Data Processing Addendum

Effective Date: 16 September 2021, Version: 1.0

1.    INITIAL PROVISIONS
  1. This Data Processing Addendum forms an integral part of the Agreement and is referenced in the Terms of Service.
  2. This Data Processing Addendum is subject to change. The current version is always available at https://www.velaris.io/data-processing-addendum.
  3. By entering into the Agreement with Velaris, You, the Customer, acknowledge that you have read and understood this Data Processing Addendum and agree to be bound by it.
2.    DEFINITIONS
  1. Capitalised definitions not otherwise defined below shall have the meaning given to them in the Terms of Service.
  2. In this Data Processing Addendum, the following capitalised definitions have the following meaning:
"CCPA"
means the California Consumer Privacy Act, California Civil Code §§ 1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this Data Processing Addendum;
"Data Breach"
means a breach of security of the Service leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Velaris under this Data Processing Addendum;
"Data Protection Legislation"
means, as applicable to a party and its Processing of Personal Data: (i) UK Data Protection Law, (ii) CCPA and any national data protection laws made under the CCPA, (iii) any other law applicable for the provision of the Service;
"Personal Data"
means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by Velaris on behalf of the Customer in the course of providing the Service, as more particularly described in Annex A of this Data Processing Addendum;
"Restricted Transfer"
means a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
"Sub-processor"
means any third party engaged by Velaris to assist in fulfilling its obligations with respect to providing the Service and that Processes Personal Data as Processor;
"Standard Contractual Clauses"
mean standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs");
"UK Data Protection Law"
means: (i) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case, as may be amended or superseded from time to time; and
the terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the UK GDPR, and the terms "business", "service provider" and "sale" have the same meaning given to them under the CCPA.
3.    VELARIS' OBLIGATION
  1. Roles. For the purposes of the UK GDPR and similar Data Protection Legislation, the Customer (or third party on whose behalf the Customer is authorised to instruct Velaris) is the Controller of Personal Data, and Velaris shall Process Personal Data as a Processor (or sub-Processor, as applicable to the Customer's use of the Service); and for the purposes of the CCPA (to the extent the CCPA is applicable), the Customer is the "business" and Velaris is the "service provider".
  2. Permitted Purposes. Velaris shall Process Personal Data for the purposes described in Annex A and in accordance with the Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Legislation. In particular and to the extent the CCPA is applicable, the Customer's transfer of Personal Data to Velaris is not a sale, and Velaris provides no monetary or other valuable consideration to the Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Clause 3.b constitutes the certification from Velaris to the Processing instructions herein. Velaris is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.
  3. Processing Instructions. Velaris shall immediately inform the Customer if it becomes aware that the Customer's Processing instructions infringe Data Protection Legislation. If Velaris is unable to Process Personal Data in accordance with the Customer's documented lawful instructions, Velaris is obliged to promptly notify the Customer of its inability to comply.
  4. Security Measures. Velaris shall implement and maintain reasonable and appropriate technical and organisational measures designed to protect all data, including Personal Data, from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex C of this Data Processing Addendum.
  5. Access and Confidentiality. Velaris shall ensure that any person it authorises to Process the Personal Data (including Velaris' staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, and are informed about the confidential nature of the Personal Data and their obligations related to it and have access to Personal Data only in accordance with the need-to-know principle. Velaris shall ensure that all Personnel Process the Personal Data only as necessary for the Permitted Purposes.
  6. Data Returns and Deletion. Upon termination or expiration of the Agreement, Velaris must delete or return to the Customer all Personal Data (including copies) in its possession or control in accordance with the Agreement.
  7. Audit Rights.
    • Records of Processing. Velaris shall maintain records of its Personal Data Processing activities in accordance with Data Protection Legislation. Upon the first request, Velaris shall provide the records to the Customer, any auditor appointed by it or any supervisory authority. Velaris shall also respond to any written audit questions submitted to it by the Customer and that are necessary to confirm Velaris' compliance with this Data Processing Addendum.
    • Certifications. If Velaris maintains records in accordance with Information Security Management System ("ISMS") standards, Velaris shall, on the Customer's request, provide to the Customer copies of relevant external ISMS certifications, audit report summaries or other documentation necessary to demonstrate compliance with this Data Processing Agreement and Data Protection Legislation.
    • Audit. Velaris shall allow the Customer (or a third party licensed auditor engaged by the Customer) to carry out the remote audit of the electronic data files, systems, and documentation relating to the Processing of Personal Data, provided that the Customer bears all costs of the audit.
    • Scope of Audit. The audit under the preceding Clause shall:
      • occur no more than once in any 12-month period;
      • be agreed by the Parties no fewer than thirty (30) days in advance; and
      • take no more time than reasonably necessary, in any case, fewer than 16 business hours.
4.    CUSTOMER'S OBLIGATIONS
  1. Customer's Processing of Personal Data. The Customer shall, in its use of the Service, Process Personal Data in accordance with Data Protection Legislation. The Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer acquired Personal Data.
  2. Customer's Compliance. Customer agrees that:
    • it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to Velaris;
    • it has provided notice and obtained (or shall obtain) all consents or any other necessary authorisations (as applicable) under Data Protection Legislation for Velaris to Process Personal Data for the Permitted Purposes;
    • it has fulfilled (or shall fulfil) all registration or notification obligations to which the Customer is subject to under the Data Protection Legislation; and
    • it is responsible for its own Processing of Personal Data, including integrity, security, maintenance and appropriate protection of Personal Data under the Customer's control.
  3. Technical and Organisational Measures. The Customer is responsible for its secure use of the Service, including securing the Account, protecting the security of Personal Data when in transit to and from the Service and taking any appropriate technical, organisational and security measures to securely encrypt or backup any Personal Data uploaded to the Service. The Customer is also responsible for the use of the Service by any person the Customer authorised to access or use the Service, and any person who gains access to its Personal Data or the Service as a result of its failure to use reasonable security precautions, even if the Customer did not authorise such use. The Customer agrees to, immediately upon awareness, notify Velaris of any unauthorised use of Service or the Account or of any other breach of security involving the Service.
  4. Use of Cookies. Where the Service employs the use of cookies or similar tracking technologies ("Cookies"), the Customer shall maintain appropriate notice and consent mechanisms as required by Data Protection Legislation and industry best practice (or as otherwise reasonably requested by Velaris) to enable Velaris to deploy Cookies lawfully on, and collect data from, the devices of Data Subjects to provide the Service. Velaris, upon request, shall provide the Customer with all information reasonably required by the Customer (including details about the Cookies) to enable the Customer to provide such notice. The Customer shall promptly notify Velaris if it is unable to comply with these obligations.
5.    COOPERATION
  1. Data Subject Rights. To the extent that the Customer is unable to access the relevant Personal Data within the Service independently, Velaris shall, taking into account the nature of the Processing, provide assistance (including by appropriate technical and organisational measures) to enable the Customer to:
    • respond to any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and
    • any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence").
    In the event that any such Correspondence is made directly to Velaris, it shall promptly notify the Customer and shall not respond directly unless legally compelled to do so. If Velaris is required to respond to such Correspondence, Velaris shall promptly notify the Customer and provide it with a copy of the request, unless legally prohibited from doing so.
  2. Data Protection Impact Assessment. To the extent required by Data Protection Legislation, Velaris shall provide all requested information regarding the Service to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.
  3. Request for Disclosure. Velaris is obliged to promptly notify the Customer about any legally binding request for disclosure of the personal data by a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry and to assist the Customer therewith (at the Customer's expense).
6.    SECURITY INCIDENTS
  1. Data Breach. Upon becoming aware of a Data Breach, Velaris shall notify the Customer without undue delay and shall provide such timely information and cooperation as the Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Legislation, including the type of data affected and the identity of the affected person(s) as soon as such information becomes known or available to Velaris.
  2. No Acknowledgement. The Customer agrees that any notification that Velaris provides to the Customer in relation to a Data Breach shall not be construed or understood as an acknowledgement of any fault or liability.
  3. Further Conduct. Velaris shall further take all such measures and actions as are reasonable to remedy or mitigate the effects of the Data Breach and shall keep the Customer informed of all developments in connection with the Data Breach.
  4. Cooperation. If a Data Breach is caused or materially contributed to by the Customer, Velaris will cooperate in the investigation of the Data Breach subject to the Customer's obligation to compensate Velaris for its expenses and costs.
7.    SUB-PROCESSING
  1. Authorised Sub-processors. The Customer provides a general authorisation for Velaris to engage Sub-processors to Process Personal Data on the Customer's behalf. The Sub-processors currently engaged by Velaris are listed in Annex B.
  2. New Sub-processors. Velaris shall not subcontract any Processing of the Personal Data to a Sub-processor, other than listed in Annex B, without the Customer's prior written consent. Notwithstanding this, the Customer consents to the Vendor engaging Sub-processors to process the Personal Data provided that:
    • Velaris provides at least 30 days prior written notice to the Customer of the engagement of any new Sub-processor (including details of the Processing and location), and Velaris shall update the list of all Sub-processors engaged in processing of Personal Data under this Agreement at Annex B and send such updated version to the Customer prior to the engagement of the Sub-processor;
    • Velaris imposes the same data protection terms on any Sub-processor it engages as contained in this Data Processing Addendum (including the Standard Contractual Clauses, where applicable); and
    • Velaris remains fully liable for any breach of this Data Processing Addendum or the Agreement caused by an act, error or omission of such Sub-processor.
  3. Objections. If the Customer objects to the engagement of any Sub-processor on reasonable data protection grounds, then either Velaris will provide sufficient further safeguards, not engage the Sub-processor to process the Personal Data, or the Customer may elect to suspend or terminate the Processing of Personal Data under the Agreement without penalty. If it is not commercially reasonable for the Customer to use the Service without such Data Processing, the Customer is entitled to terminate the Agreement without penalty, whereas the Customer shall be entitled to receive a pro-rata refund of Fees already paid to Velaris but not utilised.
8.    DATA TRANSFERS
  1. International Data Transfers. Velaris shall take all such measures necessary to ensure that the Processing and transfer of Personal Data in or to a territory other than the territory in which the Personal Data was first collected complies with Data Protection Legislation.
  2. Restricted Transfers. The Parties agree that when and to the extent the transfer of Personal Data (i) from the Customer to Velaris; or (ii) from Velaris to a Sub-processor, is a Restricted Transfer, it shall be subject to the Standard Contractual Clauses as follows:
    • subject to Clauses 7.b.ii and 7.b.iii below, the Standard Contractual Clauses shall be incorporated by reference into and form an integral part of this Data Processing Addendum;
    • for the purposes of the UK SCCs, Annex A and Annex C of this Data Processing Addendum shall replace Appendix 1 and 2 accordingly; and
    • in the event that any provision of this Data Processing Addendum contradicts, directly or indirectly, the Standard Contractual Clauses, the appropriate Standard Contractual Clauses shall prevail to the extent of such conflict.
9.    LIMITATION OF LIABILITY
  1. The Customer's remedies, including its Affiliates, and Velaris' liability arising out of or in relation to this Data Processing Addendum, are subject to those limitations of liability and disclaimers set forth in the Agreement (incl. Terms of Service).
10.    FINAL PROVISIONS
  1. Third-Party Beneficiaries. Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to the Agreement and this Data Processing Addendum.
  2. Governing Law and Jurisdiction. This Data Processing Addendum shall be governed by and construed with governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.
  3. Scope of this Data Processing Addendum. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this Data Processing Addendum.
  4. Term. This Data Processing Addendum shall continue to be in effect for the term of the Agreement plus the period from expiry of the Agreement until Velaris ceases to process Personal Data on behalf of the Customer.
ANNEX A - Description of the Processing Activities / Transfer
ANNEX A(1) List of Parties:
Data Exporter
  • Name: The Customer
  • Address: As identified in the Agreement
  • Contact Person's Name, position and contact details: As identified in the applicable Sales Order.
  • Activities relevant to the transfer: See Annex A(2) below
  • Role: Controller
Data Importer
  • Name: MANANTIAL LTD
  • Address: 17 Mary Shunn Way, Wantage, Oxfordshire, OX128GN, United Kingdom.
  • Contact Person's Name, position and contact details: Jose Fernandez-Castano (jose@velaris.io)
  • Activities relevant to the transfer: See Annex A(2) below
  • Role: Processor
ANNEX A(2) Description of Transfer:
Description
Categories of data subjects:
  • Users: any of the Customer's employees or other personnel, suppliers and other third parties authorised under the Agreement to use the Service.
  • Employees and Contractors of Customer's Clients: any existing or future employee or contractor of the Customer's client that is in contact with the Customer through a connection (e.g., email, analytical software) connected by the Service or whose personal data is otherwise uploaded by the Customer or its Users to the Service.
Categories of personal data:
Depending on the Service purchased by the Customer, the Personal Data may include:
  • Users: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility); IT related data (computer ID, user ID, password, IP address, log files).
  • Employees and Contractors of Customer's Clients: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility); IT related data (computer ID, user ID, password, IP address, log files), other personal data shared by a user herself.
Sensitive data:
Velaris does not require any special categories of data to provide the Service and does not intentionally collect or process such data in connection with the provision of the Service.
Frequency of the transfer:
Continuous
Nature and subject matter of processing:
The Personal Data may be subject to the following processing activities:
  • storage (hosting) and other processing necessary to provide, maintain and improve the Service provided to Customer under the Agreement;
  • technical support provided to the Customer on a case by case basis;
  • disclosures in accordance with the Agreement and the Data Processing Agreement, as compelled by law; and
  • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Duration of the processing:
Processing Term
Purpose(s) of the data transfer and further processing:
  1. Processing to provide, maintain, support, and improve the Service provided to the Customer in accordance with the Agreement;
  2. Processing initiated by the Users in their use of the Service; and
  3. Processing to comply with other documented reasonable instructions provided by the Customer (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this Data Processing Agreement).
Retention period (or, if not possible to determine, the criteria used to determine that period):
Processing Term
ANNEX A(3) Competent supervisory authority
In accordance with Clause 13 of the UK SCCs, the competent supervisory authority is the Information Commissioner's Office (the "ICO").
ANNEX B - Approved Sub-processors
Amazon Web Services (EMEA) SARL,
38 Avenue John F. Kennedy, Luxembourg 1855, Luxembourg
Hosting provider
TINYBIRD LABS,
Calle Moreno Nieto, 2, 28005 Madrid, SPAIN
Analytics
Manantial (Pvt) Ltd,
156/1B, Laxhapathiya Road, Laxhapathiya, Moratuwa, Sri Lanka
Servicing company, a wholly-owned subsidiary of MANANTIAL LTD (Velaris)
ANNEX C - Technical and Organisational Measures
The technical and organisational measures implemented by Velaris (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context, and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf and https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/welcome.html

The Customer Data is fully hosted on Amazon Web Services and Velaris adheres to all Amazon Web Services security best practices.