1.1 “Addendum” means this data protection and security addendum to the Agreement.
1.2 “Agreement” means any Order currently in force which is subject to the Existing Terms and Conditions
1.3 “Alternative Transfer Solution” means a solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).
1.4 “Customer” means the named entity that is a customer of Wirehive under the Agreement;
1.5 “Customer Data” means any data (including “Personal Data” as defined in Data Protection Laws), provided by the Customer to Wirehive under the Agreement
1.6 “Data Controller”, “Data Processor”, “Personal Data” and “Processing” all have the meanings set out in the Data Protection Laws; and
1.7 “Data Protection Laws” means the Data Protection Act 1998, and from 25 May 2018, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), and the Electronic Communications (EC Directive) Regulations 2003, and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time.
1.8 “Existing Terms and Conditions” means the terms and conditions for the supply of services between Wirehive and the Customer, being document version [insert] and earlier versions.
1.9 “Optional Security Controls” means encryption, logging and monitoring, identity and access management, security scanning, and firewalls, and other security tools made available by Wirehive from time to time.
1.10 “Order” means as defined in the Agreement.
1.11 “Order Term” means as defined in the Agreement.
1.12 “Portal” means the Wirehive customer support portal located at https://wirehive.support/ (or as otherwise notified to the Customer from time to time);
1.13 “Security Measures” means Wirehive’s security policy document as set out at https://www.wirehive.com/compliance/security/security-measures, and as may be updated by Wirehive on notice to the Customer from time to time;
1.14 “Servers” means the servers specified in the applicable Order;
1.15 “Services” means the services to be provided by Wirehive to the Customer pursuant to any Order, including the Support and Maintenance Services set out in Schedule 1, and which may (subject to the applicable Order) include Wirehive Managed SysOps and/or AWS Services set out in Schedule 4 and/or the Consultancy Services set out in an executed Statement of Work;
1.16 “Sub-Processors” means third parties authorised under these Terms to have logical access to and process Customer Data in order to provide parts of the Services.
1.17 “Wirehive” means Wirehive Limited (company number 05451011), whose registered address is 23-24 Hercules Way, Farnborough, Hampshire, GU14 6UU
2.1 This Addendum supplements the Existing Terms and Conditions that govern the relationship between Wirehive and Customer as of 25 May 2018, and as the Existing Terms and Conditions apply to data processing and security.
2.2 All the other terms of the Agreement remain in full force and effect.
2.3 To the extent of any inconsistency between the Agreement and this Addendum, then the provision in this Addendum shall supersede and apply.
3. DATA PROTECTION & SECURITY
3.1 During the Term of each existing Order, the Customer shall continue to have the ability to choose what Customer Data is processed on the Servers made available by Wirehive pursuant to the Agreement. The Customer shall process Personal Data on the Servers in accordance with applicable Data Protection Laws.
3.2 The Customer shall choose in which countries and how it wishes to protect this data including by way of backups of the Customer Data.
3.3 Outside of the Security Measures, the Customer acknowledges that Wirehive is unable to tailor the Servers to any individual customer’s use case for Data Processing and therefore Wirehive shall continue to provide the same level of security irrespective of whether or not Customer Data is actually processed by a Customer on the Servers.
3.4 Customer acknowledges that it is solely responsible for its selection and use of the Services, and will continue to:
3.4.1 make appropriate use of the Services and the Security Measures to ensure a level of security appropriate to the risk in respect of the Customer Data;
3.4.2 keep secure the account authentication credentials, systems and devices Customer uses to access the Services; and
3.4.3 back up its Customer Data separately from the Servers.
4. CUSTOMER OBLIGATIONS
4.1 The Customer has reviewed and approved the Security Measures as an appropriate level of security for the processing of the Customer Data.
4.2 The Customer will:
4.2.1 keep adequate backups of the Customer Data separately from the Servers or otherwise request Wirehive to create backups as part of an Order;
4.2.2 choose any of the Optional Security Controls that it deems necessary and prudent and which is appropriate to the risk of the Customer Data;
4.2.3 be responsible for ensuring that it shall implement its own technical and organisational measures to ensure a level of security appropriate to the risks of the data processing.
4.3 The Customer controls how Personal Data is stored, classified, exchanged or otherwise Processed when using the Services. The Customer may select the territory in which it stores or processes the Personal Data and may purchase Optional Security Controls from Wirehive as it deems appropriate for the nature and volume of Personal Data that it processes on the Servers.
4.4 The Customer will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful processing of the Personal Data, and for the purpose of Wirehive performing the Services, and the Customer shall indemnify Wirehive against any losses, damages, claims and expenses incurred by or suffered by Wirehive from a breach by Customer of this clause 4.4.
4.5 The Customer shall use the Servers made available by Wirehive to process their Personal Data in accordance with applicable Data Protection Laws.
4.6 Wirehive may terminate an Order on written notice to Customer where it has actual knowledge that Customer’s use of the Servers is contrary to Data Protection Laws and Customer fails to provide reasonable written evidence which is satisfactory to Wirehive that Customer has immediately remedied the same.
5. RECORDS AND WRITTEN INSTRUCTIONS
5.1 Customer acknowledges that Wirehive is required under Data Protection Laws to:
5.1.1 collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Wirehive is acting, and where applicable, of such processor’s or controller’s local representative and data protection officer; and
5.1.2 make such information available to the supervisory authorities. Accordingly, where applicable under Data Protection Laws, Customer will, where requested, provide such information to Wirehive via the Portal or other means provided by Wirehive, and will use the Portal or such other means to ensure that all information provided is kept accurate and up-to-date.
5.2 The Customer shall keep a record of the scope, nature and purpose of the processing to be carried out on Wirehive’s infrastructure and the duration of its own processing and types of data. Customer shall supply a copy of the record to Wirehive on reasonable notice.
5.3 The Server features and functionalities and Portal made available to Customer as part of the Services shall form part of the Customer’s written instructions to Wirehive in relation to the processing of Personal Data, as well as this Addendum, the Agreement and the terms of any Order.
5.4 Customer’s instructions for the processing of Personal Data will comply with Data Protection Laws, and the Customer will have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the Customer obtained the Personal Data.
5.5 On expiry of the Order Term, Customer instructs Wirehive to delete all Customer Data (including existing copies) from Wirehive’s systems in accordance with applicable law. Wirehive will comply with this instruction as soon as is reasonably practicable and within a maximum period of 180 days unless applicable Data Protection Laws require storage. Customer acknowledges and agrees that Customer will be responsible for exporting, before the Order Term expires, any Customer Data it wishes to retain afterwards.
5.6 If Customer uses the Services to delete any Customer Data during the Order Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Wirehive to delete the relevant Customer Data from Wirehive’s systems in accordance with applicable law.
6. SECURITY MEASURES
6.1 Wirehive will provide the security procedures as set out in the Security Measures, and where set out in an Order the Optional Security Controls, for the duration of the Order Term.
6.2 As part of providing the Security Measures, Wirehive will maintain appropriate technical and organisational measures at its data centre facilities that are within its control and are used to provide the Services, and which are designed to help the Customer secure its Customer Data against unauthorised processing and accidental or unlawful loss, access or disclosure.
6.3 Wirehive may update its Security Measures from time to time but will provide at least the same level of security as is described in the Security Measures as of the effective date of this Addendum. Notwithstanding the foregoing, the Customer acknowledges that Customer is responsible for the security of guest operating systems, applications hosted on the service, data in transit and at rest, Customer’s service log-in credentials and permissions policies for Customer personnel using the Services and Servers.
7. NATURE AND PURPOSE OF DATA PROCESSING
7.1 Both parties will comply with all applicable requirements of the Data Protection Laws as they apply to them in the provision and receipt of the Services. The parties acknowledge that for the purposes of the Data Protection Legislation, and for the performance of the Services under the Agreement:
7.1.1 the Customer is the Data Controller and Wirehive is the Data Processor, where the Customer determines the purpose for which and how the Personal Data will be processed, including choosing Wirehive’s Services;
7.1.2 the Customer will be a Data Processor in relation to the Personal Data where the Customer is merely processing the Personal Data on the Servers on behalf of and according to the wishes of a third party or its own customers;
7.1.3 and in respect to the Customer’s account information (usernames, email address, billing information), Wirehive is Data Controller.
7.2 To the extent that Wirehive processes any Personal Data, then it shall do so:
7.2.1 solely as necessary to perform its Services under the Order and to provide the Services requested by the Customer pursuant to an Order in accordance with the Agreement;
7.2.2 to carry out Processing initiated by the Customer in using the Servers and Services; and
7.2.3 as further instructed by the Customer in writing as part of its use of the Services and which is consistent with the terms of the Agreement.
7.3 Where Wirehive Processes Personal Data, it shall Process the Personal Data for the duration of the Order Term (unless otherwise agreed in writing or permitted by law), and which processing includes computing, storage and content delivery on the Servers.
8. CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA
8.1 The Customer may submit Personal Data to the Servers and the extent of the Personal Data submitted is determined and controlled solely by the Customer. The categories of Data Subjects shall include any living individual whose Personal Data is uploaded to the Servers.
8.2 The Customer may submit Personal Data to the Servers and the extent of the Personal Data submitted is determined and controlled solely by the Customer. The categories of Personal Data shall include all the Personal Data submitted by the Client to the Servers.
9. WIREHIVE OBLIGATIONS
9.1 Wirehive will, at all times in connection with the performance by it of its Processing obligations under the Agreement:
9.1.1 not access or use any Customer Data except as necessary to provide the Services to the Customer under the Agreement or with the Customer’s written instructions;
9.1.2 carry out all Processing of Customer Data strictly in accordance with the Agreement, the Security Measures, any Optional Security Controls, and the Customer’s reasonable written instructions from time to time unless Wirehive is required by the laws of any member of the European Union or by the laws of the United Kingdom to process Customer Data (and in such a circumstance it shall notify the Customer of this before performing the processing required unless it is prohibited from so notifying the Customer);
9.1.3 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures, save that it shall be the Customer’s responsibility to request Wirehive to provide backups of the Customer Data as set out in an Order;
9.1.4 notify the Customer without undue delay on becoming aware of a Customer Data breach (promptly take reasonable steps to minimise harm and secure Customer Data);
9.1.5 provide the Customer with an opportunity to download the Customer Data following which Wirehive may delete Customer Data and copies thereof on termination of the Order Term unless required by Applicable Law to store the Customer Data;
9.1.6 promptly carry out any request from the Customer to amend, transfer, delete or return (and then delete) the Customer Data;
9.1.7 not disclose the Customer Data to a third party other than at the Customer’s request or as otherwise set out in the Agreement or this Addendum;
9.1.8 not transfer the Customer Data outside of the EEA unless it has the prior written consent of the Customer and subject to the parties entering into the EU Standard Contractual Clauses or Alternative Transfer Solution; and
9.1.9 maintain complete and accurate records and information to demonstrate its compliance with this clause 9;
9.2 The Customer consents to Wirehive appointing the applicable third-party processors set out at https://www.wirehive.com/compliance/gdpr which may apply to an Order and as necessary to provide those Services.
10. WIREHIVE PERSONNEL
10.1 Wirehive shall ensure that its personnel engaged in the Services are informed of the confidential nature of the Customer Data and shall receive ongoing and appropriate training on their responsibilities.
10.2 Wirehive personnel shall enter into written confidentiality agreements prior to carrying out any of the Services to the Customer.
10.3 Wirehive shall ensure that access to the Customer Data is limited to its personnel who need access solely to provide the Services to the Customer.
11. DATA SUBJECT REQUESTS
11.1 Wirehive will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject where the Data Subject is exercising its right of access, rectification, restriction of processing, erasure (i.e. the right to be forgotten), data portability, objection to processing, or its right not to be subject to automated individual decision making (“a Data Subject Request”).
11.2 Wirehive will assist the Customer, at the Customer’s cost, in responding to any Data Subject Request (save that beyond providing the Customer the ability to rectify, erase, restrict or retrieve Customer Data, Wirehive shall not be required to provide any further assistance).
12.1 Wirehive will provide reasonable cooperation and assistance to the Customer, at the Customer’s cost, to enable the Customer to fulfil its obligation under Data Protection Laws to carry out a data protection impact assessment relating to the use of the Services, and to the extent that the information is not already included in the Security Measures document or generally made available by Wirehive on its website.
12.2 Wirehive will provide reasonable cooperation and assistance to the Customer, at the Customer’s cost, in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
13.1 Wirehive will achieve and maintain the ISO/IEC 27001 Certification to evaluate and help ensure the continued effectiveness of the Security Measures and will make available to Customer the certificate highlighting its compliance.
13.2 Pursuant to Data Protection Laws, Wirehive will allow an independent auditor appointed by Customer (and approved by Wirehive) to conduct audits (including inspections) to verify Wirehive’s compliance with its obligations under this Schedule.
13.3 Customer may also conduct an audit to verify Wirehive’s compliance with its obligations under the Security Measures by reviewing the Security Measures documentation (which reflects the outcome of audits conducted by Wirehive’s own third-party auditor).
13.4 Customer must send any requests for audits under this section 13 to Wirehive’s data protection team.
13.5 Following receipt by Wirehive of a request under this section 13 Wirehive and Customer will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit.
13.6 Wirehive may charge a fee (based on Wirehive’s reasonable costs) for any review and/or audit under this section 13. Wirehive will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
13.7 Wirehive may object in writing to an auditor appointed by Customer to conduct any audit under section 13 if the auditor is, in Wirehive’s reasonable opinion, not suitably qualified or independent, a competitor of Wirehive, or otherwise manifestly unsuitable. Any such objection by Wirehive will require Customer to appoint another auditor or conduct the audit itself.
14.1 Information about the locations of Wirehive’s data centres is available at https://www.wirehive.com/compliance/gdpr (as may be updated by Wirehive from time to time).
14.2 Customer specifically authorises the engagement of Wirehive’s Sub-Processors to provide the Services from the start of the Order Term. In addition, Customer generally authorises the engagement of any other third-parties as Sub-Processors (“Third-Party Sub-Processors”) as part of the provision of the Services. Information about such Sub-Processors, including their functions and locations, is available at https://www.wirehive.com/compliance/gdpr (as may be updated by Wirehive from time to time in accordance with these Terms).
14.3 When engaging any Sub-Processor, Wirehive will:
14.3.1 ensure via a written contract that:
(a) the Sub-Processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (and this Schedule) and any Alternative Transfer Solution adopted by Wirehive; and
(b) if Data Protection Laws apply to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Sub-Processor; and
14.3.2 remain fully liable for all obligations subcontracted to, and all acts or omissions of, the Sub-Processor.
14.4 In the event that Wirehive wishes to appoint a new sub-processor who will be involved in providing the Services on behalf of Wirehive, then Wirehive shall provide reasonable written notice to the Customer (and such notice shall include the details of the sub-processor) and should the Customer not approve of the appointment, then its sole remedy shall be to terminate the Order to which the appointment relates.
14.5 Where Wirehive wishes to appoint a new Sub-Processor, then the Customer may object to that appointment in writing to Wirehive within twenty (20) business days of Wirehive’s notice of its intended appointment. If the Customer objects to the appointment, and the parties cannot resolve how to manage the provision of the Services to the satisfaction of the Customer, then the Customer’s sole remedy shall be to terminate the Order to which the sub-processor applies.
15. TRANSFERS OF DATA OUT OF THE EEA
15.1 If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA, and Data Protection Laws apply to the transfers of such data (the “Transferred Personal Data”), Wirehive will offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Customer about such Alternative Transfer Solution.
15.2 In respect of Transferred Personal Data, Customer agrees that if under the Data Protection Laws Wirehive reasonably requires Customer to use an Alternative Transfer Solution offered by Wirehive, and reasonably requests that Customer take any action (which may include execution of documents) strictly required to give full effect to such solution, Customer will do so.
16. DISCLOSURE OF CUSTOMER DATA
16.1 Wirehive will not disclose Customer Data to a third country law enforcement agency unless it is necessary for Wirehive to comply with a valid and legally binding court judgement, order or request. Wirehive will not disclose more Customer Data than is necessary to comply with the relevant court judgement, order or request.
16.2 If Wirehive receives a valid and legally binding court judgement, order or request from any law enforcement or governmental authority to disclose Customer Data, then, unless prohibited by law, Wirehive will inform the Customer before disclosure to provide the Customer with the opportunity to seek protection from disclosure.
17.1 Nothing in this Addendum or the Agreement shall exclude or restrict Customer’s liability for any breach of Data Protection Laws.
17.2 These Terms and Conditions have been produced by Wirehive in conjunction with legal counsel to protect the interests of both Parties. Unless otherwise notified by Wirehive, where the Customer has amended, varied, negotiated, required Wirehive to waive any term, or requested or made any other modification to this Addendum (or part thereof) prior to execution by the Parties, by signing these Terms and Conditions the Customer agrees to pay to Wirehive, promptly upon demand, the amount of: (a) £500 (ex. VAT), or such other sum as Wirehive may specify in advance of execution, and (b) any and all costs and expenses (including all reasonable fees, costs, expenses, and disbursements of Wirehive’s legal counsel, experts, and/or agents) that Wirehive incurs in connection with such amendment, variation, negotiation, waiver, or other modification.
17.3 This Addendum may be executed electronically using electronic signature or advanced electronic signature of a duly authorised officer of each Party. If this Addendum is executed electronically, each Party hereby irrevocably consents to this Addendum being communicated, presented, and retained wholly or partly in electronic form.
17.4 This Addendum may be executed in any number of counterparts, including electronic counterparts, each of which (including electronic counterparts) will be an original but all of which together will constitute one and the same instrument. No counterpart (including electronic counterparts) shall be effective until each Party has executed at least one counterpart.
17.5 This Addendum and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the law of England. The Parties hereby irrevocably agree that the courts of England have the exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).