1.1. This DPS is subject to the terms of the Service Agreement and is incorporated into the Service Agreement. In the case of conflict or ambiguity between any of the provisions of this DPS and the provisions of the Service Agreement, the provisions of this DPS will prevail to the extent of such conflict or ambiguity. This DPS will remain in full force and effect so long as the Service Agreement remains in effect.
1.2. Capitalised terms used in this DPS and not otherwise defined herein or in the Service Agreement shall bear the meaning given to them in the Data Protection Legislation.
2. Data Processing Obligations
2.1. The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, in respect of any Personal Data contained in the Customer Content (“Customer Personal Data”) the Customer is the Data Controller and Supplier is the Data Processor of such Customer Personal Data.
2.2. Notwithstanding the provisions of this DPS, the Parties will comply with applicable requirements of Data Protection Legislation.
3. Supplier’s processing obligations
3.1. To the extent that Supplier processes any Customer Personal Data on behalf of Customer in connection with the provision of the Service to the Customer, Supplier shall:
3.1.1. only Process the Customer Personal Data in accordance with the Customer’s instructions (which are set out in Annex A) and shall notify Customer immediately if in its opinion the Customer’s instructions infringe applicable law;
3.1.2. ensure that access to any such Customer Personal Data is restricted to those of its personnel who are subject to confidentiality obligations in respect of the Personal Data;
3.1.3. subject always to the provisions of clause 3.2, provide reasonable assistance to the Customer in responding to any Data Subject Requests and to ensure compliance with its obligations under the Data Protection Legislation with respect to security, Personal Data Breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;
3.1.4. notify Customer without undue delay if it becomes aware of a Personal Data Breach relating to the Customer Personal Data;
3.1.5. ensure that it has in place appropriate technical or organisational measures, to protect against unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
3.2. Customer shall be responsible for any costs arising from Supplier’s provision of assistance where such assistance requires support that is beyond the existing/normal functionality of the Software.
3.3. At the commencement of the Services Agreement, Customer acknowledges and consents generally to the Supplier’s appointment of third party Processors (“Sub-processors”) to Process the Customer Personal Data as are listed here: https://www.shape.construction/trust-center. Supplier shall be entitled to make changes to the existing list provided always that Supplier shall:
3.3.1. inform Customer prior to the appointment or removal of any such Sub-processor, thereby giving Customer an opportunity to object to the appointment or removal by reason of the changes causing or being likely to cause the Customer to be in breach of the Data Protection Legislation. If Customer objects on these grounds, Supplier shall either: (a) alter its plans to use the Sub-Processor with respect to Customer Personal Data; or (b) take corrective steps to remove Customer’s objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either party may terminate the Service Agreement (without liability for either party, and such termination will be deemed to be a no-fault termination); and
3.3.2. ensure that each Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on Supplier under this DSA, and shall ensure that it remains liable to the Customer for the performance of those obligations by each Sub-processor.
3.4. Customer acknowledges and agrees that Supplier and its Sub-Processors may transfer Customer Personal Data outside of the UK, provided always that Supplier shall take such measures as are necessary to ensure the transfer of any Customer Personal Data to any third country is in compliance with Data Protection Legislation and shall ensure that:
3.4.1. the transfer is to a country approved as providing an adequate level of protection for the Customer Personal Data; or
3.4.2. there are appropriate safeguards in place for the transfer of the Customer Personal Data; or
3.4.3. binding corporate rules are in place; or
3.4.4. one of the derogations for specific situations applies to the transfer.
3.5. Upon termination or expiry of the Service Agreement, at the written request of the Customer, Supplier shall delete or return the Customer Personal Data to the Customer unless required by the Data Protection Legislation to store the Customer Personal Data.
3.6. In order to demonstrate Supplier’s compliance with the Data Protection Legislation and the terms of this DPS, Supplier shall:
3.6.1. maintain complete and accurate records and information to demonstrate compliance with this DPS and the Data Protection Legislation; and
3.6.2. allow Customer, at Customer’s sole cost and expense, access (on reasonable notice and no more than once a year) to audit its compliance with this DPS and the Data Protection Legislation and shall provide reasonable co-operation as requested by Customer in the performance of such audit. The Parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.
4. Obligations of Customer
4.1. Customer warrants that it shall retain control of the Customer Personal Data and remains responsible for its compliance obligations under Data Protection Legislation, including but not limited to:
4.1.1. ensuring there is an appropriate lawful basis in place in order for the Customer Personal Data to be transferred to Supplier so that Supplier may fulfil its obligations under the Service Agreement; and
4.1.2. providing any required notices and obtaining any required consents to or from Data Subjects; and
4.1.3. for the written processing instructions it gives to Supplier which are set out in Annex A.
4.2. Customer will not instruct Supplier to Process any Personal Data, including Customer Personal Data, in violation of Data Protection Legislation.
Annex A – Customer’s instructions of Data Processing
1. Scope
Processing of the Customer Personal Data in the provision of Service to the Customer.
2. Nature and Purpose of Processing
Supplier will Process Customer Personal Data as necessary to perform its obligations pursuant to the Service Agreement including but not limited to collecting, recording, organising, structuring, storing, retrieving, disclosing and transmitting.
3. Duration of Processing
Supplier will Process Customer Personal Data for the duration of the Service Agreement.
4. Categories of Data Subjects
Customer may submit Customer Personal Data to the Software, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Customer Personal Data relating to the following categories of data subjects:
Authorised Users;
Other data subjects whose personal data may feature in content uploaded to the Software.
5. Type of Personal Data
5.1. Customer may submit Customer Personal Data to the Software, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Customer Personal Data:
Full name;
Address, email addresses and telephone numbers;
Job title and relationship to Customer;
Contact history, support tickets, activity logs;
Meta data relating to a Data Subject’s interactions;
IP address;
Any other Personal Data submitted to Supplier when registering for and engaging with the Service.