DPA

Schedule 5

Last updated: 3 May, 2023

This DPA sets out the additional terms, requirements and conditions which shall apply to Seenit and Customer in relation to the Personal Data that will be processed when providing Services under the Contract. 

This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

AGREED TERMS

  1. Definitions and Interpretation
    1. In this Section, the following terms shall have the following meanings: 
      1. “Business Purposes” means the services to be provided by Seenit to the Customer as described in the Contract and any other purpose specifically identified in Annex A.
      2. “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in the Privacy Law;
      3. “Data” means the personal data that is the subject of the Contract;
      4. “Privacy Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any and all applicable national data protection laws made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to time; and
      5. “Order Form”, “Services”, “Seenit Platform”, “Customer Content”, “Subscription Fees”, “Users” and “Contributors” have the meaning set out in the Contract.
    2. This DPA is subject to the terms of the Contract and is incorporated into the Contract. Interpretations and defined terms set forth in the Contract apply to the interpretation of this DPA.
    3. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
    4. A reference to writing or written includes email, provided that it is sent to the email addresses specified in the Contract.
    5. In the case of conflict or ambiguity between:
      1. any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
      2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
      3. any of the provisions of this DPA and the provisions of the Contract, the provisions of this DPA will prevail.
  2. Relationship of the parties 
    1. The Customer and Seenit agree and acknowledge that for the purpose of the Applicable Privacy Law:
      1. The Customer is the controller;
      2. Seenit is the processor appointed by the controller to process the Data;
      3. The Customer retains control of the Data and remains responsible for its compliance obligations under Privacy Law, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing; and
      4. Annex A describes the subject matter, duration, nature and purpose of the processing and the Data categories and Data Subject types in respect of which Seenit may process the Data to fulfil the Business Purposes.
  3. Compliance with applicable laws
    1. The Customer as the controller shall comply with the obligations that apply to it under Privacy Law.  
    2. Seenit as processor shall process the Data in compliance with the Privacy Law in force  from time to time in the UK and the European Union (“Applicable Privacy Law”) and the Customer’s instructions which are set out in the DPA.
    3. The Customer is responsible for deciding where its Users and/or Contributors use the Services from and understands that Seenit does not have advance visibility on such locations. Accordingly, Seenit will rely on the Customer’s reasonable instructions in relation to compliance with any Privacy Laws other than the Applicable Privacy Law provided that any incremental effort on Seenit shall be at the Customer’s  cost.
  4. Purpose limitation  
    1. Seenit shall process the Data Annex A as necessary to perform its obligations under the Contract and strictly in accordance with the documented instructions of the Customer (the “Permitted Purpose”), except where otherwise required by any law applicable to Seenit. 
    2. Seenit shall not process the Data for its own purposes or those of any third party in any circumstances.  Seenit shall promptly inform the Customer if it becomes aware that the Customer’s processing instructions infringe Privacy Law (but without obligation to actively monitor Customer’s compliance with Privacy Law).
  5. International transfers  
    1. Seenit shall not transfer the Data (nor permit the Data to be transferred) outside of the United Kingdom (“UK”) or the European Economic Area (“EEA”) unless (i) it has first obtained the Customer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Privacy Law. 
    2. Such measures may include (without limitation) transferring the Data to a recipient in a country that the Secretary of State for the Department for Digital, Culture Media & Sport and/or the European Commission (as applicable) have decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Privacy Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission and/or the Information Commissioner Office (“ICO”).
  6. Confidentiality of processing 
    1. Seenit shall ensure that any person that it authorises to process the Data (including staff, agents and subcontractors) (“Authorised personnel”) shall be subject to a contractual or statutory duty of confidentiality and shall not permit any person who is not under such a duty of confidentiality to process the Data. Seenit shall ensure that all Authorised personnel process the Data only as necessary for the Permitted Purpose.
  7. Security 
    1. Seenit shall implement adequate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”) as set out in Annex B. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  8. Sub-processing  
    1. Seenit shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of the Customer. 
    2. Notwithstanding paragraph 8.1, the Customer consents to Seenit engaging third party sub processors to process the Data provided that: 
      1. Seenit provides at least 30 days’ prior written notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform) and, (a) the Customer has not notified Seenit in writing within two (2) weeks of Seenit’s notice date of any objections (on reasonable grounds) to the proposed appointment, or (b) the Customer has notified Seenit in writing within two (2) weeks of Seenit’s notice date of objections (on reasonable grounds) to the proposed appointment but Seenit has taken reasonable steps to address the objections raised by the Customer. If Customer is not satisfied with Seenit’s steps, the Customer may stop using the Services and terminate the Contract notwithstanding which Seenit shall be under no obligation to refund the Subscription Fees; 
      2.  Seenit imposes data protection terms on any subprocessor it appoints that protect the Data to materially the same standard provided for by this DPA; and 
      3. Seenit remains liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor.
    3. The Customer has approved the list of subprocessors set out in Annex C which may be given by posting details of such addition or removal at a URL shared with you by email, in the Order Form, or otherwise.
  9. Cooperation and data subjects’ rights 
    1. Seenit shall provide all reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to: 
      1. any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
      2. any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.   
    2. In the event that any such request, correspondence, enquiry or complaint is made directly to Seenit, Seenit shall promptly inform the Customer providing full details of the same as soon as reasonably practicable.
  10. Data Protection Impact Assessment  
    1. Seenit shall, at the Customer’s cost (unless agreed otherwise in an Order Form), provide the Customer with all such reasonable and timely assistance as the Customer may require in order to conduct a data protection impact assessment in accordance with Privacy Law including, if necessary, to assist the Customer to consult with its relevant data protection authority. 
  11. Security incidents 
    1. Upon becoming aware of a Security Incident, Seenit shall inform the Customer without undue delay (and, in any event, within 48 hours) and shall provide all such timely information and cooperation as the Customer may require to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Privacy Law. Seenit shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident.
  12. Deletion or return of Data
    1. Within sixty (60) days of the termination or expiry of the Contract, Seenit shall (at the Customer’s choice) destroy all Data in its possession or control (including any Data subcontracted to a third party for processing).  This requirement shall not apply to the extent that Seenit is required by any UK or EU (or any EU Member State) law to retain some or all of the Data, in which event Seenit shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
  13. Audit: 
    1. Subject to (i) giving Seenit at least 15 days’ prior written notice, (ii) Seenit’s confidentiality obligations to its other customers and (iii) the Customer minimising business disruption, Seenit shall, at the Customer’s cost (unless agreed otherwise in an Order Form):
      1. permit the Customer (or its appointed third-party auditors), to audit Seenit’s compliance with this DPA, and 
      2. make available to the Customer all information, systems and staff necessary for the Customer (or its third-party auditors) to conduct such audit. 
    2. The Customer will not exercise its audit rights set out in paragraph 13.1 above more than once in any twelve (12) calendar month period, except:
      1. if and when specifically required by instruction of a competent data protection authority; or 
      2. the Customer believes a further audit is necessary due to a Security Incident suffered by Seenit. 
    3. Upon request, Seenit shall supply a summary copy of its internal audit report(s) to the Customer, which reports shall be subject to the confidentiality provisions of the Contract.

Annex A

Data Processing Description

This Annex A forms part of the DPA and describes the processing that Seenit will perform on behalf of the Customer.  

Where the EU Standard Contractual clauses (“SCCs”) and if applicable the UK Addendum to the SCCs  apply (together “Standard Clauses”), Annex A constitutes Schedule 1 of the Standard Clauses. 

Controller

The controller is the Customer specified in the Contract who shall be using Seenit to support its Talent Acquisition, Employer Brand and Internal Communications.

Processor

The processor is Seenit Digital Limited who shall use the Data for the purpose of providing Services in connection with the Contract. 

The Seenit Platform will collect user generated content recorded and submitted by the categories of individuals described in the data subject section below and process such content so that the Customer’s authorised users can use the Seenit Platform functionalities to, amongst other things, edit and use such content to create materials for their recruitment, marketing and other internal business purpose as further detailed in the Contract.  

Data subjects

The personal data to be processed concern the following categories of data subjects (please specify):

  • Controller employees and/or contractors
  • Employees and/or contractors of Controller’s clients
  • Visitors to Controller’s website (if specified in an Order Form)
  • Such other data subject specified in an Order Form

Categories of data

The personal data to be processed concern the following categories of data (please specify):

The Processor collects names, business contact information (email), Web browsing metadata captured while using the Seenit Platform (e.g., URLs viewed, clicks, time stamps, time spent on pages, order of pages viewed); photos; audio; voice recordings; videos; and Free text fields.

Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data (please specify):

special categories of data which may be contained in Customer Content, to be specified by Customer

Location of Data Subjects

The World excluding Russia, Cuba, Iran, North Korea, Syria, Venezuela and other countries which are on the US, UK and/or EU sanctioned countries lists.

Processing operations

The personal data will be subject to the following basic processing activities:

The processing activities that are necessary for the processor to provide the Services (as defined in the Contract) including without limitation capturing, storing and retrieving personal data in connection with the management of the Seenit Platform, opening accounts, hosting Customer Content, facilitating the production of Customer Content.

Annex B

Minimum Security Measures

Where the EU Standard Contractual Sections apply, Annex B constitutes Schedule 2 of the SCCs. 

  1. Automated privacy controls include access provisioning, automatic log out, Single-Sign-On, system logging. 
  2. Information auditing - audit trails of who has accessed what information. 
  3. Restricted sharing - data is only provided to parties that need the data. 
  4. System segregation.  
  5. The system architecture prevents direct access to the data sets. 
  6. Two-factor authentication is required for our key systems.
  7. All cloud storage is encrypted at rest.
  8. Login policy is configured to enforce sessions and workstations to automatically lock after a period of inactivity. 
  9. Users’ passwords are required to unlock the workstation and two-factor authentication is required to reconnect to the secure environment. 
  10. All workstations are encrypted and can be remotely wiped.
  11. Data Transmission - All data is encrypted while in transit on the network. 
  12. Digital Security – The application runs on the environment protected by firewalls. Administration access is blocked from the outside and is accessible only to system administrators. It is additionally protected via SSH key-based authentication. 
  13. Penetration Testing – Seenit performs penetration tests annually using a trusted third party. The results can be shared in a summary form with clients upon request. 
  14. Authorized Data Access – Access to all data is restricted to client authorized users. Users are granted access to data by either supplying a username and password, using a social login e.g. Google, Facebook, Microsoft login, or a SAML based SSO solution. Authorized user passwords are secured using industry standard techniques. All data access is audited. 
  15. Production Access: Only key system administrator members of the Seenit product system team have access to the production environment and such access is highly restricted to key members of the engineering team. All activities on the production servers are monitored and audited. 

Annex C

Approved Subprocessors

| Name of subprocessor | Subprocessor’s registered address | Location in which the entity will process the Customer’s personal data | Purpose (reason for the transfer of data) | Transfer mechanism |
|---|---|---|---|---|
| WeVideo AS | Cort Adelers Gate 30 0254 Oslo Norway | EU (Norway) | The online video editor software that is embedded into the Seenit Platform | Adequacy decision |
| Google Inc | Google Inc, Mountain View, California, USA | EU (Belgium) | The cloud servers in which Seenit is installed and run. | Adequacy decision |
| Couchbase Inc | 11 - 12 Paul Street, London, EC2A 4JU, UK | EU (Belgium) | Our Database, where all Seenit platform data is stored and called when needed | Adequacy decision |
| Talkjs | Bogert 1, 5612 LX Eindhoven, the Netherlands | EU | Studio to contributor messaging | Adequacy decision |
| Cloudinary | London United Kingdom 8-14 Meard St | EU | Video Transcoding and storage | Adequacy decision |
| Segment | 100 California Street Suite 700 San Francisco, CA 94111 United States | USA | Event Tracking | Standard Contractual Clauses |
| Auth0 | 3rd Floor Union House 182-194 Union Street London, SE1 0LH, UK | EU | Authentication and Authorisation | Adequacy decision |
| Amazon AWS EU | Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg | EU | IaaS (Infrastructure as a Service) | Adequacy decision |