Data Processing Agreement

Effective starting 29th May 2024

This Data Processing Addendum (“DPA”) forms part of the Agreement between Little Pond Limited (“Prommt”) and Client Name. Capitalised terms used but not defined herein shall have the meaning set out in the Agreement. This DPA consists of (a) the main body of the DPA; (b) the Data Processing Details Addendum at Attachment 1

DEFINITIONS

Affiliate means, with respect to a party, an entity that (directly or indirectly) controls, is controlled by or is under common control with, such party, where control refers to the power to direct or cause the direction of the management policies of another entity, whether through ownership of voting securities, by contract or otherwise.

Agreement means the commercial arrangement between Customer and Prommt pursuant to which Prommt provides Customer and Certain of its Affiliates certain Payment Communication services and includes this DPA.

Controller means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Customer means Client Name

Data Protection Laws means all laws and regulations applicable to each party (and to any Affiliates making use of the Services pursuant to clause 3.2) in relation to the Processing of Personal Data under the Agreement in force from time to time, including, as appropriate, the GDPR, the UK GDPR, the Data Protection Act 2018 (as enacted in each of the UK and Ireland), and other applicable laws and regulations of the UK, European Union, the EEA and their member states relating to data protection, and any binding guidance or codes of practice issued by any Regulator (all as amended, updated or re-enacted from time to time).

Data Subject means the individual to whom Personal Data relates.
Data Subject Request means a Data Subject’s request to exercise that person’s rights under Data Protection Laws in respect of that person’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the processing of, block or delete such Personal Data.

EEA means European Economic Area.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
Personal Data means any information relating to an identified or identifiable natural person made available to Prommt in connection with the Services; an identifiable natural person, is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.

Processing or Process means any operation or set of operations which is performed by or on behalf of Prommt as part of the Services upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Processor means the entity which Processes Personal Data on behalf of the Controller.

Prommt means Little Pond Limited

Regulator means the data protection authority or other regulatory, governmental or supervisory authority with authority over all or any part of (a) the provision or receipt of the Services, (b) the Processing of Personal Data in connection with the Services or (c) Prommt’s business or personnel relating to the Services, and for the avoidance of doubt shall include the European Data Protection Board.

Security Incident means any Personal Data Breach (as defined in GDPR and if, and to the extent, applicable, UK GDPR) or other incident that has resulted, or is reasonably likely to result, in any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, access to or encryption of (a) Personal Data or (b) other information under Prommt’s control where such incident has the potential to harmCustomer’s business, clients, employees, systems or reputation.

Services means the services to be provided by Prommt to Customer and its Affiliates under the Agreement.

Standard Contractual Clauses means, as applicable by reference to the Data Protection Laws relevant to the Processing, the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries, as set out in the Annex to Commission Decision 2010/87/EU, standard clauses made by the UK Secretary of State under Section 119A of the DPA 2018, or such alternative clauses as may be approved from time to time by the European Commission or the UK Secretary of State.

Subcontractor means a third-party subcontractor engaged by or on behalf of Prommt that will Process Personal Data as part of the performance of the Services.

UK GDPR means the retained version of GDPR in the UK pursuant to s.3 of the European Union (Withdrawal) Act 2018, and as defined in s.3(10) and s.205(4) of the UK Data Protection Act 2018, as the same may be amended or updated from time to time.

Relationship with the Agreement

Prommt’s obligations under this DPA are in addition to and not in lieu of its obligations under other provisions of the Agreement. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms that afford Customer the greater protection shall apply.

In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Processing of Personal Data

Roles of the Parties. The parties acknowledge and agree that with regard to Personal Data:

• Customer may be Controller or a Processor acting on its client’s behalf, depending on Customer’s relationship with the client and the relevant data subjects;
• Where Customer is a Controller, Prommt shall be a Processor; and
• Where Customer is a Processor, Prommt shall be sub-processor.

Customer Affiliates. Prommt shall also provide the Services to, and Process Personal Data provided by or on behalf of Affiliates of Customer. In such circumstances, each Affiliate shall have the same Controller or Processor status as the Customer in respect of the Personal Data that it provides to Prommt and such Affiliate shall have the same rights that Customer has under this DPA.

Prommt’s Processing of Personal Data

• Prommt shall Process Personal Data only on Customer’s behalf and in accordance with <Customer>’s instructions and shall treat Personal Data as confidential information subject to the confidentiality provisions of the Agreement. Customer instructs Prommt to Process Personal Data in accordance with the Agreement and this DPA and to comply with Customer’s other reasonable instructions (e.g., via email) where such instructions are consistent with the Agreement.
• Prommt shall notify Customer in writing immediately if, in Prommt’s reasonable opinion, Prommt believes that any instruction given by Customer infringes Data Protection Laws.
• Prommt’s Processing of Personal Data shall comply with its obligations under Data Protection Laws and Prommt shall not perform the Services in a manner that causes Customer to violate Data Protection Laws.
• Without limitation of clause (c), Prommt shall maintain reasonably detailed records of (a) its Processing activities, (b) its compliance with this Agreement and (c) Security Incidents.

Purpose; Categories of Personal Data and Data Subjects. The purpose of Processing of Personal Data by Prommt is the performance of the Services pursuant to the Agreement and the duration of the Processing shall, subject to the provisions of the Agreement, be the term of the Agreement.  The types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Attachment 1 (Data Processing Details Addendum).

Limitation on Disclosure. Other than as expressly permitted by the Agreement or required by law, Prommt shall not disclose Personal Data to any third parties without Customer’s prior consent.

Data Subject Rights; Other Complaints and Requests

Prommt shall, to the extent permitted by law, promptly notify Customer upon (and in no event later than two business days after) receipt of a Data Subject Request or any other request or complaint of a Data Subject relating to Personal Data. Prommt shall not respond to any such Data Subject request without Customer’s prior written instructions.

Prommt shall promptly and without undue delay provide such co-operation and assistance and take such action as Customer may reasonably request (including assistance by appropriate technical and organisational measures) to allow Customer to fulfil its obligations to clients or under Data Protection Laws in respect of such requests or complaints, including, without limitation, meeting any deadlines imposed by such obligations.

Prommt Personnel

Prommt shall ensure that its personnel engaged in Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements in respect of the Personal Data that survive termination of the personnel engagement.

Subcontractors

Prommt shall not authorise a Subcontractor to process Personal Data without the prior written consent of Customer. Prommt shall ensure that the subcontract entered into with any Subcontractor imposes on the Subcontractor equivalent obligations as those to which Prommt is subject under this DPA. Prommt shall be responsible and liable for the acts, omissions or defaults of its Subcontractors in the performance of obligations under this Agreement or otherwise as if they were Prommt’s own acts, omissions or defaults.

Security

Prommt shall take technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of Prommt systems used for Processing Personal Data and protect against the unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise Processed.

Prommt agrees to notify Customer immediately (but in no case later than 48 hours) after becoming aware to a reasonable degree of certainty of a Security Incident. Notification must include a phone call and email to Customer’s primary account contact, with a copy email to Client Contact email. Notification shall include at a minimum (a) a description of the Security Incident including impact and likely consequences thereof, (b) the expected resolution time (if it has not already been resolved), (c) corrective measures to be taken, evaluation of alternatives, and next steps, and (d) the name and phone number of the Prommt representative that Customer may contact to obtain further information and updates.

Audits

Prommt will perform regular (i.e. at least quarterly) vulnerability tests and assessments against all systems Processing Personal Data, and shall perform regular (i.e. at least annually) penetration tests against any Internet-facing systems used in connection with the Services. Prommt further agrees to perform regular (i.e. at least annually) risk assessments of the physical and logical security measures and safeguards it maintains applicable to its protection of Personal Data. With respect to systems Processing Personal Data, Prommt will provide Customer, upon request, a summary report of such tests and assessments, including a description of any significant (i.e. moderate or greater) risks identified and an overview of the remediation effort(s) undertaken to address such risks.

In addition to any other audit obligations that may be contained in this Agreement, Customer or its designated third party, at its sole expense, may inspect (i) Prommt’s information security and privacy policies, practices and procedures applicable to the systems, applications, and facilities Processing Personal Data, including data centres or premises where the Personal Data is stored at or accessed from, and (ii) Prommt’s Processing practices, (“Inspection”). Prommt shall make relevant personnel available for interviews and provide all information and assistance reasonably requested by Customer in connection with any such Inspections, including, without limitation, such information as Customer requires to verify compliance with the Agreement, this DPA and Data Protection Laws. Prommt shall take such remedial actions as are reasonably required by Customer following the Inspection.

Transfers Outside of the United Kingdom or the European Economic Area

Prommt shall not transfer or otherwise process, or permit Personal Data to be Processed, outside the EEA/UK (as applicable) unless the prior written consent of the Customer has been obtained and

• the transfer is on the basis of an adequacy decision granted pursuant to Article 45(3) of the GDPR (or where applicable, UK GDPR),

Or

• the following conditions are fulfilled:
  1. the Prommt has provided appropriate safeguards in relation to the transfer in accordance with its obligations under Data Protection Laws including Article 46 of the GDPR (or where applicable, UK GDPR), for example by entering into all relevant Standard Contractual Clauses if reasonably required by the Customer (in which case the parties shall complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimise the transfer pursuant to the Standard Contractual Clauses); and
  2. the Prommt complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data

Co-operation with Regulators and Conduct of Claims

Prommt shall promptly and without undue delay notify Customer of all enquiries or requests from a Regulator that Prommt receives which relate to the Processing of Personal Data, the provision or receipt of the Services or either party’s obligations under this Agreement, unless prohibited from doing so at law or by the Regulator. If Prommt or Customer receives such an enquiry or request from a Regulator, Prommt shall promptly and without undue delay provide Customer with such information as Customer may reasonably request to satisfy such inquiry or request.

Unless a Customer notifies Prommt that Prommt will be responsible for handling a particular communication or correspondence with a Regulator or a Regulator requests in writing to engage directly with Prommt, Customer will handle all communications and correspondence relating to Personal Data or the Services.

Customer shall have the right, at its sole discretion, to assume control of the defence and settlement of any governmental or regulatory proceeding or third-party claim that relates to the Processing of Personal Data, including claims against Prommt or its Subcontractors, provided that Customer shall not enter into any compromise or settlement of such claim or compromise any such claim without Prommt’s prior written consent if such compromise or settlement would assert any liability against Prommt, increase the liability (including under an indemnity) of Prommt, or impose any obligations or restrictions on Prommt, such as imposing an injunction or other equitable relief upon Prommt. Where required, such consent shall not be unreasonably withheld or delayed. Customer’s exercise of such right under this clause 10.3 shall (a) not be construed to require Customer to bear the costs of such defence and settlement and (b) be without prejudice to its contractual, legal, equitable or other rights to seek recovery of such costs.

Where Prommt interacts directly with a Regulator in accordance with clause 10.2, Prommt shall do so in an open and co-operative way at its own expense and in consultation with <Customer >. With respect to such interaction with a Regulator, Prommt shall (and shall cause its Personnel and Subcontractors to):

• make itself readily available for meetings with the Regulator as reasonably requested;
• subject to clause 10.4(c) below, answer the Regulator’s questions truthfully, fully and promptly; and provide the Regulator with such information and co-operation as the Regulator may require; and
• where permitted by law, notify Customer of any Regulator’s request for information relating to Customer or the Personal Data and before disclosing such requested information, co-operate with Customer’s efforts to prevent the disclosure of, or obtain protective treatment for, such information, and comply with Customer’s reasonable instructions regarding the response to such request.

Prommt shall provide Customer with such assistance and information as Customer may reasonably request in order for Customer to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of GDPR (or where applicable, UK GDPR), respectively.

Indemnity

Prommt shall, at all times during and after the term of the Agreement, indemnify Customer and its Affiliates against losses, damages, costs or expenses and other liabilities (including legal fees) incurred by Customer and its Affiliates arising out of or in connection with any (a) breach of Prommt’s obligations under this DPA, (b) Prommt’s negligence or wilful misconduct or (c) any Security Incident.

Termination and General

This DPA and (where applicable) the Standard Contractual Clauses will terminate when Prommt ceases to Process Personal Data, unless otherwise agreed in writing between the parties. On termination of the DPA for whatever reason, or upon written request from Customer at any time, Prommt will cease Processing Personal Data, return a copy of the Personal Data to Customer and then securely delete or destroy, as applicable, all Personal Data in Prommt’s possession (except as prohibited by law or other explicit data retention and/or return provisions in the Agreement) within 90 days.

Change in Law

In this DPA, unless the context otherwise requires, references to a statutory provision include references to that statutory provision as from time to time amended, extended or re-enacted and any regulations made under it. In the event that the amendment, extension or re-enactment of any statutory provision or introduction of any new statutory provision, or the publication of a relevant court judgment or guidance, code of practice or similar document by a Regulator,  has a material impact on the obligations of either party, the parties will negotiate in good faith to agree such amendments to this DPA as may be appropriate in the circumstances. If, within a reasonable period of time, the parties cannot reach agreement on the nature of the changes required, Customer may terminate this DPA and the Agreement without incurring any liability to Prommt, upon at least thirty (30) days written notice.

Limitation of Liability

Neither party excludes or limits liability to the other party for:

• fraud or fraudulent misrepresentation;
• death or personal injury caused by negligence;
• any matter for which it would be unlawful for the parties to exclude liability.

Subject to clause 11.3.1, the Data Processor shall not in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:

• any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
• any loss or corruption (whether direct or indirect) of Data or information (other than as is set out in the Data Protection Laws)
• loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
• any loss or liability (whether direct or indirect) under or in relation to any other contract.

Clause 11.3.2 shall not prevent claims, which fall within the scope of clause 11.3.4, for:

• direct financial loss that are not excluded under any of the categories set out in clause 11.3.2.1 to clause 11.3.2.4; or
• tangible property or physical damage.

Subject to clause 11.3.1, the Data Processor’s total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement or any collateral contract shall in all circumstances be limited to €1,000,000.

Exclusion of third-party rights

Customer’s Affiliates shall have third-party rights in accordance with clause 3.2 and Data Subjects are granted third-party rights under the Standard Contractual Clauses.  All other third-party rights are excluded.

Governing Law

To the extent required by applicable Data Protection Laws (e.g., in relation to the governing law of the Standard Contractual Clauses), this DPA shall be governed by the law of the applicable jurisdiction.  In all other cases, this DPA shall be governed by the laws of the jurisdiction specified in the Agreement.