This DATA PROCESSING AGREEMENT (the “DPA”) is entered into by and between:
(1) Fresh Projects Cloud Ltd (registration number 10011315), with its primary office located at 1a Colinette Road, London SW156QG, England (“Fresh Projects” including any Fresh Projects affiliates); and
(2) Client as set forth in the Proposal to which this DPA relates (the “Client”).
Fresh Projects and Client are each referred to as a “Party” and together as the “Parties”.
By signing the Proposal, Client accepts all terms and conditions set forth in this DPA.
(A) Client has entered into the Proposal and Software-as-a-Service Terms and Conditions (“T&Cs”) with Fresh Projects to use the service in connection with Client’s business which forms the subject matter of the processing of Personal Data under this DPA.
(B) Fresh Projects service is a software-as-a-service solution in which data processing is carried out (“Service”) rendering Client the data controller (or equivalent terminology), whilst Fresh Projects qualifies as data processor (or equivalent terminology) under the applicable data protection laws. In light of the above, Fresh Projects and Client have agreed on the following terms and conditions set out in this written DPA concerning the processing of Personal Data under this DPA.
“Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.
“Data Protection Laws” shall mean the applicable national laws (including the UK) concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016/679) and their national implementations and related national legislation.
“EEA” shall mean the European Economic Area.
“Personal Data” shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address, location data, etc.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing” “Process” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, dissemination, retrieval, use, disclosure by transmission or otherwise making available, combining, restricting, erasing, or destroying such information (in whole or in part).
“UK” shall refer to the United Kingdom.
Fresh Projects may under this DPA Process Personal Data on behalf of Client according to the instructions of Client. The Personal Data is and shall remain the property of Client, and Client takes full responsibility for the Personal Data, including that such data does not infringe any third-party rights or in any other way violate Applicable Laws.
This DPA is intended to constitute and shall be interpreted as a written data processing agreement between Client and Fresh Projects pursuant to applicable Data Protection Laws.
Fresh Projects shall Process the Personal Data relating to the categories of data subjects and shall consist of the Processing operations as set out in Schedule 1.
Fresh Projects shall Process the Personal Data for the purpose of providing the Service to Client.
4.1. This DPA shall enter into force on the Effective Date of the Proposal, subject to the below Section 4.2, shall remain effective until the Agreement (as referenced in the Proposal or T&Cs as applicable) is terminated or expires.
5.1 Fresh Projects may Process Personal Data only for purposes necessary for the due performance of the Agreement and only in accordance with the Data Protection Laws applicable to Fresh Projects and in accordance with the written instructions from Client as further detailed in Schedule 1 and as otherwise instructed by Client in writing from time to time. Fresh Projects may not disclose any Personal Data to a third party without the prior written approval from Client or if required by law.
5.2 If Fresh Projects does not have sufficient instructions to enable Fresh Projects to deliver the Services and/or other deliverables or otherwise fulfil its obligations, Fresh Projects shall inform Client hereof and specify the need for further instructions and await further written instructions from Client prior to continuing the relevant Processing of the Personal Data.
5.3 Fresh Projects shall implement and maintain appropriate and adequate technical and organizational measures as set forth in Schedule 1 to ensure the security for the Processed data. The measures shall as a minimum protect the Processed data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored, or otherwise Processed by Fresh Projects. The measures shall consider the particular risks associated with the Processing of the Personal Data and the sensitivity of the Personal Data which is Processed. The measures shall ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymization and encryption of the Processed data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a Process for regularly testing assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.4 Fresh Projects undertakes to oblige all persons, including but not limited to its employees, who access the Processed Personal Data in the course of the Processing operations carried out by Fresh Projects to comply with confidentiality obligations and access restrictions with regard to the Processing of Personal Data. Fresh Projects shall ensure only such employees have access to Personal Data who have received training and/or instruction in the care and handling of Personal Data.
5.5 Considering the nature of the Processing, Fresh Projects shall, at Client’s cost upon Client’s request in accordance with Client’s written instructions, assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to requests for exercising data subject's rights under applicable Data Protection Laws.
5.6 Fresh Projects, taking into account the nature of Processing and the information available to the processor, undertakes to assist Client, at Client’s cost upon Client’s reasonable request substantiating the necessity, in ensuring compliance with applicable Data Protection Laws with regards to the security of Processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.
6.1 Fresh Projects shall immediately inform Client if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
6.2 Fresh Projects shall notify Client without undue delay after becoming aware of a Personal Data Breach.
6.3 In the event Fresh Projects is required to disclose information, including but not limited to the Processed Personal Data or information relating to the Processing, according to Applicable Laws or the decisions of public authorities or courts, Fresh Projects shall be obligated to inform Client thereof immediately, insofar permitted by Applicable Laws, and request confidentiality in conjunction with the disclosure of requested information.
7.1 Fresh Projects is obliged to, upon Client’s reasonable request and at Client’s cost, make available to Client all information necessary and strictly limited to the purpose of demonstrating compliance with the obligations of Fresh Projects under applicable Data Protection Laws.
7.2 Client may, pursuant to the relevant provision of the Agreement but in any case notwithstanding what is set out in the Agreement once per calendar year at the cost of Client, carry out or mandate a third-party auditor, which is not direct competitor to Fresh Projects and acting under confidentiality undertaking, to carry out an audit strictly limited to verifying Fresh Projects compliance with the obligations of Fresh Projects under applicable Data Protection Laws. The audit shall be carried out during Fresh Projects normal working hours without disturbance to the normal operations of Fresh Projects.
8.1 Client hereby gives general written authorization for Fresh Projects to engage subprocessors for carrying out specific Processing activities on behalf of Client. When engaging subprocessors, Fresh Projects undertakes to ensure the contract entered into between Fresh Projects and any subprocessor shall impose, as a minimum, the same data protection obligations as set out in this DPA. A current list of Fresh Projects subprocessors is set forth in Schedule 2 hereof.
8.2. Fresh Projects shall notify Client of any intended changes concerning the addition or replacement of subprocessors, to which Client may object. If Client has made no such objection within 10 calendar days from the date of receipt of the notification, Client is assumed to have made no objection.
8.3 Fresh Projects may transfer (including allowing access to) Personal Data to its subprocessors outside the EEA and UK. The parties shall jointly take all reasonably required measures necessary for ensuring that such transfers are in accordance with Applicable Laws, which may include entering into model clauses for data transfer outside of the European Economic Area (EEA) and the UK.
9.1 If and to the extent another legal entity than Client is the controller, independently or jointly, for all or part of the Personal Data Processed by Fresh Projects on behalf of Client under this DPA, Client warrants that it has necessary authority and mandate to enter into this DPA on behalf of such legal entity.
1.2 Client warrants that the Processing of Personal Data is carried out in accordance with Applicable Laws, including obtaining necessary licenses, permits or approvals for the Processing and notifying the Processing to competent authorities or data protection officials and informing the data subjects of the Processing.
10.1 Unless expressly provided, each Party shall only be liable for direct losses caused by negligence and the total aggregate liability of each Party shall be limited to an amount corresponding to the limitation of liability clause set forth in the T&Cs. This limitation of liability shall not create a separate limitation of liability but shall rather be within such limitation of liability set forth in the T&Cs.
10.2 Each Party shall not be liable for any loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages.
10.3 Notwithstanding what is set out in this DPA, Fresh Projects shall be exempt from any and all liability under this DPA, if such liability is incurred due to instruction of Client contravening the applicable Data Protection Laws.
10.4 The above limitations shall not apply
(a) in the event of any loss which is caused by any Party’s gross negligence, intentional breach;
(b) to the breach of the confidentiality undertaking set out in this DPA;
(c) to the indemnification obligations set out in Section 11;
(d) to death, personal injury.
Client shall hold Fresh Projects harmless and indemnify for third party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Fresh Projects is held liable by a competent court, authority, or any other dispute resolution body for processing of personal that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Fresh Projects failure to perform its obligations under this DPA.
Fresh Projects is entitled to remuneration on the basis of the provisions of this DPA and shall, unless otherwise explicitly set out in this DPA, charge Client under this DPA in accordance with the Agreement.
When the provisions of this DPA cease to be effective, Fresh Projects shall, upon and in accordance with Controller's request, delete all Personal Data or delete and return all Personal Data to Client, unless Applicable Laws require Fresh Projects to store Personal Data.
14.1 Client may only assign the rights or obligations under this DPA to a third-party with the prior written consent of Fresh Projects.
14.2 Fresh Projects may assign its obligations under this DPA to third parties. Any such assignment of rights shall not be considered as Fresh Projects engaging a subprocessor.
15.1 This DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof. The DPA may be digitally entered into, copied, and stored—and if introduced as evidence in any judicial, arbitration, mediation or administrative proceedings, will be admissible to the same extent and under the same conditions as other business records originated and maintained in documentary form and neither Party will object on the basis that such business records were not originated or maintained in documentary form under any rule of evidence.
15.2. Fresh Projects is entitled to amend this DPA if it is necessary to comply with requirements of applicable data protection laws. Such amendments enter into force at the latest thirty (30) days after Fresh Projects has sent an amendment notice to Client, or such other time period which Fresh Projects is obliged to adhere to according to Personal Data Legislation and regulations or relevant authorities. Other alterations of and amendments to this DPA shall be made in writing and be signed by duly authorized representatives of the Parties to be binding.
16.1 Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled pursuant to Section 16.1 of the T&Cs.
Purposes
Purposes for which Personal Data will be Processed by Fresh Projects as Client’s data Processor
Fresh Projects Processes Personal Data for the purpose of fulfilling the Service under the Agreement. Personal Data may also be Processed for IT-support, payment processing, and related services
Categories of data
Personal Data Processed by Fresh Projects as data Processor.
Fresh Projects processes the following categories of Personal Data:
Unless otherwise elected by Client, Personal Data is limited to essential information such as names, titles, contact details such as professional phone numbers and email addresses, location and/or device information, as well as IMEI numbers for mobile devices.
Fresh Projects does not Process sensitive Personal Data, Client is responsible for ensuring that sensitive Personal Data is not transferred to Fresh Projects services unless Fresh Projects has provided Client with written consent in advance to such Processing.
Categories of Data subjects
Categories of Data subjects whose Personal Data will be Processed by Fresh Projects as data Processor.
Fresh Projects processes the following categories of Data Subjects:
Processing operations
Processing activities to be conducted by Fresh Projects as Processor.
Fresh Projects stores data on behalf of Client. Fresh Projects does not actively manipulate this data without explicit requests and permission by Client. Client can actively restrict access to data (including Personal Data) it saves in Fresh Projects from Fresh Projects personnel.
Location of processing operations
Locations where the Personal Data will be Processed by Fresh Projects.
The main datacenter is located in London, England, Europe. The second datacenter, which is located in London, England, Europe is mainly used as backup datacenter. Unless stated otherwise, no Personal Data stored in Fresh Projects is Processed outside of the EU or UK. Additional technical information can be found in our IT guidelines.
Retention requirements
Retention time of Personal Data stored by Fresh Projects.
Personal Data must be deleted at Client's request and according to Client's instructions. To be able to offer access to Fresh Projects, core data is required as credentials: name and email address.
Fresh Projects has a retention period of 90 days after termination of the Agreement. Fresh Projects will retain Personal Data at least 45 days after the cancellation to help with potential migration issues unless Client requests the deletion of this data before that time.
Information security measures
Access control
Only trusted Fresh Projects employees have access to Clients Personal Data and can only access this using a proprietary two-factor authentication method. One part is a personal authentication and secure password, augmented by a personal key generated for each log in, this key is only valid for 15 minutes.
The datacenters are locked and under surveillance and can only be accessed by authorized personnel. Monitored closed circuit television systems and security teams protect our datacenters around the clock, while pass card access and provide even further security.
Back-up
All Fresh Projects Databases are stored on hot swappable RAID system. Fresh Projects exclusively uses SSDs disks on application servers for best reliability and performance. Fresh Projects automatically creates a full database backup every hour, backups are initially made to a separate disk array on the server itself. Local backup files are stored for every hour during the last 24-hour period, every 4 hours for the last 48 hours, and every day for the last 7 days. Backup files further back can be found on secondary level backup. Backup files are transferred immediately after creation to a redundant disk array on a separate machine in the same location.
Backup files are then further replicated to an additional physical location. Every backup file is automatically verified for consistency by automated tools. Additionally, spot checks are performed manually on backups at regular intervals to further ensure validity.
Logging of access to data
All actions taken by Fresh Projects employees in a Clients’ Fresh Projects environment are logged and can be easily monitored and reverted.
Authorization and permission
This account requires two-factor authentication with an active password-protected Fresh Projects Team Account as well as a unique key tied to the individual and valid only a few minutes.
Clients can disable and enable this access to have full control over when and how Fresh Projects can have access to this data.
As per Fresh Projects policy, Fresh Projects employees will ask Clients for specific access to resolve support issues or offer proactive support. Client can revoke this permission.
Encryption and safety of data communication
The data is encrypted in the transport between client and server, where we employ the industry-standard SSL encryption technology. The encryption keys are stored on the server, and at the issuer.
The network and backbone environments are redundant and multi-homed, connected to multiple peering points and Tier1 carriers using its own Dark fiber network and full-table BGP sessions.