Data Processing Agreement
By using our services, you are agreeing to these terms. Please read them carefully.
Effective From 28th March 2021
This Data Processing Agreement (“DP Terms”) governs data Processing by Clearvision for and on behalf of Client in relation to the goods and/or Services received by Client from Clearvision.
Any capitalised terms used but not defined in these DP Terms have the meanings given to them in the Master Services Agreement executed between Clearvision and the Client.
- Definitions
1.1 “Controller” has the meaning given in Article 4(7) of the General Data Protection Regulation;
1.2 “Personal Data” has the meaning given in Article 4(1) of the General Data Protection Regulation;
1.3 “Processor” has the meaning given in Article 4(8) of the General Data Protection Regulation; and
1.4 “Processing” has the meaning given in Article 4(2) of the General Data Protection Regulation.
2.1 Clearvision provides Services to the Client which may involve the Processing of Personal Data by Clearvision on behalf of the Client. This may include Personal Data relating to the Client, its personnel and, where applicable, its clients or other individuals with whom the Client deals in the course of its business, as relevant to the Services (“Relevant Data Subjects”). Further information on the subject matter, nature, purpose and duration of Processing in relation to the provision of the Services can be found in the applicable Statement of Work.
- Description of processing
3.1 The Processing to be carried out by Clearvision is as follows:
- the subject matter of the Processing is as described in clause 2.1;
- the duration of the Processing will be throughout the period within which Clearvision performs the Services;
- the nature of the Processing is described in clause 2.1;
- the purpose of the Processing is to enable Clearvision to perform the Services to the Client;
- the Personal Data Processed will be any Personal Data of the Relevant Data Subjects provided in order to enable or facilitate the provision of the Services by Clearvision as described in clause 2.1, and the categories of data subjects are the Relevant Data Subjects; and
- the obligations and rights of the data Controller are set out below.
- Compliance with Data Protection Legislation
4.1 Each of the Client and Clearvision represents and warrants that it will comply with, and will ensure that its employees and/or subcontractors comply with, the Data Protection Legislation when Processing Personal Data in connection with the Services.
- Relationship of the Parties
5.1 In relation to the Processing of Personal Data in connection with the Services, the Parties acknowledge and agree that:
- Client is the data Controller; and
- Clearvision is the data Processor.
5.2 The Client instructs Clearvision to Process Personal Data where this is necessary to deliver the Services provided by Clearvision.
5.3 Clearvision agrees that it will Process the Personal Data in accordance with these DP Terms.
- Processing of Personal Data by Clearvision
6.1 In relation to the Processing of Personal Data in connection with the Services Clearvision shall:
- Process the Personal Data (including when making an international transfer of the Personal Data) only for the purpose of and to the extent necessary for provision of the Services and then only in accordance with:
- these DP Terms; and
- the Client's written instructions from time to time, unless otherwise required by law. Where Clearvision is required by law to Process the Personal Data otherwise than as provided by these DP Terms, it will notify the Client before carrying out the Processing concerned (unless the law also prevents Clearvision from doing so for reasons of important public interest);
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the Processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed under these DP Terms, as set forth in Annex 1;
- take all reasonable steps to ensure that only authorised personnel have access to the Personal Data and that any persons whom it authorises to have access to the Personal Data will respect and maintain all due confidentiality in relation to the Personal Data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
- not engage any sub-processors in the performance of the Services without the prior written consent of the Client and otherwise in accordance with clause 7 at all times;
- not do, or omit to do, anything, which would cause the Client to be in breach of its obligations under the Data Protection Legislation;
- immediately notify the Client if, in Clearvision's opinion, any instruction given to Clearvision infringes the Data Protection Legislation;
- where applicable in respect of any Personal Data Processed in relation to the Services, co-operate with and assist the Client in ensuring compliance with:
- the Client's obligations to respond to requests from data subject(s) seeking to exercise their rights under Chapter 3 of the General Data Protection Regulation, including by notifying the Client of any written subject access requests Clearvision receives relating to the Client's obligations under the Data Protection Legislation; and
- the Client's obligations under Articles 32 to 36 of the General Data Protection Regulation to:
- ensure the security of the Processing;
- notify the relevant supervisory authority and, where relevant, any affected data subject(s) of any breaches relating to Personal Data;
- carry out any data protection impact assessments (each a “DPIA”) of the impact of the Processing on the protection of Personal Data; and
- consult the relevant supervisory authority prior to any Processing where a DPIA indicates that the Processing would result in a high risk in the absence of measures taken by the Client to mitigate the risk.
- provide assistance where reasonably required by the Client in relation to the fulfilment of the Client's obligations to co-operate with the relevant supervisory authority under Article 31 of the General Data Protection Regulation.
- Sub-processors
7.1 Clearvision will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Services does so only on the basis of a written contract which imposes on such sub-processor terms equivalent to those imposed on Clearvision under these DP Terms, or such other alternative terms as may be agreed with the Client (the “Relevant Terms”). Clearvision shall procure the performance by the sub-processor of the Relevant Terms and shall be directly liable to the Client for:
- any breach by the sub-processor of any of the Relevant Terms;
- any act or omission of the sub-processor which causes:
- Clearvision to be in breach of these DP Terms; or
- Client or Clearvision to be in breach of the Data Protection Legislation.
7.2 Where the Client has given Clearvision a general authorisation to engage sub-processors, then prior to engaging a new sub-processor under that general authorisation Clearvision will notify the Client of the intended change and give the Client an opportunity to object to it.
- Monitoring and audit
8.1 The Client is entitled to monitor and audit Clearvision's compliance with the Data Protection Legislation and its obligations in relation to data Processing in connection with the Services at any time during normal business hours. Clearvision agrees to provide the Client promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If the Client believes that an on-site audit is necessary, Clearvision agrees to give the Client reasonable access to its premises (subject to any reasonable confidentiality and security measures) and to any stored Personal Data and data Processing programs it has on-site. The Client is entitled to have the audit carried out by a third party.
- International transfers
9.1 Clearvision may transfer Personal Data internationally, including outside the EEA, and to any third party located internationally (including to Clearvision Inc, in the US), where it is permitted to make that transfer under Articles 44 to 49 of the General Data Protection Regulation.
- Completion of services
10.1 Upon completion of the Services, Clearvision will, at the Client's discretion and on receipt of the Client's written instruction, delete or return to the Client all Personal Data (including copies) Processed in connection with the Services, except to the extent that Clearvision is required by law to retain any copies of the Personal Data, and save to the extent that Clearvision receives instructions to the contrary from any applicable data subject(s).
Annex 1 – Technical and Organisational Measures, Key Controls
1 Certifications
1.1 Clearvision has achieved and maintains the following certifications:
- ISO 27001 Information Security Standard; and
- Cyber Essentials
2 Information Security Management System
2.1 Clearvision's Information Security Management System details:
- Process and procedure;
- Roles and responsibilities;
- Assurance and audit process;
- Risk assessment and management; and
- Improvement plans.
3 Physical security
3.1 Clearvision's key measures to prevent unauthorised physical access to Clearvision's premises, and to the data centres utilised by Clearvision, include:
- ISO 27001 certified data centres;
- the fitting of appropriate locks and other physical entry controls on doors and windows;
- surveillance facilities;
- physically securing devices containing Personal Data, e.g. in a locked cupboard or drawer;
- ensuring control of removable media;
- secure disposal of physical assets; and
- access control system including logging of visitors.
4 System access security
4.1 Clearvision’s key measures to prevent unauthorised system access to Clearvision’s IT systems include:
- password procedures;
- central management of access;
- auditing of user access;
- monitoring of suspicious activity; and
- joiner/leaver processes managed by IT admins and HR.
5 Data access security
5.1 Clearvision’s key measures to prevent unauthorised data access include:
- principle of least privilege applied;
- role based access; and
- management of logged access requests.
6 Vulnerability management
6.1 Clearvision’s key measures to prevent exploitation of technological vulnerabilities include:
- software installation restricted to approved software only;
- application of patching policy;
- email threat management;
- internet browser threat management;
- awareness training;
- virus scanning; and
- utilisation of Amazon GuardDuty on its AWS estate.
7 Awareness, training, and personnel
7.1 Clearvision's key measures to address personnel-related risks include:
- performing reference checks on all new personnel;
- induction training to include information security/data protection;
- signed acceptance of compliance to information security policies;
- refresher training conducted at least annually; and
- clear job description including information security responsibilities.
8 Incident management and business continuity
8.1 Clearvision’s key measures to prevent and manage incidents and business continuity events include:
- incident management policies and procedures;
- incident management training;
- incident management key personnel;
- business continuity plan including key personnel, external contacts and contingency plans;
- incident and business continuity testing; and
- continued improvement.
9 Audit
9.1 Clearvision applies a programme of regular external and internal audits to monitor and enforce compliance with its security and data protection policies and procedures.