Highrise Digital Ltd Data Processing Agreement
For the purposes of this agreement, any references to your “online services” means any website, application, database, email, files, cloud computing services or any other IT computer system that we (Highrise Digital) work on for you.
The agreement forms part of Highrise Digital Ltd’s terms and conditions and applies if:
- we host your online services e.g. your website
- we carry out maintenance and development work on your website
- we migrate or take a copy of your online services to work on
- we export or import data to or from your online services
- we are building you an online service e.g. a WordPress website
- we help with other forms of digital services, notably were we need to login to your other digital account e.g. your social media accounts
Data Protection Legislation: all applicable data protection laws including General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any applicable national data protection legislation, regulations and secondary legislation from time to time in force in the jurisdiction of the Controller and/or the Processor relating to the processing of Personal Data, and where relevant the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
For the purposes of this document “you” or “your” either represent yourself if you are the data controller or the organisation you represent if it is the data controller. “We” or “us” refer to Highrise Digital Ltd.
All definitions used in this clause shall have the definition set out in the Data Protection Legislation.
The Controller and the Processor acknowledge that the Controller is the controller and the Processor is the processor and that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation. The Processor may process the Personal Data categories and Data Subject types set out in Schedule 1 of this Agreement. Each party agrees to comply with all applicable requirements of the Data Protection Legislation.
The data processor (us) shall:
- implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject;
- only authorise a third party (“sub-processor”) to process the Personal Data if:
- (i) the Processor has obtained the prior written consent from the Controller for each appointment of a sub-processor (or the sub-processor’s name or category is set out in Schedule 1 below) and;
- (ii) the Processor and the sub-processor enter into a written contract containing terms the same as those set out in this clause, in particular, in relation to data security measures and
- (iii) the Processor maintains control over all Personal Data it shares with the sub-processor and
- (iv) the Processor ensures that the sub-processor does not process the Personal Data except on instructions from the Data Controller (unless required to do so by Union or Member State law);
- process the Personal Data only on documented instructions from the Controller, unless required to do so by Data Protection Legislation to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- ensure that is has in place appropriate technical and organisational measures, reviewed and approved by the Controller, to ensure a level of security appropriate to the risk (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Natural Persons) including, where appropriate, the pseudonymisation and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing. Account shall also be taken of the risks that are presented by the processing in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights set out in Chapter III of the GDPR;
- assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (data breach) taking into account the nature of processing and the information available to the Processor;
- at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of this Agreement and delete existing copies (unless Union or Member State law requires storage of the Personal Data);
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
- assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of GDPR, taking into account the nature of processing and the information available to the Processor;
- immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation;
- promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing;
- keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller;
- not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without obtaining the Controller’s prior written consent (except where the Processor is required to transfer such data by Union or Member State law, in which case the Processor shall inform the Controller of such legal requirement before processing takes place, unless any law prohibits such disclosure on important grounds of public interest) and (i) there is an appropriate safeguard or derogation for such transfer in accordance with part V of the GDPR;
Personal data processing purposes and details
Subject matter of processing:
This is personal information which is stored on or in the controllers website, database, mobile or web application, IT system or any other files or database that we host.
Duration of Processing:
Below outlines the duration of the processing for the different subject matters we process data for:
- Website hosting: the processor will keep data for the duration of the hosting agreement. Once the hosting agreement is terminated the processor will delete such hosted data including any data backups which were taken during the course of the agreement.
- Data or website migrations: the processor will keep migrated data until such time as the controller and the processor agree that the migration is successful. Once agreed in writing the processor shall delete such data including any backups. Backup data may take up to a month for be deleted.
- Copies of data taken for development work: the processor may need copies of data in order to carry out development work on systems e.g. websites. Both the controller and the processor will make every effort to anonymise personal information in this data. Where this cannot be done, the processor will only keep this taken for the duration of the work to be carried out, after which the processor will delete such data.
- Any other data: sometimes the processor will be required to carry out tasks for specific personal information and as such will be required to process this data in order to help. Once the request is complete the processor will delete this personal information, unless there is a specific legal or regulatory reason to process it for longer.
Nature and Purpose of Processing:
The processor will process data for the following reasons:
- To host the controllers website, web or mobile application, database, files or other IT system.
- Migrate the controllers website, web or mobile application, database, files or other IT systems from one server or host to another.
- Carrying out requests to work on the controllers website, web or mobile application, database, files or other IT systems from one server or host to another.
- Billing / invoicing requirements.
Data Subject Types:
- Users – these are anyone accessing the online services by logging in. Usually these users are provided by the controller or authorised to access the services by the controller through creating a login.
- Visitors – these are people visiting the online services of the controller, usually the websites visitors
Personal Data Categories:
These may include but are not limited to:
- User logins - email address, passwords (encrypted), addresses and any other data users add to their online profiles
- eCommerce purchase records
- Data that is submitted in forms on/in online services
- Website comments and associated personal data
- Online identifiers such as cookies, session IDs and IP addresses
- Analytics data from websites and user tracking
- Email that you send and receive (assuming that the processor is hosting the controllers email)
- Documents and media items uploaded to online services
The processor will endeavour to take the following minimum security measures:
- Use long passwords over 24 characters in length, generated by a password manager
- Use a password manager in order to store all passwords in a securely encrypted vault
- Where services allow, use 2-factor authentication on login credentials
- Use SSL (https) where possible on all websites that collect personal information to ensure its transfer is encrypted
- Employees are instructed to encrypt all hard drives on work computers
- Employees are also instructed to always lock all computers when away from the screen
- Ensuring that all employees computers are backed up
- Endeavouring to always keep software up-to-date running updates as soon as possible
Approved sub-processors categories
- Hosting companies providing either shared hosting or a virtual private server (VPS)
- Cloud computing companies
- Services providers for things such as email, document storage, accounting, backups, project management systems and other business related activities