Introduction
This data processing agreement (“DPA”), including the annex below, is part of our Terms of Use and Sale for Businesses and applies only to the extent stated within them (see the Privacy and data use section).
Definitions
Words or expressions defined in “quotation marks” have the same meanings each time they are used in this DPA. Unless we say otherwise below, any words or expressions that are defined in the Terms of Use and Sale for Businesses have the same meanings when used in this DPA too.
- “Applicable Data Protection Law” means all laws and regulations applicable to Esagio’s processing of Relevant Data under the Terms of Use and Sale for Businesses, including the GDPR and any legislation and/or regulations implementing, or made under or pursuant to the GDPR, such as the UK GDPR or the UK Data Protection Act 2018.
- “Personal Data”, “Special Categories of Personal Data”, “Controller” and “Processor” have the meanings given in the GDPR.
- “Relevant Data” means personal data as described in the annex below.
- “Esagio”, “we”, “us” or “our” means Esagio, London.
Relationship between you and Esagio
- To the extent that Esagio delivers review invitation services to you and you are a Controller of the Relevant Data under GDPR, then you (the Controller) appoint Esagio as a Processor to process that Relevant Data.
- This DPA will apply to you and us for as long as our Terms of Use and Sale for Businesses apply to you, or for as long as we process Relevant Data on your behalf – whichever is longer.
Instructions
- You instruct Esagio to process the Relevant Data in accordance with this DPA and only for the purpose described in the annex below (or as otherwise may be agreed between you and Esagio in writing) (the “Purpose”). Esagio may not process the Relevant Data for any other purpose, unless it is required to under EU law, EU member state law or UK law. In that case, Esagio will write to you about why it needs to process the Relevant Data, unless it is restricted by law from informing you.
- If Esagio believes that an instruction given by you violates the Applicable Data Protection Law, Esagio will let you know immediately.
- Esagio is not currently aware of being subject to legislation that would prevent it from fulfilling the DPA, but it will let you know without undue delay if that changes or is expected to change.
Transfers of Relevant Data
- Esagio will not transfer Relevant Data outside of the European Economic Area and the UK unless it has taken necessary measures to ensure that the transfer complies with the Applicable Data Protection Law. These measures may include transferring the Relevant Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
Prohibited data
- You agree that you won’t disclose to Esagio for processing any Personal Data for which you do not have the rights, permissions or consents required under Applicable Data Protection Law to enable Esagio to lawfully process it.
Confidentiality
- Esagio will ensure that any person that it authorises to process the Relevant Data will keep the Relevant Data confidential under a statutory obligation of confidentiality or other commitment.
Security practices
- Esagio currently implements the technical and organisational measures described in our white paper on security practices for Esagio review invitation services.
- Esagio may change these measures from time to time, but will always maintain appropriate technical and organisational measures that ensure a level of security appropriate to the risk and protect the Relevant Data from being:
  - accidentally or unlawfully destroyed, lost or altered;
  - disclosed or made available without authorisation; or
  - otherwise processed in violation of the Applicable Data Protection Law.
- Esagio will also comply with any other applicable data security requirements that are directly imposed on it, including the data security requirements of the country in which Esagio is established and where the data processing will be performed.
- The appropriateness of the technical and organisational security measures will be based on:
  - the current state of the art;
  - the cost of their implementation; and
  - the nature, scope, context and purposes of processing, as well as the likelihood of risks and the impact on the data protection rights and freedoms of data subjects.
- On your request, Esagio will provide you with sufficient information to enable you to check that Esagio is complying with its obligations under the DPA, including that it has implemented the technical and organisational security measures described above.
Audit
- You may at your own cost appoint an independent expert who (so long as the expert isn’t a competitor of Esagio) will be given access to Esagio’s premises and the information necessary to audit whether Esagio complies with its obligations under the DPA – including whether the appropriate technical and organisational security measures have been implemented.
- You’ll need to let us know at least 14 days before you want your expert to have access. And, before we give them access, they’ll need to enter a customary non-disclosure agreement with Esagio that ensures that they treat all information they obtain or receive from Esagio and/or its affiliates confidentially – and may only share that information with you.
- Any findings or reports created on the basis of the expert’s inspection and audit must be shared with Esagio and will be treated as confidential information.
Requests from authorities
- Esagio will give authorities which have a right under EU law, EU member state law or UK law to enter your suppliers’ facilities access to Esagio’s physical facilities, provided that their representatives can show proper proof of identity.
- Esagio must, without undue delay after becoming aware of the facts, notify you in writing about any request from an authority for disclosure of the Relevant Data, unless Esagio is expressly prohibited from informing you under EU law, EU member state law or UK law.
Security incidents
- Esagio shall, without undue delay after becoming aware of the facts, inform you in writing about any suspicion or finding of:
  - a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Relevant Data transmitted, stored or otherwise processed by Esagio; and
  - any other material failure to comply with Esagio’s obligations under sections 10 and 11 of this DPA.
Cooperation and data subjects’ rights
- Esagio will promptly assist you with the handling of any requests from data subjects under Chapter III of the GDPR and, where commercially practicable, under any other Applicable Data Protection Law, including requests for access, rectification, blocking or deletion, which relate to our processing of the Relevant Data.
- If Esagio receives such a request, Esagio will not respond to it other than to inform the requesting data subject:
  - whether a review invitation email has been sent to the data subject on your behalf; and
  - that he/she should submit his/her request to you, given that you will be responsible for responding to these requests.
- Esagio will assist you with meeting the other obligations that may be imposed on you under EU law, EU member state law or UK law related to data processing where our assistance is necessary for you to comply with your obligations. This includes providing reasonable cooperation to you in connection with any data protection impact assessment that may be required in accordance with articles 35 and 36 of the GDPR.
- Esagio will also provide information related to the provision of the services to authorities or your external advisors and auditors if this is necessary for the performance of their duties in accordance with EU law, EU member state law or laws in the UK.
- In the annex below, Esagio has stated the servers, offices etc. used to provide the services under the Terms of Use and Sale for Businesses. You may request information about the servers and offices used by Esagio in connection with these services, and Esagio will respond within 30 days.
Sub-processors
- Esagio may engage third-party sub-processors to process the Relevant Data for the Purpose, provided that Esagio imposes data protection obligations on each sub-processor that require it to protect the Relevant Data to at least the same standard imposed on Esagio in this DPA. Esagio lists its current sub-processors here. If Esagio intends to add a new sub-processor, Esagio will inform you in advance about any such addition.
- You can object to any additional or replacement sub-processor before it is appointed, provided that your objection is based on objective and reasonable grounds relating to data protection. If Esagio chooses not to suggest an alternative sub-processor, or if you object to all of Esagio’s alternative sub-processors, you may terminate your subscription (if any) by giving us 14 days’ notice. See section 37 of the Terms of Use and Sale for Businesses if you want those terms (including this DPA) to be terminated immediately.
- On your request, we will give you a copy of the data protection obligations in Esagio’s agreement with the sub-processor.
- Esagio will be liable for any breach of this DPA that is caused by an act, error or omission of one or more of its sub-processors.
Deletion or return of Relevant Data
- Esagio will retain the Relevant Data for the following periods:
  - 30 days for all BCC emails; and
  - 3 years for all other Relevant Data.
- After these periods have ended, or on your earlier request, Esagio will immediately return or delete (including anonymise) the Relevant Data in a manner and form decided by Esagio, acting reasonably. This won’t apply to the extent that Esagio is required by applicable law to retain some or all of the Relevant Data.
Data Protection Officer
You can reach our data protection officer by sending an email to: privacy@Esagio.com
ANNEX
Purpose
- Providing you with one or more of our review invitation services, as defined in the Terms of Use and Sale for Businesses (when you send (or we send on your behalf) invitations to your consumers asking them to write a review on our platform about your services and/or your products).
Categories of data subjects
Categories of Personal Data
- Name
- Email address
- Reference number, such as an order ID or similar
- Any other Personal Data included in the order confirmation messages that you send to your consumers who make purchases from you.
Special Categories of Personal Data
Esagio does not intentionally collect or process any Special Categories of Personal Data, as it is not needed for the purposes of providing you with the review invitation services. However, Special Categories of Personal Data may be processed if you choose to include this data within the order confirmation messages that you send to your consumers who make purchases from you and the type of review invitation service used involves Esagio being copied on such messages.
Processing locations