erasure or destruction by a Subprocessor.
“Subprocessor” means the entity or person, engaged by the Supplier, who Processes Personal Data on behalf of the Supplier and does not Process Personal Data for its own purposes.
“Subprocessor List” has the meaning given to it in clause 3.2 and the current list is available at https://mentorloop.com/terms/subprocessors.
1.1 This Data Processing Addendum is subject to the terms of the Agreement and is incorporated into the Agreement.
1.2 The Annexes form part of this Data Processing Addendum and will have effect as if set out in full in the body of this Data Processing Addendum. Any reference to this Data Processing Addendum includes the Annexes.
1.3 A reference to writing or written includes email.
1.4 In the case of conflict or ambiguity between:
1.4.1 any provision contained in the body of this Data Processing Addendum and any provision contained in the Annexes, the provision in the body of this Data Processing Addendum will prevail;
1.4.2 the terms of any accompanying invoice or other documents annexed to this Data Processing Addendum and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
1.4.3 any of the provisions of this Data Processing Addendum and the provisions of the Agreement, the provisions of this Data Processing Addendum will prevail.
1.5 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer shall act as Data Controller and Supplier shall act as Data Processor.
1.6 Customer’s Processing of Personal Data. Customer shall, in its use of the SaaS Offering, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws.
1.7 Supplier’s Processing of Personal Data. Supplier shall only Process Personal Data on behalf of and in accordance with Customer’s instructions, including as set forth in the Agreement, in compliance with Applicable Data Protection Laws, and shall treat Personal Data as Confidential Information. A description of such Processing is also set forth in Annex 1, as applicable. Supplier shall maintain records of Processing activities to the extent required by Applicable Data Protection Laws. Customer instructs Supplier to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable order form(s); (ii) Processing initiated by users in their use of the SaaS Offering; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Supplier shall immediately inform Customer if, in Supplier’s opinion, an instruction by Customer infringes Applicable Data Protection Laws.
1.8 Security. The Supplier shall implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
2. ASSISTANCE AND DATA SUBJECT RIGHTS
2.1 Correction, Blocking and Deletion. To the extent Customer, in its use of the SaaS Offering, does not have the ability to correct, amend, block or delete Personal Data, as required by Applicable Data Protection Laws, Supplier shall comply with requests by Customer to facilitate such actions, within timelines that reasonably enable Customer to comply with its legal obligations, to the extent Supplier is legally permitted to do so.
2.2 Data Subject Requests. Supplier shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Supplier shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Supplier shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights.
2.3 Assistance Necessary for Compliance. Supplier shall assist Customer to the extent reasonably necessary for Customer to fulfil its compliance obligations including, but not limited to, completing Data Protection Impact Assessments, responding to Data Subject rights requests, reporting to and consulting with a supervisory authority and incorporating principles of privacy by design and default.
2.4 Personal Data Breach. The Supplier shall within 24 hours and in any event without undue delay notify the Customer if it becomes aware of:
2.4.1 the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
2.4.2 any accidental, unauthorised or unlawful processing of the Personal Data; or
2.4.3 any Personal Data breach.
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data breach, the parties will co-ordinate with each other to investigate the matter. Further, the Supplier will reasonably co-operate with the Customer (and where instructed by the Customer, the Data Controller) in the handling and resolution of the matter.
3. SUBPROCESSORS
3.1 Appointment of Subprocessors. Customer acknowledges and agrees that (a) Supplier’s Affiliates may be retained as Subprocessors; and (b) Supplier and Supplier’s Affiliates respectively may engage third-party Subprocessors to Subprocess the Personal Data in connection with the provision of the SaaS Offering. Supplier shall require all Subprocessors to agree in writing to Subprocess Personal Data in compliance with the requirements set forth in this Data Processing Addendum.
3.2 List of Current Subprocessors and Notification of New Subprocessors. Supplier shall make available to Customer a current list of Subprocessors for the respective SaaS Offering with the identities of those Subprocessors (“Subprocessor List”). Supplier shall provide Customer with a means of receiving updates to the relevant Subprocessor List (such as the ability to subscribe to an automated mailing list) and shall provide such updates before authorizing any new Subprocessor(s) to Subprocess Personal Data in connection with the provision of the SaaS Offering.
3.3 Objection Right for new Subprocessors. If Customer has a reasonable basis to object to Supplier’s use of a new Subprocessor on grounds of such Subprocessor’s non-compliance with this Data Processing Addendum, Customer shall notify Supplier in writing within 45 days after receipt of Supplier’s notice.
3.3.1 In the event Customer objects to a new Subprocessor(s) and that objection is not unreasonable, Supplier will use reasonable efforts to make available to Customer a change in the affected SaaS Offering or recommend a commercially reasonable change to the SaaS Offering to avoid Subprocessing by the objected-to Subprocessor without unreasonably burdening Customer. If Supplier is unable to make available such change within a reasonable period of time, which shall not exceed 60 days, Customer may terminate the applicable Order Form(s) in respect only of those SaaS Offerings which cannot be provided by Supplier without the use of the objected-to new Subprocessor, by providing written notice to Supplier. Any termination by Customer under this Clause 3.3.1 shall be in accordance with the terms of the Agreement.
3.4 Liability. Supplier shall be liable for the acts and omissions of its Subprocessors to the same extent Supplier would be liable if Supplier itself performed such acts and omissions.
3.5 Supplier Agreements. The parties agree that, where Supplier must provide Customer with copies of Subprocessor agreements to comply with Applicable Data Protection Laws, such agreements may have all commercial information and clauses unrelated to such compliance removed by Supplier and that such copies will be provided by Supplier only upon Customer’s reasonable request.
4. SUPPLIER PERSONNEL
4.1 The Supplier will ensure that all of its employees:
4.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
4.1.2 have undertaken training on the Applicable Data Protection Laws relating to handling Personal Data and how it applies to their particular duties; and
4.1.3 are aware both of the Supplier's duties and their personal duties and obligations under the Applicable Data Protection Laws and this Agreement.
4.2 The Supplier will take reasonable steps to ensure the reliability, integrity and trustworthiness of its employees with access to the Personal Data.
5.1 Notification of Non-Compliance. Supplier shall promptly notify Customer if, at any time, it is unable to comply with the terms of this Data Processing Addendum or Applicable Data Protection Laws. If Supplier is unable to remedy such noncompliance within a reasonable period of time, not to exceed 30 days, Customer may terminate any SaaS Offering for which Supplier’s Processing is non-compliant upon written notice to Supplier.
5.2 Security Incidents. In addition to any obligations as set forth in the Agreement, Supplier shall promptly notify Customer of any Security Incident of which it becomes aware. Such notice shall not in any case be more than 24 hours after Supplier becomes aware of a Security Incident.
5.3 International Data Transfers. Supplier shall disclose to Customer in writing all geographic locations where Personal Data will be Processed by Supplier and any Subprocessors. Supplier shall not, and shall ensure that Subprocessors do not, transfer Personal Data out of the disclosed locations without 1) written approval by Customer, and 2) ensuring that such transfer complies with all Applicable Data Protection Laws.
5.4 Standard Contractual Clauses. To the extent necessary to comply with Applicable Data Protection Laws in the EU and UK in respect of the transfer of Personal Data from the EU and UK to countries which do not ensure an adequate level of protection within the meaning of the Applicable Data Protection Laws, the Supplier shall enter into Standard Contractual Clauses with the Customer and with its Subprocessors.
6. AUDITS AND CERTIFICATIONS
6.1 Audit Procedures. In addition to any obligations set forth in the Agreement, the parties agree that Customer shall, subject to the Customer paying the Supplier’s costs associated with the audit, have the right to audit Supplier’s compliance with the terms of this Data Processing Addendum and Applicable Data Protection Laws according to the following procedures:
6.1.1 Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Supplier shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Supplier) information sufficient to establish Supplier’s compliance with the obligations set forth in this Data Processing Addendum and Applicable Data Protection Laws (“Compliance Obligations”). Such information shall include any documentation reasonably necessary to confirm Supplier’s compliance with its Compliance Obligations.
6.1.2 Audit requests by Customer shall be provided to Supplier in writing and no more frequently than once in any 12-month period, with the exception that Customer may request an audit following any Supplier notification of a Security Incident under Clause 5.2 of this Data Processing Addendum or as necessary to demonstrate Customer’s compliance with Applicable Data Protection Laws pursuant to a regulatory investigation, inquiry, or lawsuit.
7. RETURN AND DELETION OF PERSONAL DATA
In addition to any obligations set forth in the Agreement, Supplier shall cease to retain any documents containing Personal Data on the instruction of Customer or when the purpose for which that Personal Data was collected is no longer being served by retention of the Personal Data. Nothing in this Clause 7 shall prevent Supplier from retaining Personal Data to the extent required by law. Supplier shall provide Customer with a certification of deletion of Personal Data upon Customer’s request.
8. TERM AND TERMINATION
8.1 This Data Processing Addendum will remain in full force and effect so long as:
8.1.1 the Agreement remains in effect; or
8.1.2 the Supplier retains any of the Personal Data related to the Agreement in its possession or control (Term).
8.2 Any provision of this Data Processing Addendum that expressly or by implication should come into or continue in force on or after termination of the Agreement to protect the Personal Data will remain in full force and effect.
8.3 If a change in any Applicable Data Protection Laws prevents either party from fulfilling all or part of its obligations, the parties may agree to suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the parties are unable to bring the Personal Data Processing into compliance with the Applicable Data Protection Laws within 60 days, either party may terminate the Agreement on no less than 30 days’ written notice to the other party and in accordance with the terms of the Agreement.
9.1 Each party acknowledges and agrees that a violation of this Data Processing Addendum constitutes a material breach of the Agreement.
9.2 The Customer will cover all reasonable expenses associated with the performance of the obligations under Clauses 2, 6 and 7 unless the matter arose from the Supplier’s negligence, wilful default or breach of this Agreement, in which case the Supplier will cover all reasonable expenses.
9.3 Each party shall bear its own costs in relation to the execution of this Data Processing Addendum.
9.4 Indemnity. The Customer shall defend, indemnify and hold the Supplier harmless against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Customer’s breach of this Data Processing Addendum (including without limitation a breach of the Applicable Data Protection Laws).
Annex 1: Personal Data Processing Details
Subject matter of Processing:
- IT solution to support mentoring
Duration of Processing:
- Duration of Agreement plus statutory archiving periods
Nature of Processing:
- Technical processing for the purposes of automating (as far as possible) mentor programmes
- Managing user accounts and permissions
- To fulfil a contract
Personal Data Categories:
- Identity data
- Contact data
- Employment and education history data
- Personal preferences and goals data
Data Subject Types:
- Private individuals
- Business persons on behalf of corporate customers