Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of, the Services Agreement between Meet Alfred ("Service Provider") and the customer entity that is a party to the Services Agreement ("Customer" or "you"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Services Agreement.

1. Definitions

In this agreement, the following defined terms apply:

  1. Agreement - means this data processing agreement and its schedules.
  2. CCPA - means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”) and its implementing regulations.
  3. Business Purpose, Commercial Purpose, Contractor, Sell, Share, Service Provider, Sensitive Personal Information - shall have the meanings set forth in the CCPA.
  4. Controller - has the meaning given to it in:
    1. the GDPR, if the GDPR is applicable; or
    2. the UK DPA, if the UK DPA is applicable.
  5. Data Protection Authority - means:
    1. if the GDPR is applicable, a “Supervisory Authority”, as that term is defined in the GDPR; or
    2. if the UK DPA is applicable, the Information Commissioner.
  6. Data Protection Impact Assessment - means a data protection impact assessment, as described in Article 35 of the GDPR.
  7. Data Protection Laws - means:
    1. the UK DPA;
    2. the GDPR, Directive 2002/58/EC and Directive 2009/136/EC, together with any national implementing laws in any Member State of the European Union;
    3. the CCPA; and
    4. any equivalent legislation, or legislation dealing with the same subject matter, in each case as amended, consolidated or replaced from time to time.
  8. Data Subject - has the meaning given to it in:
    1. the GDPR, if the GDPR is applicable; or
    2. the CCPA, if the CCPA is applicable, in which case it means a “Consumer” as that term is defined in the CCPA.
  9. GDPR - means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time.
  10. Personal Data - has the meaning given to it in:
    1. the GDPR, if the GDPR is applicable; or
    2. the CCPA, if the CCPA is applicable.
  11. Personal Data Breach - has the meaning given to it in:
    1. the GDPR, if the GDPR is applicable; or
    2. the UK DPA, if the UK DPA is applicable.
  12. Personnel - means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee, or other personnel.
  13. Process, Processing or Processed - each have the meanings given to them in the GDPR.
  14. Processor - has the meaning given to it in the GDPR.
  15. Relevant Personal Data - means the categories of Personal Data that are set out in Schedule 1 and that are Processed under, or in connection with the provision of the Services.
  16. Services - means the Meet Alfred web services, as more particularly described in the Services Agreement.
  17. Services Agreement - means the terms of service agreement entered into by Parties on or around the date of this Agreement.
  18. Subprocessor - means any party (including but not limited to affiliates and sub-contractors) engaged by Service Provider to Process Relevant Personal Data.
  19. Term - has the meaning given to it in Clause 4.1 below.
  20. UK DPA - means the Data Protection Act 2018, as amended, consolidated or replaced from time to time.
  21. UK Addendum - means the International Data Transfer Addendum issued by the UK Information Commissioner.
  22. EU SCCs - means the Standard Contractual Clauses approved by the European Commission pursuant to Article 46 GDPR.

2. Obligations of Service Provider

2.1 Compliance

With respect to the Processing of Relevant Personal Data, Service Provider shall, and shall procure that each of its Personnel, agents and Subprocessors shall, comply with all applicable Data Protection Laws.

2.2 Technical and Organizational Measures

Service Provider represents and warrants to Customer that it shall implement appropriate technical and organizational measures to protect Relevant Personal Data, in accordance with applicable Data Protection Laws and Articles 32-34 GDPR in particular.

Service Provider shall ensure that such technical and organizational measures are appropriate to the particular risks presented by its Processing activities, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Relevant Personal Data.

Such technical and organizational measures shall include, where appropriate:

  1. encryption of Personal Data in transit and at rest;
  2. pseudonymization and minimization;
  3. logical access controls and role-based permissions;
  4. multi-factor authentication for administrative access;
  5. logging and monitoring of system access;
  6. vulnerability management and penetration testing;
  7. disaster recovery and business continuity procedures;
  8. backup and restoration procedures;
  9. secure software development lifecycle practices;
  10. employee privacy and security training;
  11. vendor risk management procedures;
  12. incident response and breach escalation procedures;
  13. least privilege access principles.

Service Provider shall document such measures before Processing Relevant Personal Data, and shall review and update them periodically thereafter.

2.3 Processor Obligations

The parties acknowledge and agree that Customer is a Controller/Business and Service Provider is a Processor/Service Provider/Contractor with respect to the Processing of Relevant Personal Data.

Service Provider shall:

  1. Process Only on Instructions

    comply with Customer’s documented instructions and applicable Data Protection Laws.

  2. Purpose Limitation

    only Process Relevant Personal Data:

    1. as necessary to provide the Services; and
    2. in accordance with documented instructions from the Customer.

    Service Provider shall not:

    1. Process Relevant Personal Data for its own purposes;
    2. Sell or Share Relevant Personal Data;
    3. retain, use, or disclose Relevant Personal Data outside the direct business relationship between the Parties;
    4. combine Relevant Personal Data received from Customer with information obtained from other sources, except as permitted by the CCPA;
    5. determine the purposes or means of Processing, except as permitted under applicable law;
    6. use Sensitive Personal Information, except as necessary to provide the Services.

    If Service Provider becomes legally unable to comply with Customer’s instructions, it shall promptly:

    1. notify Customer; and
    2. cease affected Processing activities until lawful instructions are agreed.

  3. Records of Processing

    Service Provider shall maintain complete and accurate records of Processing activities and make them available to Customer or competent authorities upon lawful request.

  4. Confidentiality

    Service Provider shall:

    1. ensure Relevant Personal Data remain confidential;
    2. ensure Personnel and Subprocessors are reliable and appropriately trained; and
    3. ensure all authorized persons are bound by confidentiality obligations.

    These confidentiality obligations shall survive termination of this Agreement for so long as the Service Provider retains Relevant Personal Data.

  5. Subprocessors

    Customer hereby grants Service Provider general authorization to engage Subprocessors.

    Service Provider shall:

    1. maintain an up-to-date list of Subprocessors;
    2. notify Customer at least thirty (30) days before appointing a new Subprocessor;
    3. provide Customer the opportunity to object on reasonable data protection grounds; and
    4. impose written contractual obligations on each Subprocessor equivalent to those imposed under this Agreement.

    If Customer reasonably objects to a new Subprocessor and the Parties cannot resolve the issue, Customer may terminate the affected Services without penalty.

    Service Provider shall remain fully liable for acts and omissions of Subprocessors.

3. International Data Transfers

Where Processing involves transfers of Relevant Personal Data outside the EEA, UK, or Switzerland to jurisdictions not recognized as providing adequate protection, the Parties shall implement appropriate safeguards including:

  1. the EU SCCs;
  2. the UK Addendum; or
  3. another legally recognized transfer mechanism.

The EU SCCs and UK Addendum are incorporated into this Agreement by reference.

Service Provider shall:

  1. conduct transfer impact assessments where required;
  2. implement supplementary safeguards where necessary; and
  3. provide reasonable cooperation regarding international transfer compliance.

4. General

  1. Term

    This Agreement commences upon execution and terminates automatically upon termination or expiration of the Services Agreement.

  2. Counterparts

    This Agreement may be executed in counterparts.

  3. Governing Law

    This Agreement shall be governed by English law and subject to the exclusive jurisdiction of the English Courts.

5. Security

  1. Infrastructure

    All Services operate in cloud infrastructure environments.

  2. Hosting Provider

    The Services are built on Amazon Web Services (AWS), which maintains industry-standard security certifications and controls.

    Service Provider shall make available information regarding the geographic regions where Relevant Personal Data is hosted or accessed.

  3. Pseudonymization

    Applications pseudonymize data where feasible to reduce identifiability of Data Subjects.

  4. Security Documentation

    Further details regarding security controls are available in Service Provider’s Security & Compliance Policy.

Schedule 1 – Data Processing Activities

Scope of Processing

Service Provider’s Processing activities include:

  1. provision of the Services;
  2. maintenance, support, and updates;
  3. security monitoring and fraud prevention;
  4. customer communications;
  5. lawful internal analytics and service improvements.

Duration

Processing continues for the duration of the Agreement and any legally required retention periods.

Service Provider shall retain Relevant Personal Data only for as long as necessary to perform the Services or comply with legal obligations.

Categories of Data Subjects

  1. Personnel of Customer and affiliates;
  2. prospective and current clients;
  3. users of Customer websites, applications, or services.

Categories of Personal Data

  1. contact details (email, name, profile picture);
  2. time zone;
  3. login credentials (e.g. LinkedIn, Gmail);
  4. IP address;
  5. browser, device, and operating system information;
  6. metadata, headers, and account settings.

Special Categories of Data

It is not anticipated that Special Categories of Personal Data or Sensitive Personal Information will be Processed.

Customers shall not intentionally submit Special Categories of Personal Data unless expressly agreed in writing by the Parties.

Processing Purposes

Relevant Personal Data are Processed for:

  1. provision of Services;
  2. customer communications;
  3. lawful analytics and service improvements;
  4. security, fraud prevention, and troubleshooting;
  5. compliance with legal obligations.

Service Provider may generate aggregated and de-identified statistical information only where:

  1. such information cannot reasonably identify any individual or Customer;
  2. measures are implemented to prevent re-identification; and
  3. such Processing complies with applicable Data Protection Laws.

Schedule 2 – Subprocessors

Service Provider shall maintain and make available an up-to-date list of Subprocessors used in connection with the Services, including:

  1. legal entity name;
  2. processing purpose;
  3. processing location;
  4. applicable transfer mechanism.

Schedule 3 – International Transfers

The Parties agree that:

  1. Module Two (Controller-to-Processor) of the EU SCCs shall apply where Customer acts as Controller;
  2. the UK Addendum shall apply to transfers subject to the UK DPA;
  3. the governing law of the EU SCCs shall be the law of Ireland, unless otherwise required by law.

Contact Information

If you have questions regarding this Agreement, please contact:
[email protected]