Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Rebasoft End User Licence Agreement (“Agreement”) between Rebasoft Limited (“Rebasoft”, “Processor”) and the Customer (“Controller”) as defined in the Agreement.

1. Definitions

  • Applicable Data Protection Law: The UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and any other applicable UK data protection or privacy laws.
  • Personal Data, Processing, Controller, Processor, Data Subject, Sub-Processor: As defined in UK GDPR.
  • Customer Data: Any Personal Data processed by Rebasoft on behalf of the Customer under the Agreement.

2. Roles and Scope

  • The Customer is the Controller and Rebasoft is the Processor, except where Rebasoft acts as a Controller for its own business operations.
  • This DPA applies only to the extent Rebasoft processes Personal Data on behalf of the Customer.

3. Processing Instructions

  • Rebasoft shall process Customer Data only on documented instructions from the Customer, unless required by law.
  • The Agreement and Customer’s use of the Services constitute documented instructions.

4. Confidentiality

  • Rebasoft shall ensure that all personnel authorised to process Customer Data are subject to confidentiality obligations.

5. Security

  • Rebasoft shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by UK GDPR Article 32.
  • Rebasoft may update its security measures provided they do not materially reduce the protection of Customer Data.

6. Sub-Processing

  • The Customer authorises Rebasoft to appoint Sub-Processors as necessary for the provision of services.
  • Rebasoft shall ensure Sub-Processors are subject to data protection obligations no less protective than those in this DPA.
  • Rebasoft shall remain liable for the acts and omissions of Sub-Processors.
  • Rebasoft will provide a list of current Sub-Processors upon request and notify the Customer of any intended changes, giving the Customer the right to object on reasonable grounds.

7. International Transfers

  • Rebasoft shall not transfer Customer Data outside the UK unless it ensures appropriate safeguards are in place under UK GDPR Chapter V (e.g., UK IDTA, adequacy regulations).

8. Data Subject Rights

  • Rebasoft shall assist the Customer, at the Customer’s cost, in responding to Data Subject requests under Applicable Data Protection Law.
  • Rebasoft shall not respond directly to any Data Subject request unless required by law.

9. Personal Data Breach

  • Rebasoft shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.
  • Rebasoft shall provide sufficient information to assist the Customer in meeting its breach notification obligations.

10. Data Protection Impact Assessments

  • Rebasoft shall provide reasonable assistance to the Customer, at the Customer’s cost, with data protection impact assessments and prior consultations with supervisory authorities.

11. Deletion or Return of Data

  • Upon termination or expiry of the Agreement, Rebasoft shall, at the Customer’s choice, delete or return all Customer Data, unless retention is required by law.
  • Certification of deletion will be provided upon written request.

 

12. Audit Rights

  • Rebasoft shall make available information necessary to demonstrate compliance with this DPA and allow for audits by the Customer or its auditor (subject to confidentiality and security obligations), no more than once per year, with at least 30 days’ notice, and at the Customer’s cost.
  • Rebasoft may satisfy audit obligations by providing third-party certifications or audit reports.

13. Liability

  • Rebasoft’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.
  • The Customer shall indemnify Rebasoft against all claims, losses, and costs arising from the Customer’s breach of this DPA or Applicable Data Protection Law.

14. General

  • In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict.
  • This DPA is governed by the laws of England and Wales.

© Rebasoft Limited – Digitally accepted. Governed by the laws of England and Wales.