1. DEFINITIONS
1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of the EULA. In addition in this Data Protection Addendum the following definitions have the meanings given below:
| “Applicable Law” | means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states from time to time together with applicable laws in the United Kingdom from time to time; |
| “Appropriate Safeguards” | means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time; |
| “Controller” | has the meaning given to that term in Data Protection Laws; |
| “Data Protection Laws” | means all Applicable Laws relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances: (a) the GDPR; (b) the Data Protection Act 2018; (c) any laws which implement any such laws; and (d) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time); |
| “Data Protection Losses” | means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and (b) to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Supervisory Authority; |
| “Data Subject” | has the meaning given to that term in Data Protection Laws; |
| “Data Subject Request” | means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws; |
| “EULA” | means the End User Licence Agreement entered into between Redstor and its Licensee for the use of software as a service. |
| “GDPR” | means the General Data Protection Regulation, Regulation (EU) 2016/679; |
| “International Recipient” | means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Licensee’s prior written authorisation; |
| “List of Sub-Processors” | means the latest version of the list of Sub-Processors used by Redstor, as updated from time to time; |
| “Onward Transfer” | means a Transfer from one International Recipient to another International Recipient; |
| “Personal Data” | has the meaning given to that term in Data Protection Laws; |
| “Personal Data Breach” | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data; |
| “Processing” | has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings); |
| “Processing Instructions” | has the meaning given to that term in paragraph 3.1.1; |
| “Processor” | has the meaning given to that term in Data Protection Laws; |
| “Protected Data” | means Personal Data in the Licensee Data; |
| “Sub-Processor” | means another Processor engaged by Redstor for carrying out processing activities in respect of the Protected Data on behalf of the Licensee; |
| “Supervisory Authority” | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; |
| “Transfer” | bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (or to the extent wider the definition of ‘transfer’ in equivalent provisions of UK Data Protection Laws). Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as “Transfers”, “Transferred” and “Transferring” shall be construed accordingly; and |
| “UK Data Protection Laws” | means Data Protection Laws that form part of the law of England and Wales, Scotland and/or Northern Ireland from time to time. |
2. Processor and Controller
2.1 The parties agree that, for the Protected Data, the Licensee shall be the Controller and Redstor shall be the Processor. Nothing in the EULA relieves the Licensee of any responsibilities or liabilities under any Data Protection Laws.
2.2 To the extent the Licensee is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Redstor to process the Protected Data in accordance with the EULA.
2.3 Redstor shall process Protected Data in compliance with:
2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under the EULA; and
2.3.2 the terms of the EULA.
2.4 The Licensee shall ensure that it, its affiliates and each Authorised User shall at all times comply with:
2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under the EULA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.4.2 the terms of the EULA.
2.5 The Licensee warrants, represents and undertakes, that at all times:
2.5.1 all Protected Data (if processed in accordance with the EULA) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;
2.5.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by Redstor and its Sub-Processors in accordance with the EULA;
2.5.3 the Protected Data is accurate and up to date;
2.5.4 all instructions given by it to Redstor in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.5.5 it has undertaken due diligence in relation to Redstor’s processing operations and commitments and it is satisfied (and all times it continues to use the Services remains satisfied) that:
(a) Redstor’s processing operations are suitable for the purposes for which the Licensee proposes to use the Services and engage Redstor to process the Protected Data;
(b) the technical and organisational measures set out in the EULA (as Updated from time to time) shall (if Redstor complies with its obligations) ensure a level of security appropriate to the risk in regards to the Protected Data; and
(c) Redstor has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
3. Instructions and details of processing
3.1 Insofar as Redstor processes Protected Data on behalf of the Licensee, Redstor:
3.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Licensee’s documented instructions as set out in this paragraph 3.1 and paragraphs 3.3 and 3.4 (including when making a Transfer of Protected Data to any International Recipient), as Updated from time to time (Processing Instructions);
3.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Licensee of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.2 The Licensee shall be responsible for ensuring all authorised affiliates’ and Authorised User’s read and understand the Privacy Policy (as Updated from time to time).
3.3 The Licensee acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the user manual). The Licensee shall ensure that Authorised Users do not execute any such command unless authorised by the Licensee (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command Redstor is under no obligation to seek to restore it.
3.4 Subject to applicable terms in the EULA or the Order Form the processing of the Protected Data by Redstor under the EULA shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in schedule 1.
4. Technical and organisational measures
4.1 Taking into account the nature of the processing, Redstor shall implement and maintain technical and organisational measures:
4.1.1 in relation to the processing of Protected Data by Redstor; and
4.1.2 subject to paragraph 6.1, to assist the Licensee insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Licensee’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Licensee’s cost on a time and materials basis in accordance with Redstor’s standard pricing terms.
5. Using staff and other Processors
5.1 Redstor shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data (except in accordance with the EULA) without the Licensee’s written authorisation of that specific Sub-Processor (such authorisation not to be unreasonably withheld, conditioned or delayed).
5.2 The Licensee authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as updated from time to time.
5.3 Redstor shall:
5.3.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and
5.3.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.4 Redstor shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Redstor shall, where practicable and not prohibited by Applicable Law, notify the Licensee of any such requirement before such disclosure).
6. Assistance with compliance and Data Subject rights
6.1 Redstor shall refer all Data Subject Requests it receives to the Licensee without undue delay. The Licensee shall pay Redstor for all work, time, costs and expenses incurred in connection with such activity, calculated at Redstor’s rates set out in Redstor’s standard pricing terms.
6.2 Redstor shall provide such assistance as the Licensee reasonably requires (taking into account the nature of processing and the information available to Redstor) to the Licensee in ensuring compliance with the Licensee’s obligations under Data Protection Laws with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Licensee in response to any Personal Data Breach,
provided the Licensee shall pay Redstor for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated at Redstor’s rates set out in Redstor’s standard pricing terms.
7. International data Transfers
7.1 Subject to paragraphs 7.2 and 7.5, Redstor shall not Transfer any Protected Data:
7.1.1 from any country to any other country; and/or
7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Licensee’s prior written authorisation except where Redstor is required to Transfer the Protected Data by Applicable Law (and shall inform the Licensee of that legal requirement before the Transfer, unless those laws prevent it doing so).
7.2 The Licensee hereby authorises Redstor to Transfer any Protected Data to any International Recipient(s), provided all Transfers by Redstor of Protected Data to an International Recipient (and any Onward Transfer) shall be (to the extent required under Data Protection Laws) effected by way of Appropriate Safeguards and in accordance with Data Protection Laws and the EULA. The provisions of the EULA (including this Data Protection Addendum) shall constitute the Licensee’s instructions with respect to Transfers in accordance with paragraph 3.1.1.
7.3 The Appropriate Safeguards employed by Redstor in connection with the EULA can be found within the EULA.
7.4 Redstor (or its Sub-Processors) may only process Protected Data in the locations specified within the EULA.
7.5 The Licensee acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the service further to access and/or computerised instructions initiated by Authorised Users. The Licensee acknowledges that Redstor does not control such processing and the Licensee shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Appropriate Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.
8. Information and audit
8.1 Redstor shall maintain, in accordance with Data Protection Laws binding on Redstor, written records of all categories of processing activities carried out on behalf of the Licensee.
8.2 On request, Redstor shall provide the Licensee (or auditors mandated by the Licensee) with a copy of the third party certifications and audits to the extent made generally available to its customers. Such information shall be confidential to Redstor and shall be Supplier’s Confidential Information as defined in the EULA, and shall be treated in accordance with applicable terms.
8.3 In the event that the Licensee, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under Data Protection Laws, Redstor shall, on request by the Licensee make available to the Licensee such information as is reasonably necessary to demonstrate Redstor’s compliance with its obligations under this Data Protection Addendum and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Licensee (or another auditor mandated by the Licensee) for this purpose provided:
8.3.1 such audit, inspection or information request is reasonable, limited to information in Redstor’s possession or control and is subject to the Licensee giving Redstor reasonable (and in any event at least 60 days’) prior notice of such audit, inspection or information request;
8.3.2 the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Licensee or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure Redstor is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);
8.3.3 the Licensee shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of Redstor;
8.3.4 the duration of any audit or inspection shall be limited to one Business Day;
8.3.5 all costs of such audit or inspection or responding to such information request shall be borne by the Licensee, and Redstor’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Licensee on a time and materials basis in accordance with Redstor’s standard pricing terms;
8.3.6 the Licensee’s rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority;
8.3.7 the Licensee shall promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to Redstor;
8.3.8 the Licensee agrees that all information obtained or generated by the Licensee or its auditor(s) in connection with such information requests, inspections and audits shall be Supplier’s Confidential Information as defined in the EULA, and shall be treated in accordance with applicable terms;
8.3.9 the Licensee shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of Redstor while conducting any such audit or inspection; and
8.3.10 this paragraph 8.3 is subject to paragraph 8.4.
8.4 The Licensee acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that Redstor or Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3 and:
8.4.1 the Licensee’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s);
8.4.2 to the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this paragraph 8.4, equivalent restrictions and obligations on the Licensee to those in paragraphs 8.3.1 to 8.3.10 (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and
8.4.3 paragraphs 5.3.1 and 8.3 shall be construed accordingly.
8.5 Notwithstanding paragraph 8.4, Redstor shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws and Redstor’s obligations in respect of Protected Data under the EULA. The Licensee accepts that the provisions of paragraph 8.4 shall satisfy Redstor’s obligations in that regard.
9. Breach notification
9.1 In respect of any Personal Data Breach involving Protected Data, Redstor shall, without undue delay (and in any event within 72 hours):
9.1.1 notify the Licensee of the Personal Data Breach; and
9.1.2 provide the Licensee with details of the Personal Data Breach.
10. Deletion of Protected Data and copies
Following the end of the provision of the Services (or any part) relating to the processing of Protected Data Redstor shall dispose of Protected Data in accordance with its obligations under the EULA. Redstor shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with the EULA.
11. Compensation and claims
11.1 Redstor shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with the EULA:
11.1.1 only to the extent caused by the processing of Protected Data under the EULA and directly resulting from Redstor’s breach of the EULA; and
11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of the EULA by the Licensee (including in accordance with paragraph 3.1.3(b)).
11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with the EULA or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
11.2.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
11.2.2 consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under the EULA for paying the compensation.
11.3 The parties agree that the Licensee shall not be entitled to claim back from Redstor any part of any compensation paid by the Licensee in respect of such damage to the extent that the Licensee is liable to indemnify or otherwise compensate Redstor in accordance with the EULA.
11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.4.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
11.4.2 that it does not affect the liability of either party to any Data Subject.
12. Survival
This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of the EULA and continue until no Protected Data remains in the possession or control of Redstor or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.
Schedule 1
Data processing details
Subject-matter of processing:
Performance of respective rights and obligations under the EULA and delivery and receipt of the Services under the EULA;
Duration of the processing:
Until the earlier of final termination or final expiry of the EULA, except as otherwise expressly stated in the EULA;
Nature and purpose of the processing:
Processing in accordance with the rights and obligations of the parties under the EULA;
processing as reasonably required to provide the Services; and
processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Licensee, in each case in a manner consistent with the EULA;
Type of Personal Data:
Personal Data including legal and other names, titles, positions, e-mail addresses, and phone numbers as further outlined in the EULA;
Categories of Data Subjects:
Categories of data subjects including customers, resellers, partners and employees as further outlined inyees as further outlined in the EULA.