DATA PROCESSING ADDENDUM
This Data Processing Addendum, including its Annex (“Data Processing Addendum”), sets out the terms and conditions upon which Xledger will process Customer Personal Data and forms part of the Agreement (as defined below) between Xledger Limited (“Xledger”) and the Customer (“Customer”).
The Agreement, including without limitation this Data Processing Addendum, takes effect in accordance with the General Terms.
AGREED TERMS
1. Definitions and Interpretation
1.1 In this Data Processing Addendum, defined terms shall have the same meaning, and the same rules of interpretation shall apply, as in the remainder of the Agreement. In addition, in this Data Processing Addendum, the following definitions have the meanings given below:
Agreement: shall have the meaning given in the General Terms;
Business Purposes: the services to be provided by Xledger to the Customer as described in the Agreement and any other purpose specifically identified in Part A of Annex 1.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Customer Personal Data: Personal Data supplied by or on behalf of the Customer and processed by Xledger on the Customer’s behalf in connection with Xledger’s performance of its obligations relating to or arising from the Agreement;
Customer Personal Data Breach: a Personal Data Breach affecting Customer Personal Data;
Data Processing Instructions: the documented instructions from the Customer, including those set out in the relevant Order, in relation to the processing of the Customer Personal Data;
Data Protection Legislation:
a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Xledger is subject, which relates to the protection of Personal Data.
Delete: to remove or obliterate Personal Data on Xledger’s live systems such that it cannot be recovered or reconstructed (to the extent technically and legally practicable) and “Deletion” shall be construed accordingly;
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Records: has the meaning given to it in clause 10.
Standard Contractual Clauses: (a) the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, or (b) the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries, as set out in the Annex to Commission Implementing Decision (EU) 2021/914, or (c) any standard data protection clauses specified in regulations made by the UK Secretary of State under the Data Protection Legislation and for the time being in force;
UK GDPR: the General Data Protection Regulation ((EU) 2016/679), as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as supplemented by section 205(4) of the Data Protection Act 2018);
1.2 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this Data Processing Addendum and any provision contained in the Annexes, the provision in the body of this Data Processing Addendum will prevail; and
(b) any of the provisions of this Data Processing Addendum and the provisions of the remaining terms of the Agreement, the provisions of the Agreement will prevail.
2. Personal data types and processing purposes
2.1 The Customer and Xledger agree and acknowledge that in relation to the Customer Personal Data and for the purpose of the Data Protection Legislation:
(a) the Customer is the Controller and Xledger is the Processor.
(b) the Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Xledger.
(c) Part A of Annex 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Xledger may process the Customer Personal Data to fulfil the Business Purposes.
3. Xledger’s obligations
3.1 Xledger shall, in relation to the Customer Personal Data:
(a) only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Data Processing Instructions. Xledger will not process the Customer Personal Data for any other purpose or in a way that does not comply with this Data Processing Addendum or the Data Protection Legislation. Xledger shall inform the Customer if, in its opinion, any of the Data Processing Instructions infringe the Data Protection Legislation.
(b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data, having regard to the state of the art, the cost of implementing any measures and the nature, scope, context and purposes of processing.
(c) comply promptly with any Customer written instructions requiring Xledger to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
(d) reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Xledger’s processing and the information available to Xledger, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.
4. Customer’s obligations
4.1 The Customer shall:
(a) ensure that the Customer Personal Data does not contain any special categories of personal data (as defined by Article 9 of the GDPR) or personal data relating to criminal convictions and offences.
(b) comply with all applicable requirements of the Data Protection Legislation, including in relation to the Customer Personal Data and providing Xledger with its Data Processing Instructions. In particular, the Customer shall ensure that it provides any required notices, obtains any required consents and registrations and complies with Chapter 5 of the GDPR (or any equivalent transfer requirements in the relevant jurisdiction) in order to enable lawful transfer of Customer Personal Data to Xledger (and Xledger’s third-party processors) and lawful collection and processing of Customer Personal Data by Xledger (and Xledger’s third-party processors) for the duration and purposes of this Data Processing Addendum.
(c) provide Xledger with its Data Processing Instructions in relation to the Customer Personal Data.
4.2 The Customer warrants and represents that Xledger’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
5. Personal data breach
5.1 After becoming aware of a Customer Personal Data Breach, Xledger shall:
(a) notify the Customer without undue delay (and if feasible within seventy-two (72) hours); and
(b) use reasonable efforts to provide the Customer with the following information (whether at the same time as or subsequent to the notification in clause 5.1(a)):
(i) the name and contact details of the relevant individual to contact for more information about the Customer Personal Data Breach;
(ii) details of the nature of the Customer Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(iii) details of the measures taken or proposed to be taken by Xledger to address the Customer Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Cross-border transfers of personal data
6.1 Xledger (and any subcontractor) must not transfer or otherwise process the Customer Personal Data outside the EEA without obtaining the Customer’s prior written consent.
6.2 By entering into the Agreement, the Customer hereby gives consent under clause 7 of this Data Processing Addendum to Xledger transferring the Customer Personal Data outside the UK, including without limitation to Xledger’s data centres located in Norway and other subcontractors located in Ireland and Sweden. The Customer hereby provides its prior, general authorisation for Xledger to transfer Customer Personal Data outside of the UK as required for the Business Purposes, provided that Xledger shall ensure that all such transfers are effected in accordance with the Data Protection Legislation. For these purposes, the Customer shall promptly comply with any reasonable request of Xledger, including any request to enter into the Standard Contractual Clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
7. Subcontractors
7.1 The Customer hereby gives Xledger:
(a) specific authorisation to engage the subcontractors set out in Part B of Annex 1 to process the Customer Personal Data; and
(b) consent to transfer the Customer Personal Data to those third parties.
Xledger confirms that it has entered into and shall maintain, with those third-party processors, a written agreement incorporating data protection obligations which are substantially similar to those set out in this Data Processing Addendum. Xledger shall remain liable to the Customer for the performance of that third-party processor’s obligations.
7.2 The Customer hereby gives Xledger general authorisation to engage third-party processors (other than those set out in Part B of Annex 1) to process the Customer Personal Data in connection with the provision of the Licensed Materials and the performance of the Services, provided that:
(a) Xledger notifies the Customer of the proposed third-party processor, including providing details of the processing intended to be undertaken by that third-party processor; and
(b) the Customer is provided with an opportunity to object to the appointment of such proposed third-party processor within ten (10) Business Days after such notification.
7.3 If, within ten (10) Business Days of the notification in clause 7.2(a), the Customer notifies Xledger in writing of any objections to the proposed appointment:
(a) The Parties shall discuss such objections and work together in good faith: (i) to address the Customer’s objections or (ii) to agree a change in the provision of the Licensed Materials or the Services which avoids the use of that proposed third-party processor; and
(b) if, within thirty (30) Business Days of Xledger’s receipt of the Customer’s notification pursuant to this clause 7.3, the Customer’s objections have not been addressed and the relevant change has not been agreed pursuant to clause 7.3(a), the Customer may by written notice to Xledger with immediate effect terminate the Agreement to the extent that it relates to the Licensed Materials or the Services which require the use of that proposed third-party processor.
7.4 Where Xledger engages a third-party processor pursuant to clause 7.2 in relation to any Customer Personal Data, Xledger confirms that it has entered or (as the case may be) will enter with that third-party processor into a written agreement incorporating data protection obligations which are substantially similar to those set out in this Data Processing Addendum. As between Xledger and the Customer, where a third-party processor engaged by Xledger pursuant to clause 7.2 fails to fulfil its data protection obligations in relation to any Customer Personal Data, Xledger shall remain liable to the Customer for the performance of that third-party processor’s obligations.
8. Data subject requests
8.1 Xledger shall, to the extent permitted by applicable laws and regulations, promptly notify the Customer if it receives a Data Subject Request.
8.2 Taking into account the nature of the processing and the information available to Xledger, Xledger shall provide reasonable assistance to the Customer, at the Customer’s cost, in responding to any Data Subject Request, to the extent that: (i) the Customer is unable to respond to the Data Subject Request without Xledger’s assistance; (ii) such response is required by the Data Protection Legislation; (iii) the Customer requests such assistance in writing; and (iv) Xledger is permitted by the Data Protection Legislation to provide such assistance. Xledger shall provide details of its fees for assisting the Customer upon request.
9. Data return and destruction
9.1 On termination of the Agreement for any reason or expiry of its term, subject to clause 9.2, Xledger shall:
(a) at the Customer’s written request, Delete or return all the Customer Personal Data to the Customer. In the event that Xledger has not received such written request within thirty (30) days of termination or expiry of the Agreement, the Customer shall be deemed to have requested the Deletion of the Customer Personal Data; and
(b) Delete all existing copies of the Customer Personal Data in Xledger’s possession.
Xledger shall comply with its obligations under this clause 9.1 promptly and in any event within thirty (30) days of receipt of the Customer’s written request or deemed request and, on the Customer’s written request, Xledger shall confirm in writing to the Customer that it has done so.
9.2 Xledger shall be entitled to retain or store the Customer Personal Data after termination or expiry of the Agreement to the extent that Xledger is required by applicable laws or any applicable governmental or regulatory authority to retain or store the Customer Personal Data. This Data Processing Addendum shall continue to apply to any such Customer Personal Data.
10. Records
10.1 Xledger will keep detailed, accurate and up-to-date written records regarding any processing of the Customer Personal Data, including but not limited to, the access, control and security of the Customer Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in clause 3.1 (Records).
10.2 Xledger will ensure that the Records are sufficient to enable the Customer to verify Xledger’s compliance with its obligations under this Data Processing Addendum and the Data Protection Legislation and Xledger will provide the Customer with copies of the Records upon request.
11. Audit
11.1 Subject to clause 11.2, Xledger shall on no more than one occasion in every twelve (12) calendar months and on thirty (30) Business Days’ written notice from the Customer, allow the Customer or the Customer’s designated auditor (other than a competitor of Xledger) to access the Records at Xledger’s registered office on a date agreed during normal business hours to the extent necessary to demonstrate compliance by Xledger with its obligations in this Data Processing Addendum. The Customer will ensure that such access does not unreasonably disrupt Xledger’s operations.
11.2 To the extent that
(a) the scope of any audit relates to Xledger’s information technology and information security controls used in complying with its obligations under this Data Processing Addendum; and
(b) Xledger has, within the twelve (12) months preceding the Customer’s written request for an audit, obtained its own ISAE, ISO or similar report of such systems from a qualified third party (Third Party Report),
then, subject to Xledger confirming in writing that there have been no system changes since the date of the Third Party Report, the Customer agrees to accept the Third Party Report in place of a further audit in respect of those elements. The Customer will treat such Third Party Reports as Xledger’s confidential information under the Agreement.
11.3 The Customer is responsible for the costs of the audit. If the Customer requires assistance from Xledger that Xledger reasonably believes goes beyond its obligations in applicable laws and regulations, Xledger may request payment at its standard rates for any additional service provided.
12. Indemnification
12.1 Xledger agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by Xledger or its employees, subcontractors or agents to comply with any of its obligations under this Data Processing Addendum and/or the Data Protection Legislation.
12.2 The limitation of liability set forth in the General Terms will apply to this Data Processing Addendum’s indemnity or reimbursement obligations.
ANNEX 1: Personal Data processing purposes and details
PART A: Xledger will act as Processor of Personal Data in relation to Customer Personal Data. The purposes of and details of the Processing are set out in the following table:
Subject matter of processing | The performance of the Services or Xledger’s obligations, including provision of the Licensed Materials, under or in connection with the Agreement. |
Business Purposes | The purpose of the processing is (i) the performance by Xledger of the Agreement as described above under “Subject matter of processing” in this Annex and (ii) to improve, enhance or analyse the performance of the Services, including the aggregation or anonymisation of data. |
Duration of processing | Xledger will process Customer Personal Data for the duration of the Agreement. |
Nature of processing | In relation to the Customer Personal Data, the processing by Xledger (and its third-party processors) includes collection, recording, organisation, structuring, storage, retrieval, accessing, consultation, reviewing, use, sharing or making available, restriction, anonymisation, erasure or destruction, all for the processing purposes set out above. |
Type of Personal Data | First and last name, address, email address, telephone number, bank account information, personal ID number, payroll information. No special categories of personal data (as defined by Article 9 of the GDPR) or personal data relating to criminal convictions and offences shall be processed under the Agreement. |
Categories of data subjects | Employees, officers, members, contractors, customers, suppliers, donors, company contacts, next of kin, prospects and leads of the Customer and its Affiliates. |
PART B: Approved Subcontractors:
Name of Sub-processor | Delivery area | Location |
Xledger Labs AS | Data center, hosting, backup IT support services, R&D | Oslo, Norway |
Xledger Group AS | Consulting and support services, R&D | Oslo, Norway |
Xledger AB | Consulting and support services | Stockholm, Sweden |
Xledger AS | Consulting and support services | Oslo, Norway |
AccessPay | Bank Statement Imports and Direct Debit processing | London, United Kingdom |
Bottomline | BACS payment processing | London, United Kingdom |
Yapily | Open Access Banking | Dublin, Eire |
Cyclr | iPaaS provider | London, United Kingdom |