Data Processing Agreement
Version number: 3.0
This DPA took effect on 28 March 2023.
In a hurry? No problem. Here’s a quick summary of the key points:
2. What do we do and what do you do?
2.1 Status. You’re the Controller and we’re the Processor of any Personal Data you provide us. If you are purchasing Services via our Platform, this will also cover any Personal Data provided to us by your clients for the purpose of completing any checks initiated by you.
2.2 Details of the processing. All the information you might need about the Personal Data we process for you is described in Schedule 1.
2.4 Processor obligations. We’ll:
(a) only process Personal Data to provide the Services and with your instructions;
(b) inform you immediately if (in our opinion) your instructions infringe Data Protection Laws;
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved with the processing;
(d) only allow our personnel access to Personal Data who need it to perform the Services;
(e) notify you in writing without undue delay if we become aware of a Personal Data breach, take steps to mitigate the breach and provide you with reasonable assistance and details of what happened;
(f) provide reasonable assistance to allow you to:
(i) conduct data protection impact assessments;
(ii) respond to Data Subjects' requests to exercise their rights under Data Protection Laws; and
(iii) consult with data protection supervisory authorities;
(g) if requested, provide information necessary to show that we comply with Data Protection Laws;
3. How can we use sub-processors?
3.1 Use of sub-processors. You allow us to use sub-processors to process Personal Data.
3.2 Sub-processor obligations. We’ll:
(a) require our sub-processors to comply with obligations equivalent to those in this DPA;
(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to our sub-processors; and
(c) be liable for our sub-processors’ actions.
3.3 Approvals. We may appoint new sub-processors provided we notify you in writing within 30 days, but we shall be entitled to appoint third parties as general suppliers of technology and services without notice, provided that such third parties do not carry out processing activities of your or your clients' Personal Data.
4. Will Personal Data be transferred internationally?
4.1 Transfer Mechanism. Where we transfer or process Personal Data outside the UK, the EEA or an Adequate Country, we agree to comply with the EU Transfer Clauses or the UK Transfer Clauses as applicable, which are incorporated into this DPA by reference and are completed with the additional information contained in Schedule 2. Under the Transfer Clauses, we act as the data importer, and you are the data exporter.
4.2 Additional measures. If the Transfer Clauses are not sufficient to safeguard the transfer due to applicable surveillance laws, we’ll implement any additional technical, contractual or policy measures as needed to ensure Personal Data is protected to a standard equivalent to that under the Data Protection Laws.
4.3 Disclosures. If a public authority requests access to Personal Data, where legally possible, we’ll:
(a) challenge the request and promptly notify you;
(b) not disclose any Personal Data without your consent;
(c) notify you and provide you with information of such requests; and
(d) if we are required to disclose Personal Data, we’ll only disclose the minimum amount required and keep a record of the disclosure.
5. What else do you need to know?
5.1 Changes. We reserve the right to make any updates and changes to this DPA. We will provide at least 30 days prior written notice to you when an update is required as a result of:
(a) changes in Applicable Data Protection Laws;
(b) a merger, acquisition, or other similar transaction; or
(c) the release of new products or services or material changes to any of the existing Services.
5.2 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Schedule 1: Details of processing
Our security measures are set out at https://thirdfort.com/security-measures/
Schedule 2: Transfer Clauses
Purpose. This Schedule supplements the DPA entered into between the parties to govern the international transfer of Personal Data.
1. EU Transfer Clauses
Appendix to the clauses
2. UK Transfer Clauses
Part 1: Tables
Part 2: Mandatory Clauses