Data Processing Notice

This Elemental Data Processing Agreement reflects the agreement between Elemental and its customers with respect to the terms governing the Processing of Personal Data under the Elemental Terms of Service (“Terms of Service”) and is designed to meet the obligations contained in Article 28(3) of the UK GDPR.

Agreed Terms

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

Definitions:

  • Business Purposes: the services to be provided by the Provider to the Customer as described in the Terms of Service.
  • Commissioner: the Information Commissioner (see Article 4(A3) UK GDPR and section 114 DPA 2018).
  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing: have the meanings given to them in the Data Protection Legislation.
  • Controller: has the meaning given to it in section 6 DPA 2018.
  • Customer: any person to which the Provider provides services under the Terms of Service.
  • Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
  • Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
  • EEA: the European Economic Area.
  • Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of or in connection with the provision of the services under the Terms of Service; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
  • Processing: any activity that involves the use of the Personal Data. It includes but is not limited to any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.
  • Provider: Elemental Cosec Limited, incorporated and registered in England and Wales with company number 07707780, whose registered office is at 27 Old Gloucester Street, London WC1N 3AX.
  • Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to the Personal Data.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
  • Records: has the meaning given to it in Clause 12.
  • Term: this Agreement’s term as defined in Clause 10.
  • UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

This Agreement is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Agreement.

The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

A reference to writing or written includes faxes but not email.

In the case of conflict or ambiguity between:

  • any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
  • the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
  • any of the provisions of this Agreement and the provisions of the Terms of Service, the provisions of this Agreement will prevail.

2. Personal data types and processing purposes

The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

  • the Customer is the Controller and the Provider is the Processor.
  • the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.

ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.

3. Provider’s obligations

The Provider will only process the Personal Data to the extent and in such a manner as is necessary for the Business Purposes in accordance with the Customer’s written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if in its opinion the Customer’s instructions do not comply with the Data Protection Legislation.

The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

The Provider will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

The Provider must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider’s performance of the Terms of Service or this Agreement.

4. Provider’s employees

The Provider will ensure that all its employees:

  • are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data; and
  • are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

5. Security

The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data, including but not limited to the security measures set out in ANNEX B.

The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

6. Personal data breach

The Provider will without undue delay notify the Customer in writing if it becomes aware of:

  • (a) the loss, unintended destruction or damage, corruption or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible;
  • (b) any accidental, unauthorised or unlawful processing of the Personal Data; or
  • (c) any Personal Data Breach.

Where the Provider becomes aware of (a), (b) and/or (c) above, it will without undue delay also provide the Customer with the following written information:

  • a description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned;
  • the likely consequences; and
  • a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer, at no additional cost to the Customer, in the Customer’s handling of the matter, including but not limited to:

  • assisting with any investigation;
  • providing the Customer with physical access to any facilities and operations affected;
  • facilitating interviews with the Provider’s employees, former employees and others involved in the matter, including but not limited to its officers and directors;
  • making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
  • taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic law.

The Provider agrees that the Customer has the sole right to determine:

  • whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
  • whether to offer any type of remedy to affected Data Subjects including the nature and extent of such remedy.

The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3, unless the matter arose from the Customer’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.

7. Cross-border transfers of personal data

The Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or the EEA without obtaining the Customer’s prior written consent.

8. Subcontractors

The Provider may only authorise a third-party (subcontractor) to process the Personal Data if:

  • the Customer is provided with an opportunity to object to the appointment of each subcontractor within 10 working days after the Provider supplies the Customer with full details in writing regarding such subcontractor;
  • the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular in relation to requiring appropriate technical and organisational data security measures, and upon the Customer’s written request provides the Customer with copies of the relevant excerpts from such contracts;
  • the Provider maintains control over all the Personal Data it entrusts to the subcontractor; and
  • the subcontractor’s contract terminates automatically on termination of this Agreement for any reason.

Those subcontractors approved as at the commencement of this Agreement are as set out in ANNEX A.

Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this Agreement the Provider remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.

The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors.

9. Complaints, data subject requests and third-party rights

The Provider must take such technical and organisational measures as may be appropriate and promptly provide such information to the Customer as the Customer may reasonably require to enable the Customer to comply with:

  • the rights of Data Subjects under the Data Protection Legislation, including but not limited to subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
  • information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.

The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

The Provider must notify the Customer within 14 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer’s written instructions or as required by domestic law.

10. Term and termination

This Agreement will remain in full force and effect so long as:

  • the Terms of Service remain in effect; or
  • the Provider retains any of the Personal Data related to the Terms of Service in its possession or control (Term).

Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Terms of Service in order to protect the Personal Data will remain in full force and effect.

If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Terms of Service the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation either party may terminate the services with immediate effect on written notice to the other party.

11. Data return and destruction

At the Customer’s request the Provider will give the Customer or a third-party nominated in writing by the Customer a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

On termination of the services for any reason or expiry of its term, the Provider will securely delete or destroy, or if directed in writing by the Customer return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.

If any law, regulation or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain and the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

12. Records

The Provider will keep written records regarding any processing of the Personal Data, including but not limited to the access control and security of the Personal Data, the processing purposes, categories of processing and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).

The Provider will update the information listed in the Annexes to this Agreement when required to reflect current practices.

13. Audit

The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its Agreement obligations on at least 90 days’ notice during the Term. The costs of any audit will be borne by the Customer. The Provider will give the Customer and its third-party representatives all reasonably necessary assistance to conduct such audits.

The notice requirements in Clause 13.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring or the Provider is in material breach of any of its obligations under this Agreement or any of the Data Protection Legislation.

If a Personal Data Breach occurs or is occurring or the Provider becomes aware of a breach of any of its obligations under this Agreement or any of the Data Protection Legislation the Provider will:

  • conduct its own audit to determine the cause;
  • produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
  • provide the Customer with a copy of the written audit report; and
  • remedy any deficiencies identified by the audit.

ANNEX A: Personal Data processing purposes and details

Subject matter of processing:

The provision of services as set out in the Terms of Service.

Duration of Processing:

For the duration of the provision of the services as set out in the Terms of Service and up to six years following the termination of the services unless a longer period is mandated by Data Protection Legislation.

Nature of Processing:

Collection; recording; organisation; structuring; storage; adaptation; alteration; retrieval; consultation; use; disclosure (by transmission, dissemination or otherwise making available); alignment; combination; restriction; erasure; destruction.

Personal Data Categories:

  • Identity Data, including first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data, including billing address, email address and telephone numbers.
  • Financial Data, including bank account and payment card details.
  • Transaction Data, including details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Usage Data, including information about how you use our website, products and services.
  • Marketing and Communications Data, including your preferences in receiving marketing from us and our third parties and your communication preferences.

Data Subject Types:

  • Staff and officers of Customer (current/former/potential);
  • Customers (current/former/potential);
  • Contractors;
  • Vendors;
  • Business contacts;
  • Complainants/correspondents/enquirers;
  • Shareholders/investors/partners;
  • Members/supporters;
  • Website users;
  • Other third parties.

Approved Subcontractors

  • Adobe Sign provided by Adobe Systems Software Ireland Limited
  • British Monomarks Limited
  • Chaser Technologies Limited
  • Dext Software Limited
  • Diligent Entities provided by Diligent Boardbooks Limited
  • Iris Software Group Limited
  • IT4Business Solutions Limited (trading as Cloud10)
  • Microsoft Corporation
  • OnBoard provided by Passageways Inc.
  • Rabbitsoft Ltd (trading as Clinked)
  • Staffology Limited
  • Trust ID Limited
  • Xero Limited

Annex B: Security measures

Systems Setup and Management

  • All IT systems are configured and managed in compliance with Cyber Essentials Plus certification standards.

System Access Controls

  • Multi-Factor Authentication (MFA): Two-factor authentication is mandatory.
  • Password Security: Enforced strong password policies including minimum length requirements and mandatory use of alphanumeric characters and symbols.
  • Centralized Access Management: System access is centrally controlled to ensure consistency and security.
  • Automated Session Management: Automated screen locks and session timeouts are enforced after periods of inactivity to prevent unauthorized access.
  • Account Lockout Mechanisms: Accounts are locked automatically after a predetermined number of unsuccessful login attempts.

Data Integrity Controls

  • Antivirus and Malware Protection: Antivirus and malware protection are centrally managed to ensure up-to-date and comprehensive coverage.
  • Endpoint Security: Endpoint firewalls are deployed to protect all devices.
  • Policy and Update Management: Security policies and software updates are centrally managed and enforced.
  • Device Encryption: Devices are encrypted with recovery keys managed centrally to prevent unauthorized access.
  • Email Security: Cloud-based email filtering and quarantine including Zero-Hour Auto Purge (ZAP) are in place to mitigate email-based threats.
  • Audit Trails: Detailed logging and audit trails are maintained for critical data activities.

Data Access Controls

  • Administrator Access Control: User administrator access is disabled to limit the risk of unauthorized changes.
  • Security Group Permissions: Permissions are assigned based on security groups to ensure that users only have access to necessary data.

Transmission Controls

  • Data Encryption: Data is encrypted during transmission and while at rest to protect against unauthorized access.

Input Controls

  • Malware Scanning: Uploaded data is automatically scanned for viruses and malware.
  • Automated Session Management: Automated screen locks and session timeouts are enforced after periods of inactivity to prevent unauthorized data entry.

Data Backups

  • Cloud-Based Backups: Reliance on cloud service providers’ inherent backup and resiliency mechanisms.
  • Retention Policies: Data retention policies are enforced in accordance with regulatory and business requirements.
  • Data Loss Prevention: Data loss prevention (DLP) policies are implemented to safeguard sensitive information.
  • Cloud Storage: Data is stored within cloud services and not on individual user devices.

Data Segregation

  • Identity and Access Management (IAM): Access to data is controlled through IAM protocols.
  • Security Group-Based Access: Data is segregated by location using security group-based access controls.
  • Cloud Storage: Data is stored in cloud services ensuring segregation and security.

Configuration Control

  • Configuration standards: Configuration standards are developed, documented, implemented and updated for IT assets.
  • Information Security: Information security requirements are incorporated into the configuration standards for assets.
  • Logs: System and user activity logs are enabled.