Data Processing Agreement (DPA)

Effective Date: 29th July 2024

Introduction

This Data Processing Agreement ("Agreement") is made and entered into as of 29th July 2024 ("Effective Date") by and between, Relaybox Ltd ("Processor"), having its principal place of business at 4D Madeley Road, London, W5 2LH, and Customer ("Controller"), using the services provided by Relaybox Ltd.

This Agreement sets forth the terms and conditions under which Processor will process personal data on behalf of Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.

Scope and Duration

  • Scope: This Agreement applies to all processing of Personal Data carried out by Processor on behalf of Controller as specified in the services provided by Relaybox Ltd ("Services").
  • Duration: This Agreement will remain in force for the duration of the Controller's use of the Services, unless terminated earlier in accordance with the terms set forth herein.

Processing of Personal Data

  • Instructions: Processor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  • Purpose: Processor shall process Personal Data solely for the purposes of providing the services specified in the Services.

Obligations of the Processor

  • Confidentiality: Processor shall ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security Measures: Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to pseudonymization and encryption of Personal Data, measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services, and measures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
  • Assistance: Processor shall assist Controller in ensuring compliance with Controller's obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • Data Subject Rights: Processor shall promptly notify Controller of any requests received from Data Subjects exercising their rights under the GDPR. Processor shall not respond to such requests unless instructed by Controller.

Sub-processing

  • Authorization: Controller authorizes Processor to engage Sub-processors for carrying out specific processing activities on behalf of Controller. Processor shall inform Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Controller the opportunity to object to such changes.
  • Liability: Processor shall remain fully liable to Controller for the performance of the Sub-processor's obligations.

Data Transfers

  • Transfers: Processor shall not transfer Personal Data to a third country or international organization without Controller's prior written consent. Where such transfers are necessary, Processor shall ensure appropriate safeguards are in place as required by GDPR.

Data Breach Notification

  • Notification: Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach. Such notification shall, at a minimum, describe the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

Termination and Deletion

  • Termination: Upon termination of the Controller's use of the Services, Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless Union or Member State law requires storage of the Personal Data.
  • Retention: Processor may retain Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law.

Miscellaneous

  • Amendments: Any amendments to this Agreement shall be in writing and signed by authorized representatives of both parties.
  • Governing Law: This Agreement shall be governed by and construed in accordance with the laws of [Your Jurisdiction], without regard to its conflict of law principles.
  • Severability: If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Contact Information

For any questions or concerns regarding this Agreement, please contact:

  • Relaybox Ltd
    • Email: admin@relaybox.net
    • Address: 4D Madeley Road, London, W5 2LH

By using our Services, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions of this Data Processing Agreement.