Data Processing Agreement (DPA)
This Data Processing Agreement (hereinafter referred to as “DPA”) is entered into by and between Upscore Ltd, a company registered under the laws of England, with its principal place of business at 15 Westmoreland Terrace, London, England, SW1V 4AG (hereinafter referred to as the “Data Processor”) and you (hereinafter referred to as the “Data Controller”).
1. The Data Controller and Data Processor have entered into an agreement (the “Master Agreement”) for the provision of services (the “Services”).
2. In the course of providing the Services, the Data Processor may process Personal Data on behalf of the Data Controller.
1. “Personal Data” shall have the same meaning as defined in the applicable data protection legislation.
2. “Data Protection Legislation” shall mean the General Data Protection Regulation (GDPR) and any other applicable data protection laws and regulations in force in the United Kingdom, as amended or replaced from time to time.
3. “Data Subject” shall have the same meaning as defined in the Data Protection Legislation.
4. “Processing” shall have the same meaning as defined in the Data Protection Legislation.
Data Processing Obligations:
1. The Data Processor shall process Personal Data on behalf of the Data Controller only for the purposes set out in the Master Agreement and in accordance with the Data Controller’s lawful instructions.
2. The Data Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in the processing of Personal Data.
3. The Data Processor shall promptly notify the Data Controller if it receives any request from a Data Subject regarding their Personal Data, and shall cooperate with the Data Controller in responding to such requests.
4. The Data Processor shall assist the Data Controller in ensuring compliance with its obligations under the Data Protection Legislation, including providing the Data Controller with necessary information and cooperating with any data protection impact assessments or prior consultations with the supervisory authority.
1. The Data Processor may engage subprocessors to assist in the provision of the Services. The Data Processor shall notify the Data Controller in writing of any intended changes concerning the addition or replacement of subprocessors. The Data Controller shall have the right to object to such changes on reasonable grounds.
2. The Data Processor shall enter into a written agreement with each subprocessor that imposes data protection obligations equivalent to those set out in this DPA.
3. The Data Processor shall remain fully liable to the Data Controller for the performance of any subprocessor’s obligations.
1. The Data Processor shall not transfer Personal Data outside the United Kingdom without the prior written consent of the Data Controller, unless such transfer is made in compliance with the Data Protection Legislation and provides appropriate safeguards for the rights and freedoms of Data Subjects.
2. If the Data Processor transfers Personal Data to a country outside the United Kingdom that does not provide an adequate level of data protection, the Data Processor shall implement appropriate safeguards, such as Standard Contractual Clauses approved by the Information Commissioner’s Office or any other appropriate mechanism recognized under the Data Protection Legislation.
Data Breach Notification:
1. The Data Processor shall promptly notify the Data Controller in writing of any Personal Data breach within the timelines required by the Data Protection Legislation.
2. The Data Processor shall cooperate with the Data Controller in investigating the breach, mitigating its effects, and complying with any legal obligations arising from the breach.
Term and Termination:
1. This DPA shall remain in effect for the duration of the Master Agreement.
2. Either party may terminate this DPA if the other party is in material breach of its obligations and fails to remedy such breach within a reasonable time