Vendelux Data Processing Agreement

DATA PROTECTION

1. Definitions.
   1. In this Schedule:
      1. The terms controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organizational measures have the meanings given to them in the Data Protection Legislation;
      2. “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder);
      3. “Protected Data” means personal data which Customer provides to Vendelux and which Vendelux processes, in the capacity of a processor on behalf of the Customer, in connection with its provision of Services which is subject to the Data Protection Legislation. 
2. Data Protection.
   1. The parties acknowledge that for the purposes of the Data Protection Legislation, in relation to Protected Data, the Customer is the Controller and Vendelux is the Processor. Paragraph 3 below sets out the scope, nature, and purpose of processing by Vendelux, the duration of the processing and the types of Protected Data and categories of data subject.
   2. Both parties will comply with all applicable requirements of the Data Protection Legislation in relation to the Protected Data. This Schedule is in addition to, and does not replace, relieve, or remove a party’s obligations or rights under the Data Protection Legislation.
   3. Without prejudice to the generality of paragraph 2.2, Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Protected Data to Vendelux for the duration and purposes of this Agreement.
   4. Without prejudice to the generality of paragraph 2.2, Vendelux shall, in relation to any Protected Data processed in connection with the performance by Vendelux of its obligations under this Agreement:
      1. process that Protected Data only on the documented written instructions of Customer unless Vendelux is required by applicable law to otherwise process that Protected Data. Where Vendelux is relying on applicable law as the basis for processing Protected Data, Vendelux shall promptly notify Customer of this before performing the processing required by the applicable law unless the applicable law prohibits Vendelux from so notifying Customer;
      2. implement appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Protected Data and against accidental loss or destruction of, or damage to, Protected Data; 
      3. ensure that all personnel who have access to and/or process Protected Data are obliged to keep the Protected Data confidential;
      4. cooperate with and assist Customer, at Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
      5. at the written direction of Customer, delete or return Protected Data and copies thereof to Customer on termination of this Agreement unless required by applicable law to store the Protected Data; and
      6. maintain complete and accurate records and information to demonstrate its compliance with this Schedule and allow for audits by Customer to audit compliance with this Schedule 1 where reasonably requested by Customer.
   5. Customer consents to Vendelux appointing third party processors to process the Protected Data, provided that Vendelux remains responsible for the acts and omission of any such third party processors as if they were the acts and omissions of Vendelux. If such entities are deemed sub-processors, Customer hereby consents to the usage of Vendelux’s respective affiliates and third party service providers as sub-processors.
   6. Customer authorizes Vendelux to store and/or process Protected Data in the United States or any other country in which Vendelux or its sub-processors operate or maintain facilities. Customer appoints Vendelux to perform any such transfer of Protected Data to any such country and to store and process Protected Data in order to provide the Services or by documented instructions of Customer. Any such transfer shall be effected by way of a legally enforceable safeguarding mechanism that is permitted under the Data Protection Legislation, including but not limited to the Standard Contractual Clauses. 
3. Processing, Protected Data and Data Subjects.

The table below includes details of the processing of Protected Data by Vendelux as required by Article 28(3) of the GDPR:

Subject matter of Protected Data	Business contact information (which may include the following or a subset: name, work email address, title, work phone number) relating to Customer personnel provided by Customer to Vendelux for the purpose of accessing the Services.
Duration of processing	For the duration of the Term unless (i) a longer retention period is required for audit, legal, or regulatory purposes; or (ii) Customer instructs Vendelux in writing to (a) keep certain Protected Data longer or (b) return certain Protected Data earlier.
Nature and purpose of processing	To create authorized user accounts in Vendelux’s system, to provision access, identify segregated system user accounts, monitor system functionality and security, and related purposes, and for the provision of the specific services contemplated by the parties under this Agreement.
Types of personal data processed	Business contact information (which may include the following or a subset: name, work email address, title, work phone number) relating to Customer personnel. provided by Customer to Vendelux for the purpose of accessing the Services.
Categories of data subjects	Customer personnel designated by Customer as Authorized Users of the Services