| 1 |
Definitions |
|
|
1.1
|
In this Agreement:
|
|
| |
applicable law |
means applicable law of the United Kingdom (or of a part of the United Kingdom); |
| |
Contract |
the agreement under which Tugger agrees to provide Services to the Customer, including where the Customer agrees to Tugger’s standard Terms of Service; |
| |
Controller |
has the meaning given in applicable Data Protection Laws from time to time; |
| |
Customer |
the person, firm or company to whom Tugger supplies Services under a Contract; |
| |
Data Subject |
has the meaning given in applicable Data Protection Laws from time to time; |
| |
Data Protection Laws |
means, as binding on either party or the Services:
| (a) |
the GDPR; |
| (b) |
the Data Protection Act 2018; |
| (c) |
any laws which implement or supplement any such laws; and |
| (d) |
any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; |
|
| |
Extracted Data |
the Customer’s data extracted by Tugger’s software as part of the Services; |
| |
GDPR |
means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time); |
| |
International Organisation |
has the meaning given in applicable Data Protection Laws from time to time; |
| |
Personal Data |
has the meaning given in applicable Data Protection Laws from time to time; |
| |
Personal Data Breach |
has the meaning given in applicable Data Protection Laws from time to time; |
| |
processing |
has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed and processes shall be construed accordingly); |
| |
Processor |
has the meaning given in applicable Data Protection Laws from time to time; |
| |
Protected Data |
means Personal Data received from or on behalf of the Customer in connection with the performance of Tugger’s obligations under the Contract; |
| |
Services |
the services to be provided by Tugger to the Customer under a Contract; |
| |
Sub-Processor |
means any Processor engaged by Tugger (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data on behalf of the Customer; |
| |
Terms of Service |
Tugger’s standard Terms of Service applicable to the supply of Services to the Customer by Tugger; and |
| |
Tugger |
Tugger Limited (Company no. 13220093), the supplier of the Services to which this Agreement shall apply. |
| |
| 2 |
Customer’s compliance with Data Protection Laws |
| 2.1 |
The parties agree that the Customer is a Controller and that Tugger is a Processor for the purposes of processing Protected Data pursuant to the Contract. |
| 2.2 |
The Customer shall, at all times, comply with all Data Protection Laws in connection with the processing of Protected Data by Tugger in accordance with this Agreement and warrants to Tugger that:
| 2.2.1 |
it has all necessary appropriate consents and notices in place to enable the lawful transfer of the Protected Data to Tugger for the duration and purposes of the Contract so that Tugger may lawfully process the Protected Data in accordance with this Agreement;
|
| 2.2.2 |
the collection and processing of the Protected Data prior to its transfer to Tugger has been carried out in all material respects in accordance with Data Protection Laws;
|
| 2.2.3 |
it is not aware that the processing of the Protected Data in accordance with this Agreement is likely to give rise to breach of any of Data Protection Laws; and
|
| 2.2.4 |
it is registered with all relevant data protection authorities to collect and process the Protected Data.
|
|
| 2.3 |
The Customer shall ensure all instructions given by it to Tugger in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with all Data Protection Laws. |
| |
| 3 |
Supplier’s compliance with Data Protection Laws |
| |
Tugger shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement. |
| 4 |
Instructions |
| 4.1 |
Tugger shall only process (and shall ensure that its personnel only process) the Protected Data in accordance with Part B of this Agreement and for the purpose of the Contract (including with regard to any transfer to which paragraph 9 of this Part A relates), except to the extent:
| 4.1.1 |
that alternative processing instructions are agreed between the parties in writing; or
|
| 4.1.2 |
otherwise required by applicable law (and shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest).
|
|
| 4.2 |
If Tugger believes that any instruction received by it from the Customer is likely to infringe Data Protection Laws it shall promptly inform the Customer and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing.
|
| 5 |
Security |
| 5.1 |
Tugger shall implement and maintain technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such measures may include, where appropriate:
| 5.1.1 |
pseudonymising and encrypting Protected Data,
|
| 5.1.2 |
ensuring the confidentiality, integrity, availability and resilience of its systems and services;
|
| 5.1.3 |
ensuring that the availability of and access to Protected Data can be restored in a timely manner after an incident; and
|
| 5.1.4 |
regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.
|
|
| 6 |
Sub-processing and personnel |
| 6.1 |
Tugger shall:
| 6.1.1 |
not permit any processing of Protected Data by any Sub-Processor save for those authorised pursuant to clause 6.2 or those for which it obtains the prior specific written authorisation of the Customer;
|
| 6.1.2 |
prior to any Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure such Sub-Processor is appointed under a binding written contract containing materially the same obligations as under this Agreement (including those relating to sufficient guarantees to implement appropriate technical and organisational measures) and ensure such Sub-Processor complies with all such obligations; and
|
| 6.1.3 |
remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own.
|
|
| 6.2 |
The Customer generally authorises the appointment of the Sub-Processors listed below:
| 6.2.1 |
IT and system administration service providers such as HubSpot (contact email and phone number), SendGrid (contact email) and Microsoft Power BI (contact email);
|
| 6.2.2 |
payment service providers such as Paddle and Stripe (contact name, email and payment card details);
|
| 6.2.3 |
account management software providers such as Xero (contact name, email and phone number); and
|
| 6.2.4 |
software platform and cloud services providers such as Microsoft’s Azure or Google, on whose platforms the Tugger software and the Extracted Data will reside.
|
|
| 7 |
Further Sub-Processors |
| |
The Customer shall reply to any communication from Tugger requesting any further prior specific authorisation of a Sub-Processor pursuant to paragraph 6.1.1 of this Part A promptly and in any event within 10 Business Days of request from time to time. The Customer shall not unreasonably withhold, delay or condition any such authorisation.
|
| 8 |
Assistance |
| 8.1 |
Tugger shall (at the Customer’s cost and expense) assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Tugger. |
| 8.2 |
Tugger shall (at the Customer’s cost and expense) and taking into account the nature of the processing, assist the Customer (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR in respect of any Protected Data. |
| 8.3 |
Tugger shall promptly refer to the Customer all requests it receives for exercising any Data Subjects’ rights under Chapter III of the GDPR which relate to any Protected Data. It shall be the Customer’s responsibility to reply to all such requests as required by applicable law. |
| 9 |
International transfers |
| |
Where any Protected Data is transferred to or processed by a Sub-Processor based outside of the UK, Tugger will ensure a similar degree of protection is afforded to the Protected Data by ensuring at least one of the following safeguards is implemented (as required by and in accordance with Data Protection Laws):
- The Protected Data is only transferred to countries that have been deemed to provide an adequate level of protection for personal data; or
- The Sub-Processor enters into a specific contract approved for use in the UK which give the Protected Data the same protection as it has in the UK.
|
| 10 |
Audits and processing |
| |
Tugger shall, in accordance with Data Protection Laws, make available to the Customer on request such information that is in its possession or control as is necessary to demonstrate Tugger’s compliance with the obligations placed on it under this Agreement and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) on reasonable notice for this purpose (subject to a maximum of one audit request in any 12 month period under this paragraph 10). To the extent consistent with the foregoing, Tugger shall, however, be entitled to withhold information where it is commercially sensitive or confidential to it or its other customers.
|
| 11 |
Breach |
| |
Tugger shall notify the Customer without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
|
| 12 |
Deletion |
| 12.1 |
On the end of the provision of the Services relating to the processing of Protected Data (the Processing End Date), at the Customer’s cost and expense and the Customer’s option, the Supplier shall either return all of the Protected Data to the Customer or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the Supplier to store such Protected Data. To the extent the Customer has not notified the Supplier within 20 Business Days of the Processing End Date that it requires the return of any Protected Data the Supplier is irrevocably authorised to securely dispose of the Protected Data. For the avoidance of doubt any electronically held Protected Data data shall be considered deleted, for the purpose of this clause, where it has been put beyond use.
|
| 12.2 |
On request from the Customer, Tugger shall confirm in writing whether or not it has complied with its obligations to dispose of the Protected Data under paragraph 12.1 of this Part A.
|
| 13 |
Survival |
| 13.1 |
This Agreement shall survive, until the later of:
| 13.1.1 |
the termination or expiry of the Contract; or
|
| 13.1.2 |
the secure deletion or disposal of the last of the Protected Data in Tugger’s (or any of its Sub-Processor’s) possession or control in accordance with this Agreement.
|
|
| 14 |
Limitation of Liability |
| |
To the fullest extent permitted by law, Tugger shall not be liable to the Customer, whether in contract, tort (including negligence), for breach of statutory duty or otherwise for: (i) loss of profits; (ii) indirect or consequential losses; (iii) loss of sales or business; (iv) loss of anticipated savings; (v) loss of use or corruption of software, data or information; (vi) business interruption; or (vii) exemplary or punitive damages.
|
| 15 |
General |
| 15.1 |
Except as expressly provided in this Agreement, no variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
|
| 15.2 |
If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.
|
| 15.3 |
This agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
|
| 15.4 |
This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
|
| 15.5 |
The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
|
