Muhimbi Ltd - Data Processing Terms

This Data Processing Terms Addendum ("Addendum") forms part of the agreement for provision of the Muhimbi file conversion services contracted for under Muhimbi’s Terms of Service between Muhimbi Ltd ("Muhimbi") and the entity specified as the Customer on an Order Form under the Terms of Service ("Customer").

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined in this Addendum shall have the meaning given to them in the Terms of Service. Except as modified below, the terms of the Terms of Service shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms of Service. Except where the context requires otherwise, references in this Addendum to the Terms of Service are to the Terms of Service as amended by, and including, this Addendum.

Definitions

In this Addendum:

Applicable Law

means as applicable and binding on the Customer, Muhimbi and/or the Services:

(a) any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of;

(b) the common law and laws of equity as applicable to the parties from time to time;

(c) any binding court order, judgment or decree; or

(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Appropriate Safeguards

means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Data Controller

has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;

Data Processor

has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;

Data Protection Laws

means as applicable and binding on the Customer, Muhimbi and/or the Services:

(a) in the United Kingdom:

(i) the Data Protection Act 1998 and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive); and/or

(ii) the GDPR, and/or any corresponding or equivalent national laws or regulations;

(b) in member states of the European Union: the Data Protection Directive or the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and

(c) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;

Data Protection Losses

means all liabilities, including all:

(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and

(b) to the extent permitted by Applicable Law:

(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and

(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;

Data Subject

has the meaning given to that term in Data Protection Laws;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

GDPR

means the General Data Protection Regulation (EU) 2016/679;

GDPR Date

means from when the GDPR applies on 25 May 2018;

International Organisation

means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

International Recipient

has the meaning given to that term in paragraph 6.1;

Personal Data

has the meaning given to that term in Data Protection Laws;

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

processing

has the meaning given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);

Processing Instructions

has the meaning given to that term in paragraph 2.1.1;

Protected Data

means Personal Data received from or on behalf of the Customer to the extent that it is processed by Muhimbi on Customer’s behalf in connection with the performance of Muhimbi’s obligations under the Terms of Service;

Services

means the Services as defined under the Terms of Service;

Sub-Processor

means another Data Processor engaged by Muhimbi for carrying out processing activities in respect of the Protected Data on behalf of the Customer; and

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.


Specific interpretive provision(s)

In this Addendum:

(a) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable;

(b) a reference to a law includes all subordinate legislation made under that law; and

(c) references to “paragraph numbers” are to paragraphs of this Addendum.


Data processing provisions

1 Data Processor and Data Controller

1.1 The parties agree that, for the Protected Data, the Customer shall be the Data Controller and Muhimbi shall be the Data Processor.

1.2 Muhimbi shall process Protected Data in compliance with:

1.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under the Terms of Service; and

1.2.2 the terms of the Terms of Service.

1.3 The Customer shall comply with:

1.3.1 all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under the Terms of Service, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

1.3.2 the terms of the Terms of Service.

1.4 The Customer warrants, represents and undertakes, that:

1.4.1 all data sourced by the Customer for use in connection with the Services, prior to such data being provided to or accessed by Muhimbi for the performance of the Services under the Terms of Service, shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;

1.4.2 all instructions given by it to Muhimbi in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and

1.4.3 it has undertaken due diligence in relation to Muhimbi's processing operations, and it is satisfied that:

(a) Muhimbi’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Muhimbi to process the Protected Data; and

(b) Muhimbi has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

1.5 The Customer shall not withhold, delay or condition its agreement to any Change requested by Muhimbi in order to ensure the Services and Muhimbi (and each Sub-Processor) can comply with Data Protection Laws.


2 Instructions and details of processing

2.1 Insofar as Muhimbi processes Protected Data on behalf of the Customer, Muhimbi:

2.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this paragraph 2 and Schedule 1 (Data processing details), as updated from time to time in accordance with the Change Control Procedure (Processing Instructions);

2.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

2.1.3 shall inform the Customer if Muhimbi becomes aware of a Processing Instruction that, in Muhimbi’s opinion, infringes Data Protection Laws, provided that:

(a) this shall be without prejudice to paragraphs 1.3 and 1.4;

(b) to the maximum extent permitted by mandatory law, Muhimbi shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information; and

(c) this paragraph 2.1.3 shall only apply from the GDPR Date.

2.2 The processing of Protected Data to be carried out by Muhimbi under the Terms of Service shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time by agreement between the parties.


3 Technical and organisational measures

3.1 Muhimbi shall implement and maintain, at its cost and expense, the technical and organisational measures:

3.1.1 in relation to the processing of Protected Data by Muhimbi, as set out in Schedule 1 (Technical and organisational measures); and

3.1.2 from the GDPR Date, taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data.

3.2 Any additional technical and organisational measures shall be at the Customer’s cost and expense.


4 Using staff and other processors

4.1 Muhimbi may engage third-party Sub-Processors in connection with the provision of the Services. Muhimbi shall have entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Protected Data to the extent applicable to the nature of the services provided by such Sub-Processor.

4.2 A list of Sub-Processors as of December 2017 for the Services is set out below. Muhimbi shall make available to Customer an updated list of Sub-Processors in the event that it appoints any new Sub-Processors. Customer may object to Muhimbi’s use of a new Sub-Processor by notifying Muhimbi in writing. In the event Customer objects to a new Sub-Processor, Muhimbi will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-Processor without materially disadvantaging the Customer. If Muhimbi is unable to make available such change within a reasonable period of time, Customer may terminate the Agreement with respect only to those Services which cannot be provided by Muhimbi without the use of the objected-to new Sub-Processor, by providing written notice to Muhimbi. Muhimbi will refund to Customer any prepaid fees covering the remainder of Customer’s Subscription following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

4.3 List of Current Sub-Processors

  • Microsoft Azure - who we use for application hosting purposes.
  • Zendesk - who we use for our support desk user interface and may therefore occasionally have access to some Protected Data to process support requests.
  • Planando - an independent software developer who may have access to Protected Data in the course of providing support.
  • Zevenseas / Rapid Circle - support and development services which may involve access to Protected Data.

4.4 Muhimbi shall:

4.4.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 1 to 11 (inclusive) that is enforceable by Muhimbi;

4.4.2 ensure each such Sub-Processor complies with all such obligations; and

4.4.3 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

4.5 From the GDPR Date, Muhimbi shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Muhimbi shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).


5 Assistance with the Customer’s compliance and Data Subject rights

5.1 Muhimbi shall refer all Data Subject Requests it receives to the Customer within three Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds 5 per calendar month, the Customer shall pay Muhimbi’s charges calculated on a time and materials basis at Muhimbi’s then current rates for recording and referring the Data Subject Requests in accordance with this paragraph 5.1.

5.2 From the GDPR Date, Muhimbi shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Muhimbi) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:

5.2.1 security of processing;

5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);

5.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and

5.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,

provided the Customer shall pay Muhimbi’s charges for providing the assistance in this paragraph 5.2, such charges to be calculated on a time and materials basis at Muhimbi’s then-current rates.


6 International data transfers

6.1 The Customer agrees that Muhimbi may transfer Protected Data to countries outside the United Kingdom or to any International Organisation(s) (an International Recipient), provided all transfers by Muhimbi of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of the Terms of Service shall constitute the Customer’s instructions with respect to transfers in accordance with paragraph 2.1.


7 Records, information and audit

7.1 Muhimbi shall maintain, in accordance with Data Protection Laws binding on Muhimbi, written records of all categories of processing activities carried out on behalf of the Customer.

7.2 Muhimbi shall, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Muhimbi's compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer:

7.2.1 giving Muhimbi reasonable prior notice of such information request, audit and/or inspection being required by the Customer;

7.2.2 ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);

7.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Muhimbi's business, the Sub-Processors’ business and the business of other customers of Muhimbi; and

7.2.4 paying Muhimbi's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.


8 Breach notification

8.1 In respect of any Personal Data Breach involving Protected Data, Muhimbi shall, without undue delay:

8.1.1 notify the Customer of the Personal Data Breach; and

8.1.2 provide the Customer with details of the Personal Data Breach.


9 Deletion or return of Protected Data and copies

9.1 Muhimbi shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of:

9.1.1 the end of the provision of the relevant Services related to processing; or

9.1.2 once processing by Muhimbi of any Protected Data is no longer required for the purpose of Muhimbi’s performance of its relevant obligations under the Terms of Service,
and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Muhimbi shall inform the Customer of any such requirement).


10 Liability, indemnities and compensation claims

10.1 The Customer shall indemnify and keep indemnified Muhimbi in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Muhimbi and any Sub-Processor arising from or in connection with any:

10.1.1 non-compliance by the Customer with the Data Protection Laws;

10.1.2 processing carried out by Muhimbi or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or

10.1.3 breach by the Customer of any of its obligations under paragraphs 1 to 11 (inclusive),
except to the extent Muhimbi is liable under paragraph 10.2.

10.2 Muhimbi shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with the Terms of Service:

10.2.1 only to the extent caused by the processing of Protected Data under the Terms of Service and directly resulting from Muhimbi’s breach of paragraphs 1 to 11 (inclusive); and

10.2.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of the Terms of Service by the Customer (including in accordance with paragraph 2.1.3(b) of this Addendum).

10.3 If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

10.3.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

10.3.2 consult fully with the other party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under the Terms of Service for paying the compensation.

10.4 The parties agree that the Customer shall not be entitled to claim back from Muhimbi any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify Muhimbi in accordance with paragraph 10.1.

10.5 This paragraph 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

10.5.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and

10.5.2 that it does not affect the liability of either party to any Data Subject.


11 Survival of data protection provisions

11.1 Paragraphs 1 to 11 (inclusive) shall survive termination (for any reason) or expiry of the Terms of Service and continue:

11.1.1 indefinitely in the case of paragraphs 9 to 11 (inclusive); and

11.1.2 until 12 months following the earlier of the termination or expiry of the Terms of Service in the case of paragraphs 1 to 8 (inclusive),

provided always that any termination or expiry of paragraphs 1 to 8 (inclusive) shall be without prejudice to any accrued rights or remedies of either party under any such paragraphs at the time of such termination or expiry.


Schedule 1 - Data Processing Details

1 Subject-matter of processing:

Any personal data comprised within documents in respect of which the Services are provided and associated user logs.


2 Duration of the processing:

For the duration of the order placed under the Terms of Service.


3 Nature and purpose of the processing:

To provide Services (as defined in the Muhimbi Terms of Service) to the Customer.


4 Type of Personal Data:

All such data as the Customer includes in any document in respect of which the Services are used, and associated user logs.


5 Categories of Data Subjects:

Individuals referenced or identified in any document in respect of which the Services are used, and individuals using the Services.


6 Technical and Organisational Security measures applied to the Protected Data:

The Services are operated in accordance with the following security-related procedures:

  • Passwords are stored using encryption and are never transmitted unencrypted.
  • Passwords are not logged under any circumstances.
  • Security logs are maintained, and reviewed, to track failed login attempts.
  • Muhimbi's internal accounts use Multi Factor Authentication.
  • Physical hardware is hosted in Microsoft Azure, which implements strict access control. For details see this document.
  • Where possible, data is kept in memory and not persisted to disk.
  • When needed, data is persisted to disk for the shortest possible time.
  • Temporary files, and processed data, are removed automatically.
  • Penetration tests are carried out periodically.
