Introduction
The parties agree that this Data Protection Agreement (“DPA”) sets forth each parties rights and obligations with respect to the processing and security of Customer Personal Data in connection with the Software and Services provided by MetaCompliance Ltd. The DPA is incorporated by reference into the General Terms and Conditions (Commercial Terms). The parties also agree that, unless a separate DPA signed by the parties exists, this DPA governs the processing and security of Customer Personal Data.
The provisions of the DPA Terms supersede any conflicting provisions of the MetaCompliance Privacy Statement that otherwise may apply to processing of Customer Personal Data. For clarity, consistent with the 2021 Standard Contractual Clauses defined below, when the 2021 Standard Contractual Clauses are applicable, the 2021 Standard Contractual Clauses prevail over any other term of the Data Processing Agreement.
DATA PROCESSING AGREEMENT EFFECTIVE FROM 1st May 2022
-
Parties
The Customer as defined in the General Terms and Conditions (the “Customer”) and
1.1.1 MetaCompliance Limited incorporated and registered in Northern Ireland with company number NI049166 whose registered office is at Third Floor Old City Factory 100 Patrick Street, Londonderry BT48 7EL (the ”Supplier”).
-
Background
The Customer and the Supplier have entered into a Contract that may require the Supplier to process Personal Data on behalf of the Customer.
This Data Processing Agreement (“DPA”) sets out the additional terms, requirements and conditions on which the Supplier will process Personal Data when providing Services under the Contract. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679 and UK GDPR legislation) for contracts between controllers and processors.
This DPA is subject to the terms of the Contract and is incorporated into the Contract. The terms used in this DPA shall have the meanings set out in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions of the Contract.
The Annexes form part of this DPA and will have effect as if set out in full in this DPA. Any reference to this DPA includes Annexes.
In the event of a conflict between any provision of this DPA and any term(s) of the Contract, with respect of the subject matter of this Agreement, the provisions of this DPA shall prevail.
-
Definitions
The following terms in this DPA shall have the following meaning:
“Data Protection Laws”
“Customer Personal Data”
“Standard Contractual Clauses”
“Sub-processor”
“Controller”, “Data Subject”, “Processor”, “Process or Processing”, “Personal Data”, “Personal Data Breach”
4. Processing of Personal Data
4.1 The parties acknowledge and agree that, for the purpose of the Data Protection Laws and with regard to the Processing of Customer Personal Data, the Supplier is the Processor and the Customer is the Controller.
4.2 The Customer warrants and represents: (i) the transfer of Customer Personal Data to Supplier complies in all respects with Data Protection Laws (including without limitation in terms of its collection and use); and (ii) fair processing and all other appropriate notices have been provided to the Data Subjects of the Customer Personal Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities which may be undertaken by the Supplier and its Sub-processors in accordance with this Agreement;
4.3 The Supplier undertakes to Process Customer Personal Data only: (i) as needed to provide the Services; (ii) in accordance with written instructions from the Customer; and (iii) in accordance with the requirements of the Data Protection Laws.
4.4 The Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws. The Customer shall ensure that any instructions to the Supplier in relation to the Processing of Customer Personal Data comply with the Data Protection Laws.
4.5 The Customer’s instructions to the Supplier regarding the subject matter and duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are described in Annex A. For the avoidance of doubt, the parties acknowledge and agree that the Processing instructions set out in this DPA and Annex A constitute the complete set of instructions from the Customer to the Supplier as they apply.
4.6 The Supplier shall immediately notify the Customer if, in the Supplier’s reasonable opinion, any instruction given by the Customer is likely to infringe the Data Protection Laws.
4.7 The Supplier shall not process, transfer, modify, amend or alter the Customer Personal Data or disclose or permit to disclose the Customer Personal data to any third party outside of the instructions detailed within this DPA unless this is specifically authorised in writing by the Customer.
4.8 The Supplier’s personnel engaged in the Processing of Customer Personal Data shall be informed of the confidential nature of the Customer Personal Data and will receive appropriate training on their responsibilities. Such personnel shall be subject to appropriate confidentiality undertakings.
4.9 Taking into account the nature of Processing of Personal data in the Services provided, the Supplier shall as required by UK and EU GDPR Article 32, maintain appropriate technical and organisational measures, to ensure the security of Processing, including protection against unauthorised or unlawful Processing, and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Customer Personal Data. The parties acknowledge and agree that the security measures specified in this DPA and more specifically in Annex B constitute appropriate technical and organisational security measures to ensure a level of security appropriate to the risk.
4.10 The Supplier shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible and taking into account the nature of the Processing of the Customer Personal Data, in fulfilling the Customer’s compliance obligations under the Data Protection Laws, including in relation to Data Subject’s rights, data protection impact assessments (related to Customer’s use of MetaCompliance Services) and reporting to and consulting with supervisory authorities (in connection with a data protection impact assessment related to the MetaCompliance Services).
4.11 If Data Subjects, competent authorities or any other third parties request information from the Supplier regarding the Processing of Customer Personal Data, the Supplier shall refer such request to the Customer unless required otherwise to comply with the Data Protection Laws, in which case the Supplier shall provide prior notice to the Customer of such legal requirement, unless that law prohibits this disclosure on important grounds of public interest.
5. Sub-processors
5.1 The Customer acknowledges and agrees that the Supplier may, in connection with the provision of Services, engage Sub-Processors that may be affiliates of the Supplier and/or third parties as more specifically described in Annex C.
5.2 The Supplier shall not engage a new Sub-processor to Process the Customer Personal Data without a written contract with such Sub-processor which imposes on them equivalent data protection obligations as those set out in this DPA with respect to the protection of the Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-processor.
5.3 If the Supplier proposes to add to the number of Sub-processors engaged by it or to replace any of them, it shall inform the Customer in accordance with clause 5.5 below and the Customer shall have the opportunity to object to any such change on reasonable grounds.
5.4 In the event the Customer objects to a new Sub-processor, the Supplier will use reasonable efforts to make available to the Customer a change in Services or recommend a commercially reasonable change in Services to avoid Processing of the Customer Personal Data by the relevant new Sub-processor. If no alternative is possible, the parties have a right to terminate the Contract between them.
5.5 The Supplier shall inform the Customer of changes in the use of Sub-processors in writing with at least 30 days notice of such change and shall provide to the Customer an updated Annex C. The Supplier shall keep Annex C up-to-date.
5.6 The Supplier shall remain liable to the Customer for the performance of the Sub-processors’ obligations.
6. Data Transfers
6.1 In accordance with UK and EU GDPR Article 28(3)(a), the Supplier shall not, and shall not permit any Sub-processor to, transfer any Customer Personal Data outside the EEA or the UK (as applicable) without the prior consent of the Customer. For the avoidance of doubt, the Customer hereby consents to the transfer and processing of the Personal Data as specified in Annex A, as it applies.
6.2 The Supplier acknowledges that in accordance with the UK and EU GDPR, adequate protection for the Personal Data must exist after any transfer outside the UK or EEA (either directly or via onward transfer) and shall enter into an appropriate agreement with the Customer and/or any sub-processor to govern such a transfer. This will include the applicable Standard Contractual Clauses unless another adequacy mechanism for the Transfer exists.
7. Personal Data Breach
In the event of any Personal Data Breach involving the Customer Personal Data the Supplier shall:
7.1.1 Notify the Customer without undue delay to enable Customer to comply with UK and EU GDPR reporting obligations and to provide reasonable assistance to the Customer when it is required to communicate a Personal Data Breach to a Data Subject.
7.1.2 Use reasonable efforts to identify the cause of such Personal Data Breach and take those steps as the Supplier deems reasonably practicable in order to remediate the cause of such Personal Data Breach.
7.1.3 Subject to the terms of this DPA, provide reasonable assistance and cooperation as requested by the Customer, in the furtherance of any correction or remediation of any Personal Data Breach.
8. Records of Processing
8.1 To the extent applicable to the Supplier’s Processing for the Customer, the Supplier shall maintain all records required by Article 30(2) of the UK and EU GDPR and shall make them available to the Customer upon request.
9. Audit Rights
9.1 The Supplier shall, and shall procure that its Sub-Processors, make available to the Customer on request reasonable information necessary to demonstrate compliance with its data protection obligations under this DPA and shall allow for and contribute to audits, including inspection at its premises, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data, provided that any such auditor is not a competitor to the Supplier
10. Term
10.1 This DPA shall remain in full force and effect so long as:
10.1.1 The Contract remains in effect; or
10.1.2 The Supplier retains any Customer Personal Data in its possession or control.
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Contract in order to protect Customer Personal Data will remain in full force and effect.
11. Data Return and Destruction
11.1 The Supplier shall, at the Customer’s discretion and with any such request being provided by the Customer in writing, delete or return all the Customer Personal Data to the Customer after the end of the provision of Services relating to Processing, and delete existing copies unless applicable EEA or Member State law requires storage of the Customer Personal Data. If no written request is received from the Customer, the Supplier shall delete Customer Personal Data 90 days after the termination of the Contract.
11.2 On request by the Customer, the Supplier shall provide a written notice of the measures taken regarding the Customer Personal Data.
12. Indemnification
12.1 The Supplier agrees to indemnify the Customer against all direct costs, claims, damages or expenses incurred by the Customer due to any failure by the Supplier or its employees, sub-processors, subcontractors or agents to comply with any of its obligations under this DPA or the Data Protection Laws in accordance with Article 82 of UK and EU GDPR.
12.2 Notwithstanding anything to the contrary in this DPA or in the Contract (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
12.3 Subject to the obligations at law outlined in clause 12.1 and the limitations detailed in clause 12.2, the liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Contract. Any reference to any “limitation of liability” of a party in the Contract shall be interpreted to mean the aggregate liability of a party and all of its Subsidiaries and Affiliates under the Agreement and this DPA.
Annex A
Personal Data Processing Purposes and Details
Subject matter of processing
Details
Applies to:
Purpose
Policies, Knowledge Assessments
Privacy Surveys
Incident Reviews
Types of Personal Data
Categories of Data Subjects
Customer Employees, Contractors, Suppliers, Partners and/or Affiliates.
Processing operations
To communicate with Customer LMS and evaluate licence count.
Location of Processing operations
Retention requirements
| Subject matter of processing | Details | Applies to: |
|---|---|---|
|
Purpose |
System access System administration Delivery of system content according to modules subscribed to. See below:
|
All Customers |
|
|
Policies, Knowledge Assessments |
Customers subscribing to Policy modules (PolicyLite, MetaEngage and MetaPolicy)
|
|
|
eLearning, other Media |
Customers subscribing to Elearning modules (MetaLearning Fusion) |
|
|
Privacy Surveys |
Customers subscribing to MetaPrivacy module |
|
|
Incident Reviews |
Customers subscribing to MetaIncident module |
|
|
Simulated Phishing Campaigns |
Customers subscribing to MetaPhish |
|
|
SCORM transfer to Customer LMS |
Customers subscribing to SCORM transfer |
| Subject matter of processing | Details | Applies to: |
|---|---|---|
|
Types of Personal Data |
First Name, Last Name, E-mail Address, Department, Training Record |
All Customers |
|
|
Active Directory Organisation Unit (OU) |
Customers using Azure AD or on premise AD |
|
|
LMS ID |
Customers with subscriptions to SCORM transfer |
|
Categories of Data Subjects |
Customer Employees, Contractors, Suppliers, Partners and/or Affiliates. |
All Customers in accordance with the Data Subject data provided to Supplier. Customer can limit this depending on their intended use of the Services. |
| Subject matter of processing | Details | Applies to: |
|---|---|---|
|
Processing operations |
Processing and storage of Customer Personal Data in order to set up and maintain Authorised Users accounts on the MyCompliance platform. Distribution of various notification emails initiated by the MetaCompliance MyCompliance system.
|
All Customers |
|
|
Distribution of simulated phishing emails specified initiated by the Customer via the MetaCompliance MyCompliance platform. |
Customers subscribing to MetaPhish module
|
|
|
Storage of Personal Data where it is input by the customer via the MetaCompliance MetaPrivacy module. |
Customers subscribing to MetaPrivacy module |
|
Categories of Data Subjects |
Storage of Personal Data where it is input by the customer via the MetaCompliance MetaPrivacy module. |
Customers subscribing to SCORM transfer |
| Subject matter of processing | Details | Applies to: |
|---|---|---|
|
Location of Processing operations |
United Kingdom (MetaCompliance) Ireland (MetaCompliance, Microsoft Azure, AWS Europe). AWS Europe is a transactional email provider which will be used dependent upon Customer location – see Annex C. Holland (Microsoft Azure) U.S.A (Twilio for Sendgrid Services – transactional email provider option based on Customer location – see Annex C) |
All Customers as applicable. Please refer to Annex C for further details. |
|
Retention requirements |
When a Customer subscription has expired or is terminated, all associated Customer Personal Data is held for 90 days before it is actually deleted in order to recover from accidental subscription cancellation. |
All Customers
|
Annex B
Security Arrangements
The Supplier shall, in order to assist the Customer to fulfil its legal obligations including but not limited to; security measures and privacy risk assessments, be obliged to take appropriate technical and organisational measures to protect the Customer Personal Data which is Processed. The measures shall at least result in a level of security which is appropriate taking into consideration:
(a) existing technical possibilities;
(b) the costs for carrying out the measures;
(c) the particular risks associated with the Processing of Customer Personal Data; and
(d) the sensitivity of the Customer Personal Data which is Processed.
The Supplier shall maintain adequate security for the Customer Personal Data. The Supplier shall protect the Customer Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Customer Personal Data shall also be protected against all other forms of unlawful Processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organisational measures to be implemented by Supplier shall include as appropriate:
(a) the pseudonymisation and encryption of Customer Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Customer Personal Data;
(c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
Further to the technical and organisational measures mentioned above, the Supplier shall implement the following measures:
(a) physical access protection whereby computer equipment and removable data containing Customer Personal Data at the Supplier’s premises shall be locked up when not under supervision in order to protect against unauthorised use, impact and theft.
(b) a process for testing read back after Customer Personal Data has been restored from backup copies.
(c) authorisation control whereby the Supplier’s access to the Customer Personal Data is managed through a technical system from authorisation control. Authorisation shall be restricted to those who need the Customer Personal Data for their work. User IDs and passwords shall be personal and may not be transferred to anyone else. There shall be procedures for allocating and removing authorisations.
(d) keep records of who has access to the Customer Personal Data.
(e) secure communication whereby external data communication connections shall be protected using technical functions ensuring that the connection is authorised as well as content encryption for data in transit in communication channels outside systems controlled by the Supplier.
(f) a process for ensuring secure data destruction when fixed or removable storage media shall no longer be used for their purpose.
(g) routines for entering into confidentiality agreements with suppliers providing repair and service of equipment used to store Customer Personal Data.
(h) routines for supervising the service performed by suppliers at the premises of the Supplier. Storage media containing the Customer Personal Data shall be removed if supervision is not possible.
Annex C
Approved Sub-Processors
Sub-Processor
Location
Applies to:
Holland
Dublin
| Sub-Processor | Location | Applies to: |
|---|---|---|
|
Microsoft Azure (Hosts the Services in the Cloud) |
Holland |
All Customers |
|
AWS Europe (transactional email provider) |
Dublin |
All Customers based in the U.K or EEA countires. |
|
Twilio for Sendgrid Services (transactional email provider) |
USA |
All Customers based outside of the U.K or EEA countries |
Customer will only utilise one transactional email provider as dictated by the address provided at the time of contracting unless they submit a written request to change provider.
All Customers who contracted with MetaCompliance prior to 1st May 2022 who do not have a signed DPA in place will be using the transactional email services of Twilio for Sendgrid Services. Please contact your Customer Success Manager should you wish to use the services of AWS Europe.