Data processing agreement

All Policies / Terms

Contents

Our agreement with you

This Data processing agreement applies to the extent that Amiqus Resolution Limited processes personal data on behalf of Amiqus clients, which together with:

form the contract between you (“the ‘Client”) and us. This agreement supersedes any written or oral representations, statements, understandings or agreements.

Any obligation imposed on the supplier under this agreement in relation to the processing of personal data shall survive any termination or expiration of the main agreement.

With regard to the subject matter of this agreement, in the event of any conflict or inconsistency between any provision of the main agreement and any provision of this agreement, the provision of this agreement shall prevail. In the event of any conflict or inconsistency between the main agreement or this agreement and the standard contractual clauses, the standard contractual clauses shall prevail.

Definitions

  • The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning as described in Data protection laws;
  • “Agreement” means this Data processing agreement;
  • "Authorised sub-processors” means (a) those sub-processors set out in the agreement (Authorised Sub-processors).
  • “Data protection laws” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and when in force the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
  • “EEA” means the European Economic Area;
  • “Personal data” means the data described (details of processing of personal data) and any other personal data processed by the supplier on behalf of the client pursuant to or in connection with the main agreement;
  • “Main agreement” means the Amiqus Business terms into which this agreement is incorporated;
  • “Standard contractual clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
  • “Sub-processor” means any data processor (including any affiliate of Amiqus) appointed by Amiqus to process personal data on behalf of the Amiqus client.
  • “Supervisory authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
  • “Supplier” means Amiqus Resolution Limited, provider of the service;
  • “The Client” means you, the company, firm, corporation or public authority who wishes to purchase the Service;
  • “The Service” means the service described in the Amiqus Business terms.

Processing of personal data

Data controller and data processor

The parties agree that:

  • the client is a data controller and that,
  • the supplier is a data processor

for the purposes of processing personal data.

Each party shall at all times in relation to processing connected with the main agreement, comply with data protection laws.

Details of the processing of personal data

As required by Article 28(3) GDPR, the information below outlines the details of the personal data processed by Amiqus on behalf of the client.

The supplier shall only process the types of personal data relating to the categories of data subjects for the purposes of the main agreement and for the specific purposes in each case as set out therein and shall not process, transfer, modify, amend or alter the personal data or disclose or permit the disclosure of the personal data to any third party other than in accordance with the client’s documented instructions and the data protection laws, unless processing is required by applicable law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the client of that legal requirement before processing that personal data.

The supplier will reasonably assist the client with meeting the client's compliance obligations under the data protection laws, taking into account the nature of the supplier's processing and the information available to the supplier, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the data protection laws.

Subject matter Employee or customer of the client
Duration The Supplier will continue to process any data until the client deletes from Amiqus or the main agreement ends
Nature and purpose

Employee vetting and screening

Customer due diligence

To meet risk, legal, compliance standards

Types of personal data

Name, date of birth, address history, personal e-mail address, telephone number an identification card, National Insurance Number. Image of identification documents.

Types of special category personal data

Image of passport

political information

Criminal history data

Indicative notice of disclosure

Client notes about disclosures

The supplier shall immediately inform the client, if in its opinion, an instruction pursuant to the main agreement or this agreement infringes data protection laws.

The client warrants to and undertakes to the supplier that all data subjects of the personal data: (i) have been or will be provided with appropriate privacy notices and information; (ii) all consents have been obtained in accordance with data protection laws to establish and maintain for the relevant term the necessary legal grounds, under data protection laws for transferring the personal data to the supplier to enable the supplier to process the personal data in accordance with this agreement and the main agreement.

Liability

The client acknowledges that the supplier is reliant on the client for direction as to the extent to which it is entitled to use and process the personal data. Consequently, the supplier will not be liable for any claim arising from any action or omission by the supplier to the extent that such action or omission resulted from the client’s express instructions. The liability provisions in the main agreement shall apply to this agreement. Nothing in this agreement shall exclude or limit any party's liability which cannot legally be limited or excluded by applicable laws.

Processor personnel

The supplier shall treat all personal data as strictly confidential and shall inform all its employees, agents, contractors and/or authorised sub-processors engaged in processing the personal data of the confidential nature of such Personal Data.

The supplier shall take reasonable steps to ensure the reliability, integrity, and trustworthiness of any employee, agent, contractor and/or authorised sub-processor who may have access to the personal data, ensuring in each case that access is limited to those persons or parties who need to access the relevant personal data, as necessary for the purposes set out above in the context of that person's or party's duties to the supplier.

The supplier shall ensure that all such persons or parties involved in the processing of personal data are subject to:

  • confidentiality undertakings or are under an appropriate statutory obligation of confidentiality;
  • have undertaken training on the data protection laws relating to handling personal data and how it applies to their particular duties;
  • are aware both of the client's duties and their personal duties and obligations under the data protection laws and this agreement; and
  • user authentication processes when accessing the personal data.

Security

The supplier shall implement appropriate technical and organisational measures to ensure a level of security of the personal data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

More information about Amiqus’ commitment to security can be found here.

Sub-processing

Authorised sub-processors

Entity name Subprocessing activities
Amazon Web Services UK Ltd Cloud computing platforms for all application infrastructure including; web servers, databases, and DNS.
Disclosure and Barring Service Obtain details of convictions and conditional cautions for provision of Amiqus’ Basic Disclosure Check.
Disclosure Scotland Obtain details of convictions and conditional cautions for provision of Amiqus’ Basic Disclosure Check.
Equifax Ltd QCB1 AML/EWC services, provision of Amiqus’ identity checks.
GoCardless Ltd Outsourced payment management.
HubSpot, Inc Marketing automation and customer relation management.
IVSX UK Ltd, (trading as Comply Advantage) Obtain global sanctions, politically exposed persons and adverse media data for the provision of Amiqus’ PEPs & Sanctions and Adverse Media checks.
Onfido Ltd Document verification services, provision of Amiqus’ Photo ID check.
Stripe, Inc Outsourced payment management.
TransUnion Information Group Ltd. (formerly CallCredit) CallValidate and CallReport services, provision of Amiqus’ Identity and Adverse Credit checks.
Zendesk, Inc Online ticketing and customer support services.
Dolby Laboratories, Inc Dolby.io video and audio services, provision of Amiqus’ Face Capture check.
TrueLayer Limited

Open banking platform, provision of Amiqus' Banking information check.

This check type is used for the collection and processing of financial information. Amiqus does not permit storage, processing or transmitting of cardholder and sensitive authentication data.

Appointing sub-processors

The supplier shall not engage any sub-processor to process personal data other than with the prior specific or general written authorisation of the client. As at the date of the main agreement or (if later) implementation of this agreement, the client hereby authorises the supplier to engage those sub-processors set out in the table above (authorised sub-processors) or those specifically outlined in the Contract schedule.

Changes to sub-processors

In the case of general written authorisation, the supplier shall inform the client of any intended changes concerning the addition or replacement of other processors with 10 working days’ notice, thereby giving the client the opportunity to object to such changes.

With respect to each Sub-processor, the Supplier shall:

Sub-processor due diligence

Carry out adequate due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the personal data as is required by this agreement including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of data protection laws and this agreement;

Agreement with sub-processors

Include terms in the contract between the supplier and each sub-processor which contains terms substantially the same as those set out in this agreement, in particular, in relation to requiring appropriate technical and organisational data security measures agreement and shall supervise compliance thereof;

Transfer of personal data outside of the EEA

Insofar as that contract involves the transfer of personal data outside of the EEA, incorporate the standard contractual clauses or such other mechanism as directed by the client into the contract between the supplier and each sub-processor to ensure the adequate protection of the transferred personal data, or such other arrangement as the client may approve as providing an adequate protection in respect of the processing of personal data in such third country(ies); and

Sub-processor failure

Remain fully liable to the client for any failure by each sub-processor to fulfil its obligations in relation to the processing of any personal data.

Data subject rights

The Supplier shall without undue delay, and in any case within two (2) working days, notify the client if it receives a request from a data subject under any data protection laws in respect of personal data, including requests by a data subject to exercise rights in chapter 3 of GDPR, and shall provide full details of that request.

The supplier shall cooperate as reasonably requested by the client to enable the client to comply with any exercise of rights by a data subject under any data protection laws in respect of personal data and to comply with any assessment, enquiry, notice or investigation under any data protection laws in respect of personal data or the main agreement, which shall include:

  • the provision of all information reasonably requested by the client within any reasonable timescale specified by the client in each case, including full details and copies of the complaint, communication or request and any personal data it holds in relation to a data subject;
  • where applicable, providing such assistance as is reasonably requested by the client to enable the client to comply with the relevant request within the timescales prescribed by data protection laws; and
  • implementing any additional technical and organisational measures as may be reasonably required by the client to allow the client to respond effectively to relevant complaints, communications or requests.

Personal data breach management

In the case of a personal data breach, the supplier shall without undue delay notify the personal data breach to the client providing sufficient information which allows the client to meet any obligations to report a personal data breach under data protection laws. Such notification shall as a minimum:

  • describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned;
  • communicate the name and contact details of the supplier's data protection officer or other relevant contact from whom more information may be obtained; and
  • describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Supplier co-operation

The supplier shall fully cooperate with the client and take such reasonable steps as are directed by the client to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the client to (i) perform a thorough investigation into the personal data breach, (ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under data protection laws.

Public Statement

The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The supplier shall not inform any third party without first obtaining the client’s prior written consent, unless notification is required by law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the client of that legal requirement, provide a copy of the proposed notification and consider any comments made by the client before notifying the personal data breach.

Data protection impact assessments and consultation

The supplier shall, at the client’s request, provide reasonable assistance with any data protection impact assessments and any consultations with any supervisory authority of the client’s as may be required.

Deletion or return of controller personal data

The supplier shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of personal data by the supplier; or (ii) termination of the main agreement, at the choice of the client securely dispose of personal data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the supplier to store such personal data.

Audit rights

The supplier shall make available to the client on request all information necessary to demonstrate compliance with this agreement and data protection laws and allow for and contribute to audits, including inspections by the client or another auditor mandated by the client of any premises where the processing of personal data takes place.

The supplier shall permit the client or another auditor mandated by the client during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the client may satisfy itself that the provisions of data protection laws and this agreement are being complied with.

The supplier shall provide full cooperation to the client in respect of any such audit and shall at the request of the client, provide evidence of compliance with its obligations under this agreement and data protection laws.

International transfers of controller personal data

The supplier shall not (permanently or temporarily) process the personal data nor permit any authorised sub-processor to (permanently or temporarily) process the personal data in a country outside of the EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in Schedule 3 (Authorised Transfers of Personal Data), unless authorised in writing by the client in advance.


Effective from 28/04/2021 Last reviewed 27/04/2021 Version 1.2