Data Processing Agreement
Version number: 3.0
This DPA took effect on 28 March 2023.
In a hurry? No problem. Here’s a quick summary of the key points:
The parties. We’re Thirdfort Limited and you (or if you are a Thirdfort Partner, your customers) are purchasing our Services via our Platform or any Partner Platforms as described in our Terms of Use (https://www.thirdfort.com/terms/terms-of-use/).
The purpose. This Data Processing Agreement (“DPA”) governs the processing of Personal Data under the Terms of Use.
1. Definitions
2. What do we do and what do you do?
2.1 Status. You’re the Controller and we’re the Processor of any Personal Data you provide us. If you are purchasing Services via our Platform, this will also cover any Personal Data provided to us by your clients for the purpose of completing any checks initiated by you.
2.2 Details of the processing. All the information you might need about the Personal Data we process for you is described in Schedule 1.
2.3 Obligations. Each of us agrees to comply with Data Protection Laws for the term of the Terms of Use.
2.4 Processor obligations. We’ll:
(a) only process Personal Data to provide the Services and with your instructions;
(b) inform you immediately if (in our opinion) your instructions infringe Data Protection Laws;
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved with the processing;
(d) only allow access to Personal Data to our personnel who need it to perform the Services;
(e) notify you in writing without undue delay if we become aware of a Personal Data breach, take steps to mitigate the breach and provide you with reasonable assistance and details of what happened;
(f) provide reasonable assistance to allow you to:
(i) conduct data protection impact assessments;
(ii) respond to Data Subjects' requests to exercise their rights under Data Protection Laws; and
(iii) consult with data protection supervisory authorities;
(g) if requested, provide information necessary to show that we comply with Data Protection Laws;
(h) after termination of the Terms of Use, delete or return Personal Data at your written request unless we need to keep them for legal or regulatory reasons; and
(i) collect, store and process Personal Data in line with our Privacy Policy (https://www.thirdfort.com/privacy/).
3. How can we use sub-processors?
3.1 Use of sub-processors. You allow us to use sub-processors to process Personal Data.
3.2 Sub-processor obligations. We’ll:
(a) require our sub-processors to comply with obligations equivalent to those in this DPA;
(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to our sub-processors; and
(c) be liable for our sub-processors’ actions.
3.3 Approvals. We may appoint new sub-processors provided we notify you in writing within 30 days, but we shall be entitled to appoint third parties as general suppliers of technology and services without notice, provided that such third parties do not carry out processing activities of your or your clients' Personal Data.
3.4 Objections. You may reasonably object in writing to any new sub-processors. If the parties cannot agree on a solution within a reasonable time, either party may terminate the Terms of Use.
4. Will Personal Data be transferred internationally?
4.1 Transfer Mechanism. Where we transfer or process Personal Data outside the UK, the EEA or an Adequate Country, we agree to comply with the EU Transfer Clauses or the UK Transfer Clauses as applicable, which are incorporated into this DPA by reference and are completed with the additional information contained in Schedule 2. Under the Transfer Clauses, we act as the data importer, and you are the data exporter.
4.2 Additional measures. If the Transfer Clauses are not sufficient to safeguard the transfer due to applicable surveillance laws, we’ll implement any additional technical, contractual or policy measures as needed to ensure Personal Data is protected to a standard equivalent to that under the Data Protection Laws.
4.3 Disclosures. If a public authority requests access to Personal Data, where legally possible, we’ll:
(a) challenge the request and promptly notify you;
(b) not disclose any Personal Data without your consent;
(c) notify you and provide you with information of such requests; and
(d) if we are required to disclose Personal Data, we’ll only disclose the minimum amount required and keep a record of the disclosure.
5. What else do you need to know?
5.1 Changes. We reserve the right to make any updates and changes to this DPA. We will provide at least 30 days' prior written notice to you when an update is required as a result of:
(a) changes in Applicable Data Protection Laws;
(b) a merger, acquisition, or other similar transaction; or
(c) the release of new products or services or material changes to any of the existing Services.
5.2 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
5.3 Liability. The liability provisions contained within the Terms of Use apply to this DPA.
5.4 Governing law and jurisdiction. This DPA is subject to the governing laws and jurisdiction set out in the Terms of Use.
Schedule 1: Details of processing
Our security measures are set out at https://thirdfort.com/security-measures/
Schedule 2: Transfer Clauses
Purpose. This Schedule supplements the DPA entered into between the parties to govern the international transfer of Personal Data.
1. EU Transfer Clauses
Variables
Appendix to the clauses
2. UK Transfer Clauses
Part 1: Tables
Part 2: Mandatory Clauses