DATA PROTECTION ADDENDUM

1. Definitions

1.1 For the purposes of this DPA, the following definitions shall apply:
(i) “Controller” 
(ii) “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data, including but not limited to the General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018.
(iii) “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
(iv) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(v) “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(vi) “Processor” means Coders Team Limited, a company registered in the UK, with company number 11793218, and registered office at20, BEACONSFIELD ROAD, GREAT YARMOUTH, UNITED KINDOM, NR 30 4JW.
(vii) “Services” means the services provided by Processor to Controller pursuant to the Agreement.

2. Processing of Personal Data

2.1 The Parties acknowledge that in connection with the Services, Processor may process Personal Data on behalf of Controller. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Schedule 1 of this DPA.

2.2 Processor shall process Personal Data only in accordance with Controller’s documented instructions, as set out in this DPA or as otherwise notified by Controller to Processor from time to time, except where otherwise required by applicable law. Processor shall inform Controller if it considers that any instruction from Controller infringes Data Protection Laws.

2.3 Processor shall ensure that all employees, agents and subcontractors who are authorized to process Personal Data on behalf of Controller are bound by obligations of confidentiality and that they receive appropriate training on their responsibilities under Data Protection Laws.

2.4 Processor shall take appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the likelihood and severity of the risk to the rights and freedoms of Data Subjects. Processor shall, upon request, provide Controller with reasonable information to demonstrate compliance with its obligations under this Section 2.4.

2.5 Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach, providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data breach under Data Protection Laws.

2.6 Processor shall not transfer Personal Data outside of the European Economic Area (“EEA”) without Controller’s prior written consent, unless the transfer is made in accordance with Data Protection Laws. If Personal Data is transferred outside of the EEA, Processor shall ensure that appropriate safeguards are in place to ensure an adequate level of protection for the rights and freedoms of Data Subjects.

3. Sub-Processors

3.1 Controller hereby authorizes Processor to engage third-party sub-processors to process Personal Data on Controller’s behalf in connection with the provision of the Services (“Sub-Processors”), provided that Processor enters into a written agreement with the Sub-Processor that contains data protection obligations no less protective than those set out in this DPA.

3.2 Processor shall remain fully liable to Controller for any acts or omissions of any Sub-Processor appointed by Processor, and shall ensure that any Sub-Processor complies with the obligations set out in this DPA. Processor shall ensure that all Sub-Processors are bound by obligations of confidentiality and that they receive appropriate training on their responsibilities under Data Protection Laws.

3.3 Processor shall provide Controller with prior written notice of any intended changes concerning the addition or replacement of any Sub-Processor, including details of the processing to be undertaken by the Sub-Processor. Controller shall have the right to object to such changes within [insert number] days of receipt of such notice. If Controller objects to such changes, Processor shall have the right to terminate the Agreement or the affected part of the Services, without liability to Controller, except for the return of any fees paid by Controller for the affected part of the Services.

4. Data Subject Rights

4.1 Processor shall assist Controller, to the extent reasonably necessary, in responding to any request from a Data Subject to exercise any of its rights under Data Protection Laws, including but not limited to the right to access, rectification, erasure, restriction, objection and data portability. Processor shall provide Controller with full cooperation and assistance in relation to any such request, including by providing Controller with sufficient information to enable Controller to respond to the request within the time limits set out in Data Protection Laws.

4.2 If a Data Subject makes a request to Processor directly, Processor shall promptly inform Controller and shall not respond to the request, except on Controller’s documented instructions or as required by applicable law. Processor shall provide Controller with reasonable assistance in relation to any such request, including by providing Controller with sufficient information to enable Controller to respond to the request within the time limits set out in Data Protection Laws.

5. Audit Rights

5.1 Controller shall have the right to audit Processor’s compliance with its obligations under this DPA. Such audits may be conducted by Controller or an independent third-party auditor appointed by Controller and shall be subject to reasonable confidentiality obligations.
5.2 Processor shall provide Controller with all necessary information to demonstrate compliance with its obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor appointed by Controller.
5.3 The costs of any audit conducted under this Section 5 shall be borne by Controller, unless the audit reveals material non-compliance with this DPA by Processor, in which case the costs shall be borne by Processor.

6. Termination

6.1 This DPA shall remain in effect until the termination of the Agreement or until Processor has deleted all Personal Data processed on behalf of Controller, whichever is later.
6.2 Upon termination of the Agreement or upon Controller’s written request, Processor shall delete or return all Personal Data processed on behalf of Controller, except to the extent that Processor is required by applicable law to retain some or all of the Personal Data.
6.3 The provisions of this DPA that by their nature are intended to survive termination or expiration of this DPA shall survive, including but not limited to Sections 2.4, 3.2, 4, 5.

7. International Transfers

7.1 If Processor processes Personal Data in a country outside of the European Economic Area (“EEA”) or a country recognized by the European Commission as providing an adequate level of protection for Personal Data, Processor shall ensure that the transfer of Personal Data is in compliance with Data Protection Laws. Processor shall provide appropriate safeguards for such transfers, including but not limited to executing standard contractual clauses approved by the European Commission or implementing binding corporate rules.

7.2 If Processor transfers Personal Data to a country that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, Processor shall obtain Controller’s prior written consent for such transfers and shall ensure that appropriate safeguards are in place, including but not limited to executing standard contractual clauses approved by the European Commission or implementing binding corporate rules.

7.3 Processor shall provide reasonable assistance to Controller in relation to its obligations under Data Protection Laws in respect of international transfers of Personal Data.

7.4 In the event that any supervisory authority or other regulatory body requires Processor to take any action in relation to the transfer of Personal Data, Processor shall promptly notify Controller of such request or requirement, unless prohibited by law from doing so. Processor shall provide reasonable assistance to Controller in relation to such request or requirement, to the extent legally permitted.

This section provides provisions related to international transfers of Personal Data outside of the EEA. It outlines the measures that Processor must take to ensure that such transfers are made in compliance with Data Protection Laws. These measures include obtaining Controller’s prior written consent, executing standard contractual clauses approved by the European Commission, or implementing binding corporate rules. Additionally, Processor must provide reasonable assistance to Controller in relation to its obligations under Data Protection Laws in respect of international transfers of Personal Data. Finally, Processor must promptly notify Controller of any requests or requirements from supervisory authorities or other regulatory bodies related to the transfer of Personal Data.

8. Audit and Records

8.1 Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA, including but not limited to documentation of Processor’s technical and organizational measures to ensure the security of Personal Data.

8.2 Controller may, at its own expense and on reasonable prior written notice, audit Processor’s compliance with this DPA. Processor shall provide Controller with all necessary assistance to facilitate such audit, including but not limited to access to Processor’s premises, personnel, and systems. Any such audit shall be conducted during Processor’s normal business hours and shall not unreasonably interfere with Processor’s business activities.

8.3 If any audit reveals that Processor is not in compliance with this DPA, Processor shall promptly take appropriate corrective actions to remedy any identified deficiencies. Processor shall bear the costs of any such corrective actions.

8.4 Processor shall maintain complete and accurate records of its processing of Personal Data under this DPA, including but not limited to records of all processing activities, security incidents, and data breaches. Processor shall make these records available to Controller upon request.

8.5 Processor shall retain Personal Data only for as long as necessary to fulfill its obligations under this DPA, or as required by applicable law.

This section outlines the audit and records provisions of the DPA. Processor must make available to Controller all information necessary to demonstrate compliance with this DPA, including documentation of its technical and organizational measures to ensure the security of Personal Data. Controller may, at its own expense and on reasonable prior written notice, audit Processor’s compliance with this DPA, and Processor shall provide all necessary assistance to facilitate such audit. If any audit reveals that Processor is not in compliance with this DPA, Processor shall promptly take appropriate corrective actions to remedy any identified deficiencies. Processor must maintain complete and accurate records of its processing of Personal Data under this DPA, and make these records available to Controller upon request. Finally, Processor must retain Personal Data only for as long as necessary to fulfill its obligations under this DPA, or as required by applicable law.

9. Deletion or Return of Data

9.1 Upon termination or expiration of this DPA, Processor shall, at the option of Controller, delete or return all Personal Data processed under this DPA, except to the extent that Processor is required by applicable law to retain some or all of the Personal Data.10.2 Processor shall provide written certification to Controller upon completion of the deletion or return of Personal Data in accordance with this section.

10. Limitation of Liability

10.1 The liability of Processor under this DPA, whether in contract, tort (including negligence), or otherwise, shall be subject to the limitations and exclusions of liability set out in the Agreement.

10.2 In no event shall Processor’s liability under this DPA exceed the total amount of fees paid by Controller to Processor under the Agreement during the twelve (12) months immediately preceding the event giving rise to the liability.

10.3 Processor shall not be liable for any indirect, incidental, consequential, or punitive damages arising out of or in connection with this DPA, even if Processor has been advised of the possibility of such damages.

This section outlines the limitations and exclusions of liability for Processor under this DPA. The liability of Processor under this DPA, whether in contract, tort (including negligence), or otherwise, shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall Processor’s liability under this DPA exceed the total amount of fees paid by Controller to Processor under the Agreement during the twelve (12) months immediately preceding the event giving rise to the liability. Finally, Processor shall not be liable for any indirect, incidental, consequential, or punitive damages arising out of or in connection with this DPA, even if Processor has been advised of the possibility of such damages.

11. Miscellaneous

11.1 This DPA and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of [Insert governing law]. The Parties submit to the exclusive jurisdiction of the courts of [Insert jurisdiction] for the resolution of any disputes arising out of or in connection with this DPA.

11.2 This DPA represents the entire agreement between the Parties and supersedes all prior negotiations, representations, and understandings between the Parties relating to the subject matter of this DPA. This DPA may only be amended or modified in writing and signed by authorized representatives of both Parties.

11.3 Any notice or communication required or permitted to be given under this DPA shall be in writing and shall be deemed given: (a) if delivered personally, on the date of delivery; (b) if sent by email, on the date of transmission if the email is sent during normal business hours of the recipient and otherwise on the next business day; or (c) if sent by registered or certified mail, return receipt requested, on the date of receipt by the recipient or five (5) business days after being deposited in the mail, whichever is earlier.

11.4 If any provision of this DPA is found to beinvalid or unenforceable, the remaining provisions shall remain in full force and effect.

11.5 This DPA shall be binding upon and inure to the benefit of the Parties and their respective successors and assigns.

11.6 Each Party shall comply with all applicable laws and regulations related to the performance of its obligations under this DPA.

11.7 This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.

IN WITNESS WHEREOF, the Parties have executed this Data Protection Addendum as of the date first written above.