Docsafe Limited (‘Processor’) – Data Processing Agreement
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1. Both parties will comply with all applicable requirements of the Data Protection Legislation. These terms are in addition to, and do not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. In these terms, Applicable Laws means (for so long as and to the extent that they apply to the Provider) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.
2. The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor. The scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data and categories of Data Subject are part of standard terms of service unless agreed otherwise.
3. Without prejudice to the generality of clause 1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider and/or lawful collection of the Personal Data by the Provider on behalf of the Customer for the duration and purposes of this agreement.
4. Without prejudice to the generality of clause 1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement:
5. The Customer consents to the Provider appointing THIRD-PARTY PROCESSORS as third-party processors of Personal Data under this agreement. The Provider confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business or incorporating terms which are substantially similar to those set out in these terms and in either case which the Provider undertakes reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Customer and the Provider, the Provider shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to these terms.
6. Either party may, at any time on not less than 30 days’ notice, revise these terms by replacing them with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).
Amazon Web Services – web hosting
Mandrill – email gateway
Zendesk – customer support platform
2Checkout – payments gateway
GoCardless – payment processing
Intercom – chat and marketing emails
Yoti – ID verification
Verifile – ID verification
Onfido – ID verification
Stripe – payment processing