Data Protection Legislation: The General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time in England and Wales, the UK GDPR and then any successor legislation to the GDPR or the Data Protection Act 2018.
DEFINITIONS
In this Data Processing Agreement (the “Agreement”), the following terms shall have the meaning set out in the Data Protection Legislation: “data controller”, “data processor”, “data subject”, “personal data”, “processing/processes” (and cognate terms thereof) and “supervisory authority”.
“Customer” is the purchaser of the services from Team Blue Internet Services UK Limited, t/a Catalyst2.
“Company Supplied Software” is a piece of software supplied and installed by Team Blue Internet Services UK Limited, t/a Catalyst2 such as (but not limited to) the operating system, web server and database server on a managed server.
“Logical Security” means the protection of computer software (“Operating System”) of Team Blue Internet Services UK Limited, t/a Catalyst2’s platform, including user identification and password access, authentication, access rights. These measures are to ensure that only authorised users are able to perform actions or access information on our platform.
“Parties” are Team Blue Internet Services UK Limited, t/a Catalyst2 (“Catalyst2”) together with the Customer.
“Physical Security” means the protection of hardware, software, network and data from physical action and events that could cause serious loss or damage to Team Blue Internet Services UK Limited, t/a Catalyst2’s platform. This includes protection from fire, flood, natural disasters, theft and vandalism.
“Customer Supplied Software” is defined as (but not limited to) any application that is developed or used by the Customer including WordPress, Magento and any custom applications developed by or for the customer.
“UK GDPR” shall have the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
- Team Blue Internet Services UK Limited, t/a Catalyst2 (“Catalyst2”) (including its subsidiaries) adheres to the measures set out in the EU Regulation no. 2022/2065 – Digital Services Act (“DSA”). Users are responsible for the content they upload, share, or otherwise make available on our services. Any content that violates the DSA, other applicable law or our Terms & Conditions may be subject to removal, and users may be subject to account suspension or termination on Catalyst2’s initiative.
- We will cooperate with relevant authorities as required by the relevant regulation and DSA, including providing information (including personal data) and assistance in investigations. The single point of contact will be reachable, at the following email address: abuse@catalyst2.com (the “Abuse Email”).
- If any person or entity is aware of the presence of specific items of information and/or content on Catalyst2 service that individual or entity considers to be illegal content, the individual or entity may contact Catalyst2 at the Abuse Email and send a report (the “Report”) that meets all the requirements below:
- a sufficiently substantiated explanation of the reasons why the individual or entity alleges the information in question to be illegal content; and
- a clear indication of the exact electronic location of that information, such as the exact URL or URLs, and, where necessary, additional information enabling the identification of the illegal content adapted to the type of content and to the specific type of hosting service; and
- the name and email address of the individual or entity submitting the notice, except in the case of information considered to involve one of the offences referred to in Articles 3 to 7 of Directive 2011/93/EU; and
- a statement confirming the genuine belief of the individual or entity submitting the notice that the information is accurate and complete.
- Once Catalyst2 receives a report, it will send a confirmation receipt to the individual or entity without undue delay. Where a Report meets the above requirements, Catalyst2 will notify that person or entity of its decision, providing a “statement of reason.” Catalyst2 is not required to undertake a detailed legal examination of the facts in the Report but must carry out a review at the level expected of a diligent hosting provider.
- If the individual or entity does not agree with Catalyst2’s decision, they may contact Catalyst2 once again, at the Abuse Email, setting out the reasons they do not agree with the decision. Catalyst2 will examine the request and communicate the final decision to the individual or entity. Notwithstanding the above process, the individual or entity may also report the allegedly illegal content or activity to public authorities in order to defend its rights.
- To enhance transparency and in compliance with the DSA, Catalyst2 may publish reports outlining its content moderation practices, including the number and nature of content removals and user accounts suspended or terminated.
- Catalyst2’s representative regarding the DSA is Hannah Bushell, General Counsel UK & IE.
- DATA PROTECTION LEGISLATION
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
- ROLES
- The parties acknowledge that for the purposes of the Data Protection Legislation, Team Blue Internet Services UK Limited, t/a Catalyst2 (“Catalyst2”) is the data processor and the Customer is the data controller.
- This Agreement should be read in conjunction with Catalyst2’s acceptable use policy and terms and conditions. To the extent there is a conflict between this Agreement and the acceptable use policy and terms and conditions, the terms of this Agreement shall take precedence.
- The duration of the processing shall be from the date of the Customer’s acceptance of this Agreement, until the Agreement expires or terminates in accordance with the expiry or termination of the Customer’s services with Catalyst2. The subject matter, nature and purpose of the processing shall be the provision of the Services by Catalyst2 to the Customer.
- The categories of data subjects and types of personal data are those provided or made available to Catalyst2 by or on behalf of the Customer through the use or provision of the services purchased by the Customer (the “Services”) and shall exclude special categories of personal data or data relating to criminal convictions and offences.
- Catalyst2 shall process the personal data for the Customer in accordance with article 4 no. 2 and article 28 of the UK GDPR.
- CATALYST2 RESPONSIBILITIES
- Catalyst2’s responsibilities with regard to the processing of personal data provided by the Customer in its use of the Services are limited to providing adequate security measures to store the data uploaded by the Customer onto the hosting platform. Catalyst2 is responsible for the Physical Security of its platform, and the Logical Security of the Operating System and the Company Supplied Software which serves the Customer’s database. Catalyst2 is not responsible for the security of the data however populated within such databases and/or hosting space by the Customer, or Customer Supplied Software managed by the Customer and the access to the data that this has. This is the sole responsibility of the Customer.
- Catalyst2 shall, in relation to any personal data processed in connection with the performance by Catalyst2 of its obligations under this Agreement:
- process that personal data only on the written instructions of the Customer, unless Catalyst2 is otherwise required to do so by the laws of any member of the European Union or by the laws of the European Union that apply to Catalyst2 (“Applicable Laws”). Where Catalyst2 is required by Applicable Laws to process personal data, Catalyst2 shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prevent Catalyst2 from notifying the Customer;
- pursuant to article 32 of the GDPR, ensure that it has appropriate technical and organisational measures in place in order to protect against any unauthorised or unlawful processing of personal data, accidental loss or destruction of personal data, and damage being caused to personal data;
- ensure only personnel required for the purposes of carrying out this Agreement have access to, and that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
- if the Customer is unable to access the relevant information, to assist the Customer, and in any event, at the Customer’s cost, provide reasonable assistance in responding to any request from a supervisory authority or a data subject (taking into account the nature of the processing) and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators (taking into account the nature of processing and the information available to Catalyst2);
- notify the Customer without undue delay upon becoming aware of a personal data breach;
- in accordance with Catalyst2’s standard policies, delete, or return (at the Customer’s cost) in a format determined by Catalyst2, personal data and copies thereof, on termination of the Agreement, unless required by any Applicable Laws to continue to store the personal data; and
- maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits to be carried out by the Customer, only so far as is necessary in order to demonstrate compliance, provided that the Customer (a) provides Catalyst2 with no less than 30 days’ notice of such audit or inspection; (b) refunds Catalyst2 for all reasonable costs and expenses that it incurs as a result of any such audit or inspection; and (c) both parties agree the scope, duration and purpose of such audit or inspection. If the Customer becomes privy to any Confidential Information of Catalyst2 as a result of this clause, the Customer shall hold such Confidential Information in confidence and, unless required by law, not make the Confidential Information available to any third party, or use the Confidential Information for any other purpose. The Customer acknowledges that Catalyst2 shall only be required to use reasonable endeavours to assist the Customer in procuring access to any third party assets, records or information as part of any audit; and
- to provide a list of sub-processors engaged to fulfil Services by sending an email request to privacy@catalyst2.com.
- THE CUSTOMER’S RESPONSIBILITIES
- The Customer acknowledges that Catalyst2 has no knowledge of the type/content of any personal data received, stored, or transmitted to Catalyst2 platform, by using the Services.
- If Catalyst2 believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform the Customer and provide reasonable cooperation to the Customer (at the Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
- In respect of personal data which the Customer receives, stores, or transmits using the Services, the Customer:
- will ensure, and warrants that, it has all necessary and appropriate consents and notices in place to lawfully transfer the personal data to Catalyst2, for the duration and purposes of this Agreement;
- undertakes that its use of the Services for processing personal data will each (i) comply with privacy laws or regulations applicable to its Processing of Customer Personal Data, (ii) not cause Catalyst2 to infringe Applicable Data Protection Law. The Customer will ensure that it has all necessary consents, notices and other requirements in place to enable lawful processing of the Customer personal data by Catalyst2 for the duration and purposes of this Agreement;
- shall, unless otherwise provided for in the Agreement, be solely responsible for the legality, confidentiality, integrity, availability, accuracy and quality of all data it processes;
- shall be solely responsible for ensuring the safety and security of all the data it controls and processes. The Customer warrants it has relevant and appropriate security measures in place to adequately protect the personal data it collects/processes. The Customer must verify the adequacy of Catalyst2’s security measures as appropriate for the type of personal data the Customer collects/processes and stores on Catalyst2’s platform. The Customer should refer to the Acceptable Use Policy to ensure it is not in breach of Catalyst2’s terms and conditions.
- is solely responsible for responding to any request from a data subject and in ensuring its own compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- shall indemnify Catalyst2 against any claims, actions, liabilities, proceedings, direct losses, damages, expenses, fines and costs (including without limitation court costs and reasonable legal fees) incurred by Catalyst2 as a direct result of any negligence, wilful misconduct, or breach of the Data Protection Legislation of the Customer.
- THIRD PARTY PROCESSING
- The Customer grants Catalyst2 the authorisation to appoint (and permit each third party processor appointed in accordance with this section 5) third party sub-processors in accordance with this section 5.
- Catalyst2 may appoint alternative third party processors to provide materially like for like services to the Customer as part of the Services subject to: (a) Catalyst2 entering into a written agreement with such third party processor incorporating terms which are substantially similar to those set out in this Agreement; and (b) such third party processor being able to demonstrate at least as high a standard of service quality and compliance to the previously appointed third party processor.
- The Customer agrees to Catalyst2 giving any such sub-processors access to the Customer’s details so that Catalyst2 can deliver the Services under the agreement. The Customer further agrees that those sub-processors may be based outside of the country in which the Customer has chosen to store Customer Personal Data, subject to Catalyst2 taking steps to ensure transfer protections are in place if transfers are made to those sub-processors. Catalyst2 requires that its sub-processors maintain security and data protection practices that are consistent with this Agreement.
- GOVERNING LAW
This Agreement and any dispute or claim arising out of or in connection with it, or its subject matter or formation, including non-contractual disputes or claims, shall be governed by, and construed in accordance with the laws of England and Wales. The parties agree that the courts of England and Wales will have exclusive jurisdiction to settle any dispute, whether contractual or non-contractual, arising from or in connection with this Agreement.
- JURISDICTION
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.