1. Interpretation
   1. Definitions:

1. 1. Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
   2. Conditions: these terms and conditions set out in 1 to 11 (inclusive).
   3. Contract: this contract under which the Customer appoints the Supplier to provide the Services, in accordance with the Contract Details and these Conditions.
   4. Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018 (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) And in the US the Privacy Act of 1974, as amended (5 U.S.C. § 552a) (and regulations made thereunder) as amended.
   5. Effective Date: the date the Contract takes effect, as set out in the Contract Details.

• Customer Intellectual Property: all intellectual property rights owned or used by the Customer in connection with the delivery and marketing of the Services (including trade marks, service marks, business names, goodwill and the right to sue for passing off, domain names, and rights in confidential information) in each case whether registered or unregistered and including all applications and rights to apply for and  be granted, renewals or extensions of such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world (such as logos or trademarks of the Customer or images or copy provided to the Supplier for the Supplier to use as part of provision of the Services).

• Supplier Intellectual Property: all intellectual property rights owned or used or created by the Supplier in connection with the delivery and marketing of the Services (including trade marks, service marks, business names, goodwill and the right to sue for passing off, domain names, and rights in confidential information) in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world and which rights include all materials or other deliverables created by the Supplier as part of the Services (such as images or copy for the advertisements). 

• Territory: the areas specified in the Contract Details.

• Interpretation

1. 1. A reference to legislation or a legislative provision: 
      1. is a reference to it as amended, extended or re-enacted from time to time;
      2. shall include all subordinate legislation made from time to time under that legislation or legislative provision.
   2. Any words following the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
   3. A reference to writing or written includes email.

• Appointment

• Appointment. The Customer appoints the Supplier to provide certain marketing services to the Customer in the Territory on the terms of this Contract and the Supplier accepts the appointment on those terms. Nothing in this Contract or otherwise shall make the Supplier or any of the Supplier’s employees an employee of the Customer.

• Exclusive appointment.

1. 1. 1. 1.    The Customer exclusively appoints the Supplier to provide meta advertising and/or Google advertising and any other advertising platforms to it and shall not appoint any other person or entity in relation to the same.
         2. The Customer shall not implement its own meta advertising, Google advertising or any other advertising platform campaigns at any time during the provision of the Services without the prior written consent of the Supplier.

• Supplier’s obligations

• General. Consistent with its general compliance obligations under 9, the Supplier shall comply with all the applicable obligations imposed on the Supplier by common law and statute. 

• Advertising. The Supplier shall provide the Services in the Territory and shall observe all reasonable directions and instructions given to it by the Customer in this regard. The production and use by the Supplier of any advertising materials and promotional literature (such as copy or images for the advertisements) not provided by the Customer shall be subject to the prior written consent of the Customer, except where the Customer has waived this right to approve such materials.

• Data Processing. The Supplier shall comply with the obligations on it as a data processor as set out in the Data Processing Schedule.

• Account Manager. The Supplier shall appoint a designated member of its team to act as the account manager in relation to the provision of the Services. The Supplier may from time to time change the account manager upon notice to the Customer. 

• Customer’s obligations

• Information. The Customer must as soon as reasonably practicable provide the Supplier with account details and log ins for its Google and Meta advertising accounts. If the Customer does not yet have such accounts, it will set them up as soon as possible. The Customer acknowledges that any delay on its behalf of providing this information to the Supplier means that there will be a corresponding delay in the commencement of the provision of the Services. 

• Marketing materials. The Customer shall supply such samples, sales literature and other documentation and information and such technical, market and other support as the Supplier may reasonably require for the purposes of enabling the Supplier to discharge its duties under this Contract.

• Expenses. The Customer shall reimburse any expenses, costs and charges reasonably incurred by the Supplier in performing this Contract (such as covering Meta advertising costs if problems with payment methods on the Customer’s advertising accounts) against production by the Supplier of appropriate invoices and receipts in support.

• Customer’s marketing activities and information. If the Customer advertises and promotes the Customer Services by a method other than Meta and Google advertising independently of the Supplier, the Customer shall provide the Supplier with information on the advertising and promotion carried out by the Customer.

1. 1. Confidentiality of logins. The Customer agrees to keep user details and passwords for any site connected to the provision of the Services confidential at all times and to not disclose them to any third party. The Customer shall notify the Supplier immediately if it becomes aware of any unauthorized use of its’ account and shall indemnify the Supplier against all claims, damages, losses, costs or expenses (including professional fees) and any other liability which arises from any unauthorized use of the Customer’s account. 
   2. Third Parties. All third parties must obtain explicit written authorization from us, the supplier, before accessing any accounts containing the supplier’s intellectual property. This includes, but is not limited to, Meta Business Suite, Google Drive, DC Funnels, Google Ads, and Google Analytics. This requirement also applies to adding users to these accounts, sharing passwords, or any other method by which a third party could access these accounts. Authorization requests should be submitted to the supplier in writing. Approval of such requests is at the sole discretion of the supplier. Additionally, this process may involve signing additional documentation, such as an intellectual property protection agreement or a non-compete agreement.

1. Respect. A part of the Services, the Supplier will invite the Customer to the Supplier’s Inner Circle Meta  group which is an online forum where certain of the Supplier’s customers and members communicate with each other and with the Supplier. In using such Meta  group, the Customer agrees to comply at all times with the Supplier’s and particularly agrees that it shall not communicate in that group or contact any persons in such group (whether via the group or by any other means) for purposes other than advancing the business of the Customer and that does not put any member of such group to any detriment. The Customer also agrees to be respectful to the employees, agents, contractors or other representatives of the Supplier at all times. 

1. 1. Timely review. The Customer is responsible for approving the content (including without limitation copy, images and videos) of the Meta and Google advertisements and shall do so in a timely manner. The Customer acknowledges that if it delays in approving content, there will be a corresponding delay in the Supplier providing the Services and the Supplier shall have no liability in relation to any such delay.

• Non-solicitation. The Customer agrees that it shall not at any time directly or indirectly solicit or entice away (or attempt to solicit or entice away) from the employment of the Supplier any account manager or any other person employed or engaged (including ex employees) by the Supplier in the provision of the Services at any time during the Term or in perpetuity after the termination of this agreement other than by means of a national advertising campaign open to all comers and not specifically targeted at any of the staff of the Supplier. If the Customer commits any breach of this clause, the Customer shall, on demand, pay to the Supplier a sum equal to one year’s basic salary or the annual fee that was payable by the Supplier to that employee, worker or independent contractor plus the recruitment costs incurred by the Supplier in replacing such person.

• Fees

1. 1. Fees. The fees for the delivery of the Services are payable on a monthly basis and are as set out on our invoice (“Monthly Fee”). 

• Instalments. The Monthly Fee will be charged automatically and without the further approval of the Customer each month on a continuing basis until such time as the Contract is terminated. For the avoidance of doubt the Monthly Fee remains payable during any notice period of termination. All payments are non-refundable other than as expressly agreed in writing by the Supplier otherwise. 

1. All sums payable under this Contract are exclusive of amounts in respect of value added tax (VAT) (or any other applicable taxes), which shall be payable at the prevailing rate (if applicable). A VAT invoice (or other appropriate invoices showing such taxes) shall be provided against any payment.

• Interest. If the Customer fails to make any payment due to the Supplier under this Contract by the due date for payment, then the Customer shall pay interest on the overdue amount at the rate of 4% per annum above the Bank of England’s base rate from time to time. Such interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, whether before or after judgment. The Customer shall pay the interest together with the overdue amount.

• Suspension of Services. If payments are not made when due by the Customer, the Supplier will suspend all Services until such time as it has received all outstanding payments. 

• Intellectual property

• Acknowledgement and licence of IPR. The Supplier acknowledges that the Customer Intellectual Property belongs to the Customer. The Customer grants to the Supplier a non-exclusive perpetual, worldwide, royalty free licence to use the Customer Intellectual Property for the purposes of the delivery of the Services (such as trademarks and logos to go on advertising copy or images). The Customer acknowledges that the Supplier Intellectual Property belongs to the Supplier and nothing in this agreement or otherwise shall operate to transfer the ownership of the Supplier Intellectual Property Rights to the Customer or any other person or entity. The Supplier grants to the Customer a fully paid-up, worldwide, non-exclusive, royalty-free licence  during the term of the Contract to use the Supplier Intellectual Property for the purpose of receiving and using the Services in the Customer’s business. For the avoidance of doubt the Customer may not at any time copy, reproduce, publish in any form, share, sell, dispose of or otherwise make available to a third party in any way any of the Supplier Intellectual Property (including the images and copy created for the purposes for the advertisements) or any of the ideas and concepts shared with the Supplier as part of the advertising strategy. 

• Limitations on use of IPR. The Customer accepts that:

1. 1. 1. 1. It is only permitted to use the Supplier Intellectual Property for the purposes of and during the term of this Contract.
         2. Save as provided in 6.2(a), it has and shall have no right to use or to allow others to use the Supplier Intellectual Property or any part of it. 
         3. where the Supplier’s use of the Supplier Intellectual Property is conditional on the Supplier obtaining a written licence (or sub-licence) from the relevant licensor or licensors on such terms as will entitle the Supplier to license such rights to the Customer, if such licenses (or sub-licenses) are not available for any reason, the corresponding license to the Customer shall be withdrawn or not granted and the Customer shall immediately cease using the affected Supplier Intellectual Property.

• Notification. The Customer shall notify the Supplier of: 

1. 1. 1. 1. Any actual, threatened or suspected infringement of any Supplier Intellectual Property of which the Customer becomes aware.
         2. Any claim by any third party of which it becomes aware that the provision of the Services infringes any rights of any other person.

• Assistance re IPR. The Customer shall, at the Supplier’s request and reasonable expense take all reasonable steps during the term of this Contract as the Supplier may reasonably require to assist the Supplier in maintaining the Supplier Intellectual Property as valid and effective.

• Indemnity. The Customer shall indemnify the Supplier against all liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and any and all other professional costs and expenses) suffered or incurred by the Supplier arising out of or in connection with any claim made against the Supplier for actual or alleged infringement of a third party’s Intellectual Property Rights or moral rights arising out of or in connection with the use of the Customer Intellectual Property or in connection with any of the advertisements created by the Supplier.

• Duration and termination

• Termination on notice. This Contract shall take effect from the Effective Date. Unless terminated earlier in accordance with law or its terms, it shall continue until one party gives the other party written notice to terminate in accordance with 7.2 to expire on the expiry date of such notice.

• Notice period. For the purposes of 7.1, the notice period for termination shall be 30 days for each party. Notice of termination shall be in writing to the other party in accordance with clause 12.8 below and can be served at any time.

• Termination for cause. Without affecting any other right or remedy available to it, either party may terminate this Contract with immediate effect by giving written notice to the other if:

• Material breach. The other party commits a material breach of any term of this Contract which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 14 days after being notified in writing to do so. A material breach is a breach that has a serious effect on the benefit such party would otherwise derive from this agreement.

• Insolvency. The other party takes or has taken against it any step or action in connection with its entering into administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction, or in the case of the Customer, if an individual, the Customer takes any step or action in connection with it being made bankrupt, entering any composition or arrangement with its creditors, having a receiver appointed to any of its assets, or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction.

• Cessation of Services. The Supplier ceases for any reason to provide Google or meta advertising and any other advertising platforms and services as part of its business activities.

• Compliance. The other party fails to discharge its compliance obligations under 10.

1. Termination for cause for Supplier. Without affecting any other right or remedy available to it, the Supplier may terminate this Contract with immediate effect by giving written notice to the Customer if, in the opinion of the Supplier, (i) the Customer is causing disruption to the delivery of services by the Supplier to its other customers, (ii) if the continued provision of the Services to the Customer would have an adverse effect on the Supplier’s business interests , (iii) the Supplier has reason to believe that the Customer has failed to comply with clause 4.6 or (iv) or the Supplier has reason to believe that the Customer is in breach of clause 2.2 above. 

• Consequences of termination

• Accrued rights and duties. Termination of this Contract shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Contract which existed at or before the date of termination.

• Consequences of termination. On termination of this Contract:

• Services to cease. The Supplier shall cease to provide the Services. For the avoidance of doubt, the Supplier shall continue to provide the Services during any notice period, except where requested otherwise by the Customer, in which case the Monthly Instalment for the notice period shall remain payable.

• No further holding out or use of IPR. The Customer shall immediately cease to use the Supplier Intellectual Property Rights (including without limitation advertising copy and images created at any time by the Supplier) and agrees that the Supplier shall delete all advertising campaigns within Google and Meta created by the Supplier. If the Supplier no longer has access to the advertising accounts of the Customer, the Customer shall delete all advertising campaigns within Google and Meta created by the Supplier and shall confirm within 3 days of termination of the agreement that such materials have been deleted.

• Return of materials. The Customer shall at its own expense within 7 days of termination return to the any materials or other possessions or belongings of the Supplier, or otherwise dispose of the same as the Customer may instruct.

• Survival. Any provision of the Contract that expressly or by implication is intended to come into or continue in force on or after termination shall remain in full force and effect.

• Compliance

1. 1. 1. Each party shall at its own expense comply with and assist the other party to comply with all laws and regulations relating to its activities under this Contract, and with all and any conditions binding on it in any applicable licences, registrations, permits and approvals. Such laws shall include but not be limited to the Data Protection Legislation, the Bribery Act 2010, the Criminal Finances Act 2017, and the Modern Slavery Act 2015. (UK) the Privacy Act 1974, Foreign Corrupt Practices Act, and the The Trafficking Victims Protection Act of 2000.
      2. The Customer agrees that the Supplier shall have no liability for compliance with marketing and/or advertising laws in the Territory (or otherwise) including without limitation the Advertising Standards Authority or General Chiropractic Council (UK) or State Regulatory Boards and Federal Trading Commission (USA)

• Limitation of liability

• Unlimited liability. Nothing in this Contract shall limit or exclude the liability of either party for:

1. 1. 1. 1. Death or personal injury caused by its negligence, or the negligence of its employees, suppliers or subcontractors (as applicable).
         2. Fraud or fraudulent misrepresentation.
         3. Any matter in respect of which it would be unlawful to exclude or restrict liability.

• Limitations of liability. Subject to 10.1:

1. 1. 1. 1. Neither party shall under any circumstances whatever be liable to the other, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for:
            1. any loss of profit, revenue, or anticipated savings; or
            2. any loss that is an indirect or secondary consequence of any act or omission of the party in question.
         2. The total liability of the Supplier to the Customer in respect of all other loss or damage arising under or in connection with this Contract, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall in no circumstances exceed the amount paid by the Customer to the Supplier for the 12 months prior to the date of the cause of action of such liability. 
      2. Indemnity. The Customer shall indemnify and keep indemnified the Supplier in relation to any liability whatsoever incurred by the Supplier in relation to the content of the advertisements. It shall be the Customer’s responsibility to check that it is happy with the content of the advertisements. 
      3. Fair Use. Although the Services include unlimited Meta and Google advertising campaigns, the Customer shall use such Services on a fair use basis and if the Supplier feels that the Customer is extending the Services past fair use, the Supplier has the right to reduce the number of requested advertising campaigns accordingly.

• General

• Force Majeure. Neither party shall be in breach of this Contract nor liable for delay in performing, or failure to perform, any of its obligations under this Contract if such delay or failure result from events, circumstances or causes beyond its reasonable control. If the period of delay or non-performance continues for 3 months, the party not affected may terminate this Contract by giving 30 days’ written notice to the affected party.

• Assignment and other dealings.

1. 1. 1. 1. The Customer shall not assign, transfer, charge, subcontract, declare a trust over or deal in any other manner with any or all of its rights and obligations under this Contract without the Supplier’s prior written consent.
         2. The Supplier may at any time assign, transfer, charge, subcontract, declare a trust over or deal in any other manner with any or all of its rights under this Contract.
         3. The Supplier may provide marketing services to any business including those which compete with the Customer. 

• Confidentiality.

1. 1. 1. 1. Each party undertakes that it shall not at any time disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by 11. 3
         2. Each party may disclose the other party’s confidential information:
            1. to its employees, officers, representatives, subcontractors or advisers who need to know such information for the purposes of carrying out the party’s obligations under this Contract. Each party shall ensure that its employees, officers, representatives, subcontractors or advisers to whom it discloses the other party’s confidential information comply with this 11.3; and
            2. as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
         3. No party shall use any other party’s confidential information for any purpose other than to perform its obligations under this Contract.

• Entire agreement. 

1. 1. 1. 1. This Contract constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
         2. Each party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Contract. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Contract.

• Variation. No variation of this Contract shall be effective unless it is in writing and signed by the parties (or their authorised representatives). 

• Waiver. A waiver of any right or remedy is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. A delay or failure to exercise, or the single or partial exercise of, any right or remedy shall not:

1. 1. 1. 1. Waive that or any other right or remedy.
         2. Prevent or restrict the further exercise of that or any other right or remedy.

• Severance. If any provision or part-provision of this Contract is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Contract.

• Notices.

1. 1. 1. 1. Any notice or other communication given to a party under or in connection with this Agreement shall be in writing, addressed to that party at its registered office or such other address as that party may have specified to the other party in writing in accordance with this clause, and shall be delivered personally, or sent by pre-paid first-class post or other next working day delivery service, commercial courier, or email.
         2. A notice or other communication shall be deemed to have been received: 
            1. if sent by email, one Business Day after transmission.
         3. The provisions of this clause shall not apply to the service of any proceedings or other documents in any legal action.

• Third party rights. No one other than a party to this Contract, their successors and permitted assignees, shall have any right to enforce any of its terms. 

• Governing law. This Contract, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with the law of England and Wales.

1. 1. Jurisdiction. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Contract or its subject matter or formation (including non-contractual disputes or claims).

SCHEDULE – DATA PROCESSING

1. DEFINITIONS AND INTERPRETATION

The following definitions and rules of interpretation apply to this Schedule.

1.1  Definitions:

Controller: the Customer as set out in the Contract Details above.

Data Protection Legislation:  all applicable data protection laws in the UK and the EU including the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018), the EU GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426). And in the US the Privacy Act of 1974, as amended (5 U.S.C. § 552a) (and regulations made thereunder) as amended.

Data Subject:  an individual who is the subject of Personal Data.

GDPR: General Data Protection Regulation ((EU) 2016/679).

Personal Data:  means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Services Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach:  a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: the Supplier.

UK GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.

1.2 The Appendices form part of this Schedule and will have effect as if set out in full in the body of the Contract. Any reference to this Schedule includes the Appendices.

1.3  A reference to writing or written includes email.

2. PROCESSING PURPOSES

2.1  The Controller and the Processor acknowledge that the Controller is the controller and the Processor is the processor and that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation.

2.2. Where the Processor appoints a subcontractor pursuant to paragraph 4 below, the Processor shall be a data controller in relation to such processing.

2.3 The Processor may process the Personal Data categories and Data Subject types set out in Appendix 1 of this Schedule. 

3. PROCESSOR’S OBLIGATIONS

1. The Processor shall:
   1.  implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject, as further set out below in this Agreement;
   2. only use subcontractors to help with the processing of Personal Data in the circumstances set out in paragraph 4 below;
   3. process the Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
   4. ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
   5. take the security measures set out in paragraph 5 below;
   6. taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights as set out in paragraph 6 below;
   7. assist the Controller in ensuring compliance with the obligations set out in paragraph 7 below (data breach) taking into account the nature of processing and the information available to the Processor;
   8. at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of the Services Agreement and delete existing copies (unless Union or Member State law requires storage of the Personal Data);
   9. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller; 
   10. assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of GDPR, taking into account the nature of processing and the information available to the Processor; 
   11. immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation. 
2. The Processor will promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3. The Processor will keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law.   If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller.

1. 1. SUBCONTRACTORS  
      1. The Processor may only authorise a third party (“subcontractor”) to process the Personal Data if:

• the Processor has obtained the prior written consent from the Controller for each appointment of a subcontractor (or the subcontractor’s name is set out in Schedule A); and 

1. 1. 1. the Processor and the subcontractor enter into a written contract containing terms the same as those set out in this Agreement, in particular, in relation to data security measures; and
      2. the Processor maintains control over all Personal Data it shares with the subcontractor; and
      3. the Processor ensures that the subcontractor does not process the Personal Data except on instructions from the Data Controller (unless required to do so by UK Law and/or Union or Member State law); and
   2. The Processor shall be fully liable for the actions and inactions of the subcontractor and shall be responsible for the subcontractor’s performance of obligations.

5. SECURITY

5.1 The Processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: 

1. the pseudonymisation and encryption of Personal Data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

6. RESPONSES TO DATA SUBJECTS

6.1 The Processor will put in place such technical and organisational measures as may be appropriate to enable the Controller to comply with the rights of Data Subjects under Data Protection Legislation, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing and the right to object to automated individual decision making.

6.2 If the Processor receives any complaint or other communication relating to the processing of the Personal Data or a Subject Access Request from a Data Subject, it must notify the Controller as soon as possible after it receives it and will provide the Controller with all reasonable assistance in helping the Controller to reply to such communications. 

6.3 The Processor will provide to the Controller such information as the Controller may reasonably require in order for the Controller to comply with the rights of Data Subjects under Data Protection Legislation. 

6.4 The Processor will provide all appropriate assistance to the Controller to enable it to comply with any information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.

6.5 The Processor shall not disclose Personal Data to any third party other than at the Controller’s written request or as set out in this agreement or as required by law. 

7. PERSONAL DATA BREACH

7.1 If any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable (“Personal Data Loss”), the Processor will notify the Controller without undue delay after learning of such Personal Data Loss.

7.2 If the Processor becomes aware of any unauthorised or unlawful processing of the Personal Data or any Personal Data Breach, it will notify the Controller without undue delay including all relevant information such as:

(a) a description of the nature of the Personal Data Breach, the unauthorised or unlawful processing and/or the Personal Data Loss, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

 (b)  the likely consequences; and

 (c)  description of the measures taken, or proposed to be taken, including measures to mitigate the impact.

7.3  The parties will co-ordinate and co-operate with each other to investigate any matters arising as contemplated by this paragraph. 

7.5  The Processor agrees that it shall not (and the Controller is solely responsible to):

 (a)   provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or any other third party, except when the Processor (as opposed to the Controller) is required by law or regulation to provide such notice; and

 (b)   offer any type of remedy to affected Data Subjects.

8. CROSS-BORDER TRANSFERS OF PERSONAL DATA

8.1 The Processor (or any subcontractor of the Processor) shall not transfer or otherwise process Personal Data outside the UK or the European Economic Area (EEA) (as the case may be) without obtaining the Controller’s prior written consent (except where the Processor is required to transfer such data by UK law and/or Union or Member State law, in which case the Processor shall inform the Controller of such legal requirement before processing takes place, unless any law prohibits such disclosure on important grounds of public interest).

8.2 If the Controller consents to the transfer or other processing of the Personal Data outside of the UK and/or the EEA (as the case may be) and no appropriate safeguards exist (such as an adequacy decision), the Processor and the Controller will each execute the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Schedule to Commission Decision 2010/87/EU (“SCCs”) (or the UK approved versions of the same as the case may be). 

8.2 if the Processor appoints subcontractors that are based outside of the UK or the EEA the Processor shall, prior to any Personal Data being transferred to such countries, ensure that protections are in place that comply with Data Protection Legislation.

9. TERM AND TERMINATION

This Schedule will continue for so long as the Processor processes any Personal Data related to the Services.

10. AUDIT

The Controller (and any third-party representatives) may audit the Processor’s compliance with its obligations under this Agreement and the Processor will give the Controller (and its third-party representatives) all necessary assistance and co-operation to conduct such audits. 

APPENDIX

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Subject matter of processing:

Customer Data and Prospect Data.

Duration of Processing:

The duration of the data processing until the termination of the Contract in accordance with its terms.

Nature and Purpose of Processing:

The provision of the services to the Controller and the performance of the Processor’s obligations under the Contract and this Processor Agreement or as otherwise agreed by the parties.

Data Subject Categories:

Customers and prospects. 

Personal Data Types:

Customer Data: data relating to any purchases of services such as name, title, billing address, delivery address, email address, phone number, contact details, purchase details and card details. 

Prospect Data: data relating to prospects such as name and email address.