THIS AGREEMENT is dated      2022 (“Agreement”)

BETWEEN:

  1. KAIZAN LIMITED incorporated and registered in England and Wales with company number 13082820 whose registered office is at The Beeches Perivale Lane, Perivale, Greenford, England, UB6 8TW (“Processor”); and
  2. the party entering into a licence agreement for the use of Kaizan AI software (“Controller”),

collectively, the “Parties” and each a “Party”.

BACKGROUND

This Agreement is intended to ensure that Controller and the Processor comply with applicable Data Protection Laws.

AGREED TERMS

  1. INTERPRETATION
    1. In this Agreement, the following capitalised terms shall have the meanings set out below:


    2. The terms “Commission”, “Data Subject”, “Member State”, “Processing” and “Supervisory Authority” shall have the meanings given to them in the Data Protection Laws. In the event of any discrepancy between the terms of the EU GDPR and the UK GDPR, the UK GDPR will apply.
    3. By entering into the Licence Agreement, agreeing to the terms of service applicable to the Processor’s software, or by using the Processor’s software, the Controller is agreeing to be bound by the terms of this Agreement.
  2. PROCESSING OF CONTROLLER PERSONAL DATA
    1. Processor shall:
      1. comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
      2. not Process Controller Personal Data other than on Controller’s documented instructions unless Processing is required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before the relevant Processing of that Controller Personal Data.
    2. The Controller and the Processor agree and acknowledge that for the purpose of the Data Protection Laws:
      1. the Controller is the Data Controller and the Processor is the Data Processor; and
      2. the Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor.
    3. Controller instructs the Processor to Process Controller Personal Data as reasonably necessary for the provision of the software pursuant to the Licence Agreement.
    4. The Processor will promptly notify the Controller if, in its opinion, the Controller’s instructions do not comply with the Data Protection Laws.
    5. The Processor must comply promptly with any Controller written instructions requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
    6. The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Controller or this Agreement specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires the Processor to process or disclose the Personal Data to a third party, the Processor must first inform the Controller of such legal or regulatory requirement and give the Controller an opportunity to object to or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.
    7. Schedule 1 to this Agreement sets out certain information regarding the Processor’s Processing of Controller Personal Data as required by Article 28(3) of the UK GDPR.
  3. PROCESSOR PERSONNEL
    1. The Processor will ensure that all of its employees:
      1. are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
      2. have undertaken training on the Data Protection Laws, how they relate to their handling of the Personal Data and how they apply to their particular duties; and
      3. are aware both of the Processor’s duties and of their personal duties and obligations under the Data Protection Laws and this Agreement.
  4. SECURITY AND CONFIDENTIALITY OF DATA
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall, in relation to Controller Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the UK GDPR.
    2. In assessing the appropriate level of security, Processor shall in particular take account of the risks that are presented by Processing, including from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Controller Personal Data transmitted, stored or otherwise Processed.
  5. SUBPROCESSING
    1. Controller authorises the Processor to appoint Subprocessors in accordance with this Clause 5.
    2. Processor shall give Controller prior written notice of the appointment of any Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. Processor shall not appoint (nor disclose any Controller Personal Data to) the proposed Subprocessor except with the prior written consent of Controller.
    3. With respect to each proposed Subprocessor, Processor shall:
      1. before the Subprocessor first Processes Controller Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data;
      2. ensure that the arrangement between Processor and Subprocessor is governed by a written contract including (i) terms which offer at least the same level of protection for Controller Personal Data as those set out in this Agreement and (ii) terms which meet the requirements of Article 28(3) of the UK GDPR;
      3. provide to Controller, for review, such copies of the agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as Controller may request from time to time; and
      4. ensure the Subprocessor’s contract terminates automatically on termination of this Agreement for any reason.
  6. DATA SUBJECT RIGHTS
    1. The Processor must, at no additional cost to the Controller, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Controller as the Controller may reasonably require, to enable the Controller to comply with:
      1. the rights of Data Subjects under the Data Protection Laws, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, to object to the processing and automated processing of personal data, and to restrict the processing of personal data; and
      2. information or assessment notices served on the Controller by the Commissioner or other relevant regulator under the Data Protection Laws.
    2. The Processor must notify the Controller immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Laws.
    3. The Processor must notify the Controller within 10 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws.
    4. The Processor will give the Controller, at no additional cost to the Controller, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
    5. The Processor must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Controller’s written instructions, or as required by domestic or EU law.
  7. PERSONAL DATA BREACH
    1. The Processor shall:
      1. notify Controller without undue delay and in any event no later than 48 hours after becoming aware of a Personal Data Breach affecting Controller Personal Data (“Controller Data Breach”);
      2. provide Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of a Controller Data Breach under or in connection with the Data Protection Laws;
      3. meaningfully consult with Controller in respect of the external communications and public relations strategy related to a Controller Data Breach;
      4. subject to Applicable Law, not notify any Supervisory Authorities or other data protection regulator of a Controller Data Breach without having obtained prior written approval from Controller; and
      5. not issue a press release or communicate with any member of the press in respect of a Controller Data Breach without having obtained prior written approval from Controller.
    2. The notification set out in Clause 7.1.1 above shall, as a minimum:
      1. describe the nature of the Controller Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
      2. communicate the name and contact details of Processor’s data protection officer or other relevant contact from whom more information may be obtained;
      3. describe the likely consequences of the Controller Data Breach; and
      4. describe the measures taken or proposed to be taken to address the Controller Data Breach.
    3. The Processor shall co-operate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each Controller Data Breach.
    4. The Processor agrees that the Controller has the sole right to determine:
      1. whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice; and
      2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
  8. DATA PROTECTION IMPACT ASSESSMENT