Data Processing Agreement

This Data Processing Agreement (“DPA”) sets out the terms, requirements, and conditions on which Aguru UK LTD a company incorporated and registered in England and Wales with company number 15713497 and registered address at Mishcon De Reya, 70 Kingsway, London, Greater London, United Kingdom, WC2B 6AH (“Aguru”) will process Personal Data when providing services to you, (“Customer”) pursuant to the services Agreement agreed between Aguru and the Customer (“Agreement”)

1. Interpretation
The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:
“Controller, Data Subject, Personal Data, Personal Data Breach, Processor, Processing/Process/Processed and Supervisory Authority” is as defined in the GDPR.

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the EU and UK, including Regulation (EU) 2016/679 (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR”); the Data Protection Act 2018 (“DPA 2018”); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

“Services” means the services to be provided by Aguru to Customer under the Agreement

1.2 Capitalised terms used in this DPA and not otherwise defined in the Agreement shall have the meaning given to them in the Data Protection Legislation.

1.3 If there is a conflict between the Agreement and this DPA, the terms of this DPA shall prevail.

2. Data Processing Obligations

2.1 The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and Aguru is the Data Processor of the Personal Data and a description of the Personal Data and the Processing activities undertaken by Aguru is set out in paragraph 5.

3. Aguru’s processing obligations 

3.1 To the extent that Aguru processes any Personal Data on behalf of Customer in connection with the Services, Aguru shall:

3.1.1 only Process such Personal Data in accordance with the purposes set out in this Agreement and notify Customer immediately if in its opinion the Customer’s instructions infringes applicable law;

3.1.2 maintain a record of its Processing activities under this Agreement in accordance with and to the extent required by Article 30(2) GDPR, and Aguru shall at any time upon request, deliver up to Customer details of such Processing activities;

3.1.3 ensure that access to any such Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Personal Data;

3.1.4 notify Customer without undue delay if it suffers a Personal Data Breach, if it receives any Data Subject Request relating to the Personal Data, and shall: (a) not respond to the Data Subject Request without Customer’s prior written consent and in accordance with Customer’s instructions; and (b) shall provide such assistance as Customer may reasonably require in respect of such Personal Data in order for Customer to comply and respond to the Data Subject Request in accordance with the Data Protection legislation;

3.1.5 provide reasonable assistance to Customer in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and

3.1.6 ensure that it has implemented appropriate organisational and technical measures in order to comply with its obligations under this paragraph 3.

3.2 To the extent legally permitted, Customer shall be responsible for any costs arising from Aguru’s provision of assistance beyond the existing functionality of the Services.

3.3 Aguru is permitted to engage a Sub-processor to Process any of the Personal Data on Customer’s behalf in connection with the Services. The Customer pre-approves the Aguru’s use of third party processors for the purposes of fulfilling its obligations, including Amazon Web Services. Aguru shall: 

3.3.1 inform Customer regarding the appointment or removal of any such Sub-processor via its website found here: Subprocessors]. If Customer objects on reasonable grounds, Aguru shall either: i) alter its plans to use the Sub-Processor with respect to Personal Data, or (ii) take corrective steps to remove Customer’s objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either Party may terminate this Agreement; and 

3.3.2 ensure that such Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on Aguru under this DPA; and

3.3.3 ensure that the Sub-processor’s Processing of such Personal Data terminates upon termination of the Aguru’s right to Process the data, 

provided that Aguru shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Personal Data. 

3.4 Customer acknowledges that Aguru and its Sub-Processors may Process Personal Data outside of the EEA or UK in non-adequate countries. Aguru will abide by the requirements of the Data Protection Legislation regarding the transfer and Processing of Personal Data from the EEA or UK. Aguru will ensure that transfers of Personal Data to a third country or an international organization that does not ensure an adequate level of protection are subject to appropriate safeguards as described in Article 46 of the GDPR or UK GDPR.

3.5 Upon termination or expiry of this Agreement, Aguru shall cease all Processing of any Personal Data Processed on Customer’s behalf under this Agreement and shall, at Customer’s option, return or destroy and delete all such Personal Data. 

3.6 In order to demonstrate Aguru’s compliance with the Data Protection Legislation and the terms of this DPA, Aguru shall: 

3.6.1 provide Customer with such information as Customer reasonably requests from time to time to enable Customer to satisfy itself that Aguru is complying with its obligations under this DPA and the Data Protection Legislation; and 

3.6.2 allow Customer, at Customer’s sole cost and expense access (on reasonable notice and no more than once a year) to its premises where Personal Data is Processed under this Agreement to allow Customer to audit its compliance with this DPA and the Data Protection Legislation and shall provide reasonable co-operation as requested by Customer in the performance of such audit. The Parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.

4. Obligations of Customer 
4.1 Customer shall:

4.1.1 have at all times during the term of this Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data; 

4.1.2 provide clear and comprehensible written instructions to Aguru for the processing of Personal Data to be carried out under this Agreement; and

4.1.3 ensure that it has all the necessary licences, permissions, consents and notices in place to enable lawful transfer of Personal Data to Aguru for the duration and purposes of this Agreement.

5. Processing Particulars

5.1 Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with the Agreement are users of the Software (the Customer’s employees), and the customers, prospects and employees of the Customer whose Personal Data may be provided as Inputs.

5.2 Categories of Personal Data. The categories of Personal Data to be Processed in connection with the Agreement are name, email address, telephone numbers and any prompts given to the Software.

5.3 Special Categories of Personal Data. Special categories of Personal Data, if any, to be Processed in connection with the Agreement are N/A. 

5.4 Processing Operations. Provision of the Services.

5.5 Duration. Aguru will Process the Personal Data on the Customer’s behalf for the duration of the Agreement.