Our agreement with you
This Data processing agreement applies to the extent that Amiqus Resolution Limited processes personal data on behalf of Amiqus clients, which together with:
- Your Contract schedule
- Amiqus’ Business terms
- Amiqus’ Service user terms
- Amiqus’ Privacy policy
form the contract between you (“the Client”) and us. This agreement supersedes any written or oral representations, statements, understandings or agreements.
Any obligation imposed on the supplier under this agreement in relation to the processing of personal data shall survive any termination or expiration of the main agreement.
With regard to the subject matter of this agreement, in the event of any conflict or inconsistency between any provision of the main agreement and any provision of this agreement, the provision of this agreement shall prevail. In the event of any conflict or inconsistency between the main agreement or this agreement and the standard contractual clauses, as applicable, the UK International Data Transfer Agreement or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall prevail.
Definitions
- The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning as described in Data protection laws;
- “Agreement” means this Data processing agreement;
- “Authorised sub-processors” means (a) those sub-processors set out in the agreement (Authorised Sub-processors).
- “Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018);
- “Data Protection Laws” means:
  - To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data and privacy.
  - To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier or the Client is subject, which relates to the protection of personal data and privacy.
- “EU GDPR”: the General Data Protection Regulation ((EU) 2017/679);
- “EEA” means the European Economic Area;
- “Personal data” means the data described (details of processing of personal data) and any other personal data processed by the supplier on behalf of the client pursuant to or in connection with the main agreement;
- “Main agreement” means the Amiqus Business terms into which this agreement is incorporated;
- “Sub-processor” means any data processor (including any affiliate of Amiqus) appointed by Amiqus to process personal data on behalf of the Amiqus client.
- “Supervisory authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; (b) the Commissioner; and (c) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
- “Supplier” means Amiqus Resolution Limited, provider of the service;
- “The Client” means you, the company, firm, corporation or public authority who wishes to purchase the Service;
- “The Service” means the service described in the Amiqus Business terms.
- “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Processing of personal data
Data controller and data processor
The parties agree that:
- the client is a data controller and that,
- the supplier is a data processor
for the purposes of processing personal data.
Each party shall at all times in relation to processing connected with the main agreement, comply with data protection laws.
Details of the processing of personal data
As required by Article 28(3) GDPR, the information below outlines the details of the personal data processed by Amiqus on behalf of the client.
The supplier shall only process the types of personal data relating to the categories of data subjects for the purposes of the main agreement and for the specific purposes in each case as set out therein and shall not process, transfer, modify, amend or alter the personal data or disclose or permit the disclosure of the personal data to any third party other than in accordance with the client’s documented instructions and the data protection laws, unless processing is required by applicable law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the client of that legal requirement before processing that personal data.
The supplier will reasonably assist the client with meeting the client’s compliance obligations under the data protection laws, taking into account the nature of the supplier’s processing and the information available to the supplier, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the data protection laws.
Subject matter | Employee or customer of the client |
Duration | The Supplier will continue to process any data in accordance with the client’s instructions until the client deletes it from Amiqus or the main agreement ends, whichever is first – except where a requirement exists to retain data for legal or regulatory purposes. For example, DBS requires records of checks undertaken to be retained for 12 months. Any such data retained in accordance with this provision shall continue to be subject to the security and confidentiality restrictions contained in this Agreement. |
Nature and purpose | Employee vetting and screening; Customer due diligence to meet risk, legal, compliance standards |
Types of personal data | Name, date of birth, address history, personal email address, telephone number, an identification card, professional registration details, National Insurance Number. Image of identification documents. |
Types of special category personal data | Image of passport; Image and video of face; Political information |
Criminal history data | Indicative notice of disclosure; Disclosure certificate; Client notes about disclosures |
The supplier shall immediately inform the client if, in its opinion, an instruction pursuant to the Main Agreement or this agreement infringes data protection laws.
The Client warrants to and undertakes to the Supplier that: (i) it is entitled to disclose the Personal Data to the Supplier; (ii) it has and will maintain for the term of the Agreement a valid lawful basis to process and share the Personal Data with the Supplier; (iii) it will ensure that the Personal Data is accurate and is kept up to date; (iv) all data subjects of the Personal Data have been or will be provided with appropriate privacy notices and information in accordance with Data protection laws; (v) where the legal basis relied on is consent or explicit consent, all consents have been obtained in accordance with Data protection laws to establish and maintain for the relevant term the necessary legal grounds, under Data protection laws, for transferring the Personal Data to the Supplier to enable the Supplier to process the personal data in accordance with this Agreement and the Main Agreement.
Liability
The Client acknowledges that the Supplier is reliant on the Client for direction as to the extent to which it is entitled to use and process the personal data. Consequently, the supplier will not be liable for any claim arising from any action or omission by the supplier to the extent that such action or omission resulted from the client’s express instructions. The liability provisions in the Main Agreement shall apply to this agreement. Nothing in this Agreement shall exclude or limit any party’s liability which cannot legally be limited or excluded by applicable laws.
Processor personnel
The supplier shall treat all personal data as strictly confidential and shall inform all its employees, agents, contractors and/or authorised sub-processors engaged in processing the personal data of the confidential nature of such Personal Data.
The supplier shall take reasonable steps to ensure the reliability, integrity, and trustworthiness of any employee, agent, contractor and/or authorised sub-processor who may have access to the personal data, ensuring in each case that access is limited to those persons or parties who need to access the relevant personal data, as necessary for the purposes set out above in the context of that person’s or party’s duties to the supplier.
The supplier shall ensure that all such persons or parties involved in the processing of personal data:
- are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality;
- have undertaken training on the data protection laws relating to handling personal data and how it applies to their particular duties;
- are aware both of the client’s duties and their personal duties and obligations under the data protection laws and this agreement; and
- are subject to user authentication processes when accessing the personal data.
Security
The supplier shall implement appropriate technical and organisational measures to ensure a level of security of the personal data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
More information about Amiqus’ commitment to security can be found here.
Sub-processing
Authorised sub-processors
Entity name | Subprocessing activities |
Amazon Web Services UK Ltd | Cloud computing platforms for all application infrastructure including web servers, databases, and DNS. |
Disclosure and Barring Service | Obtain details of convictions and conditional cautions for provision of Amiqus’ Basic Disclosure Check. |
Disclosure Scotland | Obtain details of convictions and conditional cautions for provision of Amiqus’ Basic Disclosure Check. |
Equifax Ltd | QCB1 AML/EWC services, provision of Amiqus’ identity checks. |
GoCardless Ltd | Outsourced payment management. |
HubSpot, Inc | Marketing automation and customer relation management. |
IVSX UK Ltd, (trading as Comply Advantage) | Obtain global sanctions, politically exposed persons and adverse media data for the provision of Amiqus’ PEPs & Sanctions and Adverse Media checks. |
Onfido Ltd | Document verification services, provision of Amiqus’ Photo ID check. |
Stripe, Inc | Outsourced payment management. |
TransUnion Information Group Ltd. (formerly CallCredit) | CallValidate and CallReport services, provision of Amiqus’ Identity and Adverse Credit checks. |
Zendesk, Inc | Online ticketing and customer support services. |
Dolby Laboratories, Inc | Dolby.io video and audio services, provision of Amiqus’ Face Capture check. |
TrueLayer Limited | Open banking platform, provision of Amiqus’ Banking information check. This check type is used for the collection and processing of financial information. Amiqus does not permit storage, processing or transmitting of cardholder and sensitive authentication data. |
Appointing sub-processors
The supplier shall not engage any sub-processor to process personal data other than with the prior specific or general written authorisation of the client. As at the date of the main agreement or (if later) implementation of this agreement, the client hereby authorises the supplier to engage those sub-processors set out in the table above (authorised sub-processors) or those specifically outlined in the Contract schedule.
Changes to sub-processors
In the case of general written authorisation, the supplier shall inform the client of any intended changes concerning the addition or replacement of other processors with 10 working days’ notice, thereby giving the client the opportunity to object to such changes.
With respect to each Sub-processor, the Supplier shall:
Sub-processor due diligence
Carry out adequate due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the personal data as is required by this agreement including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of data protection laws and this agreement;
Agreement with sub-processors
Include in the contract between the supplier and each sub-processor terms substantially the same as those set out in this agreement, in particular in relation to requiring appropriate technical and organisational data security measures, and supervise compliance thereof;
Transfer of personal data outside of the UK and EEA
Insofar as that contract involves the transfer of personal data outside of the UK and EEA, transfer to a territory which is subject to adequacy regulations under the Data protection laws that the territory provides adequate protection for the privacy rights of individuals; or incorporate a valid cross-border transfer mechanism under Data protection laws, or such other mechanism as directed by the client, into the contract between the supplier and each sub-processor to ensure the adequate protection of the transferred personal data, provided it is compliant with the Data protection laws, or such other arrangement as the client may approve as providing an adequate protection in respect of the processing of personal data in such third country(ies); and
Sub-processor failure
Remain fully liable to the client for any failure by each sub-processor to fulfil its obligations in relation to the processing of any personal data.
Data subject rights
The Supplier shall without undue delay, and in any case within two (2) working days, notify the client if it receives a request from a data subject under any data protection laws in respect of personal data, including requests by a data subject to exercise rights in chapter 3 of GDPR, and shall provide full details of that request.
The supplier shall cooperate as reasonably requested by the client to enable the client to comply with any exercise of rights by a data subject under any data protection laws in respect of personal data and to comply with any assessment, enquiry, notice or investigation under any data protection laws in respect of personal data or the main agreement, which shall include:
- the provision of all information reasonably requested by the client within any reasonable timescale specified by the client in each case, including full details and copies of the complaint, communication or request and any personal data it holds in relation to a data subject;
- where applicable, providing such assistance as is reasonably requested by the client to enable the client to comply with the relevant request within the timescales prescribed by data protection laws; and
- implementing any additional technical and organisational measures as may be reasonably required by the client to allow the client to respond effectively to relevant complaints, communications or requests.
Personal data breach management
In the case of a personal data breach, the supplier shall without undue delay notify the personal data breach to the client providing sufficient information which allows the client to meet any obligations to report a personal data breach under data protection laws. Such notification shall as a minimum:
- describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned;
- communicate the name and contact details of the supplier’s data protection officer or other relevant contact from whom more information may be obtained; and
- describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Supplier co-operation
The supplier shall fully cooperate with the client and take such reasonable steps as are directed by the client to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the client to (i) perform a thorough investigation into the personal data breach, (ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under data protection laws.
Public Statement
The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The supplier shall not inform any third party without first obtaining the client’s prior written consent, unless notification is required by law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the client of that legal requirement, provide a copy of the proposed notification and consider any comments made by the client before notifying the personal data breach.
Data protection impact assessments and consultation
The supplier shall, at the client’s request, provide reasonable assistance with any data protection impact assessments and any consultations with any supervisory authority of the client’s as may be required.
Deletion or return of controller personal data
The supplier shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of personal data by the supplier; or (ii) termination of the main agreement, at the choice of the client securely dispose of personal data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the supplier to store such personal data or where a requirement exists to retain data for legal or regulatory purposes. For example, DBS requires records of checks undertaken to be retained for 12 months. Any such data retained in accordance with this provision shall continue to be subject to the security and confidentiality restrictions contained in the Agreement.
Audit rights
The supplier shall make available to the client on request all information necessary to demonstrate compliance with this agreement and data protection laws and allow for and contribute to audits, including inspections by the client or another auditor mandated by the client of any premises where the processing of personal data takes place.
The supplier shall permit the client or another auditor mandated by the client during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the client may satisfy itself that the provisions of data protection laws and this agreement are being complied with.
The supplier shall provide full cooperation to the client in respect of any such audit and shall at the request of the client, provide evidence of compliance with its obligations under this agreement and data protection laws.
International transfers of controller personal data
The supplier shall not (permanently or temporarily) process the personal data nor permit any authorised sub-processor to (permanently or temporarily) process the personal data in a country outside of the UK and EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in the Contract Schedule (Authorised Transfers of Personal Data), unless authorised in writing by the client in advance.