Data Processing Addendum
Last updated January 2022
This Data Processing Addendum is an agreement between you as an enterprise customer (“Customer”, “you” or “your”) and Bramble Technologies Limited of Unit 211, The Lightbox 111 Power Road, London, United Kingdom, W4 5PY (“Bramble”, "we", "us" or "our").
1.1 In this Data Processing Addendum the following expressions have the following meanings:
"Authorised Person" means any person Bramble authorises to process Customer Data, which may include Bramble's staff, agents and sub-contractors;
“Data Processing Addendum” means this addendum;
"Data Protection Laws" means applicable laws and regulations relating to the processing of personal data (including where applicable the guidance and codes of practice issued by a regulator), including, but not limited to, the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 as amended;
"Customer Data" means Customer Personal Information;
Customer Personal Information means personal data that is uploaded to myBramble EnterpriseTM by Customer (including, but not limited to, year, UPN, SEN, PP) under Customer’s myBramble EnterpriseTM accounts and processed by Bramble as a processor for and on behalf of Customer. For the avoidance of doubt, Customer Personal Information shall never include personal data in user generated content (UGC) created by Bramble session app end users, whether or not they were introduced to the platform by Customer;
“personal data” means any information relating to an identified or identifiable living individual; an identified or identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual;
“controller” shall have the meanings given to the term “controller” by Article 4(7) of the UK GDPR and section 6 of the Data Protection Act 2018;
“process” has the meaning given to it under applicable Data Protection Laws, and "processing" and "processed" shall have the corresponding meaning; provided, however, that to the extent the applicable Data Protection Laws do not provide such definition or meaning, “process,” “processing” and “processed” mean and refer to any operation or set of operations performed on personal data, whether or not by automated means, including, without limitation, collection, recording, organisation, structuring, storage, adaptation, alteration, anonymisation, accessing, retrieval, consultation, use, disclosure by transmission, dissemination, distribution or making available by other means, alignment, combination, restriction, erasure, deletion or destruction;
“processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of a controller;
“Security Incident” means a breach of Bramble’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data;
“UK GDPR” means Regulation (EU) 2016/679 General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
2. Scope and conflicts
2.1 The Parties acknowledge and agree that, for the purposes of this Data Processing Addendum:
(a) Customer is, or shall be regarded as, a controller of Customer Personal Information and Bramble is, or shall be regarded as, a processor of Customer Personal Information; or
(b) Customer is, or shall be regarded as, a processor of Customer Personal Information (acting on behalf of Customer’s customers) and Bramble is, or shall be regarded as, a sub-processor of Customer Personal Information.
3. Processing instructions
3.1 Bramble shall:
(a) only process Customer Personal Information as required to perform its obligations to the Customer;
(b) not disclose, publicise, share, copy, amend, delete, interfere, or otherwise process Customer Personal Information, except as otherwise permitted by the Customer; and
(c) comply with any reasonable, lawful and written instructions from Customer in relation to Bramble's processing of Customer Personal Information, except where otherwise required by any Data Protection Laws applicable to the relevant Customer Personal Information.
3.2. In no event shall Bramble process Customer Data for its own purposes or the purposes of any third party.
3.3. Bramble shall comply with applicable laws, including, without limitation, applicable Data Protection Laws in respect of its processing of Customer Personal Information.
4. Confidentiality of processing
4.1 Bramble shall ensure that Authorised Persons are and shall continue to be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process Customer Data who is not under such a duty of confidentiality.
4.2 Bramble shall ensure that access, retrieval and other processing of Customer Data by Authorised Persons is restricted to those who have a legitimate and necessary reason to so access, retrieve and otherwise process such Customer Data.
5. Data subject rights
5.1 Bramble shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer or, if applicable, a controller for whom Customer is a processor, to respond to:
(a) any request relating to Customer Personal Information from a data subject to exercise any of its rights under any Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable);
(b) any request relating to Customer Personal Information from a controller for access, correction, erasure, deletion and data portability, where Customer is a processor of the Customer Personal Information for such controller; and
(c) any other correspondence, enquiry or complaint received from a data subject, controller, regulator or other third party in connection with the processing of Customer Data.
5.2 In the event that any such request, correspondence, enquiry or complaint relating to Customer Data is made directly to Bramble, Bramble shall promptly inform Customer and provide full details of the same.
5.3 Bramble shall not disclose any Customer Data in response to a request for access or disclosure from any third party without Customer’s prior written consent, save where compelled to do so in accordance with applicable law.
6. Data protection impact assessments
6.1 If Bramble believes or becomes aware that its processing of any Customer Personal Information is likely to result in a high risk to the data protection rights and freedoms of data subjects, Bramble shall promptly inform Customer. In this circumstance and upon any other request by Customer, Bramble shall provide Customer with such reasonable and timely assistance as Customer may require in order for Customer to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
In order to demonstrate its compliance with this Data Processing Addendum and Data Protection Laws, Bramble shall maintain records regarding Bramble’s processing of Customer Personal Information, including data flow diagrams and Bramble’s processes for handling Security Incidents, for a period of two years following the completion of Bramble’s processing activities.
Bramble shall put in place and maintain a comprehensive information security program reasonably appropriate for the Customer Data, which shall include implementing and maintaining appropriate technical, security and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access and against other unlawful forms of processing.
9. Security Incidents
9.1 Bramble will:
(a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident; and
(b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
9.2 To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Bramble will cooperate with and assist Customer by including in the notification under paragraph 9.1 such information about the Security Incident as Bramble is able to disclose to Customer, taking into account the nature of the processing, the information available to Bramble, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
9.3 Customer agrees that:
(a) an unsuccessful Security Incident will not be subject to this paragraph 9. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents; and
(b) Bramble’s obligation to report or respond to a Security Incident under this paragraph 9 is not and will not be construed as an acknowledgement by Bramble of any fault or liability of Bramble with respect to the Security Incident.
9.4 Notification of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Bramble selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information and secure transmission at all times.
10.1 Customer provides general authorisation to Bramble’s use of sub-processors to provide processing activities on Customer Data on behalf of Customer (“Sub-processors”) in accordance with this paragraph. At least 30 days before Bramble engages a Sub-processor, Bramble will provide Customer with notice of that update.
10.2 Where Bramble authorises a Sub-processor as described in paragraph 10.1:
(a) Bramble will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Bramble’s obligations to the Customer, and Bramble will prohibit the Sub-processor from accessing Customer Data for any other purpose;
(b) Bramble will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Bramble under this Data Processing Addendum, Bramble will impose on the Sub-processor the same contractual obligations that Bramble has under this Data Processing Addendum; and
(c) Bramble will remain responsible for its compliance with the obligations of this Data Processing Addendum and for any acts or omissions of the Sub-processor that cause Bramble to breach any of Bramble’s obligations under this Data Processing Addendum.
11. International data transfers
11.1 Where Bramble processes Customer Data which is subject to any laws (including Data Protection Laws) of a country that prevent or impose restrictions on processing such Customer Data outside of such country, then Bramble may only process (or permit the processing of) such Customer Data outside of such country where:
(a) it first obtains Customer’s prior written consent; and
(b) Bramble takes such measures as are necessary to ensure that any processing of such Customer Data is in compliance with such consent, applicable laws and other applicable terms of this Data Processing Addendum.
12. Effects of termination
12.1 Upon termination or expiry of this Data Processing Addendum, Bramble shall immediately cease processing the Customer Data.
12.2 Subject to paragraph 12.3, upon expiry or termination of this Data Processing Addendum Bramble shall destroy or return to Customer all Customer Data in its possession or control (including any Customer Data sub-contracted to a third party for processing).
12.3 Paragraph 12.2 shall not apply to the extent that Bramble is required by any legal obligation to retain some or all of the Customer Data, in which case Bramble shall isolate and protect such Customer Data from any further processing except to the extent required by such law.