GDPR – Data Processing Agreement
This Data Processing Agreement (“DPA”) is an addendum to the 365i Terms and Conditions. It governs the processing of personal data by BSolve IT Limited (trading as “365i”) on behalf of the Customer.
Definitions
- Customer Data: Information supplied by or on behalf of Customer or Customer End Users through the Services under the Customer’s account.
- Data Controller: The entity which determines the purposes and means of the processing of Personal Data.
- Data Processor: The entity which processes Personal Data on behalf of the Data Controller.
- Data Protection Laws: All applicable data protection and privacy regulations, including the GDPR.
- Data Subject: An individual to whom Personal Data relates.
- EEA: The European Economic Area.
- GDPR: EU General Data Protection Regulation 2016/679.
- Personal Data: Customer Data relating to an identified or identifiable natural person, as protected under the GDPR.
- Processing: As defined in the GDPR; includes process, processes, and processed.
- Sub-Processor: A third party authorised to access and process Customer Data in order to deliver the Services.
- Services: The products and services provided by 365i in accordance with the Terms and Conditions.
Data Processing Obligations
365i processes Customer Data solely in accordance with documented instructions from the Customer. The baseline instruction is that 365i may process Customer Data only for the purpose of delivering the Services as described in the Terms and Conditions and any product-specific agreements.
365i will inform the Customer if, in its opinion, an instruction infringes the GDPR before carrying out that instruction.
Both parties acknowledge that for the purposes of this DPA:
- 365i functions as Data Processor
- The Customer functions as Data Controller
Confidentiality
365i treats all Customer Data as strictly confidential. Customer Data shall not be copied, transferred, or processed contrary to the Customer’s instructions unless required by law.
All 365i personnel are bound by confidentiality obligations and may only process Customer Data in accordance with the Customer’s instructions.
Sub-Processor Authorisation & Management
The Customer authorises 365i to engage third-party Sub-Processors without additional written authorisation. 365i restricts Sub-Processor access to what is necessary to provide the Services.
365i enters into written agreements with each Sub-Processor that provide equivalent data protection obligations to those set out in this DPA. 365i remains accountable for the actions and omissions of its Sub-Processors.
Notification
365i provides at least 30 days’ notice before any new Sub-Processor begins processing Customer Data. Notice is provided via the account email address or the hosting control panel.
Customer Rights
If the Customer objects to a new Sub-Processor, the Customer may terminate this DPA and the Services in accordance with the Terms and Conditions.
Data Breach Notification
In the event of a security breach involving accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data, 365i will notify the Customer without undue delay.
Notifications are sent to the Customer’s account email address. The Customer is responsible for keeping this contact information up to date.
365i will make reasonable efforts to identify the cause of any breach and take steps to prevent recurrence.
Exclusions
The following do not constitute data breaches for the purposes of this DPA: unsuccessful access attempts, unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks that do not compromise data security.
Data Subject Rights
365i forwards any data subject rights requests it receives directly to the Customer. The Customer must respond within the timeframes specified by the GDPR.
365i assists the Customer in fulfilling its obligations to data subjects, including by providing tools within the hosting control panel where appropriate.
Data Transfers & Storage
365i stores and processes Customer Data in secure data centres within the EEA. Data may be transferred to and processed outside the EEA where Sub-Processors maintain operations in other jurisdictions.
The Customer agrees to the transfer, storage, or processing of data outside the EEA. 365i takes all reasonably necessary steps to ensure that such transfers comply with applicable Data Protection Laws and that Customer Data is treated securely.
Compliance & Audit Rights
365i maintains records of its security standards and makes relevant compliance information available to the Customer upon written request.
Audits and inspections require a minimum of 30 days’ prior written notice and may not take place more than once in any 12-month period.
If 365i declines an audit request, the Customer may terminate this DPA and the Services in accordance with the Terms and Conditions.
Data Return or Deletion
365i retains Customer Data only for as long as necessary for the purposes for which it was collected. Upon termination of the Services in accordance with the Terms and Conditions, 365i will delete all Customer Data unless retention is required by law.
Archived backup data is securely isolated and protected from further processing.
Limitation of Liability
Total liability under this DPA is subject to the limitations set out in the 365i Terms and Conditions. 365i shall not be liable for any losses or damages suffered by the Customer where the Customer is using the Services in breach of the Terms and Conditions.
Effective Period
This DPA is effective from 4 April 2020 and replaces any previous data processing or security terms between 365i and the Customer. It continues in effect for as long as 365i provides the Services to the Customer.
Annex 1: Sub-Processors
The following third parties are authorised to process Customer Data as Sub-Processors:
| Company | Service |
|---|---|
| 20i Ltd | Hosting Platform & Domain Registrar Partner (Nominet-listed registrar, IPS tag STACK): processes hosting account data, domain registration and renewal data, DNS records, mailbox data, and Timeline Backup data on behalf of 365i. UK-based. |
| Nominet | .uk Domain Registry (receives registrant name and address for every .co.uk, .uk, and .org.uk registration submitted through 20i Ltd) |
| Tucows (OpenSRS) | International gTLD Registrar (.com, .net, .org, and other international extensions; routed through 20i Ltd; ICANN-accredited) |
| Let’s Encrypt (ISRG) | Free SSL/TLS Certificate Issuance (automatic on every site) |
| GeoTrust (DigiCert) | Paid SSL/TLS Certificates (Domain Validation and Extended Validation, available as add-ons) |
| PayPal | Card and Account Payments |
| Square | Card Payments |
| Brevo | Newsletter Subscriptions and Transactional Email (Double Opt-In, DKIM-signed) |
| Slack | Internal support and incident communication channels (may contain customer-identifying detail such as ticket references, domain names, and account email addresses while a case is being worked on) |
| Google Analytics | My365i control panel analytics (anonymised technical data) |
| QuickBooks | Financial Accounting (invoice records only) |
BSolve IT Limited (trading as 365i)
5 Epping Close, Barton Seagrave, Kettering, Northamptonshire, NN15 6TR
Company number 04607330