Data Processing Addendum

Last Updated February 2024

Parties

This Data Processing Addendum (DPA) is between Assurestor and the other party to the Principal Services Agreement.

Background

  • Assurestor provides the Services and Support to Resellers and End Users pursuant to Principal Services Agreements.
  • The provision and use of the Services and Support involves the processing of Relevant Data by Assurestor, Resellers and End Users.
  • This DPA sets out the responsibilities of Assurestor, Resellers and End Users with respect to the processing of Relevant Data in connection with the provision and use of the Services and Support.

1. Status and effect of this DPA

1.1 This DPA supplements and forms a binding part of the Principal Services Agreement.

1.2 Except as amended or varied by this DPA, the provisions of the Principal Services Agreement shall continue in full force and effect in accordance with its terms.

1.3 In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Services Agreement, the provisions of this DPA shall prevail with regard to the parties’ obligations, rights and liability in connection with the processing of Relevant Data.

2. Definitions

2.1 The following definitions apply in this DPA:

Account Data:
information relating to Users and other Distributor, Reseller and End User staff that is uploaded to, stored in and/or transmitted to Assurestor via a Service Portal or other account required to access a Service, as described in Schedule 1.
Assurestor:
Assurestor Limited, a company incorporated in England and Wales with company number 08249507, whose registered office is at Leytonstone House, 3 Hanbury Drive, Leytonstone, London, England, E11 1GA.
Assurestor’s Privacy Notice:
Assurestor’s privacy notice, available at Privacy Policy | Assurestor.
Controller Purposes:
the processing purposes carried out by the parties as controllers, as set out in Schedule 2.
Data Protection Laws:
all laws applicable to the processing of Personal Data in connection with the Principal Services Agreement, including but not limited to the UK GDPR and the UK Data Protection Act 2018 and, if the processing of Personal Data in connection with the Principal Services Agreement is subject to the EU GDPR, the EU GDPR.
Data Security Measures:
the technical and organisational measures that Assurestor applies to Relevant Data, as set out in the Data Security Measures Policy available at https://www.assurestor.com/legal.
Direct Reseller Agreement:
an agreement between Assurestor and a Reseller for the provision of Services for onward sale to End Users as Reseller Services.
Distributor:
a business entity that distributes Services to Resellers pursuant to a Distributor Agreement.
Distributor Agreement:
an agreement between Assurestor and a Distributor for the provision of Services for onward sale by the Distributor to Resellers.
Distributor-Reseller Agreement
an agreement between a Distributor and a Reseller for the provision of a Service for onward sale by Reseller to End Users as Reseller Services.
End User:
a person or entity that receives Services from Assurestor under an End User Agreement or receives Reseller Services from a Reseller under an agreement with that Reseller.
End User Agreement:
an agreement between Assurestor and an End User for the provision of Services.
End User Systems:
the hardware and software systems of End Users that interact with, or may reasonably be expected to interact with, the Services.
EU:
the member states of the European Union, the member states of the European Economic Area and Switzerland.
EU GDPR:
the General Data Protection Regulation (Regulation (EU) 2016/679).
My2Cloud Portal:
the online portal operated and made available to Reseller and End Users by Assurestor for the purposes of accessing live and analytics data about the Platforms they use, including billing and support information such as issued invoices and support tickets.
Order Form:
an order form prepared by Assurestor and executed by Reseller or End User pursuant to and in accordance with the Principal Services Agreement.
Online Reseller Service Terms:
the terms and conditions set out at the URL in the Distributor-Reseller Agreement, which govern use of the Services by Resellers who purchase Services from a Distributor pursuant to a Distributor-Reseller Agreement.
Partner Portal:
the online portal managed and made available by Assurestor at https://partner.assurestor.com to enable and Referrers to access information about the Services.
Permitted Purposes:
the purposes for which the parties may process Relevant Personal Data, as set out in Schedule 2.
Personal Data:
as defined in the UK GDPR.
Platform:
a platform managed by Assurestor and used by Assurestor to provide the Services, including the application and database software for the Services, the system and server software used to provide the Services, and the computer hardware on which that application, database, system and server software is installed.
Principal Services Agreement:
the applicable End User Agreement or Reseller Agreement.
Processor Purposes:
the processing purposes carried out by Assurestor and/or Resellers as processors, as set out in Schedule 2.
Processor Terms:
the processing terms between controllers and processors required by Article 28 of the UK GDPR and EU GDPR, as set out in Schedule 3.
Referrer:
a business entity that refers potential End Users to Assurestor to receive Services under an End User Agreement.
Relevant Data:
Account Data, Service Data, Usage Data and User Data.
Relevant Personal Data:
Personal Data comprised in Relevant Data.
Reseller:
any agent, reseller, managed service provider, distributor, OEM or any other kind of sales channel that sells, licenses, markets or distributes the Services as Reseller Services pursuant to a Direct Reseller Agreement or Distributor-Reseller Agreement.
Reseller Agreement:
a Direct Reseller Agreement or an agreement between Assurestor and a Reseller pursuant to the Online Reseller Service Terms.
Reseller Services:
the provision by Reseller of the Services, support of the Services and other services built on or related to the Services to End Users.
Schedule:
a schedule to this DPA.
Service Data:
any data, programs or other information of End Users stored on End User Systems and copied, or to be copied, to a Platform via the Services, as described in Schedule 1.
Services:
any services made available by Assurestor from time to time and purchased by Reseller or End User under the Principal Services Agreement.
Service Portal:
any of the My2Cloud Portal, Partner Portal, Support Portal and Service-specific portals.
Service Term:
the term for the provision of a Service by Assurestor to a Reseller or End User, being the term of the Order Form for the Service or the subscription term for the Service under the Online Reseller Service Terms, as applicable.
Support:
the provision of support in relation to the use of, and the identification and resolution of errors in, the Services.
Support Portal:
Assurestor’s support portal made available at https://support.assurestor.com.
Third Party Services:
software, platforms and services operated by third party providers with which the Services are integrated or on which the Services are built, as identified in the applicable Principal Services Agreement.
Transfer Mechanism:
a condition set out in Chapter V of the UK GDPR or EU GDPR for ensuring an adequate level of protection for Personal Data transferred to a third country, including an adequacy decision under Article 45, an appropriate safeguard under Article 46 or a derogation under Article 49.
UK:
means The United Kingdom of Great Britain and Northern Ireland.
UK GDPR:
the EU GDPR as transposed into UK law (including by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
Usage Data:
data related to use of the Services by End Users and Resellers, as described in Schedule 1.
User Data:
data related to use of the Platform, Services and Service Portals by Users, as described in Schedule 1.
User:
an individual end user who uses the Services and/or has access to a Service Portal on behalf of an End User, Reseller or Distributor.
Vendor:
a provider of Third Party Services.

2.2 Terms relating to the processing of Personal Data such as processing, controller, processor, data subject and supervisory authority have the meanings given to them in the applicable Data Protection Law.

3. Purposes for processing Relevant Personal Data
3.1 Assurestor, End Users and Resellers may process Relevant Personal Data as reasonably necessary for the Permitted Purposes set out in Schedule 2.

4. Roles of the parties
4.1. Schedule 2 sets out the roles of the parties as controllers, processors or sub-processors in respect of the processing of Relevant Personal Data.

5. Application of Processor Terms
5.1. The Processor Terms shall apply to the processing of Service Data, which is processed by Assurestor and Resellers only for Processor Purposes.
5.2. The Processor Terms shall not apply to the processing of Account Data, which is processed by the parties only for Controller Purposes, User Data, which is processed by Assurestor only for Controller Purposes or Usage Data, which does not contain Personal Data.

6. Data security
6.1. Assurestor shall apply the Data Security Measures to Relevant Data.
6.2. End User and Reseller shall take reasonable steps to ensure that:
6.2.1. no unauthorised person gains access to the Platform or Services via a User account; and
6.2.2. persons it authorises to use the Platform and Services as Users have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, are adequately trained in data security and are reliable and aware of the confidential nature of Service Data and Account Data.

7. Data sharing
7.1. Assurestor may share :
7.1.1. Relevant Data with Vendors, to the extent necessary for the provision of the Services or Third Party Services;
7.1.2. Service Data and Account Data with any subcontractor appointed by Assurestor to provide Support, to the extent necessary for the provision of the Support requested;
7.1.3. User Data with any providers of services used by Assurestor in connection with the Services, such as web analytics , to the extent necessary for the provision of those services to Assurestor;
7.1.4. Relevant Data with other third parties if Assurestor is under a duty to disclose data in order to comply with any legal obligation, in connection with a merger or sale of Assurestor’s business or to protect the rights, property, or safety of Assurestor, Distributors, Resellers, End Users, Users or others, provided that Assurestor must only share Relevant Data with such recipients if and to the extent necessary for the relevant processing purpose and in accordance with the Data Protection Laws.
7.2. Assurestor shall comply with its obligations as a processor under the Processor Terms when sharing Service Data.

8. Data retention and deletion
8.1. Assurestor shall retain Relevant Data in accordance with the retention and deletion provisions set out in Schedule 1.

9. Assurestor’s obligations
9.1. Assurestor shall comply with its obligations as a controller under the Data Protection Laws when processing Account Data or User Data for the Controller Purposes. Further information about Assurestor’s processing for the Controller Purposes is set out in Assurestor's Privacy Notice.
9.2. Assurestor shall comply with its obligations as a processor under the Data Protection Laws and the Processor Terms when processing Service Data for the Processor Purposes.

10. End User obligations
10.1. End User shall comply with its obligations as a controller under the Data Protection Laws when processing Relevant Personal Data, including, without limitation, ensuring that it:
10.1.1. has a legal basis for that processing; and
10.1.2. provides data subjects with information about that processing.
10.2. End User shall comply with its obligations as a controller under the Processor Terms when processing Service Data via the Services.

11. Reseller obligations
11.1. Reseller shall comply with its obligations as a controller under the Data Protection Laws when processing Account Data for the Controller Purposes.
11.2. Reseller shall comply with its obligations as a processor under the Data Protection Laws when processing Service Data for the Processor Purposes on behalf of End Users and:
11.2.1. Reseller shall comply with all Reseller obligations set out in the Processor Terms;
11.2.2. Reseller shall enter into binding data processing terms with its End Users that comply with the Data Protection Laws and are consistent with the Processor Terms;
11.2.3. Reseller shall be responsible for obtaining and providing Assurestor with the End User’s processing instructions and authorisation for international transfers of Service Data and engagement of sub-processors by Assurestor to process Service Data (Instructions and Authorisations);
11.2.4. Reseller shall ensure that all Instructions and Authorisations it provides to Assurestor are in accordance with the End User’s processing instructions, the data processing terms between Reseller and the End User and the Data Protection Laws;
11.2.5. Reseller warrants that all Instructions and Authorisations set out in the Processor Terms and any document agreed between Assurestor and Reseller in writing in respect of the Processor Purposes are in accordance with the End User’s processing instructions, the data processing terms between Reseller and the End User and the Data Protection Laws;
11.2.6. Assurestor may treat all Instructions and Authorisations contained in the Processor Terms and any document agreed between Assurestor and Reseller in writing in respect of the Processor Purposes as the End User’s processing instructions;
11.2.7. Reseller shall indemnify Assurestor in respect of any losses, damages, claims, penalties or other liabilities incurred by Assurestor arising out of a breach of the warranty in Clause 11.2.5.

12. Co-operation between the parties
12.1. Each party shall co-operate with the other, to the extent reasonably requested, in relation to:
12.1.1. any request by a data subject to exercise any of their rights as a data subject under the Data Protection Laws in respect of Relevant Personal Data;
12.1.2. any other communication from a data subject concerning the processing of their Personal Data comprised in Relevant Data; and
12.1.3. any communication from a supervisory authority concerning the processing of Relevant Personal Data.

13. Liability in respect of data processing
13.1. Each party’s liability to the other in respect of any breach of this DPA shall be governed by the liability provisions of the Principal Services Agreement.

14. Notices under this DPA
14.1. Any notice or other communication required under this DPA, including under the Processor Terms, shall be given in accordance with the notice provisions of the Principal Services Agreement and this Clause 14.
14.2. Notices between the parties to the Principal Services Agreement shall be sent directly to each other using the notice address details in the Principal Services Agreement.
14.3. For notices to be given to End User as a controller of Service Data if the Services are provided to End User under an End User Agreement:
14.3.1. Assurestor shall send notices directly to End User using the notice address details in the applicable End User Agreement; and
14.3.2. End User shall send notices directly to Assurestor using the notice address details in the applicable End User Agreement.
14.4. For notices to be given to End Users as controllers of Service Data if the Services are provided to End Users under a Reseller Agreement:
14.4.1. Assurestor shall send notices to Reseller using the notice address details in the applicable Reseller Agreement;
14.4.2. Reseller shall forward Assurestor’s notices to its End Users who are affected by the notice; and
14.4.3. Reseller shall receive and respond to all responses to the notices from its End Users in accordance with the services agreement and data processing terms between Reseller and each End User.
14.5. If the Services are provided to End Users under a Reseller Agreement, provided that Assurestor has complied with this Clause 14, Assurestor shall have no liability to Resellers or End Users in respect of the delivery of notices under this DPA to End Users or the outcome of the notices, including the use of new sub-processors and international transfers of Service Data pursuant to the Processor Terms.

15. Effect of termination of the Principal Services Agreement
15.1. Upon termination of the Principal Services Agreement, the obligations in this DPA shall survive and continue to have effect in respect of any Relevant Data retained by Assurestor after termination.

16. Changes in laws
16.1. If any changes or prospective changes to the Data Protection Laws or other applicable laws result or will result in one or both parties not complying with those laws in relation to their processing of data pursuant to the Principal Services Agreement, the parties shall use their best endeavours to promptly agree such variations to this DPA and/or the Principal Services Agreement as may be necessary to remedy such non-compliance.

Schedule 1 to the Data Processing Addendum
Data descriptions and retention periods

Data type
Description
Data subjects
Retention period
Start of retention period
Service Data
Fully determined by End User. It includes any data, programs or other information of End User stored on End User Systems and copied, or to be copied, to a Platform via the Services.
Any individual to whom Personal Data comprised in Service Data relates.
The date that End User or Reseller copies Service Data to a Platform via the Services.
Account Data
Names, usernames, work email addresses, work telephone numbers, job titles, authorisation in respect of the Services and Support, access credentials.
Users and other End User, Reseller and Distributor staff.
Account Data will remain in the Service Portal account(s) for the duration of the Principal Services Agreement.
Creation of the account on the Service Portal.
User Data
Identification numbers, unique IDs, IP addresses, error reports, pages visited, browser information.
Users and other End User, Reseller and Distributor staff.
User Data will remain in the Service Portals for the duration of the Principal Services Agreement.
Date of collection.
Usage Data
Service usage information and counters used for billing purposes.
N/A (Usage Data does not contain Personal Data).
Usage Data will remain in the My2Cloud Portal for up to 12 months whilst the Principal Services Agreement is in force.
Date of collection.

Schedule 2 to the Data Processing Addendum
Permitted Purposes for processing Relevant Personal Data

Service Data

End User
Assurestor
Reseller
Purpose
Using the Services and obtaining Support in accordance with the End User Agreement or equivalent agreement with Reseller.
Providing the Services and Support in accordance with the applicable Principal Services Agreement.
Providing the Reseller Services in accordance with the applicable Principal Services Agreement.
Role
Controller
Processor under an End User Agreement. Sub-processor under a Reseller Agreement.
Processor

Account Data

End User
Assurestor
Reseller
Purpose
Accessing and using the Services and obtaining Support in accordance with the End User Agreement or equivalent agreement with Reseller. Accessing Service-related information via the My2Cloud Portal and Support Portal.
Enabling access to the Services by End Users and Resellers and providing Support to End Users and Resellers in accordance with the Principal Services Agreement. Marketing Assurestor products and services and providing information about the Services to Resellers and Distributors via the Partner Portal. Providing Service-related information, such as scheduled maintenance, changes to Services and changes to authentication processes, to End Users and Resellers via the My2Cloud Portal and Support Portal.
Accessing and using the Services and obtaining Support itself and/or on behalf of its End Users in accordance with the applicable Principal Services Agreement. Accessing information made available by Assurestor via the Partner Portal. Accessing Service-related information via the My2Cloud Portal and Support Portal.
Role
Controller
Controller
Controller

User Data

End User
Assurestor
Reseller
Purpose
No access to User Data.
Developing and improving the Services and other Assurestor products and services. Managing and monitoring access to and use of the Services, Platform and Service Portals by Resellers and End Users for the purposes of: ensuring compliance with the terms of the applicable Principal Services Agreement ensuring the security, integrity, resilience and operationality of the Services and Platform.
No access to User Data.
Role
N/A
Controller
N/A

Usage Data

End User
Assurestor
Reseller
Purpose
Accessing data about End User’s use of the Services and validating the fees charged for the Services.
Monitoring use of the Services by Resellers and End Users for the purposes of: billing providing Resellers and End Users with live and analytics data about the Platforms they, and in the case of Resellers, their End Users, use complying with reporting obligations to Vendors regarding use of Third Party Services by End Users and Resellers.
Accessing data about its and its End Users’ use of the Services and validating the fees charged for the Services.
Role
N/A (Usage Data does not contain Personal Data).
N/A (Usage Data does not contain Personal Data).
N/A (Usage Data does not contain Personal Data).

Schedule 3 to the Data Processing Addendum
Processor Terms

1. Detail of the processing of Service Data in connection with the Principal Services Agreement

Subject matter
Pursuant to the Principal Services Agreement, Service Data is stored on the Platform and processed via the Services for backup and/or disaster recovery purposes, as determined by End User or Reseller on behalf of End User according to their instructions and use of the Services.
Nature
End User or Reseller on behalf of End User processes Service Data via the Services as a result of using the Services. Assurestor processes Service Data as a result of operating the Platform and providing the Services to End Users and Resellers and may also process Service Data in connection with the provision of Support or professional services if and to the extent that the provision of Support or those services involves access to Service Data or the performance of any operation on Service Data, such as deleting, updating, restoring, copying and exporting Service Data. Reseller processes Service Data as a result of providing Reseller Services to End Users and may also process Service Data in connection with the provision of Support or professional services as part of the Reseller Services if and to the extent that the provision of Support or those services involves access to Service Data or the performance of any operation on Service Data.
Purpose
The provision of the Services by Assurestor to End Users and Resellers under the Principal Services Agreement.
Categories of data subjects
Fully determined by End User. It includes any individual to whom Personal Data comprised in Service Data relates.
Types of Personal Data
Fully determined by End User. It includes any Personal Data comprised in Service Data.
Duration of processing
The applicable Service Term.

2. Processing Instructions
2.1. Assurestor shall only process Service Data on the documented instructions of End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement), including with regard to transfers of Service Data outside the UK or EU, as set out in these Processor Terms or any other document agreed by the parties in writing (Processing Instructions).
2.2. End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement) instructs Assurestor to process Service Data as reasonably necessary for the purpose of providing the Services in accordance with the Principal Services Agreement and to transfer Service Data outside the UK or EU in the circumstances, and subject to the Transfer Mechanisms, set out in Schedule 4 of this DPA.
2.3. Assurestor shall promptly inform End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement), if, in Assurestor’s opinion, any Processing Instruction infringes the Data Protection Laws. Once Assurestor has informed End User or Reseller under this Paragraph 2.3, Assurestor shall have no further liability to End User or Reseller in respect of the relevant processing being found to infringe the Data Protection Laws.
2.4. Notwithstanding any other provision of these Processor Terms, Assurestor may process Service Data otherwise than in accordance with the Processing Instructions if and to the extent that Assurestor is required to do so by applicable law. In such a case, Assurestor shall inform End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement) of the legal requirement before processing, unless that law prohibits such information .

3. Security
3.1. Assurestor shall ensure that persons it authorises to process Service Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and shall take reasonable steps to ensure that such persons are reliable and aware of the confidential nature of Service Data.
3.2. Assurestor, End User and Reseller shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for Service Data, including but not limited to:
3.2.1. in Assurestor’s case, applying the Data Security Measures to Service Data; and
3.2.2. in End User’s and Reseller’s case, taking reasonable steps to ensure that: (i) no unauthorised person gains access to the Platform or Services via a User account; and (ii) persons it authorises to use the Platform and Services as Users have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, are adequately trained in data security and are reliable and aware of the confidential nature of Service Data.

4. Sub-processors
4.1. Assurestor must not engage any third party sub-processor to process Service Data without the prior specific or general written authorisation of End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement).
4.2. Assurestor is authorised by End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement) to engage, as sub-processors with respect to Service Data, the Vendors identified in Schedule 4 of this DPA ("Authorised Sub-Processors").
4.3. Assurestor shall inform End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) at least 14 days in advance of any intended changes concerning the addition or replacement of any Authorised Sub-Processor (the date of this notice being the “Notification Date”). Assurestor shall have no obligation to notify End Users directly if the Services are provided to them under a Reseller Agreement. If the Services are provided to End User under an End User Agreement and End User objects to a new sub-processor, End User may terminate the Order Form for the Service(s) affected by the change in sub-processor by giving written notice to Assurestor within 14 days of the Notification Date (“the Notice Period”). Such termination shall take effect at the end of the Notice Period or 7 days after the date of End User’s termination notice, whichever is later, and shall be subject to the provisions of the End User Agreement relating to consequences of termination of an Order Form. This termination right is End User’s sole and exclusive remedy if End User objects to any new or replacement Authorised Sub-Processor. If no termination notice is received by Assurestor, End User shall be deemed to have authorised the new sub-processor. Any addition to or replacement of an Authorised Sub-Processor under this Paragraph 4.3 shall be deemed to be an Authorised Sub-Processor. If the Service is provided to End User under a Reseller Agreement and End User objects to a new sub-processor, Reseller shall respond to the objection in accordance with the data processing terms between Reseller and End User, and Assurestor shall have no liability to Reseller or End User in respect of such new sub-processor.
4.4. Assurestor shall ensure that each Authorised Sub-Processor it engages to process Service Data is engaged pursuant to a written agreement containing equivalent legal obligations to those imposed on Assurestor by these Processor Terms and where an Authorised Sub-Processor fails to fulfil such obligations Assurestor shall remain fully liable to End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) for the performance of that Authorised Sub-Processor’s obligations.

5. International transfers of Service Data
5.1. End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement) authorises and instructs Assurestor to transfer Service Data outside the UK or EU in the circumstances, and subject to the Transfer Mechanisms, set out in Schedule 4 of this DPA.

6. Assistance with End User controller obligations
6.1. Assurestor shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement) with the fulfilment of End User’s controller obligation to respond to requests exercising a data subject's rights under the Data Protection Laws in respect of Service Data. Assurestor may charge End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) at its standard time-based charging rates for any work performed by Assurestor at the request of End User or Reseller in connection with responding to such requests where the End User or Reseller is able to respond to such requests itself using the functionality of the Services.
6.2. Assurestor shall assist End User (if the Services are provided to End User under an End User Agreement) or Reseller on behalf of End User (if the Services are provided to End User under a Reseller Agreement) in ensuring compliance with the obligations relating to security of the processing of Personal Data, the notification of Personal Data breaches to the supervisory authority, the communication of Personal Data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws in respect of Service Data. Assurestor shall report any Personal Data breach relating to Service Data to End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) without undue delay following Assurestor becoming aware of the breach. Assurestor may charge End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) at its standard time-based charging rates for any work performed by Assurestor at the request of End User or Reseller pursuant to this Paragraph 6.2, except where such work is necessitated by a breach by Assurestor of its obligations under these Processor Terms or the Data Protection Laws.

7. Information and audit
7.1. Assurestor shall make available to End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) on request Assurestor’s ISO 27001 Internal and External Audit Reports and Cyber Essentials Audit Report to demonstrate the compliance of Assurestor with its obligations under these Processor Terms and the Data Protection Laws.
7.2. Assurestor shall allow for and contribute to audits, including inspections, conducted by End User or Reseller on behalf of End User or another auditor mandated by End User or Reseller on behalf of End User in respect of the compliance of Assurestor's processing of Service Data with these Processor Terms and the Data Protection Laws. Reseller or End User must give Assurestor at least 14 days’ written notice of an audit unless the audit is required as a result of a Personal Data breach affecting Service Data or a breach by Assurestor of its obligations under these Processor Terms or the Data Protection Laws, in which case Reseller or End User must give Assurestor reasonable written notice. The audit must take place within Business Hours (as defined in the Principal Services Agreement). Audits shall not be carried out more than once in any 12-month period unless an audit is required as a result of a Personal Data breach affecting Service Data or a breach by Assurestor of its obligations under these Processor Terms or the Data Protection Laws. Assurestor may charge End User (if the Services are provided to End User under an End User Agreement) or Reseller (if the Services are provided to End User under a Reseller Agreement) at its standard time-based charging rates for any work performed by Assurestor at the request of End User or Reseller on behalf of End User pursuant to this Paragraph 7.2, except where such work is necessitated by a breach by Assurestor of its obligations under these Processor Terms or the Data Protection Laws.

8. Return and deletion of Service Data
8.1. End User acknowledges (if the Services are provided to End User under an End User Agreement), and Reseller shall make End User aware (if the Services are provided to End User under a Reseller Agreement), that because the purpose of the Services is the backup and storage of Service Data on the Platform, after the end of the provision of a Service to End User, Assurestor shall delete all Service Data stored on the Platform in accordance with the data retention and deletion provisions set out in Schedule 1 and shall delete any copies of it in its possession or control save to the extent that applicable law requires storage of the relevant Personal Data.

Schedule 4 to the Data Processing Addendum
Vendors and international transfers

This Schedule sets out the Vendors of Third Party Services used by Assurestor in the provision of the Services and the services they provide, the countries to which Services Data is transferred and the Transfer Mechanism used to protect any Services Data transferred out of the UK or EU.

Service
Vendor
Service
Purpose
Country(ies)
Transfer Mechanism
saas2cloud
CloudAlly Limited (an OpenText company)
CloudAlly Cloud-to-Cloud Backup Service
Online backup system that enables End Users to backup and archive cloud-based data.
Service Data is stored in the AWS regional datacentre(s) selected by End User or by Reseller on behalf of End User. Support staff from CloudAlly Limited (Israel) and OpenText Inc. (USA) may access Service Data, but only on and in accordance with the instructions and authorisation of End User or Reseller on behalf of End User.
Standard Contractual Clauses as referenced in the OpenText Customer DPA.
backup2cloud
Zadara Ltd
Cloud compute and storage services
Provision of cloud services for servers and storage of Service Data outside the UK.
Service Data is stored in the Zadara regional data centre(s) selected by End User or by Reseller on behalf of End User. Zadara will not transfer Service Data from the selected region except as necessary to comply with the law or a valid and binding order of a law enforcement agency.
Standard Contractual Clauses as referenced in the Zadara Customer DPA.
dr2cloud
N/A
N/A
N/A
Service Data is stored in the regional datacentre(s) selected by End User or by Reseller on behalf of End User.
As the transfer of Service Data to the selected datacentre is initiated and agreed by End User or Reseller on behalf of End User, the End User or Reseller on behalf of End User is responsible for complying with the transfer rules under Data Protection Laws.
veeam2cloud
N/A
N/A
N/A
Service Data is stored in the regional datacentre(s) selected by End User or by Reseller on behalf of End User.
As the transfer of Service Data to the selected datacentre is initiated and agreed by End User or Reseller on behalf of End User, the End User or Reseller on behalf of End User is responsible for complying with the transfer rules under Data Protection Laws.
All Services
N/A
N/A
Provision of Support to End Users and Resellers.
Assurestor staff based in the UK may access Service Data if and to the extent that the provision of Support or professional services involves access to Service Data or the performance of any operation on Service Data, but only on and in accordance with the instructions and authorisation of End User or Reseller on behalf of End User.
Transfers of Service Data to Assurestor staff based in the UK are subject to the European Commission’s UK Adequacy Decision.