
VIRTUAL FREEDOM ACADEMY LIMITED (T/A BUZZCUBE) - DATA PROCESSING AGREEMENT

AGREED TERMS

1.

Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1

Definitions:

Applicable Laws: as applicable, Domestic Law or EU Law.

Business Purposes: the services described in the Master Agreement and any other purpose specifically identified in Part 2 of Annex A.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach and processing: have the meanings given in the Data Protection Legislation.

Customer: means VFA’s customer as referred to in the Master Agreement.

Customer Personal Data: any Personal Data which VFA processes in connection with this DPA in the capacity of a Processor as set out in paragraph 1.2, Part 1 of Annex A.

Data Protection Legislation:
(a) the UK Data Protection Act 2018 (DPA 2018);
(b) the UK GDPR;
(c) the EU GDPR; and
(d) all other UK, EU and EEA member state laws relating to the processing of Personal Data and privacy.

Domestic Law: the law of the UK or a part of the UK.

DPA: this Personal Data Processing Agreement which sets out the additional terms, requirements and conditions on which VFA will process Customer Personal Data when providing services under the Master Agreement, and contains the mandatory clauses required by Article 28(3) UK GDPR for contracts between Controllers and Processors.

EEA: the European Economic Area.

EU Commissioner: the relevant supervisory authority of a European Union Member State (Article 4(22) EU GDPR).

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

Master Agreement: means the services agreement entered into by VFA and the Customer that involves VFA processing of Personal Data on behalf of the Customer.

Records: has the meaning given to it in clause 12.1.

Regulator: as applicable to the processing, the UK Commissioner or the EU Commissioner, concerned EEA supervisory authorities and such other regulators with authority to enforce the Data Protection Legislation applicable to the processing.

Sub-Processor: has the meaning given to it in clause 8.1.

UK Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

VFA: Virtual Freedom Academy Limited, incorporated and registered in England and Wales with the company number 12213491 whose registered office is at Home Ground Northfield, Somerton, Somerset, United Kingdom, TA11 6SJ.

VFA Personal Data: any Personal Data which VFA processes in connection with this DPA in the capacity of a Controller as set out in paragraph 1.1, Part 1 of Annex A.

VFA Personnel: all officers, employees, agents, contractors and sub-contractors of VFA engaged in the performance of its obligations under the Master Agreement or this DPA.

1.2

The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.3

This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.4

In the case of conflict or ambiguity between:

(a)

any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and

(b)

any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2.

Personal Data types and processing purposes

2.1

Both parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

2.2

The Customer and VFA agree and acknowledge that for the purpose of the Data Protection Legislation:

(a)

VFA is the Controller of the VFA Personal Data;

(b)

the Customer is the Controller and VFA is the Processor of the Customer Personal Data;

(c)

the Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to VFA; and

(d)

in respect of the Customer Personal Data, Part 2 of Annex A describes the subject matter, duration, nature and purpose of the processing and the Customer Personal Data categories and Data Subject types in respect of which VFA may process the Customer Personal Data to fulfil the Business Purposes.

2.3

Should the determination in clause 2.2 change, then the parties shall work together in good faith to make any change which is necessary to this DPA or the Annexes.

3.

VFA’s obligations

3.1

VFA will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions, unless VFA is required by any Applicable Laws to otherwise process that Customer Personal Data. Where VFA is relying on any Applicable Laws as the basis for processing Customer Personal Data, VFA shall notify the Customer of this before performing the processing required by any Applicable Laws, unless those Applicable Laws prohibit VFA from so notifying the Customer on important grounds of public interest.

3.2

VFA will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. VFA shall inform the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

3.3

VFA must comply promptly with any Customer written instructions requiring VFA to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.4

VFA will maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by any Applicable Laws, a UK or EEA member state court or the Regulator. If any Applicable Laws, a UK or EEA member state court or the Regulator requires VFA to process or disclose the Customer Personal Data to a third party, VFA must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless any Applicable Laws prohibit the giving of such notice.

3.5

VFA will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of VFA’s processing and the information available to VFA, including but not limited to in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Regulator under the Data Protection Legislation.

4.

VFA Personnel

VFA will ensure that the VFA Personnel:

(a)

are informed of the confidential nature of the Customer Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Customer Personal Data;

(b)

have undertaken training on the Data Protection Legislation and how it relates to their handling of the Customer Personal Data and how it applies to their particular duties; and

(c)

are aware both of VFA’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

5.

Security

5.1

VFA must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data. These security measures are set out in Annex B.

5.2

The Customer acknowledges and agrees that it has reviewed the technical and organisational measures set out in Annex B and confirms that they are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

6.

Personal Data Breach

6.1

VFA will promptly, and in any event within 48 hours, notify the Customer in writing if it becomes aware of:

(a)

the loss, unintended destruction or damage, corruption, or un-useability of part or all of the Customer Personal Data. VFA will restore as soon as possible such Customer Personal Data at its own expense;

(b)

any accidental, unauthorised or unlawful processing of the Customer Personal Data; or

(c)

any Personal Data Breach.

6.2

Where VFA becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:

(a)

description of the nature of (a), (b) and/or (c), including but not limited to the categories of in-scope Customer Personal Data and approximate number of both Data Subjects and the Customer Personal Data records concerned;

(b)

the likely consequences; and

(c)

a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including but not limited to measures to mitigate its possible adverse effects.

6.3

Immediately after the Customer has been notified pursuant to clause 6.1, following any accidental, unauthorised or unlawful Customer Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, VFA will reasonably co-operate with the Customer in the Customer's handling of the matter, including but not limited to:

(a)

assisting with any investigation;

(b)

providing the Customer with physical access to any facilities and operations affected;

(c)

facilitating interviews with VFA Personnel, former VFA Personnel (where possible) and others involved in the matter including, but not limited to, its officers and directors;

(d)

making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(e)

taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Customer Personal Data processing.

6.4

VFA will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Customer Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by any Applicable Laws.

6.5

VFA agrees that the Customer has the sole right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Regulator, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including but not limited to the contents and delivery method of the notice. The Customer shall not offer any remedy to affected Data Subjects without the prior written approval of VFA, such approval not to be unreasonably withheld or delayed.

6.6

The Customer will cover all reasonable expenses and time costs associated with the performance of VFA’s obligations under clauses 6.1 to 6.3 inclusive unless the matter arose from VFA’s negligence, wilful default or breach of this DPA, in which case VFA will cover all of its expenses and time costs.

6.7

VFA will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that VFA caused such an incident and/or Personal Data Breach, including but not limited to all costs of notice and any remedy as set out in clause 6.5.

7.

Cross-border transfers of Personal Data

7.1

VFA (and any Sub-Processor) may transfer or otherwise process the Customer Personal Data outside of the UK or the EEA provided that VFA shall ensure that all such transfers are effected in accordance with the Data Protection Legislation.

7.2

Subject to clause 8.1 VFA shall and shall ensure that any Sub-Processor shall at their own expense comply with all data protection laws and regulations relating to their activities under this DPA in the jurisdictions in which they operate, as such laws and regulations may change from time to time.

7.3

VFA shall notify the Customer immediately in case of any conflict between the laws and regulations in the jurisdictions in which it and any of its Sub-Processors operate and the Data Protection Legislation.

8.

Sub-Processors

8.1

The Customer hereby provides its prior, general authorisation for VFA to appoint a third party or subcontractor (Sub-Processor) to process the Customer Personal Data if:

(a)

the Sub-Processor is listed in Part 3 of Annex A or the Customer is provided with an opportunity to object to the appointment of each new Sub-Processor;

(b)

VFA enters into a written contract with the Sub-Processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer’s written request, provides the Customer with copies of such contracts;

(c)

VFA maintains control over all Customer Personal Data it entrusts to the Sub-Processor; and

(d)

VFA remains responsible for the acts and omissions of any Sub-Processor as if they were the acts and omissions of VFA.

8.2

 Where the Customer objects to the appointment of any Sub-Processor pursuant to clause 8.1(a), VFA may terminate the Master Agreement with immediate effect by giving written notice to the Customer.

9.

Complaints, Data Subject requests and third-party rights

9.1

VFA must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a)

the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and

(b)

information or assessment notices served on the Customer by the Regulator under the Data Protection Legislation.

9.2

 VFA must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Customer Personal Data or to either party's compliance with the Data Protection Legislation.

9.3

 VFA must notify the Customer immediately if it receives a request from a Data Subject for access to their Customer Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4

 VFA will give the Customer, at the Customer’s cost, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5

 VFA must not disclose the Customer Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, or any Applicable Laws.

10.

 Term and termination

10.1

 This DPA will remain in full force and effect so long as:

(a)

the Master DPA remains in effect; or

(b)

VFA retains any of the Customer Personal Data related to the Master Agreement in its possession or control.

10.2

   Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Customer Personal Data will remain in full force and effect.

11.

 Data return and destruction

11.1

 At the Customer's request, VFA will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2

On termination of the Master Agreement for any reason or expiry of its term, VFA will securely delete or destroy or, if directed in writing by the Customer within 10 working days of such date, return and not retain, all or any of the Customer Personal Data related to this DPA in its possession or control.

11.3

 If any law, regulation, or government or regulatory body requires VFA to retain any documents, materials or Customer Personal Data that VFA would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4

 VFA will certify in writing to the Customer that it has deleted or destroyed the Customer Personal Data within five days after it completes the deletion or destruction.

11.5

 For the purposes of this clause 11, VFA shall be deemed to have deleted or destroyed the Customer Personal Data when such Customer Personal Data has been, to the extent technically and legally possible, put beyond further use of VFA.

12.

Records

12.1

  VFA will keep detailed, accurate and up-to-date written records regarding any processing of Customer Personal Data it carries out for the Customer, including but not limited to, the access, control and security of the Customer Personal Data, Sub-Processors, the processing purposes, categories of processing, any transfers of Customer Personal Data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).

12.2

VFA will ensure that the Records are sufficient to enable the Customer to verify VFA’s compliance with its obligations under this DPA and the Data Protection Legislation and VFA will provide the Customer with copies of the Records upon request.

12.3

 The Customer and VFA must review the information listed in the Annexes to this DPA whenever requested by the Customer to confirm its current accuracy and update it when required to reflect current practices.

13.

Audit

13.1

 VFA will permit the Customer and/or its third-party representatives to conduct reasonable audits of VFA’s compliance with its obligations under this DPA, on reasonable written notice at a frequency of not more than once per year.

13.2

 The frequency restrictions set out in clause 13.1 shall not apply where the Customer is directly required by the Regulator to audit VFA’s compliance with its obligations under this DPA or if there has been, or the Customer reasonably suspects that there has been, a Personal Data Breach.

14.

 Warranties

14.1

 VFA warrants that:

(a)

the VFA Personnel are reliable and trustworthy and have received the required training on the Data Protection Legislation; and

(b)

it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement's contracted services.

14.2

 The Customer warrants and represents that VFA’s expected use of the Customer Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15.

Limitation of liability

15.1

The following definitions apply in this clause 15:

(a)

default: any act or omission resulting in one party incurring liability to the other; and

(b)

liability: every kind of liability arising under or in connection with this DPA including but not limited to liability in contract, tort (including but not limited to negligence), or otherwise.

15.2

Nothing in this DPA will exclude, limit or restrict VFA’s liability for:

(a)

death or personal injury caused by its negligence;

(b)

fraud or fraudulent misrepresentation; or

(c)

any other liability which may not be limited or excluded by law.

15.3

Subject to clause 15.2, VFA shall have no liability for any:

(a)

loss of profits (including but not limited to loss of anticipated savings);

(b)

loss of business or business opportunity;

(c)

wasted expenditure;

(d)

loss of use or corruption of software, data or information;

(e)

loss of or damage to goodwill and/or similar losses; or

(f)

special, indirect or consequential loss, costs, damages, charges or expenses, howsoever arising under or in connection with this DPA.

15.4

Subject to clause 15.2 and clause 15.3, the total aggregate liability of VFA (including, but not limited to, its officers, employees, contractors, sub-contractors, Sub-Processors and agents) under or in connection with this DPA in respect of all defaults shall be limited to £50,000 (fifty thousand pounds sterling).

15.5

This clause 15 shall survive termination of this DPA.

This DPA has been entered into on the date the Master Agreement is executed.

ANNEX A

Personal Data processing purposes and details

Part 1 – Role of the parties

1.1

Where VFA acts as a Controller:

(a)

when processing VFA Personal Data contained within correspondence between the Customer or Customer’s staff, VFA Personnel and/or documents relating to the establishment, management, audit, operation, and communication (on which VFA may wish to rely on to establish its rights and liabilities under the Master Agreement) in respect of the Master Agreement for the provision of the contracted services; and

(b)

when processing VFA Personal Data of the Customer or the Customer’s staff for marketing purposes.

1.2

Where VFA acts as a Processor:

Save as set out in paragraph 1.1 of this Annex A, when processing the Customer Personal Data of Data Subjects whose Personal Data is inputted on, collected by, or as part of the services provisioned under the Master Agreement.

Part 2 – Particulars of processing

2.1

Subject matter of processing

The performance of VFA’s duties under the Master Agreement.

2.2

Duration of processing

For the term of the Master Agreement and for such time afterwards as required for the parties to exercise their rights and obligations under clause 11.

2.3

Nature of processing

The processing of Customer Personal Data to enable VFA to comply with its duties under the Master Agreement.

2.4

Business Purposes

To enable VFA to perform its duties under the Master Agreement.

2.5

Personal Data categories

Identity data, contact details and such other Personal Data categories as relevant.

2.6

Data Subject types

Clients or customers of the Customer and/or such clients’ or customers’ staff and such other Data Subjects whose Personal Data is processed by VFA in connection with the performance of its duties under the Master Agreement.

Part 3 - Approved Sub-Processors:

ANNEX B

Security measures

Physical Access Controls: As a remote-first business, VFA has minimal potential physical access control risks. We ensure in our Contractor and employment agreements with our team that they have password-protected equipment where and when working with clients.

System Access and Control: System Access and Control is monitored closely by our team. Our policy is to change our access passwords every month which is then logged. We use 1Password to generate password links when passing any password around the team. This is logged and any breaches are recorded and highlighted to the team, which are then retrospectively amended in any records. Access to email addresses with access to anything relating to client data is given selectively on a ‘who needs it’ basis, and is regularly monitored and removed where not needed.

Data Access Controls: Passwords are controlled as above with system access – data access is managed within our systems. Any data passed across systems uses 1Password to hide sensitive information and is controlled by our data controllers within the team.

Transmission Controls and Security: All data transmissions are secured using encrypted channels (e.g. HTTPS, SFTP, or other TLS-enabled protocols) to prevent unauthorised access during transfer. Access to systems is restricted via role-based authentication, and any remote connections require secure, password-protected or multifactor-authenticated access.

Input Controls: Access to data entry or modification functions is limited to authorised personnel only, with unique user credentials and audit logging to record changes. Regular reviews are conducted to ensure data accuracy, prevent unauthorised input, and detect potential misuse or errors.

Data Backups: Our data is mostly situated on Slack, Stripe and Airtable, which control their own data backups on our behalf. They do so by following the guidelines within their own DPA, which VFA have read and are comfortable with.

Data Segregation: Client data is logically separated within our systems to ensure that one client’s information cannot be accessed by another. Separate project workspaces and restricted user permissions are maintained for each client to uphold data confidentiality and minimise cross-contamination risk.

Encryption Standards: Data at rest and in transit is protected using industry-standard encryption protocols (typically AES-256 for storage and TLS 1.2+ for transmission). Encryption keys are securely managed and rotated as appropriate, in line with best-practice data security standards.


 

© Buzzcube.io
