Data Processing Addendum (DPA)

This Data Processing Addendum (the DPA) is incorporated by reference into our Terms and Conditions governing the use of our Services entered into by and between you and Executives Place Ltd, a company registered in England under number 07100165, with its registered office at Churchill House, 137-139 Brent Street, London NW4 4DJ, UK (Executives Place or we/us).

Unless otherwise stated, any defined terms herein shall have the same meaning as provided in the Terms and Conditions.

This DPA reflects the agreement of the parties for us to process the Customer Data in accordance with your instructions and on your behalf. Any such Customer Data includes all Personal Data (as defined below) that you provide when using the Services over which you are a controller, including any Personal Data submitted to your account dashboards, items and any documents you upload onto the Services (for the purpose of this Addendum only).

You are solely responsible for determining whether and how you use your Services, and for ensuring that you have the right or have obtained the consent of any individual whose Personal Data you are processing when using our Services, and that, in doing so, you comply with all applicable data protection laws.

AGREED TERMS

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:

1.1.1 Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.

1.1.2 Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1.1.3 EEA: the European Economic Area.

1.1.4 UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.1.5 Special Categories of Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

1.2 A reference to writing or written includes email.

1.3 In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Terms (which includes by reference the Privacy Policy), the provisions of this DPA will prevail.

2. Personal data types and processing purposes

2.1 We agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) You are the Controller and we are the Processor.

(b) You retain control of the Customer Data and remain responsible for its compliance obligations under the Data Protection Legislation, including for the written processing instructions you give us.

(c) The subject matter of the Processing is the performance of the Services pursuant to the Terms.

(d) We shall only Process the Customer Data for the duration of the Term, unless otherwise set out in the Terms, the Privacy Policy or the DPA, or otherwise required by professional or legal obligations to which we are subject.

(e) The nature and purpose of Processing are:

(i) to provide the Services to you;

(ii) to perform the DPA and our obligations under the Terms or other contracts executed between us, including without limitation, to repair any bugs to our Services or assist you with any query;

(iii) to act on your written instructions where consistent with the purpose of providing the Services;

(iv) to render Customer Data fully anonymous in accordance with applicable standards recognised by Data Protection Legislation;

(v) to share the Customer Data with third parties in accordance with your instructions, pursuant to your use of the Services (e.g. to allow the integration of third party service providers with the Services) or as set out in this DPA;

(vi) to comply with applicable laws and regulations; or

(vii) as required under applicable laws or a court of competent jurisdiction, provided that we shall inform you of any such legal requirement prior to the Processing in such a way, unless we are legally prohibited to do so on important grounds of public interest.

(f) The type of Customer Data and the categories of Data Subjects are set out by you on a case by case basis – depending on your use of the Services.

2.2 You agree that you will not use the Services to Process Special Categories of Personal Data. If you wish to use the Services in order to do so, you must first obtain our written consent, and enter any additional agreements as we may require from time to time.

3. Our obligations

3.1 We will only process the Customer Data to the extent, and in such a manner, as is necessary for the purposes set out in this DPA, including to provide the Services in accordance with the Terms, and in accordance with your written instructions. We will not process the Customer Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will inform you without undue delay if we believe that your instructions to Process Customer Data infringe Data Protection Legislation.

3.2 We will maintain the confidentiality of the Customer Data and will not disclose the Customer Data to third-parties unless you, or this DPA, specifically authorises the disclosure, or as required by applicable law, court or regulator. In such a case, we will inform you of any such disclosure requirement unless we are prohibited to do so by law or a court of competent jurisdiction.

3.3 We will reasonably assist you, at no additional cost, with meeting your compliance obligations under the Data Protection Legislation, taking into account the nature of our processing and the information available to us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the regulator under the Data Protection Legislation.

3.4 We will ensure that all of our employees and advisors engaged in the Processing of Customer Data are under an obligation of confidentiality (whether statutory or contractual).

3.5 We will implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Data.

4. Personal data breach

4.1 We will, without undue delay, notify you in writing if we become aware of a Personal Data Breach. In such a case, we will provide you, insofar as possible, with the following written information:

(a) description of the nature of the Personal Data Breach, including the categories of in-scope Customer Data and approximate number of both Data Subjects and the Customer Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

4.2 We will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Customer Data and/or a Personal Data Breach without first obtaining your written consent, except when required to do so by applicable law.

5. Cross-border transfers of personal data

5.1 We (and any sub-processors) will not transfer or otherwise process the Customer Data outside the UK or the EEA without obtaining your consent, with the exception of feature-specific actions undertaken by you as outlined in section 6.2. For the avoidance of doubt, you authorise us to transfer any Customer Data to the sub-processors set out in sections 6.1 and 6.2.

6. Subprocessors

6.1 You expressly authorise us to transfer Customer Data to the following sub-processors:

| Name | Type of service | Data shared | Region |
|---|---|---|---|
| DigitalOcean | Cloud computing and database hosting | All account data | UK |
| Microsoft | Managed database platform and backups | All account data | UK |
| Amazon Web Services | Document storage and email notification service | File uploads and account data required for system email notifications | EEA |
| Pusher | In-application notifications | User interface events that may contain attributes related to account data | EEA |
| Sentry | Error monitoring | Error logs that may contain attributes related to account data | EEA |
| Site24x7 | Performance monitoring | Diagnostic data that may contain attributes related to account data | EEA |
| Matomo | Analytics data | Anonymised usage logs that do not contain account data | EEA |

6.2 You expressly authorise us to transfer Customer Data to the following sub-processors when using features and services in the specified context:

| Name | Type of service | Context | Data shared | Region |
|---|---|---|---|---|
| Stripe | Payment service | Upgrading and downgrading subscription plan | Email address and account subscription level | US |
| OpenAI | AI functionality | AI-driven account creation and customisation | Information about account structure but no account data | US |

6.3 We may only authorise a third-party (sub-processor) to process the Customer Data if you have been provided with an opportunity to object to the appointment of each sub-processor within seven days from being notified. You must include the reasons for objecting to our use of any new sub-processor in your objection notice.

6.4 Failure to object to such new sub-processor in writing within seven days following notice shall be deemed as acceptance of the new sub-processor. In the event you object to a new sub-processor as per clause 6.1 and 6.2 of this DPA, you may, as your sole remedy, terminate the Agreement and this DPA with respect only to those elements of the Services which we cannot provide without the use of the objected-to new sub-processor, by providing us with a written notice to that effect. You shall pay us all amounts outstanding under the Agreement before the termination date with respect to the Processing at issue.

6.5 We remain fully liable to you for any sub-processor’s performance of its obligations in connection with this DPA.

7. Complaints, Data Subject Requests and Third-Party Rights

7.1 We will take such technical and organisational measures as may be appropriate, and without undue delay, to the extent legally permitted, provide such information as you may reasonably require to enable you to comply with:

(a) the rights of Data Subjects under Data Protection Legislation, including subject access rights, rights to rectify, port and erase personal data, and to object to the processing of personal data; and

(b) information or assessment notices served on you by a regulator under the Data Protection Legislation.

7.2 To the extent legally permitted, we will notify you without undue delay in writing if we receive a complaint, notice or communication that relates directly or indirectly to the processing of the Customer Data or to either party’s compliance with the Data Protection Legislation.

7.3 We will notify you without undue delay, and where feasible within seven days, if we receive a request from a Data Subject for access to their Customer Data or to exercise any of their other rights under the Data Protection Legislation.

7.4 We will cooperate with you and assist you in responding to any complaint, notice, communication or Data Subject request.

8. Data Return and Destruction

8.1 At your written request, we will give you, or a third-party nominated in writing by you, a copy of or access to all or part of the Customer Data you have provided us under this DPA which is in our possession or control.

8.2 On termination or expiry of the Agreement we will securely delete or destroy or, if directed in writing by you, return and not retain, all or any of the Customer Data related to this Agreement in our possession or control, except for one copy which we will retain and use for our legal and professional purposes only, in accordance with our retention policies.

9. Records and Audits

9.1 We will keep detailed, accurate and up-to-date written records regarding any processing of the Customer Data, including but not limited to, the access, control and security of the Customer Data, subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures implemented.

9.2 You will be given the opportunity periodically to check compliance with this DPA and Data Protection Legislation. The checks may be carried out by you or on your behalf by an auditor. The periodic check shall be limited to us answering questions put by you (a maximum of once a year) about our compliance with Data Protection Legislation. If we decline to follow any of your instructions regarding audits, you will be entitled to terminate the Agreement and this DPA by providing us with a written notice to that effect. You shall pay us all amounts outstanding under the Agreement before the termination date with respect to the Processing at issue.

9.3 Having regard to our duty of confidentiality towards other users, you accept and acknowledge that neither you nor your auditor may access our IT systems or IT infrastructure.