Data Processing Addendum
This Data Processing Addendum (DPA) is entered into automatically as part of the SaaS Services Agreement ("the Agreement"), and supplements section 3.4 of the Agreement by addressing requirements for processors as set out in the Data Protection Acts 1988-2018 (Republic of Ireland), and in line with the GDPR.
This DPA is between Upscaler Limited ("the Company"), and your organisation ("the Customer") as defined in the Agreement.
This DPA was last updated on 30 January 2022.
1. DEFINITIONS
1.1 Capitalised terms used in this DPA are defined in the Agreement, and the Agreement definitions shall apply.
1.2 The personal data which is stored and processed by the Customer using the Services provided by the Company is referred to as "Customer Personal Data" in this DPA. Customer Personal Data is a sub-set of Customer Data as defined in section 3.1 of the Agreement.
1.3 Personal data is defined in the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland), and applies to all references to personal data within this DPA.
1.4 The GDPR refers to the General Data Protection Regulation (EU) 2016/679.
2. SCOPE
This DPA applies to Customer Personal Data that is processed using the Services. The Services are provided to the Customer by the Company in line with the Agreement.
3. ROLES
3.1 The Company does not determine the use of any Customer Personal Data which the Customer may record and store using the Services, and will act as the processor to the Customer. The Customer will act as the controller of the Customer Personal Data, or where the Customer is acting on behalf of the Customer's own clients or end-users, the Customer will act as the processor to their clients or end-users.
3.2 As the controller of the Customer Personal Data, the Customer is responsible for determining the details of the processing, which includes: (a) the subject matter, (b) the duration of the processing, (c) the purpose of the processing, (d) the nature of the processing, (e) the type of data uploaded and stored, and (f) the categories of data subjects (e.g. employees, third-parties, end-users, clients, etc.). The details of the processing as understood by the Company are set out in section 4 of this DPA.
3.3 Where the Customer is acting as a processor on behalf of the Customer's own clients or end-users, the Customer is responsible for processing the Customer Personal Data in line with Customer client or end-user instructions.
3.4 Third parties which the Company engages with to provide the Services to the Customer will act as sub-processors where Customer Personal Data may be shared with them in the provision of the Services.
3.5 The Company and the Customer will comply with all applicable legal and regulatory obligations for data processing in line with the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland).
4. DETAILS OF PROCESSING
As the processor, the Company understands the details of the processing activities to be as follows:
4.1 Subject matter
Processing of Customer Personal Data as per this DPA.
4.2 Duration of the processing
The Customer Personal Data will be processed for the duration of the Agreement between the Company and the Customer. Processing of Customer Personal Data will cease upon termination of the Agreement, and will be deleted or returned to the Customer as per section 5.7 of this DPA.
4.3 Purpose of processing
The Customer Personal Data will be processed in order to provide the Services to the Customer as set out in the Agreement.
4.4 Nature of processing
Provision of the Services to the Customer as set out in the Agreement, which includes such services as storage, compute, and access to the data.
4.5 Type of data uploaded and stored
Customer Personal Data as determined and controlled by the Customer. This may include contact data, employee data, end-user activity data, documentation which includes Customer Personal Data, or any other Customer Personal Data that is recorded and stored by the Customer or their end-users or clients in their use of the Services.
4.6 Categories of data subjects
Data subjects may include Customer end-users, Customer clients, Customer employees, Customer third-parties, or any end-user of the Services that the Customer has authorised to use the Services on their behalf.
5. OBLIGATIONS OF THE COMPANY
5.1 Written instruction
The Company agrees to process Customer Personal Data only in accordance with written instruction, and the Customer and the Company agree that this DPA and the Agreement constitute the written instruction for the processing of the Customer Personal Data. Any additional processing instruction from the Customer will be considered outside the scope of this DPA and the Agreement, and will require separate, prior written agreement between the Company and the Customer, which may incur additional fees. Where the Company cannot agree to the additional instruction issued by the Customer, the Customer is entitled to terminate the Agreement. Where the Company is of the opinion that the written instruction contradicts the requirements of the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland), the Company shall inform the Customer immediately.
5.2 Confidentiality
5.2.1 The Company agrees that it will not access, use, or disclose Customer Personal Data except where it may be necessary to provide the Services to the Customer, such as when providing customer support services, engaging with necessary third-party providers such as those listed in the Company's Privacy Policy, or when legally required to do so. The overall terms and conditions regarding the confidentiality of data are set out in section 3 of the Agreement.
5.2.2 The Company agrees to enforce appropriate contractual obligations for its personnel regarding the confidentiality of Customer Personal Data, and that personnel are obliged to adhere to the Company's information security policies, which includes the protection and confidentiality of Customer Personal Data.
5.3 Protection of data
5.3.1 The Company agrees to implement appropriate technical and organisational measures to protect the Services provided to the Customer, and the Customer Personal Data stored and processed using the Services. The Company is certified to the ISO/IEC 27001:2013 standard for information security, and implements best practice security controls for the protection of data as required by the standard. This includes such controls as encryption, continuity and availability of information and services, and testing and assessing the effectiveness of implemented controls. The certificate can be viewed on the Company's Trust webpage, along with additional information regarding the Company's security controls.
5.3.2 The Company agrees to assist the Customer in complying with the Customer's obligations for protecting Customer Personal Data in line with the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland) by providing the Services with optional security controls such as: (a) configurable permissions, (b) role-based access controls, (c) multi-factor access control to the Services, and (d) data export facilities. The Company also implements security and data protection measures as set out in section 5.3.1 of this DPA.
5.4 Assisting with Customer obligations
5.4.1 The Company agrees to, taking into account the nature of the processing, assist the Customer in fulfilling their obligations to respond to data subject requests by providing, where practical and possible, appropriate technical and organisational measures. Where the Customer's data subject makes a request to the Company, the Company will forward the data subject request to the Customer, and confirm with the data subject that the request has been forwarded to the Customer.
5.4.2 The Company agrees to, taking into account the nature of the processing and information provided by the Customer regarding the processing, assist the Customer in complying with the Customer's obligations regarding data protection impact assessment and prior consultation in line with the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland) by providing information about the Company's security and data protection measures as described in this DPA.
5.4.3 Where the Company becomes aware of a data breach impacting Customer Personal Data, the Company agrees to: (a) notify the Customer without undue delay, and (b) take steps to mitigate any adverse effects that may result from the breach, where possible and appropriate. The notification to the Customer will include, where possible, information about the breach which the Company is able to disclose, taking into consideration the nature of the processing and any restrictions regarding the disclosure of information.
5.5 Sub-processing of data
5.5.1 The Company agrees to provide adequate notification to the Customer of any new sub-processors that the Company may engage with in order to provide the Services to the Customer. Approved sub-processors currently engaged by the Company are listed in section 5 of the Company's Privacy Policy, and the Customer is considered to have provided general authorisation to the use of this approved list of sub-processors. The Privacy Policy will be updated periodically to include any newly approved sub-processors, and the Customer is entitled to terminate the Agreement where it objects to the use of any new sub-processors.
5.5.2 When engaging with sub-processors, the Company agrees to: (a) restrict the access of Customer Personal Data to only what is necessary to provide the Services to the Customer, (b) ensure that there is a written agreement with the sub-processor for processing of personal data that meets the requirements of the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland), and (c) remain responsible for any failure of a sub-processor to fulfil its data protection obligations.
5.6 Demonstrating compliance
The Company agrees to maintain its ISO/IEC 27001:2013 certification as evidence of compliance with this DPA, and makes the certificate available to the Customer for audit purposes. The ISO/IEC 27001:2013 certification is audited by external third-party auditors appointed by an accredited Certification Body. The Certification Body is accredited by INAB and UKAS, which are both members of the IAF. Surveillance audits are carried out by the Certification Body every six months, and are documented in semi-annual audit reports. Audit reports and supporting documentation such as information security policies may be made available to the Customer upon request, provided that an appropriate NDA is in place between the Company and the Customer, and taking into consideration any restrictions regarding the disclosure of information.
5.7 Deletion of data
The Company agrees to delete all Customer Personal Data following a termination of the Agreement. Terms and conditions regarding termination are set out in section 5 of the Agreement, and shall apply to this DPA.
5.8 Data transfer
The Company agrees to comply with the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland) for any international transfers of data. Information regarding transfer of data is set out in section 6 of the Company's Privacy Policy, and shall apply to this DPA.
6. OBLIGATIONS OF THE CUSTOMER
6.1 Data accuracy
The Customer agrees that the Company is not likely to be able to determine if Customer Personal Data stored and processed using the Services is up-to-date and accurate. The Customer will maintain the accuracy of the Customer Personal Data.
6.2 Written instruction
The Customer acts as the controller of the Customer Personal Data, or as the processor when acting on behalf of its end-users or clients, and agrees that the Company is not likely to be able to determine whether any written instruction set out in section 4 of this DPA breaches the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland). The Customer agrees to provide the Company with accurate written instruction in compliance with the GDPR and Data Protection Acts 1988-2018 (Republic of Ireland) so that the Services can be delivered to the Customer as set out in the Agreement.
6.3 Protection of data
The Company makes optional security controls available to the Customer as described in section 5.3.2 of this DPA. The Customer agrees that it is responsible for appropriately implementing and configuring any such optional security controls for the protection of Customer Personal Data, and will not hold the Company responsible for any misconfiguration of the optional security controls where the misconfiguration results in a breach of the Customer Personal Data.
6.4 Data breaches
The Customer agrees that the Company is not likely to be able to determine the impact to the rights and freedoms of the Customer's data subjects in the event of a data breach. Where there is a breach of the Customer Personal Data stored and processed using the Services, the Customer will be responsible for determining the impact to the Customer's data subjects.
6.5 Customer audits
The Customer agrees that the Company demonstrates compliance with this DPA by carrying out the audit activities described in section 5.6 of this DPA. Any request by the Customer to conduct an audit constitutes an instruction to the Company to undertake the audit activities described in section 5.6 of this DPA. Where the Customer wishes to request additional auditing not already provided by the Company, the Company may decline the request, and the Customer is entitled to terminate the Agreement.
7. PRECEDENCE
The subject matter of this DPA is the processing of Customer Personal Data. Where there is any conflict or inconsistency between the Agreement and this DPA regarding the processing of Customer Personal Data, this DPA shall take precedence.