Data Processing Addendum

This Data Processing Addendum (this “Addendum”) supplements and forms part of the terms and conditions between the Customer and the Provider (the “Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as at the Effective Date of the Agreement and will remain in effect until termination of the Agreement; or the last Processing of Customer Personal Data carried out by or on behalf of the Customer under the Agreement.

1. Definitions

In this Addendum, the following words and expressions have the following meanings:

“Customer Personal Data” means Personal Data Processed by the Provider as Processor on behalf of the Customer pursuant to the performance of the Agreement.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Supervisory Authority”  and “Processing” all have the meanings given to those terms in Data Protection Laws (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings); and

“Data Protection Laws” means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under this Agreement, including without limitation, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the Data Protection Act 2018, and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time.

“Sub-Processor” means another Processor engaged by the Provider for carrying out Processing activities in respect of Customer Personal Data.

2. Data Processing Details and Compliance

2.1. The Parties acknowledge that in respect of Customer Personal Data, the Provider is a Processor Processing Personal Data on behalf of the Customer as Controller. Each Party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.

2.2. Details of Customer Personal Data Processed by Provider under this Agreement are as follows:

a. Subject Matter, Nature and Purpose of Processing. The Provider’s provision of the Services under this Agreement. In particular, providing the Customer with access to the Provider’s customer service platform.

b. Duration of Processing. Processing of Customer Personal Data by the Provider shall be for the term of this Agreement and in accordance with the Provider’s retention obligations under this Agreement and Addendum, provided that Customer Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).

c. Personal Data in Scope. Names, Communication details (Email, etc.), Contact details, Job role; Login data; Profile image; Technical details (Device information, IP addresses, cookies, etc.); Customer service-related data (such as not but not limited to account information, order information, subscriptions, chat and email messages); and

d. Category of Data Subjects. Customer’s end customers; Customer personnel (employee, contractors, etc) and Customer associated parties.

3. Data Processing Instructions

3.1 The Provider shall Process Customer Personal Data only on the written instructions of the Customer (including as set out in this Agreement) unless the Provider is required to otherwise Process Customer Personal Data by applicable laws. The Provider is hereby instructed to Process Customer Personal Data for the purposes of providing the Services. In the event the Provider is required by applicable laws to Process Customer Personal Data other than in accordance with the Customer’s instructions, prior to any such Processing and to the extent permitted by applicable laws, the Provider shall notify the Customer in writing of that legal requirement prior to Processing Customer Personal Data.

3.2 The Provider shall promptly inform the Customer if the Provider becomes aware of a written instruction given by the Customer under this Clause 3 that, in the Provider’s reasonable opinion, infringes Data Protection Laws.

4. Provider Personnel and Sub-Processors

4.1 The Provider shall ensure that all Provider personnel authorised to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.

4.2 The Customer authorises the Provider to engage (including the disclosure of Customer Personal Data under this Agreement to such Sub-Processors):

a. the Sub-Processors included in the Sub-Processor list provided to the Customer and set out in our Sub Processor List at plain.com/legal/subprocessors (“Sub-Processor List”); and

b. the Sub-Processors engaged in accordance with Clause 4.3 of this Addendum.

4.3 Where the Provider intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, the Provider shall notify the Customer of the proposed engagement of the Sub-Processor (and provide such information regarding the proposed Sub-Processor as the Customer may reasonably require) giving the Customer the opportunity to object. If the Customer does not make a reasonable objection to the proposed engagement within 14 days of the Provider providing notice to the Customer under this Clause, the Customer is deemed to have authorised the engagement of such Sub-Processor. The Provider shall keep the Sub-Processor List updated.

4.4 Where the Customer raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with Clause 4.3 of this Addendum, the Provider may, at its option:

a. use its reasonable endeavours to remedy the situation giving rise to the reasonable objection; or

b. propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Clause 4.3 of this Addendum,

provided that, in the event that the Provider is unable to remedy the situation in accordance with Clause 4.4(a) of this Addendum and no alternative Sub-Processor is proposed in accordance with clause 4.4(b) of this Addendum, then the Provider shall be entitled to terminate the Agreement without penalty or liability effective immediately on written notice to the Customer and the Customer shall pay the Provider any fees due for the Services performed prior to termination.

4.5 The Provider shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data, the Sub-Processor has entered into a binding written agreement with the Provider that imposes obligations substantially equivalent to the obligations imposed on the Provider as a Processor under this Agreement. The Provider shall remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations concerning Customer Personal Data in the event the Sub-Processor fails to fulfil those obligations.

5. Transfers

5.1 The Provider shall not transfer Customer Personal Data to any party in a country not deemed adequate for the transfer of Personal Data by the European Commission (for transfer concerning the EEA) and the equivalent UK authority (for transfers concerning the UK), including permitting access to Customer Personal Data from any party in such countries, without the prior written consent of the Customer, unless:

a. the transfer/access is to a Sub-Processor included in the Sub-Processor List or appointed in accordance with Clause 4 of this Addendum; and

b. the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).

6. Security and Personal Data Breach Notification

6.1 The Provider shall implement and maintain appropriate technical and organisational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

6.2 The Provider shall notify the Customer without undue delay on becoming aware of a Personal Data Breach and provide the Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, these details shall include:

a. the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned

b. the name and contact details of the data protection officer or other contact point of the Provider, where more information can be obtained

c. description of the likely consequences of the Personal Data Breach; and

d. description of the remedial actions taken or proposed to be taken to mitigate the effects and minimise any damage resulting from the Personal Data Breach.

7. Assistance

7.1 To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to the Provider), the Provider shall promptly provide the Customer with reasonable assistance:

a. using appropriate technical and organisational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;

b. to enable the Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Customer is required to do so under Data Protection Laws, in connection with data protection impact assessments; and

c. in complying with its obligation to implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data.

8. Deletion or Return of Data

8.1 The Provider shall, at the choice of the Customer delete or return all Customer Personal Data to the Customer once Processing by the Provider of any Customer Personal Data is no longer required for the purposes of this Agreement, and delete all existing copies unless required by applicable laws to store Customer Personal Data.

9. Information Requests and Audits

9.1 The Provider shall, on request from the Customer, make available to the Customer all information necessary to demonstrate the Provider’s compliance with its obligations under this Agreement. The Provider shall allow for audits (including inspections) conducted by the Customer or the Customer’s designated auditor on reasonable prior written notice, for the purpose of demonstrating the Provider’s compliance with its obligations under this Agreement. For the avoidance of doubt such audits shall be limited to once per calendar year. Any additional audit under this Clause 9.1 (in excess of the once per calendar year limitation) shall be at the cost of the Customer, and the Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 9.1.

9.2 The Provider’s obligations under Clause 9.1 of this Addendum are subject to the Customer:

a. giving the Provider reasonable prior notice of such information requests, audits and/or inspections being required by the Customer;

b. ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and

c. ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to the Provider’s business and the business of other customers of the Provider.

Last updated: November 2023