Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Agreement between Let Me Search trading as OkaySend ("the Processor") and the Customer ("the Controller").

This agreement has been entered into on the date the Controller signed up for the Processor's service and accepted the terms of this DPA.

1. Definitions and Interpretations

a. Data Protection Legislation: All applicable data protection laws including GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

b. Data Subject: An individual who is the subject of Personal Data.

c. GDPR: General Data Protection Regulation ((EU) 2016/679).

d. Personal Data: Personal Data is any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Services Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

e. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

f. Processing: Processing may be any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Schedules form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.

A reference to writing or written includes email.

These definitions and rules of interpretation will apply in this Data Processing Agreement.

2. Processing Purposes

The Controller and the Processor acknowledge that the Controller is the controller and the Processor is the processor and that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation.

3. Processor's Obligations

The Processor shall:

The Processor will promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

The Processor will keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller.

4. Subprocessing

The Processor may engage Sub-processors to process Customer Data on the Controller's behalf. The Sub-processors currently engaged by the Processor and authorised by the Controller are listed in Schedule 1.

5. Security

The Processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

6. Responses to Data Subjects

a. The Processor will put in place such technical and organisational measures as may be appropriate to enable the Controller to comply with the rights of Data Subjects under Data Protection Legislation, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing and the right to object to automated individual decision making.

b. If the Processor receives any complaint or other communication relating to the processing of the Personal Data or a Subject Access Request from a Data Subject, it must notify the Controller as soon as possible after it receives it and in any event within 3 working days and will provide the Controller with all reasonable assistance in helping the Controller to reply to such communications.

c. The Processor will provide to the Controller such information as the Controller may reasonably require in order for the Controller to comply with the rights of Data Subjects under Data Protection Legislation. The Processor may not charge an additional amount for fulfilling its obligations under this clause 6.

d. The Processor will provide all appropriate assistance to the Controller to enable it to comply with any information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.

e. The Processor shall not disclose Personal Data to any third party other than at the Controller's written request or as set out in this agreement or as required by law.

7. Personal Data Breach

a. If any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable ("Personal Data Loss"), the Processor will notify the Controller without undue delay (and in any event within 72 hours) after learning of such Personal Data Loss and the Processor shall to the extent possible restore any such data at its own expense.

b. If the Processor becomes aware of any unauthorised or unlawful processing of the Personal Data or any Personal Data Breach, it will notify the Controller without undue delay (and in any event within 72 hours).

c. The Processor's notification of, or response to, a Data Breach under this Section 7.2 will not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Data Breach.

d. The Processor will not assess the content of the Controller's data. The Controller is solely responsible for complying with data breach notification laws applicable to the Controller and fulfilling any third party notification obligations related to any Data Breach(es).

e. The parties will co-ordinate and co-operate with each other to investigate any matters arising as contemplated by this clause.

f. The Processor shall take all reasonable steps to mitigate the effects and reduce the impact of any Personal Data Breach or unlawful Personal Data processing.

g. The Processor agrees that it shall not (and the Controller is solely responsible to) provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or any other third party, except when the Processor (as opposed to the Controller) is required by law or regulation to provide such notice.

h. The Processor agrees that it shall not (and the Controller is solely responsible to) offer any type of remedy to affected Data Subjects.

8. Term and Termination

This Agreement will continue for so long as the Processor processes any Personal Data related to the Services Agreement (Term).

If the Processor breaches this Agreement, such breach shall constitute a material breach of the Services Agreement and the Controller may terminate the Services Agreement immediately on written notice to the Processor without further liability or obligation for the Controller.

9. Data Return and Destruction

a. The Processor will, on the request of the Controller, provide the Controller with a copy of or access to the Personal Data in its possession or control in the format and on the media reasonably specified by the Controller.

b. On termination or expiry of the Services Agreement, the Processor will at least 7 days prior to the date of expiry or termination ask the Controller whether the Controller wants the Personal Data to be deleted, destroyed, returned or retained and shall follow the Controller's instructions accordingly.

c. If the Processor is required by any law, regulation, or government or regulatory body to retain any documents or materials, the Processor will inform the Controller in writing of such requirement, providing details of the legal basis for retention and setting out the timings for deletion when such retention period ends.

d. If the Controller requires the Processor to delete or destroy certain documents or materials or anything else containing Personal Data, the Processor shall certify in writing that it has so deleted or destroyed the Personal Data within 3 days of doing so.

10. Audit

The Controller (and any third-party representatives) may audit the Processor's compliance with its obligations under this Agreement and the Processor will give the Controller assistance and co-operation to conduct such audits.

The Processor shall provide written, confidential responses to all reasonable requests for information made by the Controller, including responses to information security and audit questionnaires that are necessary to confirm the Processor's compliance with this DPA, provided that the Controller shall not exercise this right more than once per year.

Schedule 1

Note that below, "Client Data" refers to data that is uploaded or provided by the Controller's clients that are invited into OkaySend.

| Entity | Purpose | Location | Client Data |
| --- | --- | --- | --- |
| Google Cloud Platform | Application, database and file storage | United States | Yes |
| Google | File backups, analytics | United States | Yes |
| Resend | Emails | United States | Yes |
| Twilio | SMS | United States | Yes |
| Typesense | Search engine | United States | Yes |
| Stripe | Billing | United States | |