Last Updated: 21st May 2018
1.1.
In the event that Brisqq Ltd. ("Brisqq", "we", "us", "our") Processes Client Personal Data (each as defined below) in its performance of the Agreement, and (i) the Client Personal Data relates to Data Subjects (as defined below) located in the EEA (as defined below), or (ii) the Client is established in the EEA, this Data Processing Addendum (the "DPA") applies to the Processing of such Client Personal Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
1.2.
Brisqq and the Client shall comply with all applicable requirements of the Data Protection Laws (as defined below). This DPA is in addition to, and does not relieve, remove or replace, Brisqq's or the Client's obligations under the Data Protection Laws.
2.1.
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following capitalised terms used in this DPA shall be defined as follows:
(a) "Agreement" means the agreement between the Client and Brisqq comprising the Terms of Service (and, where applicable, the Order Form) for the provision of the Brisqq Service and, if applicable, the Integration Services;
(b) "Client" or "you" means a customer of Brisqq that has created an Account to use the Brisqq Service;
(c) "Client Personal Data" means the "personal data" (as defined in the GDPR) described in ANNEX 1 and any other personal data that Brisqq processes on behalf of the Client in connection with Brisqq's provision of the Brisqq Service;
(d) "Controller" has the meaning given in the GDPR;
(e) "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and any applicable national implementing legislation, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Client Personal Data, in each case as amended, replaced, or superseded from time to time;
(f) "Data Subject" has the meaning given in the GDPR;
(g) "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
(h) "Processing" has the meaning given in the GDPR, and "Process" shall be interpreted accordingly;
(i) "Processor" has the meaning given in the GDPR;
(j) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Client Personal Data;
(k) "Standard Contractual Clauses" means the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply);
(l) "Subprocessor" means any Processor engaged by Brisqq that agrees to receive from Brisqq and Process any Client Personal Data; and
(m) "Supervisory Authority" has the meaning given in the GDPR.
3.1.
Instructions for Data Processing. Brisqq will only Process Client Personal Data in accordance with the Client's written instructions, unless Processing is required by European Union or Member State law to which Brisqq is subject, in which case Brisqq shall, to the extent permitted by European Union or Member State law, inform the Client of that legal requirement before Processing that Client Personal Data. The Agreement (including this DPA) shall be the Client's complete and final instructions to Brisqq in relation to the Processing of Client Personal Data.
3.2.
Processing outside the scope of the Agreement (including this DPA) will require prior written agreement between the Client and Brisqq on additional instructions for Processing.
3.3.
Required consents. Where required by applicable Data Protection Laws, the Client will ensure that it has obtained/will obtain all necessary consents, and has provided/will provide all necessary notifications, for the Processing of Client Personal Data by Brisqq in accordance with the Agreement.
4.1.
Authorised Subprocessors. The Client agrees that Brisqq may use the following service providers as Subprocessors to Process Client Personal Data:
(a) Amazon Web Services, Inc.
(b) GoCardless Ltd.
(c) Google, Inc.
(d) Inspectlet, Inc.
(e) LogRocket, Inc.
(f) Mixpanel, Inc.
(g) MongoDB, Inc.
(h) OneSignal, Inc.
(i) Rollbar, Inc.
(j) SendGrid, Inc.
(k) Stripe Payments UK Ltd
(l) Xero Limited
(m) Zendesk Inc.
4.2.
The Client agrees that Brisqq may use subcontractors to fulfil its contractual obligations under the Agreement. Brisqq shall notify the Client from time to time of the identity of any Subprocessor it engages. If the Client (acting reasonably) does not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, the Client may request that Brisqq moves the Client Personal Data to another Subprocessor and Brisqq shall, within a reasonable time following receipt of such request, use all reasonable endeavours to ensure that the Subprocessor does not Process any of the Client Personal Data.
4.3.
Save as set out in clauses 4.1 and 4.2, Brisqq shall not permit, allow or otherwise facilitate Subprocessors to Process Client Personal Data without the prior written consent of the Client, and unless Brisqq enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regards to their Processing of Client Personal Data as are imposed on Brisqq under this DPA.
4.4.
Liability of Subprocessors. Brisqq shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Client for the acts and omissions of any Subprocessor approved by the Client as if they were the acts and omissions of Brisqq.
4.5.
Transfers of Personal Data. To the extent that the Processing of Client Personal Data by Brisqq involves the export of such Client Personal Data to a third party to a country or territory outside the EEA, other than (i) a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of personal data as determined by the European Commission, or (ii) where the third party is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission, such export shall be governed by the Standard Contractual Clauses between the Client as exporter and such third party as importer. For this purpose, the Client appoints Brisqq as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Client on its behalf for this purpose.
4.6.
In the event of any conflict between any terms and conditions of the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
5.1.
Brisqq Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Brisqq shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in ANNEX 2.
5.2.
Security Audits. The Client may, upon reasonable notice, audit (by itself or using independent third party auditors) Brisqq's compliance with the security measures set out in this DPA (including the technical and organisational measures as set out in ANNEX 2), including by conducting audits of Brisqq's data processing facilities. Upon request by the Client, Brisqq shall make available all information reasonably necessary to demonstrate compliance with this DPA.
5.3.
Security Incident Notification. If Brisqq or any Subprocessor becomes aware of a Security Incident, Brisqq will (a) without undue delay, and in any event within 72 hours of becoming aware of the Security Incident, notify the Client of the Security Incident, (b) investigate the Security Incident and provide such reasonable assistance to the Client (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
5.4.
Brisqq Employees and Personnel. Brisqq shall treat the Client Personal Data as the Confidential Information of the Client, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Client Personal Data.
6.1.
Data Subject Requests. Save as required (or where prohibited) under applicable law, Brisqq shall notify the Client of any request received by Brisqq or any Subprocessor from a Data Subject in respect of their personal data included in the Client Personal Data, and shall not respond to the Data Subject.
6.2.
Brisqq shall provide the Client with the ability to correct, delete, block, access, or copy the Client Personal Data in accordance with the functionality of the Brisqq Service.
6.3.
Government Disclosure. Brisqq shall notify the Client of any request for the disclosure of Client Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6.4.
Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Brisqq shall use all reasonable endeavours to assist the Client by implementing any other appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to requests for exercising Data Subject rights laid down in the GDPR.
7.1.
To the extent required under applicable Data Protection Laws, Brisqq shall provide reasonable assistance to the Client with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Client, in each case solely in relation to Processing of Client Personal Data and taking into account the nature of the Processing and information available to Brisqq.
8.1.
Deletion of data. Subject to clauses 8.2 and 8.3 below, Brisqq shall, within ninety (90) days of the date of termination of the Agreement:
(a) return a complete copy of all Client Personal Data by secure file transfer in such a format as notified by the Client to Brisqq; and
(b) delete and use all reasonable efforts to procure the deletion of all other copies of Client Personal Data Processed by Brisqq or any Subprocessors.
8.2.
Subject to clause 8.3 below, the Client may in its absolute discretion notify Brisqq in writing within thirty (30) days of the date of termination of the Agreement to require Brisqq to delete and procure the deletion of all copies of Client Personal Data Processed by Brisqq. Brisqq shall, within ninety (90) days of the date of termination of the Agreement:
(a) comply with any such written request; and
(b) use all reasonable endeavours to procure that its Subprocessors delete all Client Personal Data Processed by such Subprocessors,
and, where this clause 8.2 applies, Brisqq shall not be required to provide a copy of the Client Personal Data to the Client.
8.3.
Brisqq and its Subprocessors may retain Client Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Brisqq shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
This ANNEX 1 includes certain details of the processing of Client Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Client Personal Data
The subject matter and the duration of the Processing of the Client Personal Data are set out in the Agreement (including this DPA).
The nature and purpose of the Processing of Client Personal Data
The Client Personal Data will be subject to the following basic Processing activities: transmitting, collecting, storing, and analysing data in order to provide the Brisqq Service to the Client, and any other activities related to the provision of the Brisqq Service or as specified in the Agreement.
The types of Client Personal Data to be Processed
The types of Client Personal Data to be Processed concern the following categories of data: names of Client personnel and of end users of services of the Client; contact information (including email addresses and telephone numbers) of Client personnel and of end users of services of the Client; residential and commercial addresses of end users of services of the Client; online identifiers of end users of services of the Client and of visitors to the Client's websites and mobile applications.
The categories of Data Subject to whom the Client Personal Data relates
The categories of Data Subject to whom the Client Personal Data relates concern: employees and other personnel of the Client; end users of the services of the Client; visitors to the Client's websites and mobile applications.
The obligations and rights of the Client
The obligations and rights of the Client are as set out in the Agreement (including this DPA).
1. Brisqq maintains, and shall procure that its Subprocessors maintain, internal policies and procedures which are designed to:
(a) secure any Client Personal Data Processed by Brisqq against accidental or unlawful loss, access or disclosure;
(b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Client Personal Data Processed by Brisqq;
(c) minimise security risks, including through risk assessment and regular testing.
2. Brisqq will, and will use reasonable efforts to procure that its Subprocessors will, conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards and its policies and procedures.
3. Brisqq will, and will use reasonable efforts to procure that its Subprocessors will, periodically evaluate the security of its network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.