DATA PROCESSING AGREEMENT
BACKGROUND
This document (“Data Processing Agreement” or “DPA”) is incorporated into the Order Form executed by Client and tomato pay (as such terms are defined in the Order Form) and forms part of the Agreement between tomato pay and Client.
This DPA applies to Personal Data processed in connection with its provision of the Services. Terms not expressly defined in this DPA shall have the meaning given in the Order Form.
1. Definitions
For the purpose of the Agreement, including this DPA:
| Term | Definition |
| --- | --- |
| Data Breach | has the meaning given in paragraph 5.1 of Annex A of this DPA. |
| Data Protection Legislation | means: in each case as from time to time in force and as from time to time amended, extended, consolidated, re-enacted, replaced, superseded or otherwise converted, succeeded, modified or incorporated into law and all orders, regulations, statutes, instruments and/or other subordinate legislation made under any of the above in any jurisdiction from time to time. |
| Data Subject Right | means the rights of any data subjects to exercise their data subject access rights and/or right to rectification, to be forgotten, to restrict processing, to data portability and to object to processing (including for direct marketing) or automated decision-making, as set out in the Data Protection Legislation. |
| DP Guidance | means any and all guidelines, recommendations, best practice, opinions, directions, decisions, codes of practice and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time (whether or not legally binding) in relation to the processing of personal data, data privacy, electronic communications, marketing and/or data security. |
| International Transfer | has the meaning given in paragraph 2.1(d) of Annex A of this DPA. |
| Personal Data | means personal data as such term is defined in the UK GDPR interpreted in accordance with the relevant DP Guidance. |
| Regulator | means any person having regulatory or supervisory authority over all or any part of the Services or Client’s business in relation to the processing of personal data. |
The terms “controller”, “processor”, “personal data”, “personal data breach”, “data subject” and “processing” have the meanings given to these terms in the UK GDPR interpreted in accordance with the relevant DP Guidance.
2. Rights and Obligations
2.1 Where tomato pay is providing Services as a Regulated Entity under the Agreement, in relation to the processing of Personal Data in connection with the Agreement:
- (a) the Parties shall be deemed to be independent controllers;
- (b) the Parties warrant that they:
  - (i) will comply with Data Protection Legislation; and
  - (ii) will maintain a privacy policy in compliance with Data Protection Legislation and will only process Personal Data in accordance with such privacy policy;
- (c) tomato pay warrants that it will at all relevant times ensure that it has obtained the Personal Data in accordance with Data Protection Legislation and has provided all necessary notices to data subjects and has procured all necessary consents, or satisfied another legal basis, to disclose the Personal Data to the Client and for the Client to process the Personal Data for the Client’s own business purposes including the purposes set out in the Agreement, and for such processing to be in compliance with Data Protection Legislation;
- (d) tomato pay shall process the Personal Data in compliance with Open Banking Regulations; and
- (e) in processing Personal Data in its capacity as a controller, tomato pay also expressly undertakes to comply with the provisions of paragraphs 2.1(c) to 2.1(g) (inclusive) of Annex A of this DPA.
2.2 Where tomato pay is providing services as a Technical Services Provider under the Agreement:
- (a) the Client appoints tomato pay as its processor for the purpose of processing Personal Data; and
- (b) the Parties shall comply with their respective rights and obligations under Annex A of this DPA.
2.3 This DPA applies in addition to and does not amend or replace either Party’s obligations under Data Protection Legislation.
2.4 Each Party will comply with its obligations in this DPA at no additional charge or cost to the other Party.
Annex A
Processing of Personal Data
1. Description of personal data, data subjects and processing etc
1.1. The types of Personal Data, categories of data subject to whom it relates, and the subject matter, duration, nature and purposes of the processing to be carried out under the Agreement are set out in Annex B (Description of Personal Data) of the DPA.
1.2. tomato pay or Client may from time to time notify the other in writing if Annex B (Description of Personal Data) needs to be amended to reflect any changes made (or proposed to be made) to the processing of Personal Data under the Agreement, in which case both Parties will act reasonably and in good faith in agreeing appropriate amendments to Annex B (Description of Personal Data) to ensure that it remains accurate and complete.
2. tomato pay obligations in relation to processing Personal Data
2.1. tomato pay will:
- (a) in relation to the processing of Personal Data, comply with its obligations under the Data Protection Legislation and ensure the protection of the rights of data subjects, and will not do or omit to do anything which causes either Party to breach any of its obligations under the Data Protection Legislation;
Client’s written instructions
- (b) process (and will procure that its personnel will process) the Personal Data (including any transfer to an international organisation or a country (other than the United Kingdom) outside the European Union) only:
  - (i) in accordance with Client’s written instructions from time to time; or
  - (ii) as otherwise required by law (subject to tomato pay first notifying Client of the relevant legal requirement unless such notification is itself prohibited by law on important grounds of public interest)
  - (iii) and only to the extent and in such a manner as is necessary for tomato pay to provide the Services and to perform its other obligations under the Agreement in accordance with the Agreement and not for any other purpose;
  - (iv) immediately notify Client in writing if tomato pay (or any of its sub-contractors) believes any of Client’s instructions relating to processing Personal Data breaches any Data Protection Legislation and in such a case tomato pay will be entitled without penalty to suspend performance of the relevant instructions until Client has confirmed such instructions in writing;
tomato pay personnel
- (c) only disclose the Personal Data to, and ensure that access to the Personal Data is limited to, those of its personnel:
  - (i) who are bound by contractual or statutory confidentiality obligations in relation to the Personal Data;
  - (ii) who have had appropriate and recent training in data protection and security; and
  - (iii) whose access to and/or processing of the Personal Data is (in tomato pay’s reasonable opinion) required in order to provide the Services to Client or perform tomato pay’s other obligations under the Agreement in each case in accordance with the Agreement, and tomato pay will ensure that any such access is revoked when no longer required for such purposes;
International transfer
- (d) not transfer any Personal Data to an international organisation or any country (other than the United Kingdom) outside the European Union (an “International Transfer”), or store any Personal Data in the cloud unless on servers situated in the United Kingdom or a country within the European Union, unless:
  - (i) the International Transfer is to a country which is recognised by the European Commission as ensuring an adequate level of protection in relation to data processing; or
  - (ii) the International Transfer has in place such safeguards as required by the applicable Data Protection Legislation to protect the relevant Personal Data, and also ensures that the applicable data subjects have enforceable rights and effective legal remedies;
Security
- (e) taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, implement appropriate technical and organisational measures to ensure a level of security appropriate to the data security risks presented by processing the Personal Data, including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- (f) regularly review and update the technical and organisational measures implemented pursuant to paragraph 2.1(e) in order to ensure, and to demonstrate to Client, that the processing of the Personal Data pursuant to the Agreement is performed in accordance with the Data Protection Legislation;
Data protection by design and default
- (g) taking into account the data protection by design and data protection by default principles under the Data Protection Legislation, ensure that the processing of Personal Data will at all relevant times comply with the Data Protection Legislation and protect rights of data subjects; and
Return or deletion of Personal Data
- (h) when tomato pay ceases to provide Services relating to processing pursuant to the Agreement:
  - (i) at Client’s option, delete or return to Client (or as Client may direct) (by bulk transfer in an industry standard format specified by Client, and if no format is specified by Client by bulk transfer in a platform-agnostic, structured, commonly used, machine readable and interoperable format) all Personal Data; and
  - (ii) delete all copies of the Personal Data except insofar as tomato pay is required by law to continue to store such copies.
3. Information, co-operation and assistance
3.1. tomato pay will promptly notify Client in writing of any complaint, request, notice or other communication tomato pay (or any of its sub-contractors) receives from any third party which relates directly or indirectly to the processing of any Personal Data pursuant to the Agreement including:
- (a) subject access requests;
- (b) any request by any data subject to exercise any Data Subject Right; and
- (c) any other request, notice, complaint or other communication from any Regulator, law enforcement authority, data subject or the European Data Protection Board,
- (d) and will comply with Client’s reasonable instructions and provide information and assistance as reasonably requested by Client in relation to such requests, notices, complaints and other communications.
3.2 tomato pay will take (and procure that its sub-processor and their sub-contractors take) appropriate technical and organisational measures (without undue delay and in any event within the timescales reasonably specified by Client to enable Client to comply with the timescales set out in the Data Protection Legislation) to assist Client in fulfilling Client’s obligations to respond to any request by any data subject to exercise any Data Subject Right.
3.3 tomato pay will at Client’s request assist (and procure that tomato pay’s sub-processor and their sub-contractors assist) Client in complying with Client’s obligations pursuant to the Data Protection Legislation to:
- (a) implement appropriate technical and organisational measures to ensure appropriate security of processing;
- (b) notify personal data breaches to the Regulator and relevant data subjects;
- (c) carry out a data protection impact assessment; and/or
- (d) consult with the Regulator before processing if any data protection impact assessment indicates processing would result in a high risk in the absence of mitigating measures;
- (e) any notices given by any Regulator; and/or
- (f) any other notification given pursuant to, and Client’s other obligations set out, in the Data Protection Legislation
but in each case only to the extent that Client’s request relates to the processing of Personal Data by tomato pay (or any DP Sub-processor or its sub-contractors) pursuant to the Agreement.
4. Records, audit and inspection
4.1. tomato pay will make available to the Client all information necessary to demonstrate compliance with this Data Processing Agreement and Art. 28 UK GDPR (or equivalent provisions of Data Protection Legislation) and allow for and contribute to audits (including inspections) of that compliance, conducted by the Client or another auditor mandated by the Client, limited to once per annum, with prior notification of at least 10 business days; any such audit shall not exceed 2 business days.
4.2. The audit under paragraph 4.1 shall not require access to any data pertaining to other customers of tomato pay and shall ensure the continuity of the security of assets and data associated with other customers of tomato pay. Client will procure that its auditors are subject to confidentiality obligations no less stringent than those set out in the Agreement. Except where any audit is related to a Data Breach (when such breach is solely caused by tomato pay’s actions), Client will pay the reasonable costs of tomato pay in relation to such audit, to be agreed in advance between the Parties acting reasonably.
5. Data breach
5.1. If tomato pay becomes aware that it (or any sub-contractor processing Personal Data pursuant to the Agreement) has suffered an actual or suspected personal data breach, breach of security or in any other way is processing or has processed Personal Data in contravention of this DPA (each a “Data Breach”), tomato pay will notify Client in writing without undue delay and in any event within twelve (12) hours after becoming aware of the same.
5.2. tomato pay will co-operate with and assist Client in relation to:
- (a) all measures to be taken in response to any Data Breach, as reasonably requested by Client, including to remedy or mitigate the effects of any Data Breach; and
- (b) any matter which Client reasonably considers is required to ensure Client’s continued compliance with the Data Protection Legislation in the light of the Data Breach, including notification to and correspondence with any Regulator and/or data subjects.
5.3. tomato pay will report in writing to Client all identified unsuccessful attempts by any unauthorised person (including unauthorised persons who are employees or agents of Client or tomato pay) to access or interfere with any Personal Data and make such report without undue delay.
5.4. tomato pay will not, except to the extent required to do so for legal or regulatory reasons, make any announcement or disclosure in relation to any Data Breach without the prior written approval of Client.
6. Sub-processing
6.1. The Client authorizes tomato pay’s use of sub-processor(s) engaged by tomato pay for the provision of the Services. Should tomato pay appoint any new or replacement sub-processor, tomato pay shall inform the Client of any intended changes concerning such addition or replacement via an update to the list of sub-processors on tomato pay’s website at www.tomatopay.co.uk/subprocessors ("sub-processor Change"). If the Client has a reasonable basis to object to the use of any such new or additional sub-processor, the Client shall notify tomato pay promptly in writing within 14 calendar days after receipt of the sub-processor Change. In the event the Client objects to a new or additional sub-processor, and that objection is not unreasonable, tomato pay will use reasonable efforts to make available to the Client a change in the Services or recommend a commercially reasonable change to the Client’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new or additional sub-processor without unreasonably burdening the Client. If tomato pay is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) calendar days, the Client may terminate the affected part of the Agreement with respect only to those Services which cannot be provided by tomato pay without the use of the objected-to new or additional sub-processor by providing written notice to tomato pay.
6.2. tomato pay shall engage sub-processors in writing on terms that provide equivalent protections to those set out in this Data Processing Agreement as applicable to the subprocessing.
7. Replacement with standard clauses
Either Party may at any time propose to the other Party by notice in writing that this DPA is replaced with standard contractual clauses laid down by the European Commission or adopted by the Information Commissioner’s Office or another relevant Regulator, in each case in accordance with the Data Protection Legislation. The Parties will act reasonably and in good faith in considering such proposal and if the proposed substitution is agreed by both Parties, this DPA will be replaced by the relevant standard contractual clauses. If tomato pay and Client do not agree the proposed substitution, the provisions of this DPA will continue to apply.
Annex B
Description of Personal Data
In this Annex B, the terms “controller”, “data subject”, “Personal Data”, “processing” and “processor” shall have the meanings given to these terms in the DPA.
1. The name and contact details of tomato pay and any applicable sub-processors
1.1 Fractal Labs Ltd t/a tomato pay - privacy@tomatopay.co.uk
1.2 Yapily Ltd - info@yapily.com
1.3 AWS - https://aws.amazon.com/contact-us/compliance-support/
1.4 Mixpanel - dpo@mixpanel.com
1.5 Segment - privacy@segment.com
1.6 Intercom - legal@intercom.com
2. The subject matter and duration of the processing of the Personal Data
Client and Customer data required for providing the Services.
The processing will continue:
2.1 for the duration of the Agreement; and
2.2 after the termination for any reason and/or expiry of the Agreement insofar as expressly permitted by the controller from time to time.
3. The purpose of the processing of the Personal Data
The Personal Data will be processed in order to provide:
3.1 setting up, providing and monitoring the Services
3.2 providing technical support
3.3 providing customer support
3.4 storage
3.5 payment processing
3.6 financial information aggregation
3.7 creating an algorithm for cashflow forecasting and transaction categorization
4. The nature of the processing of the Personal Data
The Personal Data will be used for the purposes of
4.1 providing Services
5. A description of the types of Personal Data
The Personal Data will be
5.1 name
5.2 contact details (including postal address, email address and telephone number)
5.3 bank details (Client’s Customers only)
5.4 bank account details (Client’s Customers only)
5.5 transaction history (Client’s Customers only)
5.6 unique identifiers (Client’s Customers only)
5.7 correspondence information (Client’s Customers only)
6. A description of the categories of data subjects
The data subjects will be:
6.1 Client’s Customers
6.2 employees, directors and personnel of Client
7. The name of any sub-processors engaged by tomato pay pursuant to paragraph 6 of Annex A of the DPA.
Please see the list of sub-processors on tomato pay’s website at www.tomatopay.co.uk/subprocessors.
8. Any transfers of Personal Data to an international organisation or a country (other than the United Kingdom) outside the European Union including, where applicable, documentation of the suitable safeguards implemented by tomato pay to protect such personal data
USA - covered by Standard Contractual Clauses.
9. The obligations and rights of Client as controller.
As set out in the Agreement.