Data Processing Agreement

Data Processing Agreement concerning intheOffice's Processing of Personal Data on behalf of the Controller.

1. Purpose and Background

1.1 The Controller has agreed to appoint the Processor to provide software and services to the Controller under the terms of the Contract.
1.2 As part of performing the software and services the Processor will be required to Process Personal Data that may be linked to specific natural persons as described in Appendix A.
1.3 The Data Processing Agreement sets out the terms and conditions which apply to the Processor’s Processing of Personal Data.

2. Definitions and interpretations

2.1 The following words and expressions have the meanings stated below in the Data Processing Agreement, unless the context requires otherwise.
Appendix/Appendices - means appendices to this Data Processing Agreement.
Business Day - a day other than Saturday, Sunday or public holiday
Business Hours - 9:00 am to 5:00 pm on a Business Day
Contract - means the customer agreement between the Processor and Customer regarding delivery of services, and Processor’s general terms and conditions, including any schedules, appendices and amendments hereto.
Controller - the Customer as defined in the Contract and in accordance with the definition in the applicable Data Protection Law.
Data Processing Agreement - this agreement with Appendices.
Data Processing Services - the services described in Appendix A
Data Protection Law - the legislation, as amended, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a Controller in the EEA country where the Controller is established, including the GDPR as per 25 May 2018. A reference to Data Protection Law is a reference to it as amended, extended or reenacted from time to time.
Data Subject - an identified or identifiable natural person (an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
Destroy/Destruction - means that Personal Data is irrevocably deleted from all storage media on which it has been held and that the Personal Data cannot in any way be restored, including by any Sub-processors. This applies to all storage media used in connection with the Processing and include all existing copies.
EEA - the European Economic Area.
End User Licence - the agreement between intheOffice and any Data Subject who accesses the office capacity software named “intheOffice” and/or any related software.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Personal Data - any information, in whatever form, relating to the Data Subject.
Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Process/Processing - any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processing Operations - As defined in Appendix A
Processor - means intheOffice Limited, company number: 13539107, registered office: First Floor, Lipton House, Stanbridge Road, Leighton Buzzard, England, LU7 4QQ.
Return - means that all Personal Data is returned physically or electronically to the Controller and that any copies thereof etc. which may be in the Processor’s possession, or which the Processor may have at its disposal, including Personal Data handed over to Sub-processors, is subject to Destruction.
Sub-processor - means another processor engaged by the Processor with the purpose of carrying out specific processing activities on behalf of the Controller.
intheOffice - any information technology system or systems developed and/or sold by the Processor on which the Data Processing Services are performed in accordance with this Data Processing Agreement.
2.2 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
2.3 Any words following the terms “including”, “include”, “in particular” or “for example” or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
2.4 Any exclusion or cap on liability in the Contract shall also apply to the Processor’s liability under this Data Processing Agreement.

3. Scope

3.1 The Data Processing Agreement applies to any Processing of Personal Data performed by the Processor in connection with the performance of the Data Processing Services to the Controller as defined in Appendix A (the subject-matter).
3.2 The Customer and intheOffice acknowledge that the Customer is the Controller and intheOffice is the Processor in respect of any Personal Data supplied to intheOffice by or on behalf of Customer, including Personal Data described in Appendix A, in the course of the supply of the Data Processing Services.
3.3 The nature and purpose of the Processing, the types of Persona Data and categories of Data Subjects are set out in Appendix A.
3.4 Nothing in this Data Processing Agreement shall prejudice intheOffice’s rights and obligations set out in the End User Licence.

4. Obligations of the Processor

4.1 The Processor shall:
a) Process Personal Data only on documented instructions from the Controller as specified in this Data Processing Agreement and for the purposes set out in Appendix A;
b) discharge its operations under this Data Processing Agreement with all due skill, care and diligence;
c) keep a record as described in art. 30 of the GDPR at its normal place of business of any Processing of the Personal Data carried out in the course of the Data Processing Services and of its compliance with its obligations set out in this Data Processing Agreement (“Records”);
d) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
e) implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of Processing, including the requirements with respect to such measures under the Data Protection Law, as specified in clause 6;
f) only make copies of the Personal Data to the extend reasonably necessary, which among other things may include back-up, mirroring, security, disaster recovery and testing of the Personal Data;
g) only subcontract with Sub-processors in accordance with the requirements of clause 7;
h) immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law;
i) assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s non-exclusive rights to access, rectification, erasure and data portability, as these are stated in the Data Protection Law;
j) at the choice of the Controller Destroy or Return all the Personal Data to the Controller either during or after the term of this Data Processing Agreement, cf. clause 11;
k) make available to the Controller all information necessary to demonstrate compliance with the Data Protection Law, e.g. annual audit certificate from the Processor’s third party accountants, if any;
l) in connection with clause 4.1(k), if legally and technically possible allow for and contribute to audits, including inspections conducted by the Controller or another mandated by the Controller as set out in clause 8;
m) comply with its obligations under Data Protection Law including, where applicable, appointing a data protection officer.
4.2 If the Processor receives any complaint, notice or communication which relates directly or indirectly to the Processing of Personal Data or to either party’s compliance with Data Protection Law, it shall immediately notify the Controller and it shall provide the Controller with full co-operation and assistance in relation to any such complaint, notice or communication.
4.3 The Processor’s liability under the Contract, including the Data Processing Agreement, is capped and disclaimed according to the terms of the Contract.
4.4 The Processor shall inform the Controller without undue delay if the Processor comes to know/aware of any Personal Data Breach.
4.5 The Processor shall be entitled to charge the Controller separately for any cost (including internal resources at the Processor’ standard rates) that may incur in relation to assistance as referred to in clause 4.1(a)-(m).

5. Obligations of the Controller

5.1 The Controller will be solely responsible and liable for its compliance with applicable law as Controller. The Controller will ensure before using the software and receive services under the Contract in a way that includes Processing of Personal Data that it complies with all Data Protection Law, e.g. in relation to the provision of required information/notification to and/or approvals from Data Subjects and/or regulatory authorities related to the Processing.
5.2 The Controller will promptly notify the Processor if it becomes aware that Processing of the Controller’s Personal Data may be contrary to Data Protection Law.
5.3 The Controller warrants that the Processor’s strict compliance with any instruction from the Controller with respect to the Processing of Personal Data, shall not result in a violation of applicable Data Protection Law.
5.4 The Controller will indemnify the Processor from any loss resulting from the Controller’s failure to comply with its obligations hereunder.

6. Security measures

6.1 The Processor is obligated to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks, that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, including inter alia as appropriate:
a) the pseudonymisation and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
6.2 The Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not Process the Personal Data except on instructions of the Controller, unless he or she is required to do so under Data Protection Law.
6.3 The specific technical and organisational security measures implemented by the Processor are set out in appendix B (Security Measures).

7. Sub Processors

7.1 The Controller hereby authorizes the Processor to engage Sub-processors, including without limitation the Sub-processors as stated in Appendix A, to perform Processing of Personal Data, provided that the Processor enters into a written agreement with each Sub-processor which imposes the same obligations on the Sub-processors as are imposed on the Processor under this Data Processing Agreement.
7.2 The Processor will inform the Controller by email about any intended addition or replacement of a sub-processor in advance allowing the Controller/Data Subject the opportunity to object and/or render its informed consent, such not to be unreasonably withheld. Controller cannot object without a bona fide and objective reason, unless required by mandatory law. If the Controller object to any addition or replacement of any sub-processor, provided that such objection is based on a bona fide and objective reason, the Processor is entitled to (i) terminate the Data Processing Agreement with immediate effect by written notice.
7.3 Where a Sub-processor fails to fulfil its data protection obligations under the Data Processing Agreement referred to in clause 7.1, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s fulfilment of its data protection obligations in general.

8. Audits

8.1 For the purpose of auditing the Processor’s compliance with its obligations under this Data Processing Agreement, the Processor shall allow for the Controller on reasonable written notice of not less than thirty (30) days to Processor during Business Hours, but without notice in case of any reasonable suspected breach of this Data Processing Agreement by the Processor, to perform an Audit, including but not limited to:
a) gain access to inspect, and take copies of, the records and any other information held at the Processor’s premises or on the Processor System related to the Data Processing Services, and;
b) gain access to inspect the Processor System.
8.2 The written notice shall include a proposed audit plan. If part of the requested audit scope is covered by the scope of an audit report by a qualified third party auditor within the last 12 months, the Processor may request the Controller to consider whether it could rely on such report instead of an audit. The Processor will be entitled to suggest the date and time of the audit to minimize business disruption and may suggest the audit to be combined with audits from other Controllers. Controller cannot deny such suggestions from the Processor, unless it has a bona fide objective reason to do so.
8.3 At the request of Controller according to Clause 8.1 and 8.2, the Controller (or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality appointed by the Controller or Regulator) will be entitled to perform audits of the Processor’s facilities and security practices directly related to the Processing of Personal Data under the Contract in order to monitor compliance with this Data Processing Agreement. Unless in case of any reasonable suspected breach of this Data Processing Agreement or as otherwise permitted by mandatory law, such audit shall be limited to 1 audit per 12 months’ period.
8.4 The Controller will bear any costs related to audits and the Processor shall be entitled to charge the Controller separately for any cost (including internal resources at the Processor’s standard rates) the Processor may incur in relation to its assistance with such audits.
8.5 Any audit shall be conducted in accordance with the Processor’s internal policies and all participants shall be subject to adequate written confidentiality obligations. To the extent allowed under applicable law, the Controller shall deliver to the Processor a copy of the audit report and the Processor be entitled to use such report free of charge in relation to other Controllers.
8.6 The Controller may use the information obtained during any audit, including any audit report, only for the purpose of meeting its audit obligations under Data Protection Law. For the avoidance of doubt, the Controller is not allowed to disclose to the public any parts of the audit report, without prior written consent from the Processor, unless required by mandatory law.
8.7 The Processor shall give all necessary assistance to the conduct of such audits during the term (as set out in clause 11) of this Data Processing Agreement.
8.8 The Controller, or its third-party representatives as specified in clause 8.3, is allowed to conduct audits with the Processor’s Sub-processors to the extent this is possible according to the terms and conditions in the then currently valid and applicable version of the Sub-processor’s terms and conditions.

9. Third country transfers

9.1 The Processor may only process the Personal Data in countries outside EEA subject to documented instructions from the Controller as specified in Appendix A.
9.2 If the Processor has the intention to process Personal Data in another third country, the Processor will inform the Controller of such intended transfer in advance allowing the Controller the opportunity to object.

10. Confidentiality

10.1 The Processor acknowledges that the persons authorized to Process the Personal Data are committed to confidentiality including all information related to the Contract and the Parties business.
10.2 The provisions of confidentiality shall continue to apply after termination of this Data Processing Agreement.

11. Term and termination

11.1 This Data Processing Agreement will take effect from the effective date as specified in the Contract or the date of the Controller’s signature on the signature page, whichever is earliest, and shall continue in force during the Term as defined in the Contract.
11.2 Upon termination of the Contract, this Data Processing Agreement shall also terminate.
11.3 Notwithstanding clause 11.2 above, this Data Processing Agreement shall not lapse until the Controller has received and accepted the documentation regarding deletion described in clause 11.6(b), unless the Controller specifically accepts otherwise.
11.4 Any provision of this Data Processing Agreement that expressly or by implication is intended to come into or continue in force or after termination of this Data Processing Agreement shall remain in full force and effect.
11.5 Termination of this Data Processing Agreement, for any reason, shall not affect the accrued rights, remedies, obligations or liabilities of the Parties existing at termination.
11.6 On any termination of this Data Processing Agreement for any reason:
a) the Processor shall as soon as reasonably practicable Destroy all Personal Data and all information and other materials provided to it by or on behalf of the Controller in connection with this Data Processing Agreement;
b) the Processor shall as soon as reasonably practicable ensure that all such data are destroyed and that all Personal Data is deleted from the Software.
Notwithstanding the above, Destruction shall not take place until the Processor has informed the Controller of the contemplated method of Destruction and received the Controller’s confirmation that Destruction shall take place in accordance with such method. Should the Controller not find the contemplated method of Destruction sufficiently effective, the Controller will inform the Processor of what method is considered sufficiently effective.
11.7 The Processor shall provide written confirmation of compliance with clause 11 (a) no later than 28 working days after termination of this Data Processing Agreement.

12. Changes due to changes in mandatory law

12.1 If there are changes in mandatory Data Protection Law, the Processor is entitled to change this Data Processing Agreement accordingly.

13. Governing law

13.1 This Data Processing Agreement is governed by and will be interpreted in accordance with English law. However, the conflict of laws rules must be disregarded to the extent that such rules are non-mandatory.
13.2 Any dispute arising out of this Data Processing Agreement, including any dispute concerning the existence or validity of this Data Processing Agreement shall be brought before the English courts.

14. Appendix A

In connection with the Processor’s provision of services and hosting the Personal Data on behalf of the Controller, the Controller gives the Processor the instruction and grants consent to Process the following Personal Data for the purposes set out below:

1. General description and purpose of the Processing Operations

Processing Operations:
The Processor processes the Personal Data of the Controller for the purpose of delivering office attendance services

2. Categories of Data Subjects

The Data Subject categories may be adjusted from time to time, to the extent that the processing of Personal Data and the purposes thereof continue to fall under the general description.
Potential employees
Former employees
Office visitors

3. Types of Personal Data

Description of the types of Personal Data for each category of Data Subjects
Full name & initials, email address, and data entered into custom fields created by Customer which may contain sensitive Personal Data including medical data.

4. Who at the Processor has access to Personal Data?

Only persons engaged with the purposes for which the Personal Data is Processed will be authorised to access and Process the Personal Data, including employees providing:
Support services,
Maintenance and backup,
Operational system/support staff

5. Which external parties have access to all or part of the Personal Data (sub-processors), for which purpose(s) and their geographical location (including if outside the EEA)?

Sub Processor - Firebase, owned by Google LLC.
Purpose description - Providing hosting services, Authentication layer, database and data storage, and other backend infrastructure-as-a-service.
Geographical locations - London, Belgium, Frankfurt

Appendix B - Security Measures

The Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. These measures include but are not limited to:
1. Access control to systems (virtual)
1.1 Processor will establish and maintain safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data on its systems which are used to Process Personal Data:
1.1.1 access will be granted to personnel through documented access request procedures. The employees’ managers or other responsible individuals must authorise or validate access before it is given;
1.1.2 access controls are enabled at the operating system, database, or application level;
1.1.3 administrative access will be restricted to prevent changes to systems or applications;
1.1.4 users will be assigned a single account and prohibited from sharing accounts.
2. Access control to devices and laptops
2.1 Processor will implement and maintain commercially reasonable security measures with respect to mobile devices and laptops that are used to Process Personal Data.
3. Access control to Personal Data
3.1 Access will be granted only after Processing an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification.
3.2 Unique User IDs and passwords will be issued to the users.
3.3 Users, once authenticated, will be authorised for access levels based on their job functions.
4. Transmission and disclosure control
4.1 Processor will implement and maintain measures to prevent Personal Data from being read, copied, modified or removed without authorisation during electronic transmission or transport and to enable Processor to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.
4.2 Processor will maintain technology and processes designed to minimize access for illegitimate Processing, including technology for the encryption of Personal Data.
5. Input control
5.1 Processor will maintain system and database logs for access to all Personal Data under its control;
5.2 Customer/Processor will maintain input controls on its systems.
6. Job control
6.1 Processor will implement procedures to ensure the reliability of its employees and any other person acting under its supervision that may come into contact with, or otherwise have access to and Process, Personal Data.
6.2 Processor will implement procedures to ensure that its personnel is aware of its responsibilities under the Agreement. Processor shall instruct and train all persons it authorises to have access to the Personal Data on the Data Protection Legislation as well as on all relevant security standards and shall commit them in written form to comply with the data secrecy, the Data Protection Legislation and other relevant security standards.
6.3 Processor will promptly act to revoke access to Personal Data of Customer/Processor due to termination, a change in job function, or in observance of user inactivity or extended absence.
6.4 Processor shall have in place a data protection policy and a document retention policy, with which its personnel must comply.
7. Incident management
7.1 Should a security breach (potentially) affect personal data, Processor shall notify Controller in accordance with Claues 4 in the Data Processing Agreement.
7.2 Processor should implement a process to learn from the incidents/attacks and improve the existing security level.
8. Availability control
8.1 Processor will protect Personal Data against accidental destruction or loss by ensuring:
8.1.1 Workstations will be protected by commercial anti-virus and malware prevention software receiving regular definition updates;
8.1.2 Upon detection of a virus or malware, Processor will take immediate steps to arrest the spread and damage of the virus or malware and to eradicate the virus or malware.
8.1.3 Servers will be protected by commercial firewalls and intrusion protection prevention systems.
9. Control of instructions
9.1 Processor will implement and maintain procedures to ensure that Personal Data is processed only in accordance with Controller’s instructions.
10. Separation control
10.1 Processor will implement and maintain procedures to ensure that personal data collected for different purposes will be processed separately to the extent that Processor has been expressly notified about such different purposes and requested to do so and under the condition that Processor may invoice its time and expenses for complying with this request.
11. Regular testing of security measures
11.1 Processor will frequently test, assess and evaluate the effectiveness of its technical and organisational security measures.