Data Processing Agreement

1. DEFINITIONS 
“data controller” (or “controller”), “data processor” (or “processor”), “data subject”, “personal data”, “sensitive data”,“processing” and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable Data Protection Legislation (as defined in the Agreement”). 
“Children’s Data” means personal data relating to an individual under 18 years. 
“Security Breach” means any accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, or access to Customer Personal Data. 
“Sensitive Personal Data” means the categories of personal data defined in Article 9 of the GDPR, and in particular data relating to health data comprising voice features and location data. 
“Subject” means the person(s) whose voice data is intended to by analysed for the benefit of the Subject and the Customer 


2. LAWFUL BASIS FOR PROCESSING 
2.1 Customer will ensure that it and any other data controllers of the Customer Personal Data and Subject sensitive data : 
a. have complied and will continue to comply with their obligations under the Data Protection Legislation, including ensuring that it is fair and lawful for Verenigma Limited, its staff and sub-contractors to process the Service Data; 
b. have all necessary and appropriate consents and notices in place so that Verenigma may lawfully receive, transfer, use and process the Service Data for the duration and purposes of the Agreement; 
2.2 Customer warrants that it and any other data controllers of the Customer Personal Data shall not knowingly transmit Children’s Data or Sensitive Personal Data to Verenigma without having explicitly gained the consent of the person(s) data the subject of the data processing where appropriate. 
2.3 Customer shall defend, indemnify and hold harmless Verenigma against all claims, fines (including regulatory fines), actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with Customer’s breach of its obligations hereunder. 
2.4 Verenigma shall, in providing the Services, comply with its data protection and information security policies relating to the privacy and security of the Customer Personal Data, as such documents may be amended from time to time by Verenigma in its sole discretion. 
2.5 Verenigma shall inform the Customer and Subject data of any change in the way privacy and security of the Customer and Subject data and shall request reconfirmation of consent in those terms. 

3. PROCESSING ON CUSTOMERS INSTRUCTIONS 
3.1 When processing Customer Personal Data in connection with sensitive data with the performance of Verenigma’s obligations under the Agreement, Verenigma will act only in accordance with the lawful and documented instructions of the Customer as set out in this Data Processing Agreement or as provided in the protocol provided by the instructions by Verenigma from time to time. 
3.2 Customer hereby instructs Verenigma to process the Customer Personal Data: 
a. for the provision of the Services (and for each of these purposes Verenigma shall not share such Customer Personal Data with Sub-processors except as necessary to provide the Services); 
b. for the purpose of fulfilling its obligations and exercising its rights under the Agreement; 
c. as may be required by law, court order or any governmental or regulatory authority; and 
d. until the date that Verenigma ceases to provide the Services to Customer. 
3.3 Customer acknowledges that Verenigma processes the Service Data on Customer’s instructions. Consequently, Verenigma shall not be liable for any claim brought by a data subject arising from any action or omission by Verenigma , to the extent that such action or omission resulted directly from Customer’s instructions. 

4. VERENIGMA OBLIGATIONS 
4.1 In relation to any Customer Personal Data processed in connection with the performance of its obligations under the Agreement, Verenigma shall: 
a. Implement appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Customer Personal Data and against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access to Customer Personal Data and to the requisite level regarding Sensitive Health Data of any Subject or Customer; 
b. At Customer’s written request, assist Customer in responding to any request from a data subject necessary for compliance with its obligations under the Data Protection Legislation; 
c. Notify Customer and Subject without undue delay upon becoming aware of any Security Breach involving Customer or Subject Personal Data; 
d. At Customer’s written request, taking into account the nature of processing and the information available to Verenigma, assist Customer with its obligations under Articles 32 to 36 of the GDPR and the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 
e. ; 
f. Maintain complete and accurate records of all processing operations under its responsibility. Such records shall contain the information required by the Data Protection Legislation. Verenigma shall make such information available to Customer and/or any competent supervisory authority on written request; 
g. At Customer’s and/or the Data Subjects written request, delete or return to Customer or Data Subject any Customer or Data Subject(s)’ Personal Data after the end of the provision of the Services, unless applicable law requires longer storage of the Customer Personal Data; 
h. Ensure that all Verenigma’s or subcontractor(s)’ personnel who have access to or process the Customer Personal Data are subject to a binding duty of confidentiality and have received appropriate training on the Data Protection Legislation. 


5. SUB-PROCESSORS AND DATA TRANSFERS 
5.1 Customer agrees that Verenigma may transfer the Customer Personal Data or give access to Customer Personal Data to third party suppliers as Sub-processors for the purpose of providing the Services, provided that Verenigma complies with the provisions of this paragraph 4. 

5.2 Verenigma shall ensure that it enters into written agreements with its Sub-processors which incorporate terms which are materially equivalent to those in paragraph 3 and as are required by applicable Data Protection Legislation. 

5.3 Verenigma shall remain responsible for its Sub-processor’s compliance with the obligations of this Schedule subject to the limitation of liability in respect of damages found at a level of compatible with the requirements of GDPR. 

5.4 Verenigma can at any time appoint a new Sub-processor provided that Customer is given ten (10) Business Days’ prior notice. 

5.5 Customer hereby agrees that Verenigma may transfer the Customer Personal Data outside the EEA or to Sub-processors outside the EEA where Verenigma participates in a cross-border transfer mechanism which is valid under the Data Protection Legislation and after providing Customer with sufficient notice (as set out in this paragraph 4). Valid cross-border transfer mechanisms include: 
a. transfers to a country which is subject to an adequacy decision of the European Commission; 
b. transfers permitted under the EU-US Privacy Shield; 
c. transfers permitted under an approved code of conduct pursuant to Article 40 of the GDPR or an approved certification mechanism pursuant to Article 42 of the GDPR, in each case together with binding and enforceable commitments of the Sub-processor to apply the appropriate safeguards, including as regards data subject’s rights; 
d. transfers permitted through execution of the Standard Contractual Clauses (controller to processor transfers). Customer hereby authorizes Verenigma to enter into the Standard Contractual Clauses (as set out at https://eur-lex.europa.eu/eli/dec/2010/87/oj) with the Sub-processor in Customer’s name and on its behalf. Verenigma shall be the “data exporter” on behalf of the Customer and the Sub-processor shall be “data importer”. Verenigma will make the executed Standard Contractual Clauses available to the Customer on request. 

6. MISCELLANEOUS 
6.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this Data Processing Agreement, the provisions of these terms shall prevail. Save as specifically modified and amended in these terms, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern these terms. 

6.2 Verenigma will provide Analytics Data to Customer as required to provide the Services, including the provision of tracking information, analytics relating to Customer or Data Subject(s)’ voice and location data. 

6.3 Verenigma shall be entitled to retain and process Analytics Data for internal business purposes, anonymous profiling, benchmarking, trend evaluation, for researching and developing further services in health data provision and commercially exploiting products and services offered to third parties that incorporate Analytics Data including those made available in the Services. In all such cases Analytics Data will only be shared with third parties in a form that does not enable the third party to identify data subjects. Customer hereby authorizes and irrevocably licenses Verenigma to use Analytics Data for the purposes specified above, subject always to Analytics Data being supplied to third parties on an anonymized and aggregated basis. 
For the purpose of this clause “Analytics Data” means any derived analysis from the aggregated data supplied by the customer. 

7. PROCESSING ACTIVITIES 
7.1 Subject matter and duration of the processing 
a. The Customer and Subject Personal Data shall be provided to Verenigma by Customer and processed in accordance with Customer’s instructions in order to allow Verenigma to provide the Services. 
b. The processing shall take place for the duration of the Agreement, unless otherwise directed by the Customer or the intervention /cancellation by any Data Subject. 

7.2 Nature and purpose of the processing 

7.3 Categories of data subjects. The Customer Personal Data processed relates to the following categories of data subjects: 

7.4 Types of Personal Data 

o email addresses 
o telephone numbers 
o Usernames and passwords 
o Other data as set out in the Verenigma website privacy policy, which is available on http://www.verenigma.com/legal\#privacy-policy 
• Customer’s Subject Personal Data 
o Names 
o Telephone Numbers 
o Email Addresses 
• And optionally, dependent on the configuration chosen by Customer: 
o Dates of birth (e.g. for Carrier verification of age-restricted products) 
o Other personal data as provided to Verenigma by Customer 
• . 
b. Customer acknowledges that it has control over the content of the Service Data which it shares with Verenigma. 
c. Customer shall not knowingly provide special categories of data, nor Children’s Data without warranting that they are in a position of legal care over that person or have specific permission from that person. 

Verenigma Limited is registered with the ICO, registration number ZA765485 

For further information or questions regarding processing of data, please email dataprotection@sensetel.co.uk

© Copyright 2021 Verenigma Ltd. All Rights Reserved.