Carveco Ltd Data Processing Agreement

To the extent that we act as a Processor and you act as a Controller of the Transferred Personal Data, this Data Processing Agreement (DPA) is incorporated into the Carveco Software Terms and Conditions (Terms) entered into between the Parties.

This DPA is made between:

  1. Carveco Ltd, a company registered in England and Wales, with company number 11555743 of Pheasant Oak Barn, Balsall Common, Solihull, CV7 7GX, United Kingdom (we, us or our); and
  2. The customer who signs up for a Carveco Account on our website (you or your),

together the Parties and each a Party.

Background

These Terms contain the terms and conditions on which we supply your Account and the Software to you, whether the Services comprise services and/or digital content. Please read these Terms carefully before you accept these Terms.

  1. The Parties have entered into the Terms for the provision of Services.
  2. In the processing of Transferred Personal Data in connection with the Terms, we act as a Processor, and you are a Controller.
  3. We may also act as a Controller of Transferred Personal Data which we require from you in order for you to create an Account on the software.

1. Commencement and Term

  • 1.1 This DPA will commence on the date that the Terms are entered into, and will continue for as long as the Terms remain in effect, or we retain any of the Transferred Personal Data in our possession or control (whichever is longer) (Term).
  • 1.2 Where you make any deletions or other revisions to this DPA, this DPA will be null and void, unless otherwise agreed by us in writing.
  • 1.3 By entering into this DPA, each Party agrees to be bound by the terms and conditions set out in this DPA, in exchange for the other Party also agreeing to be bound by this DPA.

2. Processing of Personal Data

  • 2.1 Each Party agrees to comply with Applicable Data Protection Law in the Processing of Transferred Personal Data.
  • 2.2 You instruct us to process Personal Data in accordance with this DPA (including in accordance with Annex 1).
  • 2.3 We agree to not process Transferred Personal Data other than on your documented instructions, and to the extent applicable, clause 1 of this DPA.

3. Our Personnel

We agree to take reasonable steps to ensure the reliability of any of our Personnel who may have access to the Transferred Personal Data, ensuring in each case that:

  1. access is strictly limited to those individuals who need to know / access the relevant Transferred Personal Data, as strictly necessary for the purposes of the Terms; and
  2. the relevant Personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

  • 4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we agree to implement appropriate technical and organisational measures in relation to the Transferred Personal Data to ensure a level of security appropriate to that risk in accordance with Applicable Data Protection Law.
  • 4.2 In assessing the appropriate level of security, we agree to take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Sub-Processing

  • 5.1 You authorise our engagement of the Sub-Processors already engaged by us at the date of this DPA, which are set out at Annex 2.
  • 5.2 Where we wish to engage a new Sub-Processor, we agree to provide written notice to you of the details of the engagement of the Sub-Processor at least 14 days prior to engaging the new Sub-Processor (including details of the processing it will perform). You may object in writing to our appointment of a new Sub-Processor within 7 days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, we may, at our election:
    1. not appoint the proposed Sub-Processor;
    2. not disclose any Transferred Personal Data we process on your behalf to the proposed Sub-Processor; or
    3. inform you that we may terminate the Terms (including this DPA) for convenience, in which case, clause 2 will apply.
  • 5.3 You agree that the remedies described above in clauses 5.2(a)-(c) are the only remedies available to you if you object to any proposed Sub-Processor by us.
  • 5.4 Where we engage a Sub-Processor to process Transferred Personal Data, we agree to enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to the Transferred Personal Data, and to remain responsible to you for the performance of such Sub-Processor’s data protection obligations under such terms.
  • 5.5 Where the transfer of Transferred Personal Data from us to a Sub-Processor is a Restricted Transfer, it will be subject to the UK Addendum (and documents or legislation referred to within it), which shall be deemed to be incorporated into this DPA, and the UK Addendum is considered an appropriate safeguard.

6. Data Subject Rights

  • 6.1 Taking into account the nature of the Processing, we agree to assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Law.
  • 6.2 We agree to:
    1. promptly notify you if we receive a request from a Data Subject under any Applicable Data Protection Law in respect of Transferred Personal Data; and
    2. ensure that we do not respond to that request except on your documented instructions or as required by Applicable Data Protection Law to which we are subject, in which case we shall, to the extent permitted by Applicable Data Protection Law, inform you of that legal requirement before we (or our Sub-Processor) respond to the request.

7. Personal Data Breach

  • 7.1 We agree to notify you without undue delay upon becoming aware of a Personal Data Breach affecting Transferred Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
  • 7.2 We agree to co-operate with you and take reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
  • 7.3 If you decide to notify a Supervisory Authority, Data Subjects or the public of a Transferred Personal Data Breach, you agree to provide us with advance copies of the proposed notices and, subject to Applicable Data Protection Law (including any mandated deadlines under the UK GDPR), allow us an opportunity to provide any clarifications or corrections to those notices.

8. Data Protection Impact Assessment and Prior Consultation

We agree to provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Law (to the extent you do not otherwise have access to the relevant information and such information is in our control).

9. Deletion or return of Personal Data

Subject to this clause 9, and subject to any document retention requirements at law, we agree to promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Transferred Personal Data (Cessation Date), delete and procure the deletion of all copies of those Transferred Personal Data.

10. Audit Rights

  • 10.1 Subject to this clause 10, where required by law, we shall make available to you on request all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of the Transferred Personal Data by us.
  • 10.2 Where clause 10.1 applies, any audit (or inspection):
    1. must be conducted during our regular business hours, with reasonable advance notice (which shall not be less than 30 business days);
    2. will be subject to our reasonable confidentiality procedures;
    3. must be limited in scope to matters specific to you and agreed in advance with us;
    4. must not require us to disclose to you any information that could cause us to breach any of our obligations under Applicable Data Protection Law;
    5. to the extent we need to expend time to assist you with the audit (or inspection), this will be funded by you, in accordance with pre-agreed rates; and
    6. may only be requested by you a maximum of one time per year, except where required by a competent Supervisory Authority or where there has been a Personal Data Breach in relation to Transferred Personal Data, caused by us.
  • 10.3 Your information and audit rights only arise under section 10.1 to the extent that the Terms do not otherwise give you information and audit rights meeting the relevant requirements of Applicable Data Protection Law.

11. Liability

Despite anything to the contrary in the Terms or this DPA, to the maximum extent permitted by law, the Liability of each Party and its affiliates under this DPA is subject to the exclusions and limitations of Liability set out in the Terms.

12. Termination

  • 12.1 Each Party agrees that a failure or inability to comply with the terms of this DPA and/or the Applicable Data Protection Law constitutes a material breach of the Terms. In such event, you may, without penalty:
    1. require us to suspend the processing of Transferred Personal Data until such compliance is restored; or
    2. terminate the Platform Terms and Conditions effective immediately on written notice to us.
  • 12.2 In the case of such suspension or termination, we shall provide a prompt pro-rata refund of all sums paid in advance under the Terms which relate to the period of suspension or the period after the date of termination (as applicable).
  • 12.3 Notwithstanding the expiry or termination of this DPA, this DPA will remain in effect until, and will terminate automatically upon, deletion by us of all Transferred Personal Data covered by this DPA, in accordance with this DPA.

13. General

  • 13.1 Amendment: Other than as expressly permitted under this DPA and to the extent permitted by law, this DPA may only be amended by written instrument executed by the Parties.
  • 13.2 Assignment: A Party must not assign or deal with the whole or any part of its rights or obligations under this DPA without the prior written consent of the other Party (such consent not to be unreasonably withheld).
  • 13.3 Confidentiality: Each Party agrees to keep this DPA and any information it receives about the other Party and its business in connection with this DPA (Confidential Information) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
    1. disclosure is required by law; or
    2. the relevant information is already in the public domain.
  • 13.4 Contracts (Rights of Third Parties) Act 1999: Notwithstanding any other provision of this DPA, nothing in this DPA confers or is intended to confer any right to enforce any of its terms on any person who is not a party to it.
  • 13.5 Counterparts: This DPA may be executed in any number of counterparts that together will form one instrument.
  • 13.6 Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties, the UK Addendum shall prevail, then the Annexes, followed by this DPA and then the Platform Terms and Conditions.
  • 13.7 Governing law and disputes: This DPA is governed by the laws of England and Wales. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts operating in England and Wales and any courts entitled to hear appeals from those courts and waives any right to object to proceedings being brought in those courts.
  • 13.8 Notices: Any notice given under this DPA must be in writing addressed to the relevant address last notified by the recipient to the Parties. Any notice may be sent by standard post or email, and will be deemed to have been served on the expiry of 48 hours in the case of post, or at the time of transmission in the case of transmission by email.
  • 13.9 Severance: If a provision of this DPA is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from this DPA without affecting the validity or enforceability of the remainder of that provision or the other provisions in this DPA.

14. Definitions and Interpretation

  • 14.1 In this DPA, unless the context otherwise requires, all terms have the meanings given to them in the Appendices and Annexures, and:

    Applicable Data Protection Law means the laws and regulations applicable to the processing of Personal Data by the Parties in connection with the Terms, including the Data Protection Act 2018 (including the UK GDPR).

    Carveco Account has the meaning given to it in the Terms.

    DPA means this Data Processing Agreement and all Annexes attached to it.

    EU GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

    Liability means any expense, cost, liability, loss, damage, claim, notice, entitlement, investigation, demand, proceeding or judgment (whether under statute, contract, equity, tort (including negligence), misrepresentation, restitution, indemnity or otherwise), howsoever arising, whether direct or indirect and/or whether present, unascertained, future or contingent and whether involving a third party or a Party to this DPA or otherwise.

    Personnel means in respect of a Party, any of its employees, consultants, and subcontractors.

    Restricted Transfer means a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

    Services means the services the subject of the Terms.

    Software has the meaning given to it in the Terms.

    Transferred Personal Data means any Personal Data Processed by us on behalf of you in connection with the Platform Terms and Conditions (and where we are also acting as a Controller, any Personal Data we process in connection with the Platform Terms and Conditions).

    Sub-Processor means any person appointed by or on behalf of us to process Transferred Personal Data on behalf of you in connection with the Platform Terms and Conditions.

    UK GDPR means the EU GDPR as incorporated into United Kingdom law as the Data Protection Act 2018 by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

    UK Addendum means the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers approved by the Information Commissioner’s Office under section 119A of the Data Protection Act 2018 on 21 March 2022 (version B.1.0), and as updated from time to time.

  • 14.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the EU GDPR or UK GDPR, as applicable.
  • 14.3 The word include shall be construed to mean include without limitation.

List of Sub-Processors

Sub-Processor | Location | Purpose/Services | Website & Contact
Auth0 | United States | Identity & Security | Auth0 Website
Zendesk | United States | Customer service & Support | Zendesk Website
Zoho | Global | Customer Relationship Management | Zoho Website