Data Processing Agreement
Version 1.0
Date Updated: 16/07/2024
This Data Processing Agreement (“Agreement“) forms part of the Terms of Use (“Service Agreement”) between the Customer (“Customer”) and MADE WITH INTENT LIMITED (the “Data Processor”) (together as the “Parties”).
This Agreement governs the specific requirements of Data Protection Laws to the extent that Customer’s use of Made with Intent Services implies the processing of Personal Data subject to Data Protection Laws.
The term of this Agreement shall follow the term of the Service Agreement. Terms not defined in this Agreement shall be taken as defined in the Service Agreement.
WHEREAS
(A) The Customer acts as a Data Controller.
(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Service Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Customer Personal Data from the Customer to a Contracted Processor; or
1.1.8.2 an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the services provided by the Processor.
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of Customer in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
2.1.2 not Process Customer Personal Data other than on the relevant Customer’s documented instructions.
2.2 The Parties acknowledge that for the purposes of the Data Protection Laws,
- Customer is the Controller of its users’ account data and profile data, and of Customer Data (as defined in the Service Agreement)
- MADE WITH INTENT LIMITED is a Processor of Customer Data and of such user’s account data and profile data.
2.3 The Customer warrants that it does and shall own all rights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of such Customer Data. The Customer shall take all reasonable and appropriate steps to ensure that only such Customer Data as is necessary and relevant for the purposes of providing the Services is transferred to the Supplier.
2.4 The Customer, within the scope of the Service Agreement and in its use of the Services shall comply with the applicable Data Protection Laws with respect to the Customer’s Processing of Customer Personal Data and Customer’s instructions to the Data Processor. The Customer shall establish and have any and all required legal basis in order to collect, process and transfer to the Data Processor. The Customer will ensure that where required it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to the Data Processor for the duration and purposes of the Service Agreement.
2.5 Purpose of processing:
2.5.1 processing in accordance with the Service Agreement and this Agreement
2.5.2 processing to provide Services to the Customer
2.5.3 rendering Personal Data fully anonymous, non-identifiable and non-personal
2.5.4 processing as required under any applicable Data Protection Laws. The Data Processor shall promptly notify the Customer of such processing unless prohibited from doing so by law
2.6. The scope, nature and purpose of processing are further specified in Schedule 1 below.
3. Processor Personnel
3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 The Processor shall ensure that it has in place suitable technical and organisational measures to protect Customer Personal Data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.
5. Subprocessing
5.1 The Customer consents to the Data Processor appointing hosting providers (such as Amazon Web Services (AWS) and/or Google LLC) as third-party processors of personal data under this Agreement and such other processors as the Data Processor shall notify to the Customer in writing. The Data Processor confirms that it has entered or (as the case may be) will enter with each third-party processor into a written agreement incorporating the terms which are substantially similar to those set out in this Agreement and in either case which the Data Processor undertakes reflect and will continue to reflect requirements of Data Protection Laws. As between the Customer and the Data Processor, the Data Processor shall remain fully liable for the acts or omissions of any third-party processor appointed by it pursuant to this Agreement.
5.2 The Customer may obtain an up to date list of data Subprocessors at any time by contacting privacy@madewithintent.ai; should a Customer wish to be informed of another Subprocessor being engaged, they should contact privacy@madewithintent.ai.
5.3 The Customer may reasonably object to the Data Processor’s use of a new Subprocessor by contacting privacy@madewithintent.ai and stating the reasons for objection. Not objecting to the use of a new Subprocessor will be deemed acceptance of that Subprocessor in the processing of Customer Personal Data.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Customer Personal Data
9.1 At the written direction of the Customer, the Processor will delete or return personal data and copies thereof to the Customer on termination of the Agreement unless required by the Data Protection Legislation to store the personal data. The Customer acknowledges and agrees that any such deletion of personal data may result in data loss of Derived Data collected during the time period when the personal data was so collected.
10. Audit rights
10.1 Subject to this section 10, Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1 The Data Processor is permitted by the Customer to transfer any personal data outside of the European Economic Area and the United Kingdom provided that the following conditions are fulfilled:
11.1.1 the Customer or the Data Processor has provided appropriate safeguards in relation to the transfer;
11.1.2 the data subject has enforceable rights and effective legal remedies;
11.1.3 the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
11.1.4 the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
13. Governing Law and Jurisdiction
13.1 This Agreement will be governed in accordance with the “Governing Law and Jurisdiction” section of the Service Agreement.
SCHEDULE 1 - DETAILS OF THE PROCESSING
Duration of Processing
MADE WITH INTENT LIMITED will Process Personal Data pursuant to this Agreement for the duration of the Service Agreement, unless otherwise agreed in writing.
Types of Data Processed
1. Data of the Customer’s website and mobile app visitors including:
- Unique identifiers (including arbitrary cookie / local storage IDs and similar)
- DOM events and interactions such as click, scrolls, taps or zoom
- Browser contextual information such as user agent, screen size, page URL, user local time and timezone
2. Personal Data submitted by a Customer via the Services for any purpose including dashboard and tool access
Categories of Data Subjects
Customer may submit Personal Data to the Services which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Customer’s website and mobile app visitors;
- Customer’s employees, agents, advisors, freelancers and vendors (who are natural persons) authorised by Customer to use the Services.
Nature and Purpose of Processing
MADE WITH INTENT LIMITED will process Personal Data for the following purposes:
- Providing Services to the Customer, including aggregated visitor behaviour analysis and web and app performance
- Performing this Agreement and the Service Agreement
- Acting upon Customer’s instructions
- Providing support and technical maintenance as part of the Services
- Preventing, mitigating and investigating data privacy and security incidents
- Complying with applicable laws and regulations
- Customer participation in MADE WITH INTENT LIMITED promotional / marketing programmes