Data Processing Agreement

Last updated: 17th June 2024

Prospect Ai Ltd · Company No. 14809013 · 124 City Road, London, EC1V 2NX · ICO Registration: ZB629188

Background

A. The Supplier is providing services to the Customer where the Supplier is required to process Customer Personal Data to fulfil the Purpose (as defined in the Contract Details).

B. This Agreement sets out the terms on which the Supplier will process the Customer Personal Data, in accordance with Data Protection Laws.

1. Definitions and Interpretation

In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

Agreement: Refers to this data processing agreement and includes the Contract Details and any Schedules attached to it.

Customer Personal Data: The personal data processed by the Supplier on behalf of the Customer under this Agreement, as detailed in the Contract Details.

Contract Details: Refers to the terms agreed between the Parties on the front pages of this Agreement titled 'Contract Details'.

Data Protection Laws: All applicable data protection and privacy legislation in force in the United Kingdom, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, as amended from time to time.

Duration of Processing: The length of time the Supplier will process the Customer Personal Data as described in the Contract Details.

DP Regulator: A valid supervisory authority as defined under the UK GDPR (in the UK, the Information Commissioner's Office).

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Purpose: The purpose for processing the Customer Personal Data, as detailed in the Contract Details.

Sub-Processor(s): Any processor, including any agent, sub-contractor or other third party, engaged by the Supplier for carrying out any processing activities in respect of the Customer Personal Data.

A person means an individual, a firm, a company, an unincorporated body or a government entity and any of its successors, permitted transferees or permitted assignees.

Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

References to statutes, regulations or other legislation referenced herein shall be deemed to be references to that enactment as amended, supplemented, re-enacted or replaced from time to time.

The words include, including and similar words or expressions will not limit the meaning of the words that come before them.

Reference to writing or written includes e-mail but not any other form of electronic communication.

2. Data Protection Roles and Relationship

The Parties acknowledge that the Customer is the data controller of the Customer Personal Data provided by the Customer to the Supplier and the Supplier is the data processor of the Customer Personal Data.

Both Parties will comply with all applicable requirements of Data Protection Laws in relation to personal data that is shared or processed under this Agreement. This Agreement does not relieve, remove or replace a Party's obligations or rights under applicable Data Protection Laws.

3. Data Processing Obligations

Each Party shall maintain records which indicate how that Party processes personal data under its responsibility, containing at least the minimum information required by Data Protection Laws, and shall make that information available to any DP Regulator on request.

To the extent that the Supplier processes Customer Personal Data on behalf of the Customer, the Supplier shall:

3.2.1 Process that Customer Personal Data only on the documented instructions of the Customer, unless otherwise required by applicable laws. The Supplier shall notify the Customer if its instructions infringe Data Protection Laws.

3.2.2 Implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data, including pseudonymisation, encryption, resilience of processing systems, and a process for regularly testing and evaluating the effectiveness of such measures.

3.2.3 Maintain the confidentiality of the Customer Personal Data and not disclose it to any third party other than as authorised under this Agreement.

3.2.4 Assist the Customer in responding to any request from a data subject and in ensuring compliance with Data Protection Laws, including referring all requests from data subjects or any DP Regulator to the Customer promptly and in any event within five days of receipt.

3.2.5 Promptly, and in any event within 24 hours, notify the Customer if it becomes aware of any actual or suspected Personal Data Breach in respect of any Customer Personal Data, and provide all information required to report the circumstances to a DP Regulator.

4. Sub-Processors

The Customer hereby provides its prior, general authorisation for the Supplier to appoint Sub-Processors to process the Customer Personal Data, provided that the Supplier:

4.1.1 Shall ensure any Sub-Processors comply with applicable Data Protection Laws, and with terms materially similar to those imposed on the Supplier in this clause.

4.1.2 Shall remain responsible for the acts and omissions of any such Sub-Processor as if they were the acts and omissions of the Supplier.

4.1.3 Shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object to such changes.

5. International Transfers

The Supplier may transfer Customer Personal Data outside of the United Kingdom and European Economic Area as required to process the Customer Personal Data for the Purpose under this Agreement, provided that the Supplier shall ensure that all such transfers are made in accordance with applicable Data Protection Laws. The Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses to safeguard international transfers, as adopted by the UK Information Commissioner.

6. Liability

Neither Party excludes nor limits any liability for personal injury to the extent that such injury results from the negligence or wilful default of a Party or its employees; for fraud or fraudulent misrepresentation; or for any other liability to the extent it cannot be excluded or limited by law.

Subject to the above and the indemnity provisions, the Parties' total aggregate liability arising under or in connection with this Agreement, or applicable Data Protection Laws, shall be limited as set out in the Contract Details.

7. Audit

The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer.

Such records shall include all information necessary to demonstrate compliance with this Agreement and the information referred to in Articles 30(1) and 30(2) of the UK GDPR.

The Supplier shall make copies of such records available to the Customer promptly on written request.

The Supplier shall make available to the Customer (at no cost) such information as is required to demonstrate compliance with their obligations under this Agreement and Data Protection Laws, and allow for audits including inspections, annually if requested and in the event of an actual or suspected Personal Data Breach.

Except in the event of an actual or suspected Personal Data Breach, the Customer shall provide no less than 30 days' notice of any audit and shall use reasonable endeavours to cause minimal disruption to the Supplier's business during any such audit.

8. Termination and Effect of Termination

This Agreement shall remain in full effect for the Duration of Processing following which it shall automatically terminate.

Where the Supplier no longer requires the Customer Personal Data for the Purpose, it shall, at the written direction of the Customer, delete (so far as technically possible) or return Customer Personal Data and any copies to the Customer within 30 days of termination of this Agreement, unless the Supplier is required by any applicable law to continue to process that Customer Personal Data.

For the purposes of this clause, Customer Personal Data shall be considered deleted where it can no longer be used further by the Supplier.

9. Indemnity

The Supplier shall indemnify and keep indemnified the Customer against all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to data subjects, demands and legal and other professional costs arising out of or in connection with any breach by the Supplier of its obligations under this Agreement.

The Supplier shall also indemnify the Customer against all amounts paid or payable by the Customer to a third party which would not have been paid or payable if the Supplier's breach of this Agreement had not occurred.

For the avoidance of doubt, the limit of liability at clause 6 shall not apply to the indemnity in this clause.

10. General

10.1 Costs

Each Party is responsible for its legal and other costs in relation to the preparation and performance of this Agreement.

10.2 Survival of terms

The Parties intend the following terms to survive termination: clauses 1, 6, 7, 8, 9 and 10 and all clauses required for their interpretation.

10.3 Relationship of the Parties

The Parties are independent businesses and not partners, principal and agent, or employer and employee, or in any other relationship of trust to each other.

10.4 Third party rights

This Agreement is not intended to and does not give any person who is not a party to it any right to enforce any of its provisions under the Contracts (Rights of Third Parties) Act 1999.

10.5 Assignment

No Party may assign, subcontract or encumber any right or obligation under this Agreement, in whole or in part, without the other Party's prior written consent.

10.6 Entire Agreement

This Agreement contains the whole agreement between the Parties relating to its subject matter and supersedes any prior agreements, representations or understandings between them unless expressly referred to in this Agreement.

10.7 Variation

No amendment or variation of this Agreement will be valid unless agreed in writing by an authorised signatory of each Party.

10.8 Severability

If any clause in this Agreement is or becomes illegal, invalid or unenforceable, the remaining provisions shall continue in full force and the Parties shall seek to negotiate a replacement provision consistent with the original intent.

10.9 Waiver

No delay, act or omission by either Party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

10.10 Notices

Notices under this Agreement must be in writing and sent to the other Party's address as set out in the Contract Details. Letters sent in the UK will be deemed delivered 3 business days after sending. Emails will be deemed delivered the same day.

10.11 Counterparts

This Agreement may be signed in any number of counterparts, each of which when signed and dated will be an original. This Agreement will not be effective until each Party has signed one counterpart.

10.12 Governing law

This Agreement is governed by the law of England and Wales. All disputes under this Agreement will be subject to the exclusive jurisdiction of the courts of England and Wales.

Execution

By signing below the Parties agree to the terms set out in this data processing agreement, with effect from the date that it is signed by both Parties. To request an executable copy or to discuss DPA terms, please contact kanoj@prospectai.co.

Prospect Ai Ltd · 124 City Road, London, EC1V 2NX · Company No. 14809013 · kanoj@prospectai.co