Data Processing Addendum

We’ll be happy to help you If you’ve questions about this Addendum. Please email them to gdpr@salesorder.com and we’ll do our best to give you practical answers.

Background

(A) References to the term "Data Processing Addendum" means this Addendum and the following schedules attached hereto:

(B) This Data Processing Addendum (DPA) forms part of the Salesorder.com Terms of Use Agreement.

(C) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the applicable data protection legislation (“Data Protection Legislation”) relating to the processing of Personal Data in relation to all processing of Personal Data by the Processor for the Controller.

1. Agreed terms

The terms and expressions set out in this Agreement shall have the following meanings:

1.1. Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998;

1.2. “Controller”, “Processor”, “Processing” and “Data Subject” shall have the meanings given to them in the Data Protection Legislation; For the avoidance of doubt we Salesorder.com are the Processor and you our Customer are the Controller.

1.3. ICO means the Information Commissioner’s Office;

1.4. Personal Data means all such “personal data” as defined in the Data Protection Legislation as is, or is to be, processed by the Processor on behalf of the Controller;

1.5. Services means those services described in Schedule 1 which are provided by the Processor to the Controller and which the Controller uses for the purpose[s] described in Schedule 1.

1.6. “Security Measures” means the security measures set out in Schedule 2

1.7. Clause, Schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.8. A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.9. The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.

1.10. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.11. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

1.12. Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.

1.13. Agreement and Addendum are one and the same.

It Is Agreed as follows:

1. Acceptance of our Terms of Use Agreement means you agree to this Salesorder.com Data Processing Addendum (DPA) which forms a part of the Salesorder.com Terms of Use Agreement.

2. The Parties agree that in the event of any conflict between the Terms of Use Agreement and this Addendum, the provisions of this Addendum shall control.

4. Scope of Processing

4.1. The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including responsibility to ensure necessary legal basis for collecting, processing and transfer of Personal Data.

4.2. The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to protection of Personal Data.

4.3. This Agreement concerns the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Services or otherwise as described in Schedule 1.

4.4. The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Controller:

(a) for the purposes of those Services and not for any other purpose;

(b) to the extent and in such manner as is necessary for those purposes; and

(c) strictly in accordance with the express authorization and instructions of designated contacts at the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor).

4.5. The Processor, its Sub-processors, and other persons acting under the authority of the Processor who has access to the Personal Data shall process the Personal Data only on behalf of the Controller and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws.

4.6. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation.

4.7. The Processor shall promptly respond to any request from the Controller requiring the Processor to amend, transfer or delete the Personal Data.

4.8. The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO.

4.9. Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall:

(a) process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO;

(b) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR

(c) in assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.

(d) any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or other legal basis for such transfer or disclosure;

4.10. The Processor shall notify the Controller (within two working days) if it receives:

(a) a request from a data subject to have access to that person’s Personal Data; or

(b) a complaint or request relating to the Controller’s obligations under the Data Protection Legislation.

4.11. The Processor agrees to provide the Controller with full cooperation and assistance in relation to any complaint or request made, including by:

(a) providing the Controller with full details of the complaint or request;

(b) complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions;

(c) providing the Controller with any Personal Data it holds in relation to a data subject (within reasonable timescales required by the Controller);

(d) providing the Controller with any information requested by the Controller;

(e) notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.

5. Controller’s Audit Rights

5.1. Where the Controller is entitled to and desires to review the Processor's compliance with the EU Data Protection Laws, the Controller may request, and the Processor will allow the Controller (subject to obligations of confidentiality) or an independent auditor appointed by the Controller to conduct audits (including inspections) to verify the Processor's compliance with its obligations under this Data Processing Agreement in accordance with Section 5.2 (Additional Business Terms for Reviews and Audits). The Controller will be responsible for any fees charged by any auditor appointed by the Controller to execute any such audit.

5.2. Additional Business Terms for Reviews and Audits. The Processor may object in writing to an auditor appointed by the Controller to conduct any audit under Section 5.1 if the auditor is, in the Processor's reasonable opinion, not suitably qualified or independent, a competitor of the Processor, or otherwise manifestly unsuitable. Any such objection by the Processor will require the Controller to appoint another auditor or conduct the audit itself.

5.3. No Modification of MCCs. Nothing in this Section 4 (Controllers Audit Rights) varies or modifies any rights or obligations of the Controller or the Processor under any Model Contract Clauses entered into as described in Section 9.2 (Transfers of Data Out of the EEA).

6. Processor and Controller Security Measures

6.1. The Processor shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by the ICO to ensure an appropriate level of security and these are outlined in Schedule 2.

6.2. The Processor shall assess the appropriate level of security and take into account the risks related to the processing, including risk for accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

6.3. All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done by means of adequate encryption agreed between the Parties.

6.4. The Processor shall provide the Controller with general descriptions of the Processor's and its Sub-processors' on the Privacy Policy Page (to the extent that the Processor has access to such Sub-processors information) technical and organisational measures implemented to ensure an appropriate level of security.

6.5. The Processor shall provide reasonable assistance to the Controller, taking into account relevant information available to the Processor, if the Controller is obliged to perform an impact assessment and/or consult ICO in connection with the processing of Personal Data. The Controller shall bear any costs accrued by the Processor related to such assistance.

6.6. The Controller is solely responsible for its use of the Services including:

(a) using the Services appropriately and ensuring a level of security appropriate to the risk in respect of the Personal Data.

(b) securing the Salesorder.com account user’s authentication credential’s systems and devices the Controller and its trading partners including a not restricted to Customers, Suppliers and Advisors.

(c) backing up both its Personal Data, other Data; and

6.7. The Processor has no obligation to protect any Personal Data or other Data the Controller elects to stores outside of systems belonging to the Processor.

6.8. The Controller is solely responsible for reviewing and evaluating for itself whether the Services and the Security measures and the commitments made under this Section 6 will meet the Controller’s needs, including with respect to the any security obligations of the Controller under GDPR or any other Data protection regulation.

7. Notification of any Breach and other ‘Data Incidents’

7.1. The Controller must provide the Processor with an email address and telephone number in this form (Agreement Acceptance) so as the Processor can notify the Controller about any Breach or Data incident. The Controller is solely responsible for making sure the email address and telephone number is current and valid.

7.2. The Processor shall notify the Controller without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed ("Personal Data Breach"). The Controller is responsible for notifying the Personal Data Breach to the ICO within 72 hours of any such breach.

7.3. The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences, in the reasonable opinion of the Processor, of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.4. The Processor’s notification of or response to a Breach or Data Incident will not be construed as an admission by the Processor of any liability whatsoever.

7.5. In the event the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Controller, including the provision, if available, of necessary contact information to the affected Data Subjects. The Controller shall bear any costs related to such assistance provided by the Processor and to such communication to the Data Subject. The Processor shall nevertheless bear such costs if the Personal Data Breach is caused by circumstances for which the Processor is responsible.

8. Sub-Processing

8.1. Consent to Subprocessor Engagement. the Controller specifically authorizes the engagement of the Processor’s Sub-processors. In addition, the Controller generally authorizes the engagement of any other third parties as Subprocessors

8.2. The Processor shall ensure that its data protection obligations set out in this Agreement and the Data Protection Legislation are imposed to any Sub-processors by way of a written agreement. Any Sub-processor shall in particular provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Legislation. The Processor shall not be liable to the Controller for the performance of any Sub-processor.

8.3. Information about Sub-processors. Information about Sub-processors, including their functions and locations, is available on our Privacy Policy Page. (as may be updated by the Processor from time to time in accordance with this Data Processing Addendum).

8.4. Requirements for appointing a Subprocessor. When appointing any Subprocessor, the Processor will ensure via a written agreement that:

(a) the Sub-processor only accesses and uses the Controller Data to the extent required to perform the obligations agreed with it, and does so in accordance with the applicable Agreement (including this Data Processing Addendum) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by the Processor as described in Section 9.2 (Transfers of Data Out of the EEA); and

(b) if the GDPR applies to the processing of Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Data Processing Amendment, are imposed on the Sub-processor; and

(c) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.

8.5. Opportunity to refuse or object to Subprocessor Changes.

(a) When any new Third Party Sub-processor is engaged during the applicable Term, the Processor will, at least 30 days before the new Third Party Subprocessor processes any Personal Data, inform Controller of the engagement (including the name and location of the relevant subprocessor and the activities it will perform).

(b) Controller may object to any new Third Party Subprocessor by terminating the applicable Master Subscription Agreement immediately upon written notice to the Processor, on condition that the Controller provides such notice within 90 days of being informed of the engagement of the subprocessor as described in Section 8.5(a). This termination right is the Controller’s sole and exclusive remedy if the Controller objects to any new Third Party Subprocessor.

9. Data Transfers

9.1. Processing and Data Storage facilities. Controller agrees that the Processor may, subject to Section 9.2 (Transfers of Data Out of the EEA), store and process the Personal Data in the United States and any other country in which the Processor or any of its Sub-processors maintains facilities.

9.2. Transfers of Data outside of the EEA.

(a) The Processor’s Transfer Obligations. If the storage and/or processing of Personal Data (as set out in Section 9.1 Processing and Data Storage facilities) involves transfers of Personal Data out of the EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), the Processor will:

(b) if requested to do so by Controller, ensure that the Processor as the data importer of the Transferred Personal Data enters into Model Contract Clauses with Controller as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses; and/or

(c) offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Controller about such Alternative Transfer Solution.

9.3. Controllers Transfer Obligations. In respect of Transferred Personal Data, Controller agrees that:

(a) if under the European Data Protection Legislation the Processor reasonably requires the Controller to enter into Model Contract Clauses in respect of such transfers, Controller will do so; and

(b) if under the European Data Protection Legislation the Processor reasonably requires the Controller to use an Alternative Transfer Solution offered by the Processor, and reasonably requests that the Controller take any action (which may include execution of the Controller will do so.

9.4. The Controller (as “data exporter”) and the Processor (as “data importer”) hereby enter into, as of the Addendum Effective Date, the Standard Contractual Clauses, which are incorporated by this reference and constitute an integral part of this Addendum. The Parties are deemed to have accepted and executed the Standard Contractual Clauses in their entirety, including the appendices.

10. Salesorder Team Security

10.1. Salesorder.com team members are required to conduct themselves in a manner consistent with Salesorder.com’s business ethics, appropriate usage, and professional standards. We conduct appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

10.2. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Salesorder.com’s Data Protection, Confidentiality and Privacy policies and guidelines.

11. Warranties and Indemnities

11.1. Each party warrants to the other that it will process the Personal Data in compliance with this Agreement and in accordance with the Data Protection Legislation.

11.2. The Parties shall each be liable for and shall indemnify (and keep indemnified) each other against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the other which arise directly or in connection with any data processing activities which are subject to this Agreement.

12. Confidentiality

12.1. The Processor shall maintain the Personal Data processed by the Processor on behalf of the Controller in confidence, and in particular, unless the Controller has given written consent for the Processor to do so, the Processor shall not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party. The Processor shall not process or make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of the Services to the Controller.

12.2. The Controller is subject to a duty of confidentiality regarding any documentation and information, received by the Processor, related to the Processor's and its Sub-processors' implemented technical and organisational security measures.

12.3. The obligations in this Clause 7 shall continue for a period of five years after the cessation of the provision of Services by the Processor to the Controller. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the ICO or a court. Both parties shall however, where possible, discuss together the appropriate response to any request from the ICO or court for disclosure of information.

13. Term and Termination

13.1. The Processing Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller.

13.2. In the event of the Processor's breach of the Processing Agreement, the Controller may (i) instruct the Processor to stop further processing of Personal Data with immediate effect; (ii) terminate the Processing Agreement with immediate effect; and/or (ii) claim damages for direct economic loss caused by the Processor's breach, subject always to the provisions (including limitation of liability provisions) of the Master Subscription Agreement and other agreements(s) pursuant to which the Services are provided.

13.3. The Processor shall, upon the termination of this Agreement and at the choice of the Controller, delete or return all the Personal Data to the Controller, unless otherwise stipulated otherwise in the Data Protection Legislation. The Processor shall document in writing to the Controller that deletion has taken place.

14. General

14.1. This Agreement may only be amended by the Parties subject to mutual consent and in accordance with the Data Protection Legislation.

14.2. The Processor shall not sub-contract to any third party any of its rights or obligations under this Agreement save for where permitted by the Parties under this Agreement.

14.3. Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

14.4. This Agreement shall be governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1: Services, Processing, Personal Data, and Data Subjects

1. Services

The “Services” referred to in Sub-Clause 1.5 means the software Salesorder.com as described on the Processor’s website www.salesorder.com and includes Pre-Sales inquiries and Technical Support.

The Controller uses the Services for the following purposes: Administering the Controller’s Business and providing the Controller’s Products and Services to its Customers.

1. Processing

The Personal Data will be subject to the following basic processing activities as detailed here on our Privacy Page.

1. Personal data

The Personal Data processed concern the following type and categories as displayed here on our Privacy Page.

1. Data subjects

The Personal Data processed concern the following categories of Data Subjects:

1. The Controller’s employees

2. Contact persons at the Controller’s Customers

3. The Controller’s subcontractors’ employees

4. The Controller’s Customers and Suppliers

5. OR as specified by the Controller in the submission of the Terms of Use Agreement to constitute and create a record about:

   1. how the Controller will use Salesorder.com to process Personal data

   2. all the categories of personal data that the Controller will process in Salesorder

   3. all the categories of individuals whose personal data the Controller will process in Salesorder

Schedule 2: Security Measures

The following are the Security Measures referred to in Sub-Clauses 1.6 and section 6:

1. The Processor will ensure that in respect of all Personal Data it receives from or processes on behalf of the Controller it maintains security measures to a standard appropriate to:

1.1. the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the Personal Data; and

1.2. the nature of the Personal Data.

1. In particular the Processor shall:

2.1. have in place and comply with a security policy which:

2.1.1. defines security needs based on a risk assessment;

2.1.2. allocates responsibility for implementing the policy to a specific individual or members of a team;

2.1.3. is disseminated to all relevant staff; and

2.1.4. provides a mechanism for feedback and review.

2.2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;

2.3. prevent unauthorised access to the Personal Data;

2.4. ensure its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;

2.5. have secure methods in place for the transfer of Personal Data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption);

2.6. put password protection on computer systems on which Personal Data is stored and ensure that only authorised personnel are given details of the password;

2.7. take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data;

2.8. ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement;

2.9. ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller;

2.10. have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including:

2.10.1. the ability to identify which individuals have worked with specific Personal Data;

2.10.2. having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Act; and

2.10.3. notifying the Controller as soon as any such security breach occurs.

2.11. have a secure procedure for backing up and storing back-ups separately from originals;

2.12. have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print outs and redundant equipment; and

2.13 adopt such organisational, operational and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013 as appropriate to the Services provided to the Controller.