Data Processing Addendum
This Addendum will be effective as of the date on which the Customer accepted, or the parties otherwise agreed to, this Addendum and/or Master Services Agreement (whichever is earlier).
This Data Processing Addendum (“DPA”) supplements the XM.WORKS Customer Terms and Conditions, or other agreement in place between Customer (“Controller”) and XM.WORKS (“Processor”) covering Customer’s use of the Processor’s Products and related Services (the “Agreement”). Unless otherwise defined in this DPA or in the Agreement, all capitalised terms used in this DPA will have the meanings given to them in the Definitions and Interpretation section below.
The provision of the Services by the Processor involves it processing the Personal Data described in Schedule 1 on behalf of the Customer.
Under the General Data Protection Regulation (“GDPR”) (Article 28, paragraph 3), the Controller is required to put in place an agreement in writing between the Controller and any organisation which processes Personal Data on its behalf governing the processing of that data.
The Parties have agreed to enter into this DPA to ensure compliance with the provisions of the GDPR in relation to all processing of the Personal Data by the Processor for the Customer.
The terms of this DPA apply to all processing of Personal Data carried out for the Customer by the Processor and to all Personal Data held by the Processor in relation to such processing.
Definitions and Interpretation
In this DPA, unless the context otherwise requires, the following expressions have the following meanings:
“Customer Account Data” means Personal Data relating to Customer’s relationship with the Processor, including: (i) account information (e.g. name, email address, or account ID); (ii) billing and contact information of individual(s) associated with Customer’s account (e.g. billing address, email address, or name); and (iii) device and website usage information (e.g. browser type, IP address, device type (mobile/desktop), operating system, pages visited, time spent, bounce rate (leaving quickly), clicks, scrolls).
“Customer Personal Data” means Personal Data contained in Customer Data and/or Customer Materials that the Processor processes under the Agreement solely on behalf of the Customer (name, email address, survey response, EDI/Special Category Data (where applicable)). For clarity, Customer Personal Data also includes any Personal Data provided in technical support requests.
“Customer Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation or support of the Products, including via their connection to Third-Party Products. Customer Usage Data may include event name (i.e. what action Users performed), event timestamps, browser information, diagnostic data, data types, file sizes, and similar information associated with data from the Products and Third-Party Products that Customer connects to. For clarity, Customer Usage Data does not include Customer Personal Data.
“Controller”, “Processor”, “Processing”, and “Data Subject” shall have the meanings given to the terms “Controller”, “Processor”, “Processing”, and “Data Subject” respectively in Article 4 of the GDPR;
“GDPR” means either the UK General Data Protection Regulation or the EU General Data Protection Regulation (“EU GDPR” - EU Regulation 2016/679) (whichever is applicable);
“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;
“Personal Data” means all such “Personal Data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Processor on behalf of the Controller (as described in Schedule 1);
“Services” means those services which are provided by the Processor to the Controller and which the Controller uses for the purposes described in the Agreement;
“Sub-Processor” means a sub-processor appointed by the Processor to process the Personal Data; and
“Sub-Processing Agreement” means an agreement between the Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 7.
Unless the context otherwise requires, each reference in this DPA to:
“writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
“this DPA” is a reference to this DPA and the attached Schedule as amended or supplemented at the relevant time;
a Schedule is a schedule to this DPA;
a Clause or paragraph is a reference to a Clause of this DPA (other than the Schedule) or a paragraph of the relevant Schedule; and
a "Party" or the "Parties" refers to the parties to this DPA.
The headings used in this DPA are for convenience only and shall have no effect upon the interpretation of this DPA.
Scope and Term
Roles of the Parties
Customer Personal Data – XM.WORKS will Process Customer Personal Data as Customer’s Processor in accordance with Customer’s instructions as outlined in Clause 1 (Provision of the Services and Processing Personal Data);
Customer Account Data – XM.WORKS may Process Customer Account Data as a Controller for the following purposes: (i) to carry out core business functions such as accounting, billing, and filing taxes; (ii) to manage the Customer relationship (communicating with Customers in accordance with their account preferences, responding to Customer enquiries and providing technical support, etc.); (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and (iv) to provide and improve its Services;
Customer Usage Data - XM.WORKS may Process Customer Usage Data as a Controller for the following purposes: (i) to provide, optimise, secure, and maintain the Services; (ii) to optimise the Customer experience; and (iii) to inform the XM.WORKS business strategy;
Description of the Processing - Details regarding the Processing of Personal Data by the Processor are stated in Schedule 1 (Description of Processing).
Term of the DPA - This DPA shall continue in full force and be in effect for so long as the Processor is processing Personal Data on behalf of the Customer, and thereafter as provided in Clause 9.
Order of Precedence - The provisions of this DPA shall apply to the processing of the Personal Data described in Schedule 1, carried out for the Customer by the Processor, and to all Customer Personal Data held or accessed by the Processor in relation to all such processing, whether such Customer Personal Data is held at the date of this DPA or received afterwards.
The provisions of this DPA supersede any other arrangement, understanding, or agreement including, but not limited to, the Master Services Agreement made between the Parties at any time relating to the Personal Data.
1. Provision of the Services and Processing Personal Data
The Processor is only to carry out the Services, and to process the Customer Personal Data received from the Controller:
1.1 for the purposes of those Services and not for any other purpose;
1.2 to the extent and in such a manner as is necessary for those purposes; and
1.3 strictly in accordance with the express written authorisation and instructions of the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor).
2. Data Protection Compliance
2.1 All instructions given by the Controller to the Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Processor shall act only on such written instructions from the Controller unless the Processor is required by law to do otherwise (as per Article 29 of the GDPR).
2.2 The Processor shall promptly comply with any request from the Controller that requires the Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
2.3 The Processor shall transfer all Personal Data to the Controller on the Controller’s request in the formats, at the times, and in compliance with the Controller’s written instructions.
2.4 Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this DPA or any other agreement or arrangement between themselves in such a way as to cause either Party to breach any of its applicable obligations under the GDPR.
2.5 The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this DPA are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO (or relevant supervisory authority).
2.6 The Processor shall provide all reasonable assistance to the Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO (or relevant supervisory authority).
2.7 When processing the Personal Data on behalf of the Controller, the Processor shall:
2.7.1 not process the Personal Data outside the UK or European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Controller and, where the Controller consents to such a transfer to a country that is outside of the UK or EEA, to comply with the obligations of Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
2.7.2 not transfer any of the Personal Data to any third party without the written consent of the Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 7;
2.7.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (in which case, the Processor shall inform the Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
2.7.4 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against any unauthorised processing, including any accidental or unlawful loss, destruction, damage, alteration, disclosure or access. In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for Data Subjects. The Processor shall take all security measures necessary to meet the requirements of Article 32 of the GDPR on the security of processing and shall inform the Controller in advance of any material changes to such measures;
2.7.5 if so requested by the Controller (and within the timescales required by the Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
2.7.6 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the GDPR;
2.7.7 make available to the Controller any and all such information as is reasonably required and necessary to demonstrate the Processor’s compliance with the GDPR;
2.7.8 on reasonable prior notice, submit to audits and inspections and provide the Controller with any information reasonably required in order to assess and verify compliance with the provisions of this DPA and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this DPA or under the law; and
2.7.9 inform the Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
3. Data Subject Rights, Complaints, and Breaches
3.1 The Processor shall assist the Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject rights requests, complaints, and data breaches.
3.2 The Processor shall notify the Controller without undue delay if it receives:
3.2.1 a subject rights request from a data subject; or
3.2.2 any other complaint or request relating to the processing of the Personal Data.
3.3 The Processor shall cooperate fully with the Controller and assist as required in relation to any subject rights request, complaint, or other request, including by:
3.3.1 providing the Controller with full details of the complaint or request;
3.3.2 providing the necessary information and assistance in order to comply with a subject rights request;
3.3.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller); and
3.3.4 providing the Controller with any other information requested by the Controller.
3.4 The Processor shall notify the Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
4. Liability and Indemnity
The Processor shall indemnify, keep indemnified and defend the Controller, at the Processor’s own expense, against all claims, liabilities, costs, expenses, damages and losses (including all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by the Controller arising out of the failure by the Processor or its employees or agents to comply with any of its obligations under this DPA (“Claims”). Each party acknowledges that Claims include any claim or action brought by a data subject arising from the Processor’s breach of its obligations under this DPA.
5. Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Controller or the Processor) shall belong to the Controller or to any other applicable third party from whom the Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Processor is licensed to use such Personal Data under such rights only for the purposes of the Services, and in accordance with this DPA.
6. Confidentiality
6.1 The Processor shall maintain the Personal Data in confidence, and in particular, unless the Controller has given written consent for the Processor to do so, the Processor shall not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party. The Processor shall not process or make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of the Services to the Controller.
6.2 The Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
6.3 The obligations set out in this Clause 6 shall continue for a period of six years after the cessation of the provision of Services by the Processor to the Controller.
6.4 Nothing in this DPA shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
7. Appointment of Sub-Processors
7.1 The Controller hereby provides the Processor with general written authorisation to engage Sub-Processors from an agreed list. The Processor shall specifically inform the Controller in writing of any intended changes to that list at least 30 days in advance, thereby giving the Controller sufficient time to object to those changes prior to the engagement of the Sub-Processors. The Processor shall provide the Controller with the information necessary for the Controller to object.
7.2 In the event that the Processor appoints a Sub-Processor, the Processor shall:
7.2.1 enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Processor by this DPA and which shall permit both the Processor and the Controller to enforce those obligations; and
7.2.2 ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
7.3 In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Processor shall remain fully liable to the Controller for failing to meet its obligations under this DPA.
7.4 The Processor shall provide and maintain an up to date list of all Sub-Processors, as set out in Schedule 1 (List of Sub-Processors).
8. International Transfers
8.1 The Controller hereby provides the Processor with general written authorisation to process the Personal Data outside the UK or European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) where:
8.1.1 the Personal Data is processed in a country which the Secretary of State or European Commission has confirmed has an adequate level of protection (an adequacy decision); or
8.1.2 the Processor enters into an International Data Transfer Agreement (“IDTA”) or uses the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (“SCCs”) for international data transfers with the receiving organisation, and adopts supplementary measures where necessary; or
8.1.3 the transfer of Personal Data is not considered to be a restricted transfer under the data protection legislation (e.g. UK entity employees working abroad).
9. Deletion and/or Disposal of Personal Data
9.1 The Processor shall, at the written request of the Controller, delete (or otherwise dispose of) the Personal Data or return it to the Controller in the format(s) reasonably requested by the Controller within a reasonable time after the earlier of the following:
9.1.1 the end of the provision of the Services; or
9.1.2 the processing of that Personal Data by the Processor is no longer required for the performance of the Processor’s obligations under this DPA or the Service Agreement.
9.2 Following the deletion, disposal, or return of the Personal Data under sub-Clause 9.1, the Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Processor shall inform the Controller of such requirement(s) in writing.
10. Law and Jurisdiction
10.1 This DPA (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
10.2 Any dispute, controversy, proceedings or claim between the Parties relating to this DPA (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
Schedule 1
Description of Processing
1. Categories of data subjects whose Personal Data is Processed: Customer and its End users.
2. Categories of Personal Data Processed: Customer Account Data, Customer Usage Data, and Customer Personal Data.
3. Special Category Data: Customer Personal Data may contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offences (altogether “Special Category Data”).
4. The frequency of the transfer: Continuous.
5. Nature of the Processing: The Processor will Process Customer Personal Data in order to provide the Services and related support in accordance with the Agreement, including this DPA. The nature of the Processing (including transfer) includes but is not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means.
6. Purpose(s) of the Processing:
Customer Personal Data: The Processor will Process Customer Personal Data in accordance with Customer’s instructions as set out in Clause 1 (Provision of the Services and Processing Personal Data).
Customer Account Data and Customer Usage Data: The Processor may Process Customer Account Data and Customer Usage Data for the limited and specified purposes outlined in the Roles of the Parties.
7. Duration of Processing:
Customer Personal Data: The Processor will Process Customer Personal Data for the term of the Agreement and as outlined in Clause 9 (Deletion and/or Disposal of Personal Data).
Customer Account Data and Customer Usage Data: The Processor will Process Customer Account Data and Customer Usage Data only for as long as is required (a) to provide the Services and related support to Customer in accordance with the Agreement; (b) for the Processor’s legitimate business purposes outlined in the Roles of the Parties; or (c) for the compliance with applicable law(s).
8. Transfers to Sub-Processors: The Processor will transfer Customer Personal Data to Sub-Processors as permitted in Clause 7 (Appointment of Sub-Processors).
9. List of Sub-Processors:
Microsoft 365 (SharePoint)