Data Processing Agreement 

This Data Processing Agreement (the "Agreement") is entered into on the date the Sales Order is signed by and between:

1. Safe Space Technology, a company registered in the United Kingdom, registration number 12678933, hereinafter referred to as the "Processor."

   
   

2.  The purchasing customer, and all subsidiaries or related or controlled entities, whose details are specified on the Sales Order, hereinafter referred to as the "Controller" if and to the extent the Processor processes Personal Data for which such Customer entities qualify as Controllers.

WHEREAS, the Processor provides software and technology services to the Controller, involving the processing of personal data as defined under applicable data protection laws.

In consideration of the mutual covenants contained herein, the parties agree as follows:

1. Definition

1.1 "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR).

1.2 "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction.

1.3 "Data Protection Laws" means all applicable laws and regulations related to the processing of personal data, including but not limited to the GDPR.

2. Data Processing

2.1 Scope of Processing: The Processor shall process personal data on behalf of the Controller for the purposes described in the Data Processing Agreement attached hereto as Annex A.

2.2 Compliance with Laws: The Processor shall comply with all applicable Data Protection Laws in the processing of personal data, and the Controller shall comply with the same laws in relation to its use of the Processor's services.

3. Subprocessing

3.1 Authorised Subprocessors: The Controller hereby authorises the Processor to engage subprocessors to assist in the provision of the services, provided that the Processor maintains an up-to-date list of its subprocessors, which shall be available to the Controller upon request.

3.2 Responsibility for Subprocessors: The Processor shall remain responsible for its subprocessors' compliance with the Agreement and shall ensure that subprocessors are bound by data processing terms no less protective than those in this Agreement.

4. Data Transfers

4.1 International Data Transfers: The Processor may transfer personal data to countries outside of the European Economic Area (EEA) or the United Kingdom, as necessary for the provision of the services, provided that such transfers comply with applicable data protection laws.

4.2 International Locations: the Processor shall take all necessary steps to ensure compliance with local data protection laws and regulations.

5. Data Security

5.1 Security Measures: The Processor shall implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.

6. Data Subject Rights

6.1 Assistance to Controller: The Processor shall assist the Controller in responding to data subject requests to exercise their rights under applicable data protection laws. Note this assistance will be chargeable at the agreed hourly rate.

7. Data Breach Notification

7.1 Notification: The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach.

8. Data Protection Impact Assessments and Consultation

8.1 Assistance: The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultation with supervisory authorities, as required by applicable data protection laws.

9. Term and Termination

9.1 Term: This Agreement shall remain in effect until the termination of the Data Processing Agreement or until both parties agree to terminate it.

9.2 Return or Deletion of Data: Upon termination, the Processor shall return all personal data to the Controller or delete it, as directed by the Controller.

10. General Provisions

10.1 Governing Law and Jurisdiction: This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of the United Kingdom and Great Britain.

10.2 Entire Agreement: This Agreement constitutes the entire agreement between the parties and supersedes all prior agreements, representations, and understandings.

ANNEX A - Data Categories & Purpose

DescriptionDetailsSubject matter of the processing Personal data of employees, contractors and other related persons of the Data ControllerNature and purpose of the processing Demographic data, location data and misconduct data for reporting and BI, misconduct data to enable governance, case management and compliance of the Controller. Type of Personal Data May include but is not limited to: Name Gender Email address Phone numberEthnicityReligionSexual orientationLocationDetails of employment Categories of Data SubjectPersonal data 

ANNEX B - Processing and Retention

This policy outlines the data retention practices followed by Safe Space Technology (the "Processor") in accordance with applicable data protection laws and regulations. It specifies the duration for which personal data is retained and the criteria for data deletion. As well as the technical procedures for data encryption, access controls, and testing implemented by Safe Space Technology (the "Processor") to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services 

Data Retention Period: The retention period for each category of data will be defined by the Data Controller. The Data Controller agrees that setting the retention period to be compliant with legislative retention requirements will be solely their responsibility.

Data Deletion: Personal data will be deleted upon reaching the end of its retention period, or earlier upon the Controller's request. The deletion process includes secure erasure to prevent unauthorised access.

Exceptions: In certain cases, data may be retained for a longer period if required by law or regulation. In such cases, the Controller will be informed accordingly.

2. Data Encryption

2.1 Encryption at Rest: The Processor shall implement encryption measures to protect personal data while it is stored on its systems. Data shall be encrypted using industry-standard encryption algorithms and protocols.

2.2 Encryption in Transit: The Processor shall use encryption during the transmission of personal data to and from its systems. Secure communication channels, such as HTTPS, shall be utilised to ensure data remains confidential during transit.

3. Access Controls

3.1 User Access: The Processor will ensure that the software is secure. The Controller will be responsible for only providing system and therefore data access to those that are authorised to and should have access to personal data. Access rights should be granted based on the principle of least privilege, ensuring that only authorised personnel have access to the necessary data.

3.2 Authentication: Multi-factor authentication (MFA) or strong authentication mechanisms shall be used to verify the identity of individuals accessing personal data.

3.3 Logging and Monitoring: The Processor shall maintain access logs and monitor access to personal data to detect and respond to unauthorised access or suspicious activities.

4. Testing and Auditing

4.1 Regular Security Testing: The Processor shall conduct regular security testing, including vulnerability assessments and penetration testing, to identify and address potential security vulnerabilities in its processing systems.

4.2 Incident Response Testing: The Processor shall periodically test its incident response procedures to ensure a swift and effective response to security incidents.

4.3 Audit Trails: The Processor shall maintain audit trails of data processing activities, including who accessed personal data, when, and for what purpose.

5. Data Backup and Recovery

5.1 Data Backup: The Processor shall regularly back up personal data to prevent data loss in case of system failures or other unforeseen events.

5.2 Data Recovery: The Processor shall have a data recovery plan in place to ensure the timely restoration of services and access to data in the event of a disruption.

6. Business Continuity and Resilience

6.1 Business Continuity Plan: The Processor shall have a business continuity plan in place to ensure the continued availability of services and data in case of disruptions.

6.2 Resilience Measures: The Processor shall implement resilience measures, such as redundancy and failover mechanisms, to maintain the availability of processing systems.

7. Compliance with Legal and Regulatory Requirements

7.1 The Processor shall ensure that the technical and organisational requirements outlined in this annexe comply with applicable data protection laws and regulations.

7. Agreement

The Processor, in providing the software, agrees to comply with this Data Processing Agreement.

The Controller, by signing the Sales Order, agrees to comply with this Data Processing Agreement.