This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of, the Agreement between International Software Licensing Pty Ltd,  trading as “Meet Alfred”, (together with its Affiliates, “Alfred”) and the customer entity that is a party to the Agreement ("Customer" or "you").

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. 

Definitions

“Agreement” means this data processing agreement, together with its schedules.

“Controller” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.

“Data Protection Authority” means: (a) if the GDPR is applicable, a 

“Supervisory Authority”, as that term is defined in the GDPR; or (b) if the UK DPA is applicable, the Information Commissioner.

“Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR. 

“Data Protection Laws” means: (a) the UK DPA; (b) the GDPR, Directive 95/46/EC, Directive 2002/58/EC and Directive 2009/136/EC, together with any national implementing laws in any Member State of the European Union; and (c) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world, in each case as amended, consolidated or replaced from time to time.

“Data Subject” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.

“GDPR” means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time. 

“Personal Data” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.

“Personal Data Breach” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.

“Personnel” means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.

“Process”, “Processing” or “Processed” each have the meanings given to them in the GDPR.

“Processor” has the meaning given to it in the GDPR.

“Relevant Personal Data” means the categories of Personal Data that are set out in Schedule 1 and that are Processed under, or in connection with the provision of the Services. 

“Services” means the Meet Alfred web services, as more particularly described in the Services Agreement.  

“Services Agreement” means the terms of service agreement entered into by Parties on or around the date of this Agreement.

“Subprocessor” means any party (including but not limited to affiliates and sub-contractors) engaged by Service Provider to Process Relevant Personal Data.

“Term” has the meaning given to it in Clause 2 below.

“UK DPA” means the Data Protection Act 2018, as amended, consolidated or replaced from time to time.


Roles and Responsibilities

1.1 With respect to the Processing of Relevant Personal Data, Service Provider shall, and shall procure that each of its Personnel, agents and Subprocessors shall comply with all Data Protection Laws, to the extent applicable.

1.2 Service Provider represents and warrants to Customer that it shall implement appropriate technical and organisational measures to protect Relevant Personal Data, in accordance with applicable Data Protection Laws and, during the GDPR Period, in accordance with Articles 32-34 of the GDPR in particular. Service Provider shall ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect Relevant Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access. Prior to the Processing of any Relevant Personal Data, and then regularly thereafter, Service Provider shall document its relevant technical and organisational security measures, in the format set out in Schedule 2 below. Service Provider shall perform internal inspections on a regular basis, to confirm that it is complying with its obligations under this Agreement and, where appropriate, Service Provider shall amend its Processing activities to satisfy its obligations under this Agreement.

1.3 The Parties hereby acknowledge and agree that Customer is a Controller and Service Provider is a Processor with respect to the Processing of Relevant Personal Data. In addition to, and notwithstanding, any other right or obligation arising under this Agreement or the Services Agreement, the Service Provider shall, in relation to such Processing:

(a) comply with the express instructions or directions of Customer given from time to time in connection with the Processing of Relevant Personal Data, and the requirements of any applicable Data Protection Laws; and

(b) only Process Relevant Personal Data strictly and solely: (i) to the extent necessary in connection with this Agreement, in particular as described in Schedule 1 below; and (ii) in accordance with the documented instructions received from Customer from time to time. If at any point, Service Provider becomes legally unable to comply with Customer's instructions regarding the Processing of Relevant Personal Data (whether as a result of a change in applicable law, or a change in Customer's instructions), Service Provider shall promptly:

(i) notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and

(ii) cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as Customer issues new instructions with which Service Provider is able to comply;

(c) (i) create; (ii) keep up-to-date for the duration of the Processing; and (iii) maintain for four (4) years thereafter; complete and accurate records in writing (including in electronic form) of its Processing activities, including all categories of its Processing activities, in relation to Relevant Personal Data, and disclose such records to Customer, or any Data Protection Authority, promptly upon demand;

(d) ensure Relevant Personal Data are kept confidential; (ii) take all reasonable steps to ensure the reliability and trustworthiness of Service Provider’s Personnel and any Subprocessors, and (iii) ensure that all relevant Service Provider Personnel, and any relevant Subprocessors, have committed themselves to ensuring the confidentiality of all Relevant Personal Data that they Process;

(e) ensure that, in each instance in which it engages a Subprocessor to Process any Relevant Personal Data, it shall: (i) only appoint such Subprocessor in accordance with the prior written authorisation of Customer (such authorisation not to be unreasonably withheld, conditioned or delayed); (ii) keep Customer informed if there is any change to the role or status of the Subprocessor; and (iii) enter into a binding written agreement with the Subprocessor that imposes on the Subprocessor the same obligations that apply to Service Provider under this Agreement with respect to the Processing of Relevant Personal Data and, if applicable, any restricted transfers of Relevant Personal Data;

(f) at Customer’s request and expense, promptly provide Customer with all reasonable technical and organisational assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights;

(g) at Customer’s request and expense, promptly provide Customer with all reasonable assistance necessary to enable Customer to: (i) notify relevant breaches of the GDPR to the relevant Data Protection Authorities and/or affected Data Subjects; (ii) conduct Data Protection Impact Assessments; and (iii) obtain any necessary authorisations from Data Protection Authorities;

(h) permanently and securely delete (or, at the election of Customer, return) all Relevant Personal Data in the possession or control of Service Provider or any of its Subprocessors, within thirty (30) days after the end of the Term, unless the applicable law of England or the European Union or an EU Member State (as applicable) requires otherwise; and (ii) procure that its Subprocessors shall do likewise; 

(i) at Customer’s request and expense: (i) promptly provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under the GDPR, to the extent that Service Provider is able to provide such information; and (ii) allow for and contribute to audits, including inspections, conducted by Customer or an auditor appointed by Customer; and

(j) notify Customer promptly, and in any event within twenty-four (24) hours, of: (i) becoming aware of any Personal Data Breach affecting Relevant Personal Data; (ii) becoming aware of any material breach of this Clause 1; or (iii) receipt of any correspondence or communication from any Data Subject, Data Protection Authority or third party regarding the Processing of Relevant Personal Data.

1.4 Service Provider shall not, whether through action or omission, place Customer in breach of any applicable Data Protection Laws.

1.5 Service Provider shall remain primarily liable and responsible for the acts and omissions of its Subprocessors. 



Blue Top

Getting started is 100% risk-free

When you start a free Alfred trial, we don’t ask for your credit card or any other commitment. After 14 days, you decide if Alfred is right for you, and our team is ready to help 24/7.

Start 14-Day FREE Trial Now