Prime AI LTD -- Data Processing Addendum

This Data Processing Addendum (“DPA”), including its Attachments and Appendices, forms part of the Subscription Agreement or the Service Agreement, Prime AI’s Terms of Service available at https://www.primeai.co.uk/policies/terms-of-service or other written or electronic agreement (the “Agreement”), including any written or electronic service orders, purchase orders or other order forms (each a “Service Order”) entered into between Prime AI and Subscriber, pursuant to which Prime AI provides the “Services” as defined in the Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Subscriber Personal Data. The parties agree to comply with this DPA with respect to any Subscriber Personal Data that Prime AI may process in the course of providing the Services pursuant to the Agreement.

Effective date: 2nd of October 2018

This DPA shall not replace or supersede any data processing addendum or agreement executed by the parties prior to the DPA Effective Date without the prior written consent of the parties (electronically submitted consent acceptable). This DPA will take effect on the DPA Effective Date and, notwithstanding expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Subscriber Data by Prime AI as described in this DPA. If the Subscriber entity entering into or accepting this DPA is neither a party to a Service Order nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Subscriber entity that is a party to the Agreement executes this DPA.

For the purposes of this DPA, the Prime AI entity entering into this DPA as the data processor By signing or accepting the Agreement or this DPA, Subscriber enters into this DPA as of the DPA Effective Date on behalf of itself and in the name and on behalf of its Covered Affiliates if and to the extent Prime AI processes personal data for which such Covered Affiliates qualify as the controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Subscriber" shall include Subscriber and its Covered Affiliates.

1. Definitions

  • 1.1. “Prime AI” means Prime AI Limited, Registered in England & Wales No.11599467, Oakwood Lodge, Thornden Wood Road, Herne Bay, CT6 7NX.

  • 1.2. “Affiliates” means its Affiliates engaged in the processing of Subscriber Personal Data in connection with the subscribed Services which (a) is subject to the Data Protection Laws; and (b) is permitted to use the Services pursuant to the Agreement between Subscriber and Prime AI, but has not signed its own Service Order with Prime AI and is not a "Subscriber" as defined under the Agreement.

  • 1.3. “Data Incidents” means a breach of Prime AI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Subscriber Data transmitted, stored or otherwise processed by Prime AI. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Subscriber Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. "Data Protection Laws" means all applicable data protection and privacy laws and regulations, including EU/UK Data Protection Laws.

  • 1.4. “DPA Effective Date” means, as applicable, (a) when Subscriber clicked to accept or the parties otherwise agreed to this DPA prior to or on such date;

  • 1.5. “EEA” means the European Economic Area. “EU/UK Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time. "Restricted Transfer" means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

  • 1.6. “Security Documentation” means all documents and information made available by Prime AI to demonstrate compliance by Prime AI with its obligations under this DPA, including the Security Measures, Additional Security Information and any third-party certifications or audit reports, as applicable.

  • 1.7. “Security Measures” means the technical and organisational safeguards adopted by Prime AI applicable to the Services subscribed by Subscriber as described in Technical and Organisational Measures Policy that is available to Subscriber on request.

  • 1.8. “Sub-processor” means any third-party engaged by Prime AI, including any member of the Affiliates which processes Subscriber Data in order to provide parts of the Services as listed on https://www.primeai.co.uk/policies/infrastructure/ .

  • 1.9. “Subscriber Data” has the meaning given to it in the Agreement or, if no such meaning is given, means data submitted by or on behalf of Subscriber to the Services under the Subscriber’s Prime AI account for Services. Subscriber Data may also be referred to as “Customer Data” in the Agreement from time to time.

  • 1.10. “Subscriber Personal Data” means the personal data contained within Subscriber Data. Subscriber Personal Data may also be referred to as “Customer Personal Data” in the Agreement from time to time.

  • 1.11. “Term” means the period from the DPA Effective Date until the end of Prime AI’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Prime AI may continue providing the Services for transitional purposes.

  • 1.12. The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the EU/UK Data Protection Laws, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, in each case irrespective of whether other Data Protection Laws apply.

2. Personal Data Processing Terms

  • 2.1. The parties agree that if the EU/UK Data Protection Laws apply to the processing of Subscriber Personal Data, the parties acknowledge and agree that:

    • 2.1.1. With respect to Subscriber Personal Data, Subscriber is the controller (or, where Subscriber is instructing Prime AI on behalf of a third party controller, a processor on behalf of that controller) and Prime AI is either (i) the processor or, (ii) where Subscriber is a processor on behalf of a third party controller, Prime AI shall be a sub-processor to Subscriber.

    • 2.1.2. Prime AI may engage Sub-processors pursuant to Section 7 (Sub-processors).

    • 2.1.3. The subject-matter of the data processing covered by this DPA is the provision of the Services and the processing will be carried out for the duration of the Agreement or so long as Prime AI is providing the Services.

    • 2.1.4. Each party will comply with the obligations applicable to it under the EU/UK Data Protection Laws, including with respect to the processing of Subscriber Personal Data.

    • 2.1.5. If Subscriber is a processor itself, Subscriber warrants to Prime AI that Subscriber’s instructions and actions with respect to the Subscriber Personal Data, including its appointment of Prime AI as a sub-processor, have been authorised by the relevant controller.

    • 2.1.6. For the avoidance of doubt, Subscriber’s instructions to Prime AI for the processing of Subscriber Personal Data shall comply with all applicable laws, including the EU/UK Data Protection Laws. As between Prime AI and Subscriber, Subscriber shall be responsible for the Subscriber Data and the means by which Subscriber acquired Subscriber Data, and shall maintain such authorisations and all other approvals, consents and registrations as are required to carry out lawful personal data processing activities under Data Protection Laws.

    • 2.1.7. For the purposes of this DPA, the following is deemed an instruction by Subscriber to process Subscriber Personal Data (a) to provide the Services; (b) as further specified via Subscriber’s use of the Services (including the Services’ user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Service Order that requires processing of Subscriber Personal Data); and (d) as further documented in any other written instructions given by Subscriber (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Subscriber to Prime AI from time to time), where such instructions are consistent with the terms of the Agreement.

    • 2.1.8. When Prime AI processes Subscriber Personal Data in the course of providing the Services, Prime AI will:

      • 2.1.8.1. Process the Subscriber Personal Data only in accordance with (a) the Agreement and (b) Subscriber’s instructions as described in Section 2.1.7, unless Prime AI is required to process Subscriber Personal Data for any other purpose by UK, European Union or member state law to which Prime AI is subject. Prime AI shall inform Subscriber of this requirement before processing unless prohibited by applicable laws on important grounds of public interest.

      • 2.1.8.2. Notify Subscriber without undue delay if, in Prime AI’s opinion, an instruction for the processing of Subscriber Personal Data given by Subscriber infringes applicable EU/UK Data Protection Laws.

  • 2.2. The parties acknowledge and agree that the parties will comply with all applicable laws with respect to the processing of Subscriber Personal Data.

3. Data Security

  • 3.1. Security Measures

    • 3.1.1. Prime AI will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Subscriber Data, including Subscriber Personal Data, against unauthorised or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorised disclosure of, or access to, Subscriber Data, and (ii) the confidentiality and integrity of Subscriber Data, as set forth in the Security Measures. Prime AI may update or modify the Security Measures from time to time provided that such updates and modifications will not materially decrease the overall security of the Services. The most up to date Security Measures will be made available on Subscriber’s request.

    • 3.1.2. In addition to the Security Measures, Prime AI will, from time to time, make additional security guidelines available that provide Subscriber with information about, in Prime AI’s opinion, best practices for securing, accessing and using Subscriber Data including best practices for password and credentials protection (“Additional Security Information”).

    • 3.1.3. Prime AI will take reasonable steps to ensure the reliability and competence of Prime AI personnel engaged in the processing of Subscriber Personal Data.

    • 3.1.4. Prime AI will take appropriate steps to ensure that all Prime AI personnel engaged in the processing of Subscriber Personal Data (i) comply with the Security Measures to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Subscriber Personal Data, (iii) have received appropriate training on their responsibilities, and (iv) have executed written confidentiality agreements. Prime AI shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

  • 3.2. Data Incidents

    • 3.2.1. If Prime AI becomes aware of a Data Incident, Prime AI will: (a) notify Subscriber of the Data Incident without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimise harm and secure Subscriber Data.

    • 3.2.2. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and, as applicable, steps Prime AI recommends Subscriber to take to address the Data Incident. Notification(s) of any Data Incident(s) will be delivered to Subscriber in accordance with the “Manner of Giving Notices” Section of the Agreement or, at Prime AI’s discretion, by direct communication (for example, by phone call or an in-person meeting). Subscriber is solely responsible for ensuring that any contact information, including notification email address, provided to Prime AI is current and valid.

    • 3.2.4. Prime AI will not assess the contents of Subscriber Data in order to identify information subject to any specific legal requirements. Subscriber is solely responsible for complying with incident notification laws applicable to Subscriber and fulfilling any third-party notification obligations related to any Data Incident(s).

    • 3.2.5. Prime AI’s notification of or response to a Data Incident under this Section 3.2 (Data Incidents) will not be construed as an acknowledgement by Prime AI of any fault or liability with respect to the Data Incident.

  • 3.3. Subscriber’s Security Responsibilities and Assessment of Prime AI.

    • 3.3.1. Subscriber agrees that, without prejudice to Prime AI’s obligations under Section 3.1 (Security Measures) and Section 3.2 (Data Incidents):

      • 3.3.1.1. Subscriber is solely responsible for its use of the Services, including: (i) making appropriate use of the Services and any Additional Security Information to ensure a level of security appropriate to the risk in respect of the Subscriber Data; (ii) securing the account authentication credentials, systems and devices Subscriber uses to access the Services; and (iii) backing up the Subscriber Data; and

      • 3.3.1.2. Prime AI has no obligation to protect Subscriber Data that Subscriber elects to store or transfer outside of Prime AI’s and its Sub-processors’ systems (for example, offline or on-premises storage).

    • 3.3.2. Subscriber is solely responsible for reviewing the Security Measures and evaluating for itself whether the Services, the Security Measures, the Additional Security Information and Prime AI’s commitments under this Section 3 (Data Security) will meet Subscriber’s needs, including with respect to any security obligations of Subscriber under the Data Protection Laws. Subscriber acknowledges and agrees that the Security Measures implemented and maintained by Prime AI as set out in Section 3.1 (Security Measures) provide a level of security appropriate to the risk in respect of the Subscriber Data.

  • 3.4. Subscriber Assessment and Audit of Prime AI Compliance. Upon Subscriber’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Prime AI will make available to Subscriber that is not a competitor of Prime AI (or Subscriber’s independent, third-party auditor that is not a competitor of Prime AI) information regarding Prime AI’s compliance with the obligations set forth in this DPA including in the form of independent audit results and/or third-party certifications, as applicable, to the extent Prime AI makes them generally available to its subscribers. The most recent independent third-party certifications or audits obtained by Prime AI are set forth in the Security Measures.

  • 3.5. Subscriber’s Audit Rights

    • 3.5.1. No more than once per year, Subscriber may contact Prime AI in accordance with the “Manner of Giving Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Subscriber Data. Subscriber shall reimburse Prime AI for any time expended for any such audit. Before the commencement of any such audit, Subscriber and Prime AI shall mutually agree upon the scope, timing, and duration of the audit, that reasonably does not interfere with normal business operations, in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Prime AI. Subscriber shall promptly notify Prime AI with information regarding any non-compliance discovered during the course of an audit.

    • 3.5.2. Subscriber may conduct such audit (a) itself, (b) through an Affiliate that is not a competitor of Prime AI or (c) through an independent, third-party auditor that is not a competitor of Prime AI.

    • 3.5.3. Subscriber may also conduct an audit to verify Prime AI’s compliance with its obligations under this DPA by reviewing the Security Documentation.

4. Return or Deletion of Subscriber Data

  • 4.1. Prime AI will enable Subscriber to delete during the Term Subscriber Data in a manner consistent with the functionality of the Services. If Subscriber uses the Services to delete any Subscriber Data during the Term and that Subscriber Data cannot be recovered by Subscriber, this use will constitute an instruction to Prime AI to delete the relevant Subscriber Data from Prime AI systems in accordance with applicable law. Prime AI will comply with this instruction as soon as reasonably practicable within a maximum of 90 days, unless UK, European Union or member state law requires storage.

  • 4.2. Upon expiry of the Term or upon Subscriber’s written request, subject to the terms of the Agreement, Prime AI shall either (a) return (to the extent such data has not been deleted by Subscriber from the Services) or (b) securely delete Subscriber Data, to the extent allowed by applicable law, in accordance with the timeframes specified in Section 4.3, as applicable.

  • 4.3. Prime AI will, after a recovery period of up to 30 days following expiry of the Term, comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless UK, European Union or member state law requires storage. Without prejudice to Section 5 (Data Subject Rights; Data Export), Subscriber acknowledges and agrees that Subscriber will be responsible for exporting, before the Term expires, any Subscriber Data it wishes to retain afterwards.

5. Data Subject Rights, Data Export

  • 5.1. As of the DPA Effective Date for the duration of the period Prime AI provides the Services:

    • 5.1.1. Prime AI will, in a manner consistent with the functionality of the Services, enable Subscriber to access, rectify and restrict processing of Subscriber Data, including via the deletion functionality provided by Prime AI as described in Section 4 (Return or Deletion of Subscriber Data), and to export Subscriber Data;

    • 5.1.2. Prime AI will, without undue delay, notify Subscriber, to the extent legally permitted, if Prime AI receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and

    • 5.1.3. if Prime AI receives any request from a data subject in relation to Subscriber Personal Data, Prime AI will advise the data subject to submit his or her request to Subscriber and Subscriber will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.

    • 5.1.4. Taking into account the nature of the processing, Prime AI will assist Subscriber by appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of Subscriber’s obligation to respond to a Data Subject Request under EU/UK Data Protection Laws. In addition, to the extent Subscriber, in its use of the Services, does not have the ability to address a Data Subject Request, Prime AI shall, upon Subscriber’s written request, provide Subscriber with reasonable cooperation and assistance to facilitate Subscriber’s response to such Data Subject Request, to the extent Prime AI is legally permitted to do so and the response to such Data Subject Request is required under EU/UK Data Protection Laws. To the extent legally permitted, Subscriber shall be responsible for any costs arising from Prime AI’s provision of such assistance.

6. Data Protection Impact Assessment

Upon Subscriber's written request, Prime AI will provide Subscriber with reasonable cooperation and assistance needed to fulfill Subscriber's obligation under the GDPR to carry out a data protection impact assessment related to Subscriber's use of the Services, to the extent Subscriber does not otherwise have access to the relevant information, and to the extent such information is available to Prime AI. Prime AI will provide reasonable assistance to Subscriber in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under EU/UK Data Protection Laws.

7. Sub-processors

  • 7.1. Subscriber specifically authorises the engagement of Prime AI’s Affiliates as Sub-processors. In addition, Subscriber acknowledges and agrees that Prime AI and Prime AI’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Prime AI or a Prime AI Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Subscriber Data to the extent applicable to the nature of the Services provided by such Sub-processor.

  • 7.2. Prime AI will make available to Subscriber the current list of Sub-processors for the Services at https://www.primeai.co.uk/policies/infrastructure (“Infrastructure and Sub-processor List”). Prime AI shall provide notification of a new Sub-processor(s) before authorising any new Sub-processor(s) to process Subscriber Personal Data in connection with the provision of the Services either by sending an email.

  • 7.3. Subscriber may object to Prime AI’s use of a new Sub-processor by notifying Prime AI promptly in writing within 10 (ten) business days after receipt of Prime AI’s notice. In the event Subscriber objects to a new Sub-processor, as permitted in the preceding sentence, Prime AI will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid processing of Subscriber Personal Data by the objected-to new Sub-processor without unreasonably burdening the Subscriber. If Prime AI is unable to make available such change within a reasonable period of time, which shall not exceed 30 (thirty) calendar days, Subscriber may terminate the applicable Service Order(s) with respect to only those Services which cannot be provided by Prime AI without the use of the objected-to new Sub-processor by providing written notice to Prime AI.

  • 7.4. Prime AI shall be liable for the acts and omissions of its Sub-processors to the same extent Prime AI would be liable if performing the services of each Sub-processor directly under the terms of this DPA subject to the limitations set forth in Section 9 (Limitation of Liability) and the Agreement.

If any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

9. Limitation of Liability

  • 9.1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA), and all DPAs (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA) between Covered Affiliates and Prime AI, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

  • 9.2. For the avoidance of doubt, Prime AI’s and its Affiliates’ total liability for all claims from the Subscriber and all of its Covered Affiliates arising out of or related to the Agreement and each DPA (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA) shall apply in the aggregate for all claims under both the Agreement and all DPAs (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA) established under this Agreement, including by Subscriber and all Covered Affiliates, and, in particular, shall not be understood to apply individually and severally to Subscriber and/or to any Affiliate that is a contractual party to any such DPA.

  • 9.3. For the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Attachments and Appendices (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or this DPA).
