Data Protection Addendum
Forming part of and incorporated into the Engagement between you and Cultiv8tiv.The Engagement comprises both the Order and the Terms and Conditions.
This Data Protection Addendum sets out the provisions that will govern the processing of personal data by the parties to the Engagement and its provisions take precedence over every other term in the Engagement unless expressly stated otherwise.
1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Engagement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:
|
Appropriate Safeguards |
means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time; |
|
Controller |
has the meaning given to that term in Data Protection Legislation; |
|
Data Protection Legislation |
means the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); |
|
Data Protection Losses |
means all liabilities, including all: a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and b) to the extent permitted by Data Protection Legislation: i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and iii) the reasonable costs of compliance with investigations by a Supervisory Authority; |
|
Data Subject |
has the meaning given to that term in Data Protection Legislation; |
|
Data Subject Request |
means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation; |
|
GDPR |
means the General Data Protection Regulation, Regulation (EU and UK) 2016/679; |
|
International Recipient |
means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without your prior written authorisation; |
|
List of Sub-Processors |
means the latest version of the list of Sub-Processors used by Cultiv8tiv, as updated from time to time; |
|
Onward Transfer |
means a Transfer from one International Recipient to another International Recipient; |
|
Personal Data |
has the meaning given to that term in Data Protection Legislation; |
|
Personal Data Breach Personnel
Privacy Policy |
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
means any employee, officer, agent, consultant, auditor, subcontractor, Sub-Processor or other third party acting on behalf of Cultiv8tiv in connection with the provision of the Services; means Cultiv8tiv’s privacy policy in relation to the Services (as updated from time to time), the latest version is available at https://cultiv8tiv.com/privacy-policy |
|
Processing |
has the meaning given to that term in Data Protection Legislation (and related terms such as process have corresponding meanings); |
|
Processing Instructions |
has the meaning given to that term in paragraph 3.1.1; |
|
Processor |
has the meaning given to that term in Data Protection Legislation; |
|
Protected Data |
means Personal Data in Your Data; |
|
Sub-Processor |
means another Processor engaged by Cultiv8tiv for carrying out processing activities in respect of the Protected Data on your behalf; |
|
Supervisory Authority |
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation; |
|
Transfer |
bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR. Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as Transfers, Transferred and Transferring shall be construed accordingly; |
|
UK Data Protection Legislation |
all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; |
|
Your Data |
means all data (in any form) that is processed in the course of using or providing the Services and includes any copies included in back-ups made by or on behalf of Cultiv8tiv. |
1.2 The Annexes form part of this Data Protection Addendum and will have effect as if set out in full in the body of this Data Protection Addendum. Any reference to this Data Protection Addendum includes the Annexes.
1.3 In the case of conflict or ambiguity between:
1.3.1 any provision contained in the body of this Data Protection Addendum and any provision contained in the Annexes, the provision in the body of this Data Protection Addendum will prevail;
1.3.2 the terms of any accompanying documents annexed to this Data Protection Addendum and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
1.3.3 any of the provisions of this Data Protection Addendum and the provisions of the Engagement, the provisions of this Data Protection Addendum will prevail.
2. Processor and Controller
2.1 The parties agree that, for the Protected Data, you shall be the Controller and Cultiv8tiv shall be the Processor. Nothing in our Engagement relieves you of any responsibilities or liabilities under any Data Protection Legislation.
2.2 To the extent the you are not sole Controller of any Protected Data you warrant that you have full authority and authorisation of all relevant Controllers to instruct Cultiv8tiv to process the Protected Data in accordance with our Engagement.
2.3 You shall ensure (and are exclusively responsible for) the accuracy, quality, integrity and legality of Your Data and that its use (including use in connection with the Services) complies with all Data Protection Legislation and intellectual property rights.
2.4 Cultiv8tiv shall process the Protected Data in compliance with:
2.4.1 the obligations of Processors under Data Protection Legislation in respect of the performance of its and their obligations under our Engagement; and
2.4.2 the Terms and Conditions of our Engagement.
2.5 You shall ensure that your employees and other permitted third parties (as applicable), shall at all times comply with:
2.5.1 all Data Protection Legislation in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of your respective rights and obligations under our Engagement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Legislation; and
2.5.2 the Terms and Conditions of our Engagement.
2.6 You warrant, represent and undertake, that at all times:
2.6.1 all Protected Data (if processed in accordance with our Engagement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Legislation;
2.6.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Legislation in connection with all processing activities in respect of the Protected Data which may be undertaken by Cultiv8tiv and our Sub-Processors in accordance with our Engagement;
2.6.3 the Protected Data is accurate and up to date;
2.6.4 you shall establish and maintain adequate security measures to safeguard the Protected Data in your possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure); and
2.6.5 all instructions given by you to Cultiv8tiv in respect of Personal Data shall at all times be in accordance with Data Protection Legislation.
3. Instructions and details of processing
3.1 Insofar as Cultiv8tiv processes Protected Data on your behalf, Cultiv8tiv:
3.1.1 unless required to do otherwise by Data Protection Legislation, shall (and shall take steps to ensure each person acting under our authority shall) process the Protected Data only on and in accordance with your documented instructions as set out in this paragraph 3.1 and paragraph 3.3 (including when making a Transfer of Protected Data to any International Recipient), as updated from time to time (Processing Instructions); and
3.1.2 if Data Protection Legislation requires us to process Protected Data other than in accordance with the Processing Instructions, we shall notify you of any such requirement before processing the Protected Data (unless Data Protection Legislation prohibits such information on important grounds of public interest).
3.2 You shall be responsible for ensuring all your employees and other permitted third parties (as applicable) read and understand the Privacy Policy.
3.3 Subject to the order form the processing of the Protected Data by Cultiv8tiv under our Engagement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Annex 1.
4. Technical and organisational measures
4.1 Taking into account the nature of the processing, Cultiv8tiv shall implement and maintain technical and organisational measures:
4.1.1 in relation to the processing of Protected Data by Cultiv8tiv, as set out in Annex 2 (Data Security Measures); and
4.1.2 subject to paragraph 6.1, to assist you insofar as is possible (taking into account the nature of the processing) in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data. We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.
5. Using staff and other Processors
5.1 You authorise Cultiv8tiv to appoint Amazon Web Services EMEA SARL as a Sub-Processor.
5.2 Cultiv8tiv shall:
5.2.1 prior to a relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, Cultiv8tiv will appoint each Sub-Processor under a written contract that complies with Data Protection Legislation; and
5.2.1 remain fully liable for all the acts and omissions of each Sub-Processor as if they were Cultiv8tiv’s own.
6. Assistance with compliance and Data Subject rights
6.1 Cultiv8tiv shall refer all Data Subject Requests we receive to you without undue delay.
6.2 Cultiv8tiv shall provide such assistance as you reasonably require (taking into account the nature of processing and the information available to us) to you in ensuring compliance with your obligations under Data Protection Laws with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Legislation);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.
6.3 We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.
7. International data Transfers
7.1 Subject to paragraphs 7.2 and 7.4, Cultiv8tiv shall not Transfer any Protected Data:
7.1.1 from any country to any other country; and/or
7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without your prior written authorisation except where we are required to Transfer the Protected Data by the Data Protection Legislation (and shall inform you of that legal requirement before the Transfer, unless those laws prevent it doing so).
7.2 You hereby authorise us to Transfer any Protected Data for to any International Recipient(s), provided all Transfers by us of Protected Data to an International Recipient (and any Onward Transfer) shall be (to the extent required under Data Protection Laws) effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Data Protection Addendum shall constitute your instructions with respect to Transfers in accordance with paragraph 3.1.1.
7.3 You acknowledge and accept that access and use of the Services by your authorised users may occur outside the EEA and, in such circumstances, the Protected Data may be viewed outside the EEA by the relevant user. Cultiv8tiv will not be in breach of paragraph 7.1 and paragraph 7.2 in such circumstances.
8. Information and audit
8.1 Cultiv8tiv shall maintain, in accordance with Data Protection Legislation, written records of all categories of processing activities carried out on your behalf.
8.2 On request, Cultiv8tiv shall provide you (or auditors mandated by you) with a copy of the third party certifications and audits to the extent made generally available to our customers. Such information shall be confidential to us and you shall maintain the confidentiality of such information and shall not without our prior written consent, disclose, copy or modify the information (or permit others to do so) other than that as is necessary for the performance of your express rights and obligations under our Engagement.
9. Breach notification
9.1 In respect of any Personal Data Breach involving Protected Data, Cultiv8tiv shall, without undue delay (and in any event within 72 hours):
9.1.1 notify you of the Personal Data Breach; and
9.1.2 provide you with details of the Personal Data Breach.
10. Deletion of Protected Data and copies
10.1 Following the end of the provision of the Services (or any part) relating to the processing of an Assessment Cultiv8tiv will delete Your Employee's names and e-mails (normally within one month).
11. Compensation and claims
11.1 Cultiv8tiv shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Engagement:
11.1.1 only to the extent caused by the processing of Protected Data under our Terms and Conditions and directly resulting from our breach of our Engagement;
11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Engagement by you (including in accordance with paragraph 3.1.3 (b)); and
11.1.3 any liability under this paragraph 11 (Compensation and claims) shall be subject to the limits of liability set out in the Terms and Conditions (Clause I Disclaimer and Limitation of Liability).
11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Engagement or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
11.2.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
11.2.2 consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under our Engagement for paying the compensation.
11.3 The parties agree that you shall not be entitled to claim back from us any part of any compensation paid by you in respect of such damage to the extent that you are liable to indemnify or otherwise compensate us in accordance with our Engagement.
11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Legislation to the contrary, except:
11.4.1 to the extent not permitted by Data Protection Legislation; and
11.4.2 that it does not affect the liability of either party to any Data Subject.
ANNEX 1
DATA PROCESSING DETAILS
Subject-matter of processing:
You have appointed Cultiv8tiv to provide certain Services. To facilitate the provision of these, Cultiv8tiv will need to Process Protected Data in respect of which you are the Controller.
Duration of the processing:
The processing will continue for the term of the Engagement (as the same may be terminated and/or extended in accordance with the Terms and Conditions of the Engagement).
Nature and purpose of the processing:
Protected Data will be Processed for the purpose of providing the Services to you in accordance with the Terms and Conditions of the Engagement.
Type of Personal Data:
The nature of our application is to summarise and analyse employee responses to survey questions. Employee responses are anonymised before they are sent to our AI Module for processing.
Categories of Data Subjects:
The provision of the Services may involve the Processing of Personal Data about any or all of the following Data Subjects:
- Your Employees acting as System Administrators
- Your Employees acting as participants
ANNEX 2
DATA SECURITY MEASURES
- Knowledge and resources. Cultiv8tiv will ensure that it has the appropriate knowledge to Process Your Data and has the necessary resources to implement the technical and organisational measures required under this Addendum.
- Security of Your Data. Cultiv8tiv will implement and maintain the following technical and organisational measures when Processing Your Data and you have determined and are satisfied that:
- a) these are sufficient to ensure compliance with the Data Protection Laws and the protection of the rights of data subjects; and
- b) they take into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Data when it is transmitted, stored or otherwise Processed.
Security measure and Details of the measure
Compliance framework
We have internal policies and procedures that are kept under review, a designated privacy officer and external specialist data protection advisers to support our compliance.
Training
All relevant personnel are trained to understand data protection and to apply its principles within their roles.
Firewalls
Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used.
Anti virus
All of the servers we manage have antivirus and malware scanners installed and have updates applied frequently.
Encryption
Data in transit is always encrypted to a minimum standard of 256 bit
Access controls
We provide:
– email / password
– strong passwords
Data partitioning
Each client’s data is logically separated from that of other clients in our databases.
Access limitations
Your Data is only accessible by a small number of personnel in our development team on a ‘need to know’ basis.
Resilience
Our infrastructure is designed to be resilient. Our main database is ‘highly available’ such that, if one server goes offline, the other servers will pick up the work and contain replica data to ensure there is no downtime.
All servers that serve our application are load balanced and can distribute load/requests to at least 3 servers.
Monitoring
We perform daily port scanning on public IP addresses to ensure there are no unexpected changes. Configuration management is dealt with by scripts which are kept and managed in our private version control system.
Security testing
Our entire application is scanned by external technically skilled individuals to try to break, gain unsolicited access to, and “hack” our systems in a safe way in order to find flaws or potential weaknesses in our platform.
We have some continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly and use software to log and track these with a combination of active checks and, for back-ups, passive checks. Team members are alerted if an expected behaviour has not executed as expected.
Critical events
Our code is written to log any critical events for our developers to address.
Back-ups
Our databases are backed-up continuously. Whilst our main datastore holds replicas of data at all times, we also run our other databases with duplicate data in them ready to swap over should the need arise.
Multiple snapshots of the entire database are taken daily and they are stored on a separate server from the one that holds live data.
From these various back-ups, we are able to restore the entire database in the event of a physical or technical incident in a timely manner.
Disaster recovery
We maintain a disaster recovery plan to test our disaster recovery which is tested at least annually.
Secure hosting
We currently use leading third parties to provide hosting services. They have all been vetted and authorised by a designated approver within Cultiv8tiv as part of our supplier on-boarding process and we have written contracts with each of them incorporating appropriate data protection provisions to protect your personal data.
Other Measures
If we agree any alternative or additional measures in writing specifically referring to this Annex 2 of the Data Protection Addendum, we will implement and maintain these accordingly