Data Processing Agreement

This Data Processing Agreement ("DPA") sets out the terms, requirements, and conditions on which SERENDIPITY AI LIMITED, a company incorporated in England and Wales under company no. 10750630 ("Serendipity AI", "We", "Us", "Our"), will process Personal Data when providing services to You as our Customer (as detailed in Your Order Form) ("Customer", "You", "Your"), pursuant to our Subscription Terms ("Agreement").

  1. Definitions and Interpretation


The following definitions and rules of interpretation apply in this DPA. Any terms not defined here shall be interpreted as defined in the Agreement.


1.1 Definitions:


  • "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended by the California Privacy Rights Act.

  • "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" / "Process" / "Processed" and "Supervisory Authority" are as defined in the GDPR.

  • "Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the EU and UK, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 ("UK GDPR"); the Data Protection Act 2018 ("DPA 2018"); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the CCPA and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

  • "Processor" means an entity which processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

  • "Services" means the services to be provided by You to Us under the Agreement.

  • "Standard Contractual Clauses" means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").


1.2 A reference to writing or written includes email.


1.3 In the case of conflict or ambiguity between:


1.3.1 any provisions contained in the body of this DPA and any provisions contained in the Schedules, the provisions in the body of this DPA will prevail; and


1.3.2 any of the provisions of this DPA and any provisions in the Agreement, the provisions of this DPA will prevail.


  2. Personal Data Types and Processing Purposes


2.1 The parties acknowledge that for the purpose of the Data Protection Legislation, You are the Controller and We are the Processor.


2.2 You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions You give to Us.


2.3 You warrant that Our expected use of the Personal Data for the provision of the Services and as specifically instructed by You will comply with the Data Protection Legislation.


2.4 The Schedules describe the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which We may process Personal Data to fulfil the Services.


  3. Your Obligations


3.1 You will:


3.1.1 have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, and no less than Our measures set out at paragraph 3.11 of Schedule 1;


3.1.2 provide clear and comprehensible written instructions to Us for the Processing of Personal Data to be carried out under the Agreement;


3.1.3 ensure that You have all the necessary licences, permissions and consents from Data Subjects;


3.1.4 ensure that You have an applicable legal basis for the transfer of Personal Data to Us and for the processing of that Personal Data by Us; and


3.1.5 indemnify Us against all loss, liability, damages, costs, fees, claims and expenses which We may incur or suffer by reason of any breach of this DPA or the Data Protection Legislation by You.


3.2 You additionally warrant and represent that:


3.2.1 You have and will, throughout the term of the Agreement, maintain (at Your own cost and expense) all relevant regulatory registrations and notifications as required from time to time under the Data Protection Legislation; and


3.2.2 You have undertaken appropriate due diligence in relation to Our Processing operations, and are satisfied that: (i) Our Processing operations are suitable for the purposes for which You propose to engage Us to Process Personal Data; and (ii) We have sufficient expertise, reliability, and resources to implement technical and organisational measures that meet the requirements of the Data Protection Legislation.


  4. Our Obligations


4.1 We will only process the Personal Data to the extent, and in such a manner, as is necessary for the performance of the Services in accordance with Your written instructions unless required to do so by the Data Protection Legislation; in such case We will notify You of said legal requirement before Processing, unless otherwise prohibited. We will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation.


4.2 We will immediately notify You if, in Our opinion, Your instructions would not comply with the Data Protection Legislation. We will be entitled to suspend performing the relevant Services until We and You have agreed appropriate amended instructions which are not infringing.


4.3 We will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Us to process or disclose Personal Data, We will first use reasonable endeavours to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the law prohibits such notice.


4.4 We will reasonably assist You, in a manner consistent with the functionality and performance of the Services and Our role as Processor, with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. To the extent legally permitted, You shall be responsible for any costs arising from Our provision of such assistance beyond the existing functionality or performance of the Services.


4.5 We will promptly notify You of any changes to Data Protection Legislation that may adversely affect Our performance of the Services.


4.6 You acknowledge that We are free to use meta-data, statistics and such other information derived from the Personal Data We receive from You which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.


4.7 We will ensure that any and all employees are bound by confidentiality obligations and use restrictions in respect of the Personal Data.


  5. Security


5.1 We will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out at paragraph 3.11 of Schedule 1.


5.2 We may update the security measures from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We shall provide to You on request.


5.3 We will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:


5.3.1 the pseudonymisation and encryption of Personal Data;


5.3.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;


5.3.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and


5.3.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.


  6. Personal Data Breach


6.1 We will promptly and without undue delay notify You of any Personal Data Breach relating to Your Personal Data.


6.2 Where We become aware of a Personal Data Breach, We will, without undue delay, provide You with the following information:


6.2.1 a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

6.2.2 the likely consequences of the event; and


6.2.3 a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.


6.3 We will reasonably co-operate with You in Your handling of the matter, including:


6.3.1 assisting with any investigation;


6.3.2 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation; and


6.3.3 taking reasonable steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach.


6.4 In the event that a Personal Data Breach was not due to Our fault, We will cooperate with You, with reasonable costs and expenses to be covered by You.


6.5 We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.


6.6 Subject to clause 6.4 You have the sole right to determine and responsibility to action:


6.6.1 whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and


6.6.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.


  7. Cross-Border Transfers of Personal Data


7.1 If an adequate protection measure for the international transfer of Personal Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses shall be incorporated into this Agreement in the Schedules as if they had been set out in full.


7.2 The parties shall ensure that whenever Personal Data is transferred outside the European Economic Area and the United Kingdom ("GDPR Territories") they:


7.2.1 are Processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;


7.2.2 participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or


7.2.3 otherwise ensure that the transfer complies with the Data Protection Legislation.


7.3 In the case of any Processing of Personal Data outside of the GDPR Territories as at the date of this DPA, We have identified in the Schedules the relevant transfer mechanism. We will promptly inform You of any change to such mechanisms.


7.4 You authorise Us to enter into appropriate transfer mechanisms with sub-Processors on Your behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. We will make the relevant parts of the executed agreements available to You on written request.


  8. Sub-Processors


8.1 You authorise Us to use sub-Processors set out on Our dedicated sub-Processor webpage (the "Sub-Processor List"). These sub-Processors include but are not limited to the general categories of data storage, hosting (including data centres and providers of virtual software environments) and IT support.


8.2 Where We engage a sub-Processor we will enter into a written contract with them that contains terms similar to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Your written request and at Your expense, provide You with copies of such contracts (subject to redaction of any confidential information) and We will maintain control over all Personal Data We entrust to the sub-Processor.


8.3 Where the sub-Processor fails to fulfil its obligations under such written agreement, We remain fully liable to You for the sub-Processor’s performance of its agreement obligations.


8.4 We will provide notice of any changes to the Sub-Processor List by posting to the Sub-Processor List webpage. Within ten (10) days of such notice being posted You may object to the appointment of an additional Sub-Processor on reasonable grounds relating to Data Protection Legislation or other relevant regulations, in which case We will have the right to cure the objection through one of the following options (to be selected at Our sole discretion):


8.4.1 We will cancel Our planned use of sub-Processor or will offer an alternative plan to provide the Services without using such sub-Processor;


8.4.2 We will take the corrective steps, if any, identified by You in Your objection as sufficient to remove Your objection, and proceed to use the sub-Processor; or


8.4.3 We may cease to provide, or You may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such sub-Processor, subject to a mutual agreement between us to adjust the remuneration for the Services considering the reduced scope of the Services.


  9. Complaints, Data Subject Requests and Third-Party Rights


9.1 We will take such technical and organisational measures and promptly provide such information to You as required by Data Protection Legislation, to enable You to comply with:


9.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and


9.1.2 information or assessment notices served on You by any supervisory authority under the Data Protection Legislation.


9.2 We will notify You immediately if We receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.


9.3 If We receive a request from one of Your Data Subjects to exercise one or more of their rights under applicable Data Protection Legislation We will instruct the Data Subject to make their request directly to You. You will be responsible for responding to any such request.


9.4 We will give You Our reasonable co-operation and assistance in a manner consistent with the functionality and performance of the Services and Our role as a Processor in responding to a complaint, notice, communication or Data Subject request.


9.5 We will not disclose the Personal Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.


  10. Liability


10.1 Our total liability pursuant to this DPA shall be subject to the liability cap and any exclusions in the Agreement.


  11. Term and Termination


11.1 This DPA will remain in full force and effect for so long as We retain any of Your Personal Data related to the Services in Our possession or control.


11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Personal Data will remain in full force and effect.


11.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.


  12. Data Return and Destruction


12.1 At all times during the term of the Agreement, We will give You the ability to access, extract and delete Your Personal Data stored in our systems. We will retain Your Personal Data for sixty (60) days after expiration or termination of the Agreement so that you may extract Your Personal Data. After said 60-day period ends We will disable Your account and delete all Your Personal Data, save to the extent We are required by any applicable law to retain some or all of such Personal Data. In such event We will extend the protections of this DPA to such retained Personal Data and limit any further Processing of such Personal Data only to those limited purposes for which, and only for so long as, such retention is required by applicable law.


12.2 This requirement shall not apply to Personal Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).


  13. Records


13.1 We will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data We carry out for You ("Records") and provide You with copies of the Records upon request.


  14. Audit


14.1 No more than once during any consecutive 12-month period, on Your request We will provide You with the relevant information from Our information security audit (which may have been carried out internally or by third-party representatives) to evidence Our compliance with this DPA and provide the summary results to You. You shall be entitled to ask questions of Us related to compliance with Data Protection Legislation in advance of the audit, and We shall use Our reasonable endeavours to respond adequately when providing the audit results.


14.2 Where required by Data Protection Legislation We will exercise relevant audit rights We have in connection with Our sub-Processors’ compliance with their obligations regarding Your Personal Data, and provide You with a summary of the audit results.


14.3 The audit rights set out at clauses 14.1 – 14.2 are Your only contractual rights (and Our only contractual obligations) in connection with the auditing of Our Processing of Personal Data, save that nothing in this DPA shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly We will submit to any audits required by a Supervisory Authority or Data Protection Legislation.


  15. CCPA


15.1 To the extent that (i) We act as a “service provider” or “contractor” for the purposes of the CCPA and (ii) Personal Data is “personal information” as it is defined in the CCPA ("CCPA Data"), the provisions of this clause 15 shall apply.


15.2 We will Process CCPA Data on Your behalf and will not retain, use, or disclose CCPA Data for any purpose other than for the purposes set out in this DPA and as permitted under the CCPA, including under any “sale” exemption.


15.3 In no event will We: (i) “sell” or “share” (as those terms are defined in the CCPA) any CCPA Data; (iii) combine CCPA Data that We receive from, or on behalf of, You with CCPA Data that We receive from, or on behalf of, any other person, or that We collect from Our own interaction with an end user, provided that We may combine CCPA Data to perform any business purpose as defined in regulations adopted pursuant to the CCPA.


15.4 We will: (i) grant to You the right to take reasonable and appropriate steps to help ensure that We use CCPA Data in a manner consistent with Your obligations under the CCPA; (ii) notify You in the event that We determine that We can no longer meet Our obligations under the CCPA; and (iii) grant to You the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of CCPA Data.

SCHEDULE 1


EU SCCs

1. Incorporation of the EU SCCs


1.1. To the extent clause 7 applies and the transfer is made pursuant to the GDPR, this Schedule 1 and the following terms shall apply:


1.1.1. Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection; and


1.1.2. Module 3 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a sub-Processor and the transfer requires such additional protection.


2. Clarifications to the EU SCCs


2.1. To the extent Module 2 and Module 3 of the EU SCCs apply as determined by paragraph 1 of this Schedule 1:


2.1.1. Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.


2.1.2. Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors.


2.1.3. Sub-Processors. For the purposes of clause 9 of the EU SCCs (Use of sub-processors), option 2 (general) applies and the parties agree that the process for appointing sub-processors set out in clause 8.3 applies.


2.1.4. Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:


i. if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;

ii. where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent Supervisory Authority; and

iii. where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose Personal Data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.


2.1.5. International Transfer Assessments. For the purposes of clause 14(c) of the EU SCCs (local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfil the importer's obligations pursuant to clause 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.


2.1.6. Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (local laws and practices affecting compliance with the clauses) the parties agree that "best efforts" and the obligations of the importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.


2.1.7. Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law and choice of jurisdiction shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply and the courts of Ireland will have exclusive jurisdiction.


2.2. To the extent Module 3 of the EU SCCs applies as determined by paragraph 1 of this Schedule 1:


2.2.1. paragraphs 3.1 and 3.2 of this Schedule 1 shall be modified to reflect that the exporter is a processor and the importer is a sub-processor;


2.2.2. the exporter warrants that it has the rights necessary to transfer the Personal Data to the importer;


2.2.3. any request received from a data subject in connection with the Personal Data being processed by the importer shall be forwarded to the exporter to facilitate with the controller of such Personal Data; and


2.2.4. for the purposes of clause 8.6(c) and (d) of the EU SCCs, the importer shall notify the exporter of any Personal Data Breach.


3. Processing Particulars for the EU SCCs


The Parties


3.1. Exporter (Controller): Customer

3.2. Importer (Processor): Serendipity AI


Description Of Data Processing


3.3. Categories of Data Subjects: (a) employees; (b) consultants; (c) contractors; (d) subcontractors of the Exporter and/or its suppliers or customers; (e) suppliers; (f) customers; and (g) any other Data Subject whose information is made available to Us by You.


3.4. Categories of Personal Data transferred: (a) first name; (b) last name; (c) address; (d) e-mail address; (e) IP address; (f) phone number; (g) location data; (h) username; and (i) any other categories of Personal Data which are made available to Us by You.


3.5. Sensitive data transferred: None.


3.6. Frequency of the transfer: Continuous.


3.7. Nature and purpose: For the provision of the Software as set out in the Agreement.


3.8. Duration of the Processing: The term of the Agreement.


3.9. Sub-Processor Transfers: As set out at clause 8.1.


3.10. Competent Supervisory Authority: As set out at paragraph 2.1.4.


3.11. Technical and Organisational Measures: the measures in place to protect Personal Data, which may be provided to You on request.

SCHEDULE 2


UK ADDENDUM

1. Parties


As set out in Schedule 1.


2. Selected SCCs, Modules and Clauses

Module 2 and Module 3 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Schedule 1, paragraph 2, but subject to any further amendments detailed in this Schedule 2.


3. Appendix Information


The processing details required by the UK Addendum are as set out in Schedule 1, paragraph 3.


4. Termination of the UK Addendum


In the event the template UK Addendum issued by the Information Commissioner's Office and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18, is amended, either party may terminate this Schedule 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.