Graphologi

Data Processing Addendum

This Data Processing Addendum forms part of our Conditions.

Capitalised and defined terms have the meanings given to them in our Conditions. References to “we” or “us” are to Graphifi. 

1.1 You shall ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of the Protected Data to us for the duration and purposes of Services so that we may lawfully use, process, and transfer the Protected Data in accordance with the Services. 

1.2 Instructions. We shall only process (and shall ensure its personnel only process) the Protected Data in accordance with this addendum, except to the extent: 

1. that alternative processing instructions are agreed between us in writing; or
2. we are otherwise required by applicable law (and shall inform you of that legal requirement before processing, unless applicable law prevents us doing so on important grounds of public interest); and
3. without prejudice to any other term in this Data Processing Addendum or our Conditions, if we believe that any instruction is likely to infringe the Data Protection Laws we shall promptly inform you and be entitled to cease to provide the relevant Services until we have agreed appropriate amended instructions which are not infringing.

1.3 The processing of the Protected Data by us shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the Appendix to this addendum.

1.4 Security. Taking into account the state of technical development and the nature of processing, we shall implement and maintain technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. 

1.5 Sub-processing and personnel. We shall:

1. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Data Protection Addendum (including those relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by us and ensure each such Sub-Processor complies with all such obligations;
2. remain fully liable to you under the Conditions for all the acts and omissions of each Sub-Processor as if they were our own; and
3. ensure that all persons engaged by us or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential, and

you authorise the appointment of Sub-Processors provided we complies at all times with the provisions of this clause 1.5.

1.6 Assistance. We shall (at your cost):

1. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to us; and
2. taking into account the nature of the processing, assist you (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.

1.7 International transfers. We shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the United Kingdom without your prior written consent. 

1.8 Audits and processing. We shall, in accordance with Data Protection Laws, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with the obligations placed on us under this clause 1.8 and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by you (or another auditor you mandate) for this purpose (subject to a maximum of one audit request in any 12 month period).

1.9 Breach. We shall notify you without undue delay (and in any event within 24 hours) and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.

1.10 Deletion/return. On the end of the provision of the Services relating to the processing of Protected Data, at your cost and our option, within 30 days we shall either return all of the Protected Data to you or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires us to store such Protected Data. This clause 1.10 shall survive termination or expiry of the agreement.

Appendix

Data Processing Details

Subject-matter of processing:

The provision of remote software for taxonomy and ontology management. 

Duration of the processing:

For the duration of the customer’s paid subscription. 

Nature and purpose of the processing:

Processing as reasonably required to provide the services to the customer. 

Type of Personal Data:

Names and email addresses. 

Categories of Data Subjects:

Employees of the customer. 

Special categories of Personal Data:

None.