Tyresoft Limited

This Policy sets out the additional terms, requirements and conditions on which the Supplier will process Personal Data when providing services under the Master Agreement. This Policy contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

1. Definitions and interpretation

The following definitions and rules of interpretation apply in this Policy.

1.1 Definitions

• Business Purposes: the licence and use of the Software and the provision of the Services.
• Customer: a person or firm that purchases the Services from the Supplier.
• Data Subject: an individual who is the subject of Personal Data.
• Personal Data: means any information relating to an identified or identifiable natural person that is processed by the Supplier as a result of, or in connection with, the provision of the services under the Master Agreement.
• Processing, processes and process: any activity involving the use of Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, disclosure, transmission, dissemination, restriction, erasure or destruction.
• Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679), applicable national implementing laws, and related UK regulations and legislation as amended or updated from time to time.
• Master Agreement: the agreement between the Supplier and the Customer whereby the Supplier licenses the Software to the Customer and agrees to provide the Services.
• Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
• Services: the licence to use the Software and the services provided by the Supplier to the Customer as set out in the Master Agreement.
• Software: the cloud based software licensed to the Customer as more particularly described in the Master Agreement.
• Standard Contractual Clauses (SCC): the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the annex to Commission Decision 2010/87/EU.
• Supplier: Tyresoft Limited, a company registered in England and Wales with company number 07487064 whose registered office is situated at Left Hand Turret, The Avenue, The Cross, Worcester WR1 3QA. VAT number 104 3295 47.
• Term: the period this Policy remains in force referred to in clause 9.

1.2 This Policy is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Policy.

1.3 Annex A forms part of this Policy and will have effect as if set out in full in the body of this Policy. Any reference to this Policy includes Annex A.

1.4 A reference to writing or written includes faxes and email.

1.5 In the case of conflict or ambiguity between: (a) any provision contained in the body of this Policy and any provision contained in Annex A, the provision in the body of this Policy will prevail; (b) any of the provisions of this Policy and the provisions of the Master Agreement, the provisions of this Policy will prevail; and (c) any of the provisions of this Policy and any executed SCC, the provisions of the executed SCC will prevail.

2. Personal data types and processing purposes

2.1 The Customer and the Supplier acknowledge that for the purpose of the Data Protection Legislation, the Customer is the controller and the Supplier is the processor.

2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Supplier.

2.3 Annex A describes the subject matter, duration, nature and purpose of processing, and the Personal Data categories and Data Subject types in respect of which the Supplier may process to fulfil the Business Purposes of the Master Agreement.

3. Supplier's obligations

3.1 The Supplier will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Master Agreement.

3.2 The Supplier will promptly comply with any Customer request or instruction requiring the Supplier to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Supplier will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer, the Master Agreement or this Policy specifically authorises the disclosure, or as required by law.

3.4 The Supplier will reasonably assist the Customer with meeting its obligations to Data Subjects and when reporting to and consulting with supervisory authorities under the Data Protection Legislation.

3.5 The Customer acknowledges that the Supplier is reliant on the Customer for direction as to the extent the Supplier is entitled to use and process the Personal Data.

4. Supplier's employees

4.1 The Supplier will take reasonable steps to ensure that its employees: (a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data; (b) have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and (c) are aware both of the Supplier's duties and their personal duties and obligations under the Data Protection Legislation and this Policy.

4.2 The Supplier will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of the Supplier's employees with access to the Personal Data.

5. Security

5.1 The Supplier will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

5.2 The Supplier will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

6. Personal Data Breach

6.1 The Supplier will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.

6.2 The Supplier will within 24 hours and without undue delay notify the Customer if it becomes aware of: (a) any accidental, unauthorised or unlawful processing of the Personal Data; or (b) any Personal Data Breach.

6.3 Where the Supplier becomes aware of either of the above, it shall also provide the Customer with the nature of the incident, likely consequences if known, and the measures taken or proposed to address it.

6.4 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter, and the Supplier will reasonably co-operate with the Customer.

6.5 The Supplier will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law.

6.6 The Customer has the sole right to determine whether to provide notice of the breach to Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, and whether to offer any type of remedy to affected Data Subjects.

6.7 The Supplier will cover all reasonable expenses associated with the performance of its obligations under clauses 6.2 and 6.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this Policy.

6.8 The Supplier will also reimburse the Customer for actual reasonable expenses incurred in responding to a Personal Data Breach to the extent that the Supplier caused such a breach.

7. Subcontractors

7.1 The Supplier may authorise a third party (subcontractor) to process the Personal Data if: (a) the Supplier enters into a written contract with the subcontractor requiring appropriate technical and organisational data security measures; (b) the Supplier maintains control over all Personal Data it entrusts to the subcontractor; and (c) the subcontractor's contract terminates automatically on termination of this Policy or the Master Agreement for any reason.

7.2 Where the subcontractor fails to fulfil its obligations under such written agreement, the Supplier remains fully liable to the Customer for the subcontractor's performance of its Policy obligations.

7.3 The Parties consider the Supplier to control any Personal Data controlled by or in the possession of its subcontractors.

8. Complaints, data subject requests and third party rights

8.1 The Supplier will, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with: (a) the rights of Data Subjects under the Data Protection Legislation; and (b) information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.

8.2 The Supplier will notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

8.3 The Supplier will co-operate with the Customer if it receives a request from a Data Subject for access to their Personal Data or to exercise any related rights.

8.4 The Supplier will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

8.5 The Supplier will not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this Policy or as required by law.

9. Term and termination

9.1 This Policy will remain in full force and effect so long as: (a) the Master Agreement remains in effect; or (b) the Supplier retains any Personal Data related to the Master Agreement in its possession or control.

9.2 Any provision of this Policy that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data will remain in full force and effect.

9.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements.

10. Data return and destruction

10.1 At the Customer's request, the Supplier will give the Customer a copy of or access to all or part of the Customer's Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

10.2 On termination of the Master Agreement for any reason or expiry of its term, the Supplier will securely delete or destroy, or if directed in writing by the Customer, return and not retain, all or any Personal Data related to the Master Agreement in its possession or control, except it may retain and use such Personal Data for 12 months for audit purposes only.

10.3 If any law, regulation, or government or regulatory body requires the Supplier to retain any documents or materials that the Supplier would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement and related details.

11. Records

11.1 The Supplier will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Customer, including access, control and security of Personal Data, approved subcontractors and affiliates, processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1.

11.2 The Supplier will ensure that the Records are sufficient to enable the Customer to verify the Supplier's compliance with its obligations and will provide copies as soon as reasonably practicable.

12. Audit

12.1 The Supplier will permit the Customer to audit the Supplier's compliance with its Policy obligations, on at least fourteen days' notice, during the Term.

12.2 The notice requirements in clause 12.1 will not apply if the Customer reasonably believes that a Personal Data Breach occurred or is occurring, or the Supplier is in breach of any of its obligations.

12.3 If a Personal Data Breach occurs or is occurring, or the Supplier becomes aware of a breach of any of its obligations, the Supplier will promptly conduct its own audit, produce a written report, provide the Customer with a copy of that report, and remedy any deficiencies identified by the audit as soon as reasonably practicable.

12.4 At the Customer's written request, the Supplier will conduct an information security audit before it first begins processing any Personal Data and repeat that audit annually, produce a written report, provide the Customer with a copy of that report, and remedy any deficiencies identified within seven days.

12.5 Any costs incurred by the Supplier as a consequence of the Customer's unreasonable requests under this clause shall be reimbursed by the Customer.

13. Warranties and indemnity

13.1 The Supplier and the Customer both warrant that: (a) they and anyone operating on their behalf will control and process Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and similar instruments; and (b) neither has reason to believe that the Data Protection Legislation prevents it from providing any of the Services.

13.2 The Supplier warrants that, considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and the accidental loss, destruction of, or damage to, Personal Data, and ensure an appropriate level of security.

13.3 The Customer warrants that: (a) the Supplier's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation; and (b) when collecting Personal Data it has complied in all respects with the Data Protection Legislation and that any limitations or restrictions on use have been notified to the Supplier in advance.

13.4 The Customer shall at all times during and after the Term indemnify the Supplier against all losses, damages, costs or expenses and other liabilities arising from any breach of the Customer's obligations under this Policy, the Master Agreement and the warranty given in clause 13.3(c), except to the extent such liability has arisen directly from the Supplier's breach of this Policy.

14. Notices

Any notice given to a party under or in connection with this Policy must be given in accordance with the notice provisions set out in the Master Agreement.

Annex A: Personal Data Processing Purposes and Details

Subject matter of processing: The processing of the Personal Data of the Client and the Personal Data of the Client's customer or any other data collected or held by the Client and supplied to Tyresoft for use when providing services to the Client.

Duration of Processing: Re-occurring so long as the Client pays the subscriptions under the Master Agreement.

Nature of Processing: The storage and handling of data provided to us by the Client into a format that the Client can access whilst using the Software and/or Services.

Business Purposes: In order to perform the contract that the Supplier has entered into with the Client.

Personal Data Categories: Personal Data (no special categories/sensitive data/criminal convictions and offences/data in relation to children processed).

Data Subject Types: Personal Data of Client, Personal Data of the Client's contacts and customers.