Data Processing Agreement
These data-processing terms apply whenever Centili Group Ltd. processes personal data on behalf of a customer in the course of providing its services. They form part of, and are incorporated into, the main agreement between the parties and satisfy the requirements of Article 28 of the UK GDPR.
Overview
This Data Processing Agreement (the “DPA”) governs the processing of personal data by Centili Group Ltd. (trading as Centili, “Centili”, “we”, “us” or the “Processor”) on behalf of the customer (the “Customer” or the “Controller”) under the agreement for the provision of Centili’s services (the “Main Agreement”).
This DPA is incorporated into, and forms an integral part of, the Main Agreement and our Terms of Service. Where there is any conflict between this DPA and the remainder of the Main Agreement in relation to the processing of personal data, this DPA prevails. It should be read together with our Privacy Policy, which describes the processing we carry out as a controller in our own right.
This DPA is concluded to comply with Article 28 of the UK General Data Protection Regulation (the “UK GDPR”) and the Data Protection Act 2018, together with any equivalent obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679) where it applies to a particular processing activity.
Definitions
Capitalised terms not defined in this DPA have the meaning given to them in the Main Agreement. The following definitions apply:
- “Data Protection Laws” means all laws and regulations applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (“PECR”) and, where applicable, the EU GDPR.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Special Categories of Personal Data” have the meanings given to them in the UK GDPR.
- “Sub-processor” means any third party engaged by the Processor (or by another sub-processor) to process Customer Personal Data on its behalf in connection with the services.
- “Customer Personal Data” means any personal data that the Processor processes on behalf of the Customer under the Main Agreement and this DPA.
- “Restricted Transfer” means a transfer of Customer Personal Data to, or access from, a country outside the United Kingdom that is not subject to adequacy regulations made under the Data Protection Act 2018.
- “IDTA” means the International Data Transfer Agreement issued by the Information Commissioner’s Office (“ICO”) under section 119A of the Data Protection Act 2018, and “UK Addendum” means the international data transfer addendum to the EU Standard Contractual Clauses (“SCCs”) issued by the ICO.
Roles of the Parties
For the purposes of the services covered by this DPA, the parties acknowledge and agree that the Customer is the Controller and Centili is the Processor in respect of Customer Personal Data. The Customer remains responsible for establishing a lawful basis for the processing, for the accuracy, quality and legality of the Customer Personal Data, and for the lawfulness of the instructions it provides to the Processor.
Where the Customer is itself acting as a processor on behalf of a third-party controller, the Customer warrants that it has the authority of, and acts on the instructions of, that controller, and that Centili is appointed as a sub-processor on the terms of this DPA.
Where Centili acts as an independent controller
Centili acts as an independent controller, and not as a processor, in respect of certain limited categories of personal data, including: data we process for our own billing, accounting, tax, credit-risk and audit purposes; data processed to meet our regulatory obligations (such as anti-money-laundering, counter-terrorist-financing, fraud-prevention and sanctions-screening obligations under the Proceeds of Crime Act 2002, the Money Laundering Regulations 2017 and applicable UK sanctions); data we use to operate, secure, analyse and improve our own services; and contact details of the Customer’s personnel processed to manage the commercial relationship. Our processing in those capacities is governed by our Privacy Policy rather than by this DPA. Each party is independently responsible for its own compliance with Data Protection Laws when acting as a controller.
Scope, Nature & Purpose of Processing
The Processor will process Customer Personal Data only to the extent, and in such a manner, as is necessary to provide the services under the Main Agreement and as further instructed by the Customer. The subject matter, duration, nature and purpose of the processing, the categories of data subjects, and the types of personal data are set out in the table below, which constitutes the parties’ record of processing for the purposes of Article 28(3) and Article 30 of the UK GDPR.
| Element | Details |
|---|---|
| Subject matter | Provision of Centili’s direct-carrier-billing, mobile-payment, content-monetisation and SIM-security services to the Customer. |
| Duration of processing | For the term of the Main Agreement, plus any period required to return or delete the data and to comply with the Processor’s legal retention obligations. |
| Nature of processing | Collection, recording, organisation, storage, transmission, routing, authentication, consultation, use, retrieval, analysis, restriction, erasure and destruction of Customer Personal Data by automated means. |
| Purpose of processing | Initiating and processing payment transactions and charges; carrier and merchant settlement and reconciliation; subscription and content-delivery management; fraud detection and transaction security; SIM-layer authentication and multi-factor verification; reporting, analytics and customer support. |
| Categories of data subjects | The Customer’s end users and subscribers; the Customer’s customers and account holders; payers and payees; and the Customer’s staff, contractors and authorised platform users. |
| Categories of personal data | Identifiers (name, user ID, account reference); contact details (email, postal address); telecommunications identifiers (MSISDN/mobile number, IMSI, SIM and device identifiers, carrier and country); transaction data (amount, currency, timestamp, product, transaction reference, payment status); authentication data (one-time passcodes, verification status, login metadata); and technical data (IP address, device and browser metadata, usage logs). |
| Special categories of data | The services are not intended to process special categories of personal data or data relating to criminal convictions and offences. The Customer must not submit such data for processing except as expressly agreed in writing and subject to appropriate additional safeguards. |
Processing on Documented Instructions
The Processor will process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to process the data by UK or EU law to which the Processor is subject. In that case, the Processor will inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The Main Agreement, this DPA and the Customer’s use and configuration of the services constitute the Customer’s complete and final documented instructions to the Processor. Additional or different instructions must be agreed in writing. The Processor will promptly inform the Customer if, in its opinion, an instruction infringes Data Protection Laws, although the Processor is not obliged to carry out a general legal review of the Customer’s instructions.
Processor Obligations
The Processor undertakes that it will:
- process Customer Personal Data only on the Customer’s documented instructions, as set out above;
- ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to those personnel who need it to deliver the services;
- implement and maintain the appropriate technical and organisational measures described in the Security Measures section to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR;
- respect the conditions set out in this DPA for engaging Sub-processors, as described in the Sub-processing section;
- assist the Customer, taking into account the nature of the processing, in fulfilling its obligation to respond to requests from data subjects exercising their rights under the UK GDPR, and in ensuring compliance with its obligations under Articles 32 to 36 (security, breach notification, and data protection impact assessments), as described in the Assistance & Cooperation section;
- at the Customer’s choice, delete or return all Customer Personal Data on termination of the services, as described in the Return & Deletion section; and
- make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, as described in the Audits & Inspections section.
Security Measures (Article 32)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of data subjects, the Processor implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include, as appropriate:
- encryption of Customer Personal Data in transit (TLS) and at rest;
- pseudonymisation and data minimisation where appropriate, and tokenisation of payment and telecommunications identifiers;
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, including network segmentation, firewalling and DDoS protection;
- role-based access controls, the principle of least privilege, multi-factor authentication for administrative access, and detailed audit logging;
- the ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident, including backups and tested disaster-recovery procedures;
- a process for regularly testing, assessing and evaluating the effectiveness of these measures, including vulnerability scanning, penetration testing and secure-development practices;
- vendor and personnel vetting, security awareness training, and documented incident-response procedures;
- alignment with recognised information-security frameworks (such as ISO/IEC 27001 and, where applicable to payment data, the PCI DSS).
The Processor may update or modify these measures from time to time provided that such updates do not materially reduce the overall level of security provided under this DPA.
Personal Data Breaches
The Processor will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known and as further information becomes available:
- describe the nature of the breach, including the categories and approximate number of data subjects and records concerned;
- provide the name and contact details of the Processor’s data protection contact;
- describe the likely consequences of the breach; and
- describe the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
The Processor will cooperate with the Customer and take reasonable steps as directed by the Customer to assist in the investigation, mitigation and remediation of the breach. As the Controller, the Customer remains responsible for assessing whether the breach must be reported to the ICO and/or to affected data subjects under Articles 33 and 34 of the UK GDPR. Breaches may also be reported to security@centili.co.uk.
Assistance & Cooperation
Data subject rights
Taking into account the nature of the processing, the Processor will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection. If the Processor receives a request directly from a data subject relating to Customer Personal Data, it will, unless legally required to respond, promptly forward the request to the Customer and will not respond except on the Customer’s documented instructions.
Data protection impact assessments
The Processor will provide reasonable assistance to the Customer with any data protection impact assessments (DPIAs) and prior consultations with the ICO that the Customer reasonably considers to be required under Articles 35 and 36 of the UK GDPR, in each case solely in relation to the processing of Customer Personal Data by the Processor and taking into account the information available to the Processor.
Sub-processing & General Authorisation
The Customer grants the Processor general written authorisation to engage Sub-processors to process Customer Personal Data in connection with the services, subject to the conditions in this section. The Processor will:
- impose on each Sub-processor, by way of a written contract, data-protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures under Article 28(4) of the UK GDPR;
- remain fully liable to the Customer for the performance of each Sub-processor’s obligations where that Sub-processor fails to fulfil its data-protection obligations; and
- maintain an up-to-date list of Sub-processors, as set out below, and notify the Customer of any intended addition or replacement of a Sub-processor.
The Processor will give the Customer at least thirty (30) days’ prior notice (for example, by email to the Customer’s designated contact or via an update to the list published at centiligroup.com) of any intended changes concerning the addition or replacement of a Sub-processor, thereby giving the Customer the opportunity to object on reasonable data-protection grounds before the new Sub-processor begins processing Customer Personal Data. If the Customer raises a reasonable objection that cannot be resolved, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the services in accordance with the Main Agreement.
Sub-processor List
The Processor currently engages the following Sub-processors to process Customer Personal Data. This list may be updated in accordance with the Sub-processing section; the version published at centiligroup.com is the authoritative current list.
| Name | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & infrastructure | EU / UK regions |
| Google Cloud Platform | Cloud infrastructure & analytics processing | EU / UK regions |
| Cloudflare | CDN, DNS & DDoS protection | Global (EU/UK edge) |
| Google Workspace | Business email & document collaboration | EU / UK / US |
| Microsoft Azure | Selected platform services | EU / UK regions |
In addition to the above, the Processor may engage members of its own corporate group as Sub-processors to provide support, infrastructure and shared services, in each case subject to the same data-protection obligations.
International Transfers
The Processor will not carry out a Restricted Transfer of Customer Personal Data unless it has taken such measures as are necessary to ensure the transfer is lawful under Data Protection Laws. Where the Processor transfers Customer Personal Data to a country outside the United Kingdom that is not the subject of adequacy regulations, it will ensure that an appropriate transfer mechanism is in place, such as:
- the ICO’s International Data Transfer Agreement (IDTA); or
- the EU Standard Contractual Clauses as supplemented by the ICO’s UK Addendum (the UK International Data Transfer Addendum);
together, where required, with a documented transfer risk assessment and any supplementary technical, organisational or contractual measures necessary to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the United Kingdom. Where the EU GDPR applies to a transfer, the parties will additionally rely on the European Commission’s Standard Contractual Clauses. The relevant clauses are incorporated into this DPA by reference and take effect automatically on commencement of the relevant Restricted Transfer.
Audits & Inspections
The Processor will make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the UK GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
To minimise disruption and protect the confidentiality and security of other customers’ data, audits are subject to the following conditions:
- the Customer must give reasonable prior written notice (at least thirty days, save where an audit is required following a Personal Data Breach or by a supervisory authority);
- audits are limited to once in any twelve-month period unless required by Data Protection Laws or a regulator;
- the Customer and its auditors must comply with the Processor’s reasonable on-site security and confidentiality policies; and
- the Processor may satisfy audit requests by providing up-to-date certifications, third-party audit reports (such as ISO/IEC 27001 certificates or SOC 2 reports) and responses to a reasonable security questionnaire where these adequately address the Customer’s request.
Return & Deletion on Termination
On termination or expiry of the services, the Processor will, at the choice of the Customer and following a request made within thirty (30) days of termination, delete or return all Customer Personal Data to the Customer and delete existing copies, unless UK or EU law requires continued storage of the Customer Personal Data.
Where the Processor is required by law (including its anti-money-laundering, tax, accounting and audit obligations) to retain some or all of the Customer Personal Data, it will retain only the minimum data necessary, for the minimum period required, will cease all active processing of that data other than as required for the retention purpose, and will continue to protect it in accordance with this DPA until deletion is permitted.
Liability & Indemnity
Each party’s liability arising out of or in connection with this DPA, whether in contract, tort (including negligence) or otherwise, is subject to the limitations and exclusions of liability set out in the Main Agreement, and any reference in the Main Agreement to a party’s liability means the aggregate liability of that party under the Main Agreement and this DPA together. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under Data Protection Laws or other applicable law, including a data subject’s right to compensation under Article 82 of the UK GDPR.
The allocation of responsibility for any claims, fines or compensation between the parties will reflect each party’s respective responsibility for the relevant non-compliance, in accordance with Article 82 of the UK GDPR and the indemnity provisions (if any) of the Main Agreement.
Duration & Termination
This DPA takes effect on the effective date of the Main Agreement and continues in force for as long as the Processor processes Customer Personal Data on behalf of the Customer. Provisions which by their nature should survive termination — including those concerning confidentiality, return and deletion, retention required by law, liability and the relevant transfer mechanisms — will survive termination or expiry of this DPA. This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
Contact
Questions about this DPA, requests to exercise data-protection assistance, sub-processor notifications, audit requests and transfer documentation should be directed to Centili Group Ltd.’s Data Protection Officer:
- Data Protection Officer: dpo@centili.co.uk
- Privacy enquiries: privacy@centili.co.uk
- Security & breach reports: security@centili.co.uk
Centili Group Ltd., registered in England and Wales under company number [Company number — to be confirmed], with its registered office at [Registered office address — to be confirmed], United Kingdom. ICO registration number [ICO registration number — to be confirmed].