Data Processing Supplement

1. DEFINITIONS

“the Agreement” means the agreement to which this Supplement is attached, and where the context requires, includes this Supplement; “Customer Data” means any data of the Customer (including data of the Customer’s own customers, suppliers, vendors and end users) which is Processed on the Diffusion System;
“Customer Instance” means any version of the Diffusion System the Customer has access to that has been configured according to the Customer’s requirements;
“Customer Personal Data” means any Customer Data which is Personal Data;
“Customer System” means any information technology system or systems owned or operated by the Customer from which Customer Data is received in accordance with this Supplement.
“End User System” means any data processing equipment of the Customer or third parties authorised by the Customer which receives Customer Data from the Diffusion System;
“Privacy and Data Protection Requirements” means all applicable data protection and privacy legislation in force from time to time including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and the equivalent of any of the foregoing in any relevant jurisdiction.
“Diffusion System” means any data processing equipment or system owned or under the control of Diffusion and used to Process Customer Data;
“Security Standards” means the physical and data security standards annexed contained within or annexed to this Supplement as amended by Diffusion from time to time.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.
“Security Breach” means any security breach relating to:
(a) the Customer Personal Data reasonably determined by Diffusion to be sufficiently serious or substantial to justify notification to the Information Commissioner or other relevant supervisory authority in accordance with the Privacy and Data Protection Requirements; or (b) the Customer Personal Data reasonably determined by Diffusion to be sufficiently serious or substantial to give rise to a material risk of litigation by third parties affected by the breach.
“Security Feature” means any security feature, including any key, PIN, password, biometric information, token, certificate or smartcard.
“Specific Instructions” means instructions for the Processing of Customer Personal Data given by or on behalf of the Customer to Diffusion in any form, including configuration of the Customer Instance and any support or maintenance services which Diffusion provides to the Customer.
“This Supplement” means this data processing and security supplement.
Capitalised terms not defined above are to be interpreted in accordance with the Agreement and the Privacy and Data Protection Requirements.

2. CONTEXT

2.1 Diffusion provides a cloud-based system which facilitates the provision of data in realtime or as stored on the Diffusion System, to multiple devices (“Services”).

2.2 To the extent that any Customer Personal Data is being Processed on any Customer Instance, it is the Customer, and not Diffusion, who determines the purposes for which it is Processed, and the Customer, and not Diffusion, which determines the configuration of the Customer Instance (including the extent to which, and duration for which, any data is stored), and thereby acts as Data Controller.

2.3 The Customer acknowledges the Customer Instance is configurable in ways concerning which the Customer has specific duties and responsibilities as Data Controller which if not adhered to may result in breach of Privacy and Data Protection Requirements, such as the non-transient storage, deletion, amendment, blocking, erasure, unauthorised transmission and transfer to third countries of Customer Personal Data. The Customer acknowledges that such configuration is entirely outside of Diffusion’s control and it is the Customer’s sole responsibility to ensure that the configuration of its Customer Instance(s) is in compliance with Privacy and Data Protection Requirements.

3. DIFFUSION RIGHTS AND OBLIGATIONS

3.1 Diffusion agrees to (1) act solely on the instructions of the Customer in relation to the Processing of Customer Personal Data, as set out in Appendix 1, through the Services (meaning that Diffusion shall not Process Customer Personal Data either (a) on the instructions of any entity other than the Customer or (b) on its own account (other than in circumstances where it is required to do so by applicable law, in which case Diffusion shall notify the Customer in advance, unless prevented from doing so by such law); and (2) employ technical and organisational measures to ensure the security of Customer Personal Data, as more particularly set out in this Supplement and the Security Standards.

3.2 Diffusion shall keep at its normal place of business appropriate records relating to the processing of the Customer Personal Data by Diffusion (‘Records’). Diffusion may keep logs of Specific Instructions received from the Customer, thus causing those Specific Instructions to be documented.

3.3 Diffusion shall permit the Customer on reasonable notice in writing, during normal business hours and on one occasion per contract year, (but without notice or restriction on the number of occasions in case of any reasonably suspected breach of this Supplement or the Security Standards), to:
(a) gain access to review and take copies of the Customer Records and review any other relevant information held at Diffusion’s premises or on the Customer System; and
(b) inspect all Customer Records, and relevant documents; and
(c) make such information available relating to any Subcontractors as shall be necessary for the Customer to undertake the review set out above.

3.4 Diffusion will submit to reasonable data security and privacy compliance audits by the Customer or an independent third party, to verify compliance with this Supplement, applicable law, and any other applicable contractual undertakings. Any such audits shall be subject to the provision of reasonable notice and the further restrictions described in Clause 3.3. Diffusion shall give all necessary assistance to the conduct of such audits throughout the Term of the Agreement and the Customer will provide Diffusion with a copy of the resulting audit reports. Diffusion reserves the right to charge the Customer any reasonable costs incurred as a result of the Customer exercising its rights pursuant to Clause 3.3 and/or Clause 3.4.

3.5 To the extent that it acts as Data Processor, Diffusion shall ensure that the Customer Personal Data is kept secure, and shall use all reasonable security practices and systems applicable to the use of the Customer Personal Data to prevent, and take prompt and proper remedial action against, unauthorised access, copying, modification, storage, reproduction, display or distribution of the Customer Data and Customer Personal Data, it being always acknowledged that other than the limited circumstances in which Diffusion Processes Customer Personal Data in connection with the Services the Customer, and not Diffusion, has access to and is aware of the nature of the Customer Personal Data and consequently bears sole responsibility for compliance with Privacy and Data Protection Requirements.

3.6 Diffusion shall not disclose any Customer Personal Data other than (1) subject to Specific Instructions or (2) as required by law.

3.7 Diffusion shall:
(a) only make copies of the Customer Personal Data to the extent reasonably necessary to carry out its duties under the Agreement; and
(b) not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store the Customer Personal Data other than to carry out its duties under the Agreement or in accordance with Specific Instructions.

3.8 Diffusion shall take reasonable steps to ensure that personnel who have access to the Customer Personal Data have committed themselves to confidentiality and shall comply with these this Supplement and Privacy and Data Protection Requirements.

3.9 Diffusion shall not permit any third party to Process Customer Personal Data except as specifically stated in this Supplement, in accordance with Specific Instructions, or where such disclosure or transfer is required by applicable law.

3.10 Diffusion shall take reasonable precautions to preserve the integrity of any Customer Personal Data Processed by it and to prevent any corruption or loss of such Customer Personal Data. Where configured by the Customer, Diffusion will store such Customer Personal Data for a period of time to permit failover and recovery in the case of failure of Diffusion Systems.

3.11 Diffusion may transfer Customer Personal Data to and Process Customer Personal Data in any country where it or its Subcontractors are located insofar as such Processing is required for the performance of the Services. Diffusion shall ensure that, when processing any Customer Personal Data which is subject to the Privacy and Data Protection Requirements of the European Economic Area (which for the purposes of this Agreement shall be deemed to include the United Kingdom), and such processing takes place outside the European Economic Area, that appropriate measures are in place, such as the Standard Contractual Clauses, Binding Corporate Rules or compliance with the US Privacy Shield program to permit such processing to take place lawfully.

3.12 Diffusion may engage third parties (“Subcontractors”) to provide limited services on its behalf, such as support or where set out in the Security Standards. Diffusion shall transfer Customer Personal Data to subcontractors solely where necessary for the Subcontractors to provide such limited services, on written terms which prohibit the Subcontractors from Processing the Customer Personal Data for any other purpose and are otherwise compliant with this Supplement and the Data Protection Requirements, including where such transfer is outside the European Economic Area. Diffusion shall remain accountable and responsible for all actions by Subcontractors with respect to the disclosed or transferred Customer Personal Data. A list of Subcontractors which are or may be used to Process Customer Personal Data is available on request. Diffusion shall notify Customer in advance of any addition or replacement of such Subcontractors, and Customer shall have up to two weeks to object to any such change.

4. CUSTOMER OBLIGATIONS

4.1 The Customer agrees and acknowledges that:
a) it has familiarised itself with the configuration and operation of the Customer Instance;
b) that the technical and organisational measures implemented by Diffusion are as set out in the Security Standards; and
c) it is responsible for the configuration of the Customer Instance (including storage whether for resilience or otherwise) in such a way to ensure that it complies with the Privacy and Data Protection Requirements.

4.2 The Customer agrees that as Data Controller it is itself responsible for ensuring compliance with Privacy and Data Protection Requirements and that it will design, implement and operate the Customer Systems accordingly, taking into account the fact that the Security Standards are designed on the basis that Diffusion has limited access to the Customer Personal Data.

4.3 The Customer acknowledges that Diffusion is under no duty to investigate the completeness, accuracy or sufficiency of any Specific Instructions or the Customer Data.

4.4 Where Diffusion provides services relating to the configuration and operation of the Customer Instance, the Customer acknowledges that Diffusion is advising the Customer as to industry best practice, in terms of in the context of the purpose for which Customer Personal Data may be Processed as opposed to making any determination as to the means by which and the purpose for which the Processing occurs on the Customer’s behalf, and that the decisions are made by Customer alone and that accordingly, Diffusion is neither sole or co-data controller in respect of such Customer Personal Data.

4.5 Where Diffusion provides support and maintenance services for the Customer, the Customer will, to the extent possible, ensure that it does not disclose Customer Personal Data to Diffusion. Where such Customer Personal Data is disclosed, the Customer hereby instructs Diffusion to process the data solely and to the extent necessary for the purposes of providing support and maintenance services for the Customer and to delete such Customer Personal Data once such Customer Personal Data are no longer required for providing such support and maintenance services. Diffusion shall otherwise process such Customer Personal Data in accordance with the Agreement including this Supplement. The Customer acknowledges and accepts that Diffusion may use remote screen services such as Intercom and that Customer Personal Data obtained and Processed using such systems shall be used solely for the purpose of providing support and maintenance services.

4.6 Diffusion will reasonably assist the Customer with meeting Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Diffusion’s processing and the information available to Diffusion, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under Privacy and Data Protection Requirements.

4.7 Diffusion will take such technical and organisational measures as may be appropriate, and promptly provide such information and assistance to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
(a) the rights of data subjects under the Privacy and Data Protection Requirements, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and (b) information or assessment notices served on Customer by any supervisory authority under the Privacy and Data Protection Requirements.

4.8 Diffusion reserves the right to charge Customer any reasonable costs incurred in the course of fulfilling its obligations pursuant to Clause 4.6 and/or Clause 4.7.

5. MUTUAL OBLIGATIONS

5.1 If either party:
(a) becomes aware of any unauthorised or unlawful processing of any Customer Personal Data or that any Customer Personal Data is lost or destroyed or has become damaged, corrupted or unusable;
(b) becomes aware of any Security Breach; or
(c) learns or suspects that any Security Feature has been revealed to or obtained by any unauthorised person,
that party shall, at its own expense, promptly notify the other party and fully co-operate with the other party and any supervising authority having jurisdiction over such party and/or the Personal Data in question to remedy the issue as soon as reasonably practicable.

5.2 Diffusion may change Security Features on notice to the Customer for security reasons.

6. WARRANTIES

6.1 Each party warrants to the other that it will process the Customer Personal Data in compliance with the Privacy and Data Protection Requirements.

6.2 Diffusion warrants and represents that for such time as it Processes Customer Personal Data that it will:
(a) (having regard to the state of technological development and the cost of implementing any measures, subject to Customer’s compliance with paragraphs 6.3 (e) and (f) below) take the technical and organisational measures against the unauthorised or unlawful processing and the accidental loss or destruction of, or damage to, of Customer Personal Data to ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the Data to be protected as set out in the Security Standards
(b) take reasonable steps to ensure compliance with those measures; and
(c) discharge its obligations under this Supplement with all due skill, care and diligence.

6.3 The Customer warrants, undertakes and represents that for such time as Diffusion processes Customer Personal Data:
(a) the Customer has the right to license the processing of the Customer Data for the purpose of its agreement with Diffusion;
(b) the processing of the Customer Data under its agreement with Diffusion will not infringe the Intellectual Property Rights of any third party;
(c) the Customer Data contains nothing that is defamatory or indecent;
(d) Diffusion’s processing of the Customer Personal Data in accordance with Specific Instructions has been and will be carried out in accordance with the Privacy and Data Protection Requirements at all times;
(e) the Customer has reviewed the Security Standards and has made its own determination that the Security Standards are appropriate for the Processing of Customer Personal Data by Diffusion in accordance with the Agreement;
(f) the Customer has obtained, where necessary, appropriate consents from the Data Subjects of Customer Personal Data to ensure that any Processing carried out by Diffusion in accordance with this Supplement and the Agreement is carried out lawfully;
(g) the Customer is not aware of any circumstances likely to give rise to breach of any of the Privacy and Data Protection Requirements in the future (including any Security Breach); and
(h) the Customer is registered with or has provided appropriate notification to all relevant data protection authorities to process all Customer Personal Data.

6.4 Except as expressly stated in the Agreement and this Supplement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.

6.5 Neither party will be deemed to be in breach of this Supplement where it has undertaken any act (including any omission) required by a regulator having lawful jurisdiction over it or the Customer Personal Data in question, provided that it promptly notifies, where practicable and lawful, the other party of the act or omission in question.

7. This Supplement shall survive the termination, expiration, or other conclusion of the Agreement for as long as Diffusion has access to or possession of the Customer Data.

8. The Customer shall fully and effectively indemnify Diffusion against any cost, claim, expense, liability or damage arising from any breach of this Supplement by Customer. Such indemnity, shall not be subject to any provision of the Agreement which limits the Customer’s liability, shall survive termination of the Agreement or this Supplement and shall subsist for a period of 6 years after Diffusion has last processed Customer Personal Data on behalf of the Customer under the Agreement.

9. Diffusion’s liability under this Supplement shall be subject to the limitation of liability provisions in the Agreement.

Security Standards

These Security Standards are annexed to the data processing Supplement, and may be modified by Diffusion from time to time by notice to the Customer, or by modifying them as available from www.diffusiondata.com/data-processing.

1. PERSONNEL

1.1 Diffusion has and will maintain a security policy for its employees and contractors and will require those which have access to Customer Personal Data to undergo security and privacy awareness training.

1.2 Diffusion shall ensure that its employees and contractors are responsible for ongoing monitoring of its security practices, Diffusion procedures and infrastructure and incident handling.

2. DATA HANDLING

2.1 Diffusion shall Process and transmit all Customer Personal Data through servers which are managed by Diffusion. Diffusion may replicate data across multiple storage systems.

2.2 Subject to paragraph 2.3, once Diffusion no longer requires any Customer Personal Data to fulfil its obligations to the Customer and its legal requirements, it shall securely delete the Customer Personal Data. Such deletion shall take place in accordance with guidelines issueds by the UK Information Commissioner from time to time, which may permit placing the data ‘beyond use’ as an alternative to physical erasure.

2.3 Upon termination of the Agreement, Diffusion shall either securely delete the Customer Personal Data in accordance with paragraph 2.2, or at Customer’s election (which must be made by written notice prior to termination of the Agreement), retain the Customer Personal Data in such a manner as to enable Customer to retrieve the Customer Personal Data, provided always that the Customer Personal Data must be retrieved by Customer within four weeks of termination.

2.4 To the extent that Diffusion considers appropriate, it will employ cryptography covering data in transit and/or at rest.

3. VULNERABILITIES

3.1 Diffusion will monitor a variety of communication channels for security vulnerabilities, and Diffusion’s security team will react promptly to known security vulnerabilities.

4. CHANGE MANAGEMENT

4.1 Diffusion’s change management will include, but not be limited to a code review process to increase the security of the code provided in the Diffusion System.

4.2 Diffusion will also continue to employ a security review process to enhance the security features in production environments.

5. SERVER

5.1 Diffusion will use a hardened operating system implementation customized for the Diffusion System.

5.2 Diffusion will maintain a prioritized patch management policy.

5.3 Diffusion will install the most recent security patches on the Diffusion System as soon as reasonably practical.

6. ACCESS CONTROL

6.1 Diffusion employs systems and processes to limit physical and logical access based on least privileges and according to job responsibilities to ensure Customer Personal Data can only be accessed by authorized Diffusion personnel.

7. USER ROLES

7.1 Diffusion and Customer will have control over the creation, deletion, and suspension of user roles within the Customer’s environment of the Diffusion System

8. CONNECTIVITY REQUIREMENTS

8.1 Diffusion will protect its Diffusion System with multiple security layers and services.

9. DATA CENTRE ENVIRONMENT AND PHYSICAL SECURITY

9.1 Diffusion currently uses the data centere services provided by Amazon Web Services (“AWS”) for the delivery of its Services., AWS’ security standards can be found here http://aws.amazon.com/security/

9.2 Each year, Diffusion will review and evaluate the applicable third party security audit reports provided by AWS to ensure they meet an acceptable standard.

10. CONTINUITY MANAGEMENT

10.1 Diffusion shall at all times during the term of this Agreement have in place internal practices, plans or procedures aiming to reasonably ensure the Diffusion System is uninterrupted during the term of the Agreement (“Business Continuity Plan”).

10.2 Certain portions of the Business Continuity Plan may be made available to Customer upon reasonable written notice and shall be kept up to date, tested at regular intervals- and in good working order.

11. DEVELOPMENT AND TESTING

11.1 Systems and processes used for test and development activities will be segregated from Diffusion System.

11.2 Diffusion shall not use Customer Personal Data in its testing and development activities, but it may use Customer Personal Data for the purposes of providing Support and Maintenance as set out in the Agreement.

11.3 The Diffusion System is developed using a documented Software Development LifeCycle (SDLC) to help minimize the risk of introducing security vulnerabilities into the Diffusion System. As an example the SDLC includes the following gates:

11.4 Security review of the source code – automatic and/or manual;

11.5 Security audit of the Diffusion System prior to deployment.

11.6 All of Diffusion System is subject to penetration testing and vulnerability scans prior to being launched into production status, and on a regular basis and following major changes.

11.7 All critical security vulnerabilities found during the security testing in the Diffusion System will be addressed.

11.8 All Diffusion developers are trained annually to identify and resolve common coding vulnerabilities in order to minimise the number of security vulnerabilities.

Appendix 1

Processing Details

Nature and Purpose of Processing
Processing shall be undertaken in accordance with and for the purpose of the fulfilment of the Services as further described in the Agreement.

Types of Personal Data
Personal data includes name, address, email address, phone number, IP address, location data, phone ID number (UDID), log-in credentials, password.

Special Category Data
Special Category Data may include health data.

Data Subjects
End users, customers, employees and contractors of the Customer.

Duration of the Processing:
The Processing shall continue for the duration of the Services.