Data processing addendum

1. This DPA sets out additional terms, requirements and conditions on which Vouchsafe will process End User Data when providing the Services. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (‘UK GDPR’) for contracts between controllers and processors.
2. This DPA is incorporated into the Agreement, in the event of conflict between the two, the provisions of the DPA shall prevail.
3. Defined terms in this DPA unless indicated otherwise herein or within the Agreement, shall have the same meaning as in Data Protection Laws.
4. Vouchsafe and the Customer acknowledge that the Customer is the Data Controller and Vouchsafe is the Data Processor of End User Data.
5. The Customer warrants that at all times it shall, comply with applicable provisions of Data Protection Laws, including but not limited to;
   • retaining control of the End User Data;
   • remaining responsible for the written processing instructions it gives to Vouchsafe, which are outlined below in ’Details of Data Processing’.
   • ensuring that there is an appropriate lawful basis for the transfer of the End User Data to Vouchsafe for Vouchsafe to process the End User Data for the purposes of supplying the Services; and
   • providing any required notices to Data Subjects.

Details of Data Processing

1. Scope – Processing of the End User Data in the provision of Services to the Customer.
2. Nature and purpose of processing – Processing activities include the collection, recording, structuring, storage, adaptation, retrieval, consultation, use, disclosure (where authorised), alignment, restriction, erasure, and destruction of End User Data.
3. Duration of processing – For the Term and any period required to complete the Services or comply with legal or regulatory obligations, after which the End User Data will be deleted or returned in accordance with the DPA.
4. Types of personal data – including Identification details, contact information, government-issued ID data, biometric data used for verification (where applicable), device or technical data, and verification results.
5. Categories of data subject – End Users, and prospective End Users and other individuals whose identity must be verified in connection with Customer’s services.

6. Vouchsafe shall, in relation to the End User Data:
   • comply with all applicable provisions of Data Protection Laws;
   • process the End User Data only on written instructions of the Customer as set out in the ‘Details of Data Processing’;
   • keep the End User Data confidential and ensure that all personnel with access to the End User Data are subject to a duty of confidentiality;
   • comply with the Customer’s reasonable instructions with respect to processing the End User Data;
   • not transfer the End User Data outside of the UK unless it ensures that:
     • the transfer is to a country approved as providing an adequate level of protection; or
     • there are appropriate safeguards in place; or
     • binding corporate rules are in place; or
     • one of the derogations for specific situations applies to the transfer.
   • ensure that it has in place appropriate technical or organisational measures, to protect against unauthorised or unlawful processing of the End User Data and against accidental loss or destruction of, or damage to, the End User Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures
   • assist the Customer in responding to any Data Subject rights requests and to ensure compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;
   • notify the Customer without undue delay on becoming aware of a Personal Data Breach or communication which relates to the Customer’s or Vouchsafe’s compliance with the Data Protection Laws;
   • at the written request of the Customer, delete or return the End User Data (and any copies of the same) to the Customer on termination of the Agreement unless required by the Data Protection Laws to store the Personal Data; and
   • maintain complete and accurate records and information to demonstrate compliance with this DPA and allow for audits by the Customer or the Customer’s designated auditor on provision of reasonable notice.
7. Subject to the provisions of clause 8, Customer consents generally to the appointment of third parties as sub-processors of End User Data. Vouchsafe shall make details of which sub-processors are appointed at the commencement of the Term available to Customer upon written request.
8. Vouchsafe confirms that a) it shall impose on all sub-processors the same data protection obligations as set out in this DPA and shall remain liable for the actions of its sub-processors.
9. Vouchsafe shall give the Customer notice of the appointment of any changes to the list of sub-processors and provide the Customer with full details of the processing to be undertaken by any new sub-processor, thereby giving the Customer the opportunity to object to such appointment. If Vouchsafe so notifies the Customer of any changes to sub-processors and the Customer objects to such changes, the Customer will be entitled to terminate this Agreement (without liability for either party, and such termination will be deemed to be a no-fault termination) provided always that the Customer has reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause the Customer to be in breach of the Data Protection Laws.