Data Processing Terms

Between “You” as the Client of RealtimeCRM (“Controller”) and Cambridge Kinetics Ltd (“Processor”)

Controller and Processor may be referred to as a “party” and collectively as “parties”.

This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions or other written or electronic agreement between Cambridge Kinetics Ltd and the Customer for the purchase of online services (including “RealtimeCRM”) from Cambridge Kinetics Ltd (identified either as “Services” or “Service” otherwise in the applicable agreement, and hereinafter defined as “Services”). This “DPA” reflects the parties’ agreement with regard to the Processing of Personal Data.

BACKGROUND

**(A)**​ The Controller processes Personal Data in connection with its business activities;

(B) The Processor processes Personal Data on behalf of other businesses and organisations;

(C) The Controller wishes to engage the services of the Processor to process personal data on its behalf;

THE PARTIES HEREBY MUTUALLY AGREE AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

1.1 ​In this Agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:

**“Data Protection Directive”**​ shall mean Directive 95/46/EC of the European Parliament and Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

**“Data Subject”**​ shall mean an individual who is the subject of personal data.

**“national law”**​ shall mean the law of the Member State in which the Processor is established;

**“personal data”**​ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic cultural or social identity;

**“processing of personal data”**​ shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

**“Effective​ ​Date”**​ means the date upon which this Agreement is accepted by the Client;

**“subprocessor”**​ and **“subprocessing”**​ shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and “Sub Processor” shall mean the party to whom the obligations are subcontracted; and

**“Technical and organisational security measures”**​ shall mean measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosure or access and against all other unlawful forms of processing.

2. CONSIDERATION

2.1 ​In consideration of the Controller engaging the services of Cambridge Kinetics Ltd to process personal data on its behalf Cambridge Kinetics Ltd shall comply with the security, confidentiality and other obligations imposed on it under this Agreement.

3. SECURITY OBLIGATIONS OF Cambridge Kinetics LTD

3.1 “Cambridge Kinetics Ltd” shall only carry out those actions in respect of the personal data processed on behalf of the Controller as are expressly authorised by the Controller.

3.2 Cambridge Kinetics Ltd shall take such Technical and Organisational Security Measures as are required under its own national law to protect personal data processed by “Cambridge Kinetics Ltd” on behalf of the Controller against unlawful forms of processing. Such Technical and Organisational measures shall include, as a minimum standard of protection, compliance with the legal and practical security requirements set out in Appendix 1 of this Agreement.

4. CONFIDENTIALITY

4.1 ​**“Cambridge Kinetics Ltd”** agrees that it shall maintain the personal data processed by **“Cambridge Kinetics Ltd”** on behalf of the Controller in confidence. In particular, **“Cambridge Kinetics Ltd”** agrees that, save with the prior written consent of the Controller, it shall not disclose any personal data supplied to **“Cambridge Kinetics Ltd”** by, for, or on behalf of, the Controller to any third party.

4.2 “Cambridge Kinetics Ltd” shall not make any use of any personal data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.

4.3 Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.

5. Cambridge Kinetics LTD OBLIGATIONS

5.1 ​Personal data to which “Cambridge Kinetics Ltd” may receive access concern the following data subjects (**“Data Subjects”**​):

6. Data Processing

6.1 The data processing activities will generally include the following categories of personal data **“Personal Data”**​:

Cambridge Kinetics Ltd will not have any knowledge or control over the categories or identities of the Data Subjects whose Personal Data the Controller may elect to record or upload into the Service.

6.2 ​Cambridge Kinetics Ltd will not collect, process or use any Personal Data made available to it for any purposes other than for the performance of the Services. Copies or duplicates of any Personal Data made available hereunder may only be compiled with the approval of the Controller.

6.3 Cambridge Kinetics Ltd will notify Controller without undue delay if Cambridge Kinetics Ltd is of the opinion that a written instruction received from Controller is in violation of applicable data protection law and/or in violation of contractual duties under this DPA.

6.4 ​Cambridge Kinetics Ltd will notify Controller without undue delay if Cambridge Kinetics Ltd becomes aware that Cambridge Kinetics Ltd’s employees have violated any data protection law, or the provisions of the Agreement if the violation occurs in the course of the processing of the data by Cambridge Kinetics Ltd. Furthermore, if Cambridge Kinetics Ltd is of the opinion that Personal Data have been or might have been illegally transferred or otherwise illegally disclosed to or accessed by a third party, Cambridge Kinetics Ltd will notify Controller thereof without undue delay. In case of any loss of, or unauthorized access to Personal Data stored on the Service, Cambridge Kinetics Ltd will inform Controller without undue delay, and assist Controller in fulfilling its statutory obligations under applicable data protection laws.

6.5 Cambridge Kinetics Ltd will use reasonable efforts to fully cooperate and to comply with any instructions, guidelines and orders received from the relevant supervisory authority when such instructions, guidelines or orders pertain to the Personal Data.

7. Obligations of Controller

7.1 ​Controller will be responsible for the evaluation of the admissibility of the data processing and for ensuring the rights of the data subjects concerned.

7.2 ​Controller will be entitled to issue written instructions regarding the scope and the procedure of the data processing.

8. Data Subject Rights and Requests

8.1 ​To the extent permitted by law, Cambridge Kinetics Ltd will inform Controller of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Cambridge Kinetics Limited regarding Controller Personal Data. Controller shall be responsible to respond to such requests of Data Subjects. Cambridge Kinetics Ltd will reasonably assist Controller in responding to such Data Subject requests.

8.2 ​If a Data Subject brings a claim directly against Cambridge Kinetics Ltd for a violation of the Data Subject rights, Controller will indemnify Cambridge Kinetics Ltd for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that Cambridge Kinetics Limited notified Controller about the claim and given Controller the opportunity to cooperate with Cambridge Kinetics Ltd in the defence and settlement of the claim.

9. AUDIT

9.1 ​Cambridge Kinetics Ltd shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller of Cambridge Kinetics Limited processing Controller personal data in accordance with the following procedures:

9.2 Each party will bear its own costs in respect of paragraphs 9.1.1 and 9.1.2 of Section 9.

10. Subprocessors

10.1 Cambridge Kinetics Ltd currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Cambridge Kinetics Ltd performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.

10.2 Cambridge Kinetics Ltd may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:

Integrations

The Controller has access to the following Subprocessors whom they may enable via the Integrations page in RealtimeCRM:

10.3 ​As Cambridge Kinetics Ltd’s business grows and evolves, the Subprocessors Cambridge Kinetics Ltd engages may also change. Cambridge Kinetics Ltd will endeavor to provide the Controller with notice of any new Subprocessors to the extent required under the Agreement.

11. Term and Termination

This Agreement commences on the Effective Date. This Agreement shall continue in full force and effect for so long as Cambridge Kinetics Ltd is processing personal data on behalf of the Controller.

Upon termination or expiration of this agreement Cambridge Kinetics Ltd will delete Controller personal data in its possession as set out by the applicable law.

Appendix 1 to Data Processing Addendum

Technical and Organisational Measures

1. Personnel

1.1 ​Cambridge Kinetics Ltd will oblige its employees to process and use the Personal Data only in accordance with this Data Processing Agreement, including its appendix, and any written instructions received from Controller.

2. Transmission Control Cambridge Kinetics Ltd will implement suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorised parties during the transmission thereof or during the transport of the data media. This will be accomplished by:

2.1 ​Using a ​Service that is hosted on cloud providers who use state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels.

2.2 Using a Service that is only accessible via HTTPS, providing end to end encryption using TLS.

3. Access control to Data Processing Systems Cambridge Kinetics Ltd will implement suitable measures to prevent its data processing systems from being used by unauthorized persons. This will be accomplished by:

3.1 ​identification of the terminal user to the Controller.

3.2 Cambridge Kinetics Ltd takes advantage of cloud based data centres to ensure availability, redundancy and physical restrictions to access data processing systems. For a complete description of security measures for the underlying systems please read the following documentation.

4. Input Control Cambridge Kinetics Ltd will implement suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This will be accomplished by:

4.1 ​authentication of the authorized personnel;

4.2 ​utilization of user codes (passwords);

4.3 ​an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;

4.4 ​protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data.