These are the processor terms under which Bequeathed Limited (company number 10960116), whose registered office is at West End Farmhouse, Long Marston Road, Cheddington, LU7 0RS, telephone 020 3411 9730 and e-mail [email protected] agrees to process certain personal data that registered users of Bequeathed (as defined in Terms of Business enter or create in the course of using the drafting tool on Bequeathed (Agreement).
In this Agreement we refer to ourselves as the Processor and to each registered user for whom we are processing personal data as the Controller (and related expressions must be interpreted accordingly).
In consideration for the Processor processing Relevant Personal Data (as defined below), and for other consideration the sufficiency of which is acknowledged by the Processor, the Processor shall process Relevant Personal Data in accordance with this Agreement.
1.1 In this Agreement, capitalised expressions in the Terms of Business and the body of this Agreement have the meanings given to them, and the following additional definitions apply:
Cloud Services means services supporting the Website, including by way of platform-as-a-service or infrastructure-as-a-service (as those expressions are defined by The National Institute of Standards and Technology in the USA or any replacement body).
Data Protection Regulations means applicable law and regulation relating to data protection and information privacy.
Data Protection Termination Event means any of the following, namely: (i) the Controller does not consent to the appointment of any sub-contractor under this Agreement; (ii) an instruction from the Controller is necessary to enable the Controller to meet mandatory legal requirements and a Sub-processor is not able to accommodate the requested changes, or (iii) the Processor cannot comply with this Agreement in relation to the processing of Relevant Personal Data due to terms having effect between the Processor and its Sub-processors.
Purpose means the storage of Relevant Personal Data for the Controller’s own purposes.
Relevant Personal Data means the Controller’s answers to questions posed by the drafting tool of Bequeathed and the Will generated by the drafting tool in response to those answers.
Relevant Personnel means representatives and personnel of the Processor who have access to Relevant Personal Data.
Sub-processor means any company, partnership or other entity authorised by the Processor in accordance with this Agreement to process Relevant Personal Data, including a sub-contractor of the Processor and any other third-party which is a party to a contract under which such processing is authorised to take place.
1.2 In this Agreement references to words and phrases that are defined in Data Protection Regulations have the meaning in the Data Protection Regulations, including personal data, processing, disclosure, data controller, controller, and data processor and processor, and processor is synonymous with data processor, and controller is synonymous with data controller.
This Agreement applies to the processing of Relevant Personal Data by the Processor as the processor of the Controller.
3. Return or destruction of personal data
4. DOCUMENTED INSTRUCTIONS
4.1 Subject to paragraph 4.4, the Processor shall, and shall procure that any person doing so under the authority of the Processor shall, process Relevant Personal Data in accordance with documented instructions from the Controller only, and shall comply promptly with all such instructions or directions received by it from the Controller; all processing of Relevant Personal Data in accordance with this Agreement shall be deemed to be pursuant to those instructions.
4.2 The Processor shall inform the Controller if, in the Processor’s opinion, any of the Controller’s instructions would breach Data Protection Regulations having regard to the information then available to the Processor.
4.3 The Controller acknowledges that, in order to make available Bequeathed and process Relevant Personal Data, the Processor shall rely on Cloud Services; accordingly, the Controller authorises the following persons to process Relevant Personal Data under this Agreement:
4.3.1 the Processor;
4.3.2 Relevant Personnel; and
4.3.3 sub-contractors of the Processor and any other company, partnership or other entity which may, under authority conferred directly or indirectly by the Processor as the Controller’s processor, process Relevant Personal Data in the course of the provision of Cloud Services.
4.4 Paragraph 4.1 does not apply in respect of any processing which the Processor or any person doing so under the authority of the Processor, including a Sub-processor, is obliged to perform under applicable law or regulation, provided that reasonable prior notice of the law or regulation in question is given to the Controller by the Processor except where and to the extent applicable law or regulation prevents or restricts the giving of notice.
5. ORGANISATIONAL AND TECHNICAL MEASURES
5.1 The Processor shall establish and maintain appropriate technical and organisational measures against accidental, unauthorised or unlawful processing of, access to, loss of, or damage to Relevant Personal Data (any such event being a Data Protection Event), and shall regularly test, assess, and evaluate those measures.
5.2 The measures to be adopted under paragraph 5.1 shall ensure a level of security appropriate to the harm that might result from a Data Protection Event and the nature of the Relevant Personal Data, having regard to the state of technological development and the cost of implementing the measures.
5.3 The Processor shall:
5.3.1 take reasonable steps to ensure the reliability of Relevant Personnel, and that they process Relevant Personal Data in relation to the Purpose in accordance with this Agreement only;
5.3.2 provide training for Relevant Personnel so that they are aware of the Processor’s obligations under Data Protection Regulations, and inform them of the importance of the need to avoid Data Protection Events;
5.3.3 have in place disciplinary procedures in respect of non-compliance with relevant data protection requirements and standards;
5.3.4 ensure that Relevant Personnel have committed themselves to be bound by confidentiality provisions; and
5.3.5 appoint a person to be responsible for security and data protection matters and provide the name of such person to the Controller on request.
6. GENERAL DATA PROTECTION OBLIGATIONS
6.1 The Processor shall without undue delay, and in any event no later than reasonably required in order to enable the Controller to fulfil its duties under Data Protection Regulations:
6.1.1 provide such information as the Data Controller may reasonably require in relation to Relevant Personal Data or its processing;
6.1.2 pass on to the Controller any enquiries or communications (including subject access requests) from data subjects relating to their Relevant Personal Data or its processing;
6.1.3 provide such information as may be required for the purpose of responding to any such data subject;
6.1.4 report to the Controller any security incidents or breaches relating to the Relevant Personal Data and provide such information as the Data Controller may reasonably require in relation to the incident or breach.
6.2 Subject to paragraph 6.1, the Processor shall assist the Controller with:
6.2.1 the conduct of a data protection impact assessment in relation to Relevant Personal Data; and
6.2.2 responding to requests of data subjects (other than the Controller (as appropriate)) to exercise their rights in respect of the processing of their Relevant Personal Data,
subject to payment of a reasonable charge in respect of such assistance.
7.1 Where and to the extent Bequeathed relies on Cloud Services to process Relevant Personal Data:
7.1.1 the policies and procedures of the Sub-processors providing the Cloud Services, and the terms having effect from time to time between the Processor and such Sub-processors, in relation to the processing of Relevant Personal Data as part of the Cloud Services shall be included in this Agreement (with such changes as are necessary being deemed to be made), and which shall apply to any processing of Relevant Personal Data in the course of those Cloud Services to the exclusion of any provisions to the contrary in this Agreement; and
7.1.2 the manner in which and the extent to which the Controller exercises or is entitled to exercise rights under this Agreement in respect of Relevant Personal Data processed as part of the Cloud Services shall be subject to those policies, procedures and terms.
7.2 The Processor is liable for a breach of this Agreement which is caused by the acts or omissions of Sub-processors.
7.3 The Processor shall not without prior specific written consent of the Controller engage a sub-contractor or confer on any other third party (directly or indirectly) authority to process Relevant Personal Data, including in the course of Cloud Services, and if such consent is provided by the Controller in relation to a sub-contractor, without first entering into a contract with that sub-contractor under which the sub-contractor agrees to comply with obligations the same as those set out in these Data Processing Terms so far as material in relation to the processing of Relevant Personal Data.
7.4 A list of the appointed Sub-processors and a description of the Cloud Services on which the Processor relies from time to time shall be provided as soon as reasonably practicable after the Processor receives a written request for that information from the Controller.
7.5 The Controller shall not deal directly with Sub-processors but the Processor shall serve as a single point of contact for the Controller, and is solely responsible for the internal coordination, review, and submission of instructions or requests to Sub-processors.
7.6 Instructions in relation to the processing of Relevant Personal Data given by the Controller must be addressed to the Processor except where Bequeathed enables that processing, in which case the Controller is responsible for undertaking the processing in question.
7.7 The Processor and Sub-processors are entitled to suspend the performance of instructions from the Controller which it believes contravenes Data Protection Regulations until the Controller has confirmed or modified the instruction accordingly; the Controller will promptly give instructions in writing to the Processor to do so.
8. DATA PROTECTION TERMINATION EVENTS
Where a Data Protection Termination Event occurs, the Processor is entitled to terminate this Agreement by giving not less than sixty (60) days’ notice to the Controller.
9. OVERSEAS TRANSFERS OF RELEVANT PERSONAL DATA
Except on documented instructions from the Data Controller or otherwise provided by this Agreement, the Processor shall not transfer any Relevant Personal Data to any country or territory outside of the European Union or to any international organisation.
10.1 Entire agreement
This Agreement constitutes the entire agreement between the parties relating to its subject matter and supersedes all prior representations, including negligent misrepresentations, agreements, negotiations or understandings between the parties, except that this paragraph does not affect the liability of either party for fraudulent misrepresentation.
10.2 Remedies are cumulative
The rights and remedies provided by this Agreement are cumulative and (unless otherwise provided in this Agreement) are not exclusive of any rights or remedies provided by law or in this Agreement.
11. GOVERNING LAW
This Agreement shall be governed by and construed in accordance with English law.