Data Processing Addendum

 

Last updated: March 25, 2024

 

 

This Data Processing Addendum (the “DPA”) supplements and forms part of the TagPoint Software-as-a-Service Agreement (the “Agreement”) between:

 

Nuzzl Ltd., registered address: SWWS Belliver Way, Roborough, Plymouth Devon, PL6 7BP, UK, (the “Provider”), and

the entity that uses TagPoint and related services under the terms of the Agreement (the “Customer”),

collectively referred to as "Parties", and separately as a "Party".

 

The Provider and the Customer have agreed on the terms of this DPA in order to meet the requirements of the GDPR and to ensure the protection of the rights of data subjects. 

 

This DPA shall be effective as of the Effective Date of the Agreement and replaces and supersedes any data processing agreement entered into by the Parties prior to such date.

 

This Data Processing Agreement consists of:

  • The main body of the Data Processing Agreement

  • Annex A: Details of Processing

  • Annex B: List of Sub-processors

 

 

1.    Main Definitions

Terms used in this DPA shall have the meanings defined below. Terms that are not defined in this DPA shall have the meanings given in the Agreement.

 

1.1.            TagPoint means the Software-as-a-Service (SaaS) platform for facility management and service request management.

1.2.            Customer Account Data means data associated with an account or instance within TagPoint, including administrator and user accounts, which enables a Permitted User to access and use the Services.

1.3.            Customer Content Data means all data, content, messages, or files and information (including Personal Information) owned, held, used or created by or on behalf of the Customer that is stored on, or uploaded to, or generated by the Services (excluding analytics data relating to the use of the Services and server log files).

1.4.            Customer Personal Data means Customer Content Data that constitutes personal data, processed by the Provider on behalf of the Customer for the purposes of providing the Services to the Customer.

1.5.            Data Subject Request means the request of a Data Subject to exercise rights under the GDPR.

1.6.            The terms “data controller”, “data processor”, “data subject”, “personal data” and “processing” shall have the meanings given in the GDPR.

1.7.            External Users means those users who use TagPoint to send service requests to the Customer and who are not Customer’s Permitted Users.

1.8.            GDPR means the United Kingdom General Data Protection Regulation (UK GDPR).

1.9.            Permitted Users means those personnel of the Customer who are team members and are authorized to access and use the Services on the Customer’s behalf.

1.10.            Related Services means any service related to TagPoint that the Provider agrees to provide to the Customer under the Agreement.

1.11.            Services means TagPoint and any Related Services.

1.12.            Sub-processor means any data processor engaged by the Provider to process Customer Personal Data for the purposes of providing the Services to the Customer.

 

2.            Customer Instructions

2.1.            The Customer appoints the Provider as a processor to process Customer Personal Data on behalf of, and in accordance with the Customer’s instructions as set forth in this DPA.

2.2.            The Customer instructs the Provider to process Customer Personal Data to provide the Services as authorized by the Agreement. The Agreement and Customer’s use of the Services are the complete expression of such instructions.

2.3.            The Parties acknowledge that the Customer is the data controller, and the Provider is the data processor of Customer Personal Data.

2.4.            The personal data that is processed under the terms of the Agreement is specified in Annex A of this DPA.

 

3.            Customer’s Responsibilities

3.1.            The Customer is solely responsible for its use of the Services, including (i) making appropriate use of the Services to maintain a level of security appropriate to the risk posed to Customer Content Data; (ii) securing the account authentication credentials, systems and devices Customer or end users use to access the Services.

3.2.            The Customer warrants that it complies and shall continue to comply with its obligations as a data controller under the GDPR in obtaining and processing Customer Personal Data, in particular that it has fairly and lawfully obtained Customer Personal Data, any permissions or consents from its Permitted Users and External Users, so as to enable the Provider to provide the Services:

  • the Customer has obtained all necessary consents and rights necessary to collect and process Customer Personal Data, to transfer Customer Personal Data to third parties, including counterparties;

  • the Customer has obtained all necessary consents and rights necessary to transfer Customer Personal Data outside of the UK and European Economic Area, including to jurisdictions other than the Customer’s registration or place of operation.

3.3.            The Provider encourages the Customer to instruct its Permitted Users to avoid or limit the inclusion of personal data when adding and uploading texts, documents, images and videos into the Service.

 

4.            Provider’s Responsibilities

4.1.            The Provider warrants that it complies and shall continue to comply with its obligations as a data processor under the GDPR and is authorized to process Customer Personal Data to provide the Services to the Customer.

4.2.            The Provider shall process Customer Personal Data only in accordance with the Customer's instructions in order to provide the Services to the Customer. Notwithstanding the foregoing, the Provider may process Customer Personal Data as required under applicable law.

4.3.            Taking into account the nature of processing and the information available to the Provider, the Provider shall assist the Customer with its obligations under Articles 32 to 36 of the GDPR.

4.4.            At the Customer’s cost, the Provider shall allow the Customer, on prior written notice, to conduct audits during business hours, throughout the term of the Agreement and provide reasonable assistance to the Customer in exercising its audit rights under this clause 4.4 for the purpose of demonstrating compliance with Article 28(3)(h) of the GDPR.

 

5.            Data Subject Requests

5.1.            The Customer is solely responsible for responding to Data Subject Requests.

5.2.            The Provider shall assist with the Customer's obligation to respond to requests from data subjects of Customer Personal Data seeking to exercise their rights under the GDPR.

5.3.            The Provider shall promptly forward to the Customer any Data Subject Request that the Provider receives and the Provider shall not be obligated to respond to any Data Subject Request, but may instruct the Data Subject to submit the request to the Customer.

 

6.            Security

6.1.            The Parties have implemented and shall continue to implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

6.2.            The Provider shall ensure that the security measures are of a reasonable level, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6.3.            The Provider shall take suitable measures to ensure that only persons who are entrusted with the performance of the Services have access to Customer Personal Data and ensure that the persons who access Customer Personal Data are carefully selected, adequately informed with regard to data protection regulations and are subject to a binding obligation of confidentiality in respect of such personal data.

6.4.            The Customer acknowledges that the security measures are subject to technical progress and development and that the Provider may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

6.5.            The Provider shall, to the best of its ability and without undue delay after becoming aware of such circumstances, inform the Customer in writing about:

  • any request of an authority for disclosure of personal data, shared and transferred under this DPA;

  • any suspicion or observation of (a) security breaches leading to unauthorized or unlawful destruction, access, use, disclosure, copying, modification and destruction of personal data shared and transferred under this DPA, or (b) any other non-compliance with the requirements of the GDPR.

 

7.            Sub-processors

7.1.            The Customer generally authorizes the Provider to engage sub-processors to process Customer Personal Data in order to provide the Services.

7.2.            A list of the Provider’s Sub-processors as of the date of this DPA is provided in Annex B, and may be updated from time to time.

7.3.            To the extent applicable to the nature of the services a Sub-processor provides, the Provider shall ensure that its sub-processors are capable of providing the level of protection for Customer Personal Data required by the agreement(s) between the Provider and the Customer and this DPA and meet the requirements of Article 28(3) of the GDPR.

7.4.            The Provider shall provide the Customer with reasonable prior notice if it intends to engage a new Sub-processor. Legitimate objections must contain reasonable and documented grounds relating to a sub-processor's non-compliance with applicable data protection legislation. In such event, the Parties shall discuss such concerns in good faith with a view to achieving resolution and if this is not possible, the Customer may suspend or terminate its use of the Services which cannot be provided by the Provider without the use of the objected-to sub-processor by providing written notice to the Provider.

 

 

8.            Transfers of Personal Data

8.1.            Nuzzl Ltd. is located in the UK, and the EU Commission has recognized the UK GDPR as providing adequate protection. This means that data can flow freely from the EU to the UK in the majority of cases and there is no need for other safeguards.

8.2.            The Parties acknowledge that the Customer is the Data Exporter and that the Provider is a Data Importer. The Parties shall take all steps necessary to provide suitable safeguards to protect the personal data during the international data transfers.

8.3.            The processing of personal data will include transfer of personal data to a third country outside of the UK and the EEA, as the Provider’s Sub-processors operate from multiple locations. Such transfer is accepted by the Customer.

8.4.            Where necessary, Nuzzl Ltd. has entered into standard European Commission (for transfers from the EEA) or UK (for transfers from the UK) approved form model data protection clauses (“Standard Contractual Clauses”, International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers) with third parties, to provide the Services required.

 

9.            Duration and Termination

9.1.            Regardless of the period of the Agreement, this DPA remains in force as long as the processing of personal data is required to perform obligations under the Agreement.

9.2.            At the request of the Customer and/or by termination or expiration of the Agreement, the Provider shall delete or return to the Customer all Customer Personal Data in its possession unless otherwise provided by applicable data protection regulation or other applicable law.

 

10.            Miscellaneous

10.1.            In the event of any conflict or inconsistency between the provisions of the Agreement and the provisions contained in this DPA, this DPA shall prevail. Except for the provisions specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect.

 

 

Annex A: Details of Processing

 

Customer Personal Data shall include the categories of personal data specified below.

 

Nature and Purpose of the Processing

The Provider provides the Customer with the TagPoint SaaS platform, which companies can use to automate their facility management tasks, process incoming service and support requests, and coordinate their teams, on the terms outlined in the Agreement. The Provider will process personal data as necessary to provide the Services as described in the Agreement.

 

Categories of Data Subjects

Customer’s end users, including Permitted Users and External Users.

 

Categories of Personal Data

Customer Personal Data, including contact details, content, messages, or files and other categories of personal data that users choose to store on, or upload to, or generate with the Services.

 

Special categories of personal data

Sensitive data, data relating to criminal convictions and offenses, data regarding children, or other personal data requiring additional restrictions must not be processed.

 

Frequency of transfer

Continuous

 

Access to personal data

To provide the Services as described in the Agreement, access to personal data is provided to:

  • Permitted Users of the Customer

  • Authorized personnel of the Provider who are engaged in development, maintenance, support, legal, sales and marketing operations

  • Sub-processors in order to fulfill a contractual obligation to the Provider

 

Duration of Processing

Concurrent with the term of the Agreement and thereafter pursuant to Section 9 of the DPA.

 

Transfers to Sub-processors

As described in Annex B (as may be updated from time to time in accordance with the DPA) for the purposes described therein.

 

 

Annex B: List of Sub-processors

 

The Customer generally authorizes the Provider to engage the following Sub-processors for the purposes described below.

 

| Third party name | Description of services | Data provided | Place of processing |
|---|---|---|---|
| Amazon Glacier (Amazon Europe) (Amazon Web Services Inc.) | Backup saving and management | Different types of data as specified in the privacy policy of the service | Luxembourg – Privacy Policy |
| Amazon Web Services (AWS) (Amazon Web Services, Inc.) | Hosting and backend infrastructure | Different types of data as specified in the privacy policy of the service | United Kingdom – Privacy Policy |
| Apple App Store (Apple Inc.) | Platform services and hosting to distribute TagPoint on Apple's App Store | Usage data | United States – Privacy Policy. More information on how to manage analysis settings can be found on this page |
| Google Play Store (Google Ireland Limited) | Platform services and hosting to distribute TagPoint on the Google Play Store | Usage data | Ireland – Privacy Policy. More information on how to manage analysis settings can be found on this page |
| Metabase, Inc. | Analytics solution to generate custom dashboards in Customer Accounts (activated optionally) | Different types of data as specified in the privacy policy of the service | USA – Privacy Policy |
| SendGrid (Twilio Ireland Limited) | Email automation services to send email notifications and marketing newsletters | Different types of data as specified in the privacy policy of the service | Ireland – Privacy Policy |
| Duklas ApS | Reseller of TagPoint and Related Services | Different types of data of Reseller’s Customers as specified in this Privacy Policy | Denmark – Privacy Policy |

 

 

Acceptance of this DPA

 

This DPA is accepted by the Customer when entering into the SaaS Agreement.

 

CUSTOMER / DATA EXPORTER DETAILS

Name: As provided in the Agreement or applicable Customer Account.

Contact details for data protection: As provided in the Agreement or applicable Customer Account.

Customer Activities: As described on Customer’s website or applicable Customer Account.

Role: data controller

 

PROVIDER / DATA IMPORTER DETAILS

Name: Chris Mason, director of Nuzzl Ltd.

Contact details for data protection: SWWS Belliver Way, Roborough, Plymouth Devon, PL6 7BP, UK; email privacy@tagpoint.co.uk

Provider’s Activities: Nuzzl Ltd. develops and provides TagPoint, the Software-as-a-Service (SaaS) platform for facility management and service request management.

Role: data processor