
COLLABORIS LIMITED

DOCREAD 365 DATA PROCESSING AGREEMENT

Version: 1.0, 2024-01-30

This Data Processing Agreement (“DPA”, “Agreement”) regulates the processing of personal data by Collaboris Limited (“Collaboris”, “Data Processor”, “Processor”, “Service Provider”, “we”, “us”) on behalf of the customer (“Data Controller”, “Controller”, “Customer”, “you”) and is attached as an addendum to the DocRead Software as a Service Agreement (“SAASA”) in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller.

Background

You should print a copy of this Agreement for future reference. You can also download a PDF copy of this agreement here.

  1. Definitions and Interpretation

    In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

    • “GDPR” means:

      1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the EU GDPR); and

      2. the EU GDPR as implemented or adopted under the laws of the United Kingdom (UK GDPR) (General Data Protection Regulation).

    • “Commencement Date” means the date the Customer accepts the terms of the SAASA;

    • “Commissioner” means the Information Commissioner (as defined in Article 4(A3) UK GDPR and section 114 Data Protection Act 2018);

    • “Data controller” shall have the meanings given to the term “controller” by Article 4(7) of the GDPR, and section 6 of the Data Protection Act 2018;

    • “Data Protection Legislation” means:

      1. to the extent the UK GDPR (as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018) applies, the law of the UK or of a part of the UK which relates to the protection of Personal Data; or

      2. to the extent EU GDPR (the General Data Protection Regulations (EU 2016/679)) applies, the law of the EU or any member state of the EU to which the Customer is subject, which relates to the protection of Personal Data.

      3. to the extent applicable, the data protection or privacy laws of any other country;

    • “Data Subject” means an identified or identifiable living individual to whom Personal Data relates;

    • “Personal Data” means any information relating to an identified or identifiable living individual; an identified or identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual;

    • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed;

    • “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller;

    • “Quote” means Collaboris’ pre-contract offer to the Controller setting out the Services that it will carry out under the SAASA and DPA, price, number of Users and Term of the Services, and incorporating Collaboris’ applicable policies and third party licences if applicable;

    • “Sub-Processor” means a sub-processor appointed by the Data Processor to process Personal Data;

    • “processing”, “process”, “processed”, “processes” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

    • “Services” means those services and facilities described in the SAASA which are provided by Collaboris to the Controller and which the Controller uses for the purposes described in it;

    • “Contract Year” means the period of 12 months commencing from the Commencement Date and each anniversary thereafter;

    • “Fees” means the sums payable by the Controller to Collaboris for the Services as stated in the Quote.

    1.1 Unless the context otherwise requires, each reference in this Agreement to:

    • 1.1.1. “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;

    • 1.1.2. a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;

    • 1.1.3. “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;

    • 1.1.4. a Schedule is a schedule to this Agreement; and

    • 1.1.5. a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.

    • 1.1.6. a “Party” or the “Parties” refer to the parties to this Agreement.

    1.2. The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.

    1.3. Words imparting the singular number shall include the plural and vice versa.

    1.4. References to any gender shall include any other gender.

    1.5. References to persons shall include corporations.

  2. Scope and Application of this Agreement

    2.1. The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 1, carried out for the Controller by Collaboris, and to all Personal Data held by Collaboris in relation to all such processing, whether such Personal Data is held at the date of this Agreement or received afterwards.

    2.2. Schedule 1 describes the type(s) of Personal Data, category or categories of Data Subject, the nature of the processing to be carried out, the purpose(s) of such processing, and the duration of such processing.

    2.3. Subject to sub-Clause 2.4, this Agreement is subject to the terms of the SAASA and is hereby incorporated into the SAASA. Definitions and interpretations set out in the SAASA shall apply to the interpretation of this Agreement.

    2.4. The provisions of this Agreement supersede any other arrangement, understanding, or agreement including, but not limited to, the SAASA made between the Parties at any time relating to the Personal Data.

    2.5. This Agreement shall continue in full force and effect for so long as Collaboris is processing Personal Data on behalf of the Controller, and thereafter as provided in Clause 9.

  3. Provision of the Services and Processing Personal Data

    3.1. Collaboris shall only provide the Services and process the Personal Data received from the Controller:

    • 3.1.1. for the purposes of those Services and not for any other purpose;

    • 3.1.2. to the extent and in such a manner as is strictly necessary for those purposes; and

    • 3.1.3. strictly in accordance with the express written authorisation and instructions of the Controller (which may be specific instructions or instructions of a general nature, or as otherwise notified by the Controller to Collaboris).

  4. Data Protection Compliance

    4.1. All instructions given by the Controller to Collaboris shall be made in writing and shall at all times be in compliance with the Data Protection Legislation. Collaboris shall act only on such written instructions from the Controller unless Collaboris is required by law to do otherwise (as per Article 29 of the GDPR).

    4.2. Collaboris shall promptly comply with any request from the Controller requiring Collaboris to amend, transfer, delete, or otherwise dispose of the Personal Data.

    4.3. Collaboris shall transfer all Personal Data to the Controller on the Controller’s request in the formats, at the times, and in compliance with, the Controller’s written instructions.

    4.4. Both Parties shall comply at all times with the Data Protection Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between them in such way as to cause either Party to breach any of its applicable obligations under the Data Protection Legislation.

    4.5. The Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing, and that the Controller has in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to Collaboris.

    4.6. Collaboris shall comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and any best practice guidance issued by the Commissioner.

    4.7. Collaboris shall provide reasonable assistance (at the Controller’s cost) to the Controller in complying with its obligations under the Data Protection Legislation with respect to the security of processing, the notification of Personal Data Breaches, the conduct of data protection impact assessments, and in dealings with the Commissioner. What is reasonable, for the purposes of this sub-Clause 4.7 shall take account of the nature of Collaboris’ processing and the information available to Collaboris.

    4.8. Collaboris shall notify the Controller in a timely manner of any changes to the Data Protection Legislation that may adversely affect its performance of the Services or of its obligations under this Agreement.

    4.9. When processing the Personal Data on behalf of the Controller, Collaboris shall:

    • 4.9.1. process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (in which case, Collaboris shall inform the Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);

    • 4.9.2. implement appropriate technical and organisational measures, including those described in Schedule 2, and take all steps necessary to protect the Personal Data against accidental, unauthorised, or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against its accidental or unlawful loss, destruction, alteration, disclosure, or damage. Collaboris shall inform the Controller in advance of any changes to such measures;

    • 4.9.3. make available to the Controller any and all such information as is reasonably required and necessary to demonstrate Collaboris’ compliance with the Data Protection Legislation;

    • 4.9.4. inform the Controller immediately if it is asked to do anything that infringes the Data Protection Legislation.

  5. Data Subject Requests, Notices, Complaints, and Personal Data Breaches

    5.1. Collaboris shall, at the Controller’s cost, assist the Controller in complying with its obligations under the Data Protection Legislation. In particular, the provisions of this Clause 5 shall apply to requests by Data Subjects to exercise their rights (including, but not limited to, subject access requests), information or assessment notices served on the Controller by the Commissioner under the Data Protection Legislation, complaints, and Personal Data Breaches.

    5.2. Collaboris shall notify the Controller immediately in writing if it receives:

    • 5.2.1. a request from a Data Subject to exercise their rights; or

    • 5.2.2. any other complaint, notice, communication, or request relating to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.

    5.3. Collaboris shall, at the Controller’s cost, cooperate fully with the Controller and assist as required in relation to any Data Subject request, or other complaint, notice, communication, or request, including by:

    • 5.3.1. providing the Controller with full details of the complaint, notice, communication, or request;

    • 5.3.2. providing the necessary information and assistance in order to comply with a request from a Data Subject;

    • 5.3.3. providing the Controller with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Controller); and

    • 5.3.4. providing the Controller with any other information requested by the Controller.

    5.4. Collaboris shall notify the Controller immediately if it becomes aware of any form of Personal Data Breach, including any unauthorised or unlawful processing, loss of, unintended damage to, or destruction of any of the Personal Data.

  6. Staff and Data Protection Officers

    6.1. Collaboris shall ensure that all personnel who are to access and/or process any of the Personal Data:

    • 6.1.1. be informed of the confidential nature of the Personal Data and be bound by contractual use restrictions and confidentiality requirements, as per sub-Clause 9.2;

    • 6.1.2. be given appropriate training on the Data Protection Legislation and how their job roles relate to it and are affected by it; and

    • 6.1.3. be made aware of both Collaboris’ duties, and their personal duties and obligations under the Data Protection Legislation and this Agreement.

  7. Liability and Indemnity

    7.1. The Controller shall be liable for, and shall indemnify (and keep indemnified) Collaboris in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Collaboris arising directly or in connection with:

    • 7.1.1. any non-compliance by the Controller with the Data Protection Legislation;

    • 7.1.2. any processing carried out by Collaboris in accordance with instructions given by the Controller that infringe the Data Protection Legislation; or

    • 7.1.3. any breach by the Controller of its obligations under this Agreement,

    except to the extent that Collaboris is liable under sub-Clause 7.2.

    7.2. Collaboris shall be liable for, and shall indemnify (and keep indemnified) the Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Controller arising directly or in connection with Collaboris’ processing activities that are subject to this Agreement:

    • 7.2.1. only to the extent that the breach results from Collaboris’ breach of, or non-compliance with, this Agreement, the Controller’s instructions, or the Data Protection Legislation; and

    • 7.2.2. not to the extent that the breach is contributed to by any breach of this Agreement by the Controller.

    7.3. The Controller shall not be entitled to claim back from Collaboris any sums paid in compensation by the Controller in respect of any damage to the extent that the Controller is liable to indemnify Collaboris under sub-Clause 7.1.

    7.4. Nothing in this Agreement (and in particular, this Clause 7) shall relieve either Party of, or otherwise affect, the liability of either Party to any Data Subject, or for any other breach of that Party’s direct obligations under the Data Protection Legislation. Furthermore, Collaboris hereby acknowledges that it shall remain subject to the authority of the Commissioner and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a Processor under the Data Protection Legislation may render it subject to the fines, penalties, and compensation requirements set out in the Data Protection Legislation.

    7.5. Subject to the provisions of this Clause 7, Collaboris’ total aggregate liability arising in connection with this Agreement or applicable Data Protection Legislation shall be limited to the Fees payable in the Contract Year in which the liability first arose.

  8. Intellectual Property Rights

    All copyright, database rights, and other intellectual property rights in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Controller or Collaboris) shall belong to the Controller or to any other applicable third party from whom the Controller has obtained the Personal Data under licence (including, but not limited to, Data Subjects, where applicable). Collaboris is licensed to use such Personal Data only for the term of the SAASA, for the purposes of providing the Services, and in accordance with this Agreement.

  9. Confidentiality

    9.1. Collaboris shall maintain the Personal Data in confidence, and in particular, unless the Controller has given written consent for Collaboris to do so, Collaboris shall not disclose any Personal Data supplied to Collaboris by, for, or on behalf of, the Controller to any third party. Collaboris shall not process or make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of the Services to the Controller.

    9.2. Collaboris shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.

    9.3. The obligations set out in this Clause 9 shall continue for a period of 2 years after the cessation of the provision of Services by Collaboris to the Controller.

    9.4. Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

  10. Appointment of Sub-Processors

    10.1. Collaboris shall not subcontract any of its obligations or rights under this Agreement without informing the Customer beforehand.

    10.2. An up-to-date list of Collaboris’ Sub-Processors, and the date on which they were appointed, can be found on Collaboris’ website https://docs.docread.app/sub-processors. Where a Sub-Processor has been appointed by Collaboris prior to the Commencement Date, the entering into the SAASA shall be deemed written notice as required under Clause 10.1.

    10.3 If Collaboris appoints a Sub-Processor, Collaboris shall:

    • 10.3.1 enter into a written agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon Collaboris by this Agreement and which shall permit both Collaboris and the Controller to enforce those obligations;

    • 10.3.2 ensure that the Sub-Processor complies fully with its obligations under that agreement and the Data Protection Legislation; and

    • 10.3.3 ensure that the agreement between Collaboris and the Sub-Processor shall terminate automatically upon the termination or expiry of this Agreement for any reason.

    10.4 In the event that a Sub-Processor fails to meet its obligations under any such agreement, Collaboris shall remain fully liable to the Controller for failing to meet its obligations under this Agreement.

    10.5 The Provider shall be deemed to have control legally over any Personal Data that is in the possession of or practically controlled by its Sub-Processors.

  11. Deletion and/or Disposal of Personal Data

    11.1 Collaboris shall:

      1. at the written request of the Customer; or
      2. within 60 days of the end of the provision of the Services under the SAASA,

    delete (or otherwise dispose of) the Personal Data or return it to the Customer in the format(s) reasonably requested by the Customer.

  12. Law and Jurisdiction

    12.1. This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.

    12.2. Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

SCHEDULE 1

Personal Data

• Type of Personal Data: Names, Emails

• Category of Data Subject: Controller’s employees and other end users that have been authorised by the Controller to use the services outlined in the SAASA

• Subject-Matter and Nature of Processing: The subject-matter of Processing of Personal Data by Processor is the provision of the services to the Controller that involves the Processing of Personal Data

• Purpose(s) of Processing: To enable Collaboris to provide the services outlined in the SAASA

• Duration of Processing: Term of the SAASA

SCHEDULE 2

Technical and Organisational Data Protection Measures

The following are the technical and organisational data protection measures referred to in Clause 4:

  1. Collaboris shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Controller, it maintains security measures to a standard appropriate to:

    1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and

    1.2 the nature of the Personal Data.

  2. In particular, Collaboris shall:

    2.1 have in place, and comply with, a security policy which:

    • 2.1.1. defines security needs based on a risk assessment;

    • 2.1.2. allocates responsibility for implementing the policy to a specific individual (such as Collaboris’ data protection officer) or personnel;

    • 2.1.3. is provided to the Controller on or before the commencement of this Agreement;

    • 2.1.4. is disseminated to all relevant staff; and

    • 2.1.5. provides a mechanism for feedback and review.

    2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;

    2.3 prevent unauthorised access to the Personal Data;

    2.4 protect the Personal Data using pseudonymisation and encryption, where it is practical to do so;

    2.5 ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;

    2.6 have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);

    2.7 password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;

    2.8 take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;

    2.9 have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:

    • 2.9.1. the ability to identify which individuals have worked with specific Personal Data;

    • 2.9.2. having a proper procedure in place for investigating and remedying breaches of the Data Protection Legislation; and

    • 2.9.3. notifying the Data Controller as soon as any such security breach occurs.

    2.10. have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;

    2.11. have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment.