Evalu-8 Software – Data Processing Agreement

BACKGROUND

(A) The Customer and the Supplier have entered into a services agreement (Master Agreement) that may require the Supplier to process Personal Data on behalf of the Customer.

(B) This Personal Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which the Supplier will process Personal Data when providing services under the Master Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the UK GDPR (the assimilated EU law version of the General Data Protection Regulation ((EU) 2016/679)) and of the EU GDPR (the General Data Protection Regulation ((EU) 2016/679)) for contracts between Controllers and Processors.

AGREED TERMS

1. Definitions and interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:

Applicable Laws: as applicable, Domestic Law or EU Law.

Business Purposes: the Services to be provided by the Supplier to the Customer as described in the Master Agreement and any other purpose specifically identified in Part 2 of Annex A.

Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

Controller, Processor, Data Subject, Personal Data, Personal Data Breach and processing: have the meanings given in the Data Protection Legislation.

Customer: the organisation purchasing the Services from the Supplier and a party to the Master Agreement.

Customer Personal Data: any Personal Data which the Supplier processes in connection with this DPA in the capacity of a Processor, as set out in paragraph 1.2, Part 1 of Annex A.

Data Protection Legislation:

(a) the Data Protection Act 2018 (DPA 2018);

(b) the UK GDPR;

(c) the EU GDPR; and

(d) all other UK, EU and EEA member state laws relating to the processing of Personal Data and privacy.

Domestic Law: the law of the UK or a part of the UK.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

EEA: the European Economic Area.

EU Law: the law of the European Union or any member state of the European Union.

Records: has the meaning in clause 12.1.

Regulator: as applicable to the processing, the Commissioner, concerned EEA supervisory authorities and such other regulators with authority to enforce the Data Protection Legislation applicable to the processing.

Sub-Processor: has the meaning given to it in clause 8.1.

Supplier: EVALU-8 SOFTWARE LIMITED incorporated and registered in England and Wales with the company number 10744465 and whose registered office is at Suite 49, Earl Business Centre, Dowry Street, Oldham, England, OL8 2PF.

Supplier Personal Data: any Personal Data which the Supplier processes in connection with this DPA in the capacity of a Controller as set out in paragraph 1.1, Part 1 of Annex A.

Supplier Personnel: all directors, officers, employees, agents, consultants and contractors of the Supplier engaged in the performance of its obligations under the Master Agreement or this DPA.

Term: this DPA’s term as defined in clause 10.1.

UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4 In the case of conflict or ambiguity between:

(a) any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and

(b) any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2. Personal Data types and processing purposes

2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

2.2 The Customer and the Supplier agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) the Supplier is the Controller of the Supplier Personal Data;

(b) the Customer is the Controller and the Supplier is the Processor of the Customer Personal Data;

(c) the Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Supplier; and

(d) in respect of the Customer Personal Data, Part 2 of Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Supplier may process the Customer Personal Data to fulfil the Business Purposes.

2.3 Should the determination in clause 2.2 change, then the parties shall work together in good faith to make any change which is necessary to this DPA.

3. Supplier’s obligations

3.1 The Supplier will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions, unless the Supplier is required by any Applicable Laws to otherwise process that Customer Personal Data. Where the Supplier is relying on any Applicable Laws as the basis for processing Customer Personal Data, the Supplier shall notify the Customer of this before performing the processing required by any Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer on important grounds of public interest.

3.2 The Supplier will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Supplier shall inform the Customer if, in the opinion of the Supplier, the instructions of the Customer infringe the Data Protection Legislation.

3.3 The Supplier must comply promptly with any Customer written instructions requiring the Supplier to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.4 The Supplier will maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by any Applicable Laws, a UK or EU/EEA member state court or the Regulator. If any Applicable Laws, a UK or EU/EEA member state court or the Regulator requires the Supplier to process or disclose the Customer Personal Data to a third party, the Supplier must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object to or challenge the requirement, unless any Applicable Laws prohibit the giving of such notice.

3.5 The Supplier will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Supplier’s processing and the information available to the Supplier, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Regulator under the Data Protection Legislation.

4. Supplier Personnel

The Supplier will ensure that all of the Supplier Personnel:

(a) are informed of the confidential nature of the Customer Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data;

(b) have undertaken training on the Data Protection Legislation relating to handling Customer Personal Data and how it applies to their particular duties; and

(c) are aware both of the Supplier’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

5. Security

5.1 The Supplier must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Customer Personal Data. These measures are set out in Annex B.

5.2 The Customer acknowledges and agrees that it has reviewed the technical and organisational measures set out in Annex B and confirms that they are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

6. Personal Data Breach

6.1 The Supplier will promptly, and in any event within 48 hours, notify the Customer if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Customer Personal Data. The Supplier will restore such Customer Personal Data at its own expense as soon as possible;

(b) any accidental, unauthorised or unlawful processing of the Customer Personal Data; or

(c) any Personal Data Breach.

6.2 As soon as practicable after giving any notice pursuant to clause 6.1, and in any event without undue delay, the Supplier shall also provide the Customer with the following information:

(a) a description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Immediately after the Customer has been notified pursuant to clause 6.1, following any accidental, unauthorised or unlawful Customer Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Supplier will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:

(a) assisting with any investigation;

(b) facilitating interviews with the Supplier Personnel, former Supplier Personnel and others involved in the matter, including its officers and directors;

(c) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(d) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

6.4 The Supplier will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Customer Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by any Applicable Laws.

6.5 The Supplier agrees that the Customer has the sole right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Regulator, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice. The Customer shall not offer any remedy to affected Data Subjects without the prior written approval of the Supplier, such approval not to be unreasonably withheld or delayed.

6.6 The Customer will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Supplier’s negligence, wilful default or breach of this DPA, in which case the Supplier will cover all reasonable expenses and time costs.

6.7 The Supplier will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Supplier caused such incident and/or Personal Data Breach, including all costs of notice and any remedy as set out in clause 6.5.

7. Transfers of Personal Data

7.1 The Supplier (and any Sub-Processor) may transfer or otherwise process the Customer Personal Data outside of the UK or the EEA provided that the Supplier shall ensure that all such transfers are effected in accordance with the Data Protection Legislation.

7.2 Subject to clause 8.1, the Supplier shall, and shall ensure that any Sub-Processor shall, at its own expense comply with all data protection laws and regulations relating to its activities under this DPA in the jurisdictions in which it operates, as such laws and regulations may change from time to time.

7.3 The Supplier shall notify the Customer in case of any conflict between the laws and regulations in the jurisdictions in which it and any of its Sub-Processors operate and the Data Protection Legislation.

8. Sub-Processors

8.1 The Customer provides its prior, general authorisation for the Supplier to appoint any third party or subcontractor (Sub-Processor) to process the Customer Personal Data if:

(a) the Sub-Processor is listed in Part 3 of Annex A or the Customer is provided with an opportunity to object to the appointment of each new Sub-Processor;

(b) the Supplier enters into a written contract with the Sub-Processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer’s written request, provides the Customer with copies of the relevant excerpts from such contracts;

(c) the Supplier maintains control over all of the Customer Personal Data it entrusts to the Sub-Processor; and

(d) the Supplier remains responsible for the acts or omissions of any Sub-Processor as if they were the acts or omissions of the Supplier.

8.2 The parties agree that the Supplier will be deemed by them to control legally any Customer Personal Data controlled practically by or in the possession of its Sub-Processors.

8.3 Where the Customer objects to the appointment of any Sub-Processor pursuant to clause 8.1(a), the Supplier may terminate the Master Agreement with immediate effect by giving written notice to the Customer.

9. Complaints, Data Subject requests and third-party rights

9.1 The Supplier must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and

(b) information or assessment notices served on the Customer by the Regulator under the Data Protection Legislation.

9.2 The Supplier must:

(a) notify the Customer as soon as possible in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Customer Personal Data or to either party’s compliance with the Data Protection Legislation;

(b) notify the Customer as soon as possible if it receives a request from a Data Subject for access to their Customer Personal Data or to exercise any of their other rights under the Data Protection Legislation;

(c) give the Customer, at the Customer’s cost, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request; and

(d) not disclose the Customer Personal Data to any Data Subject or to a third party other than in accordance with the Customer’s written instructions, or as required by any Applicable Laws.

10. Term and termination

10.1 This DPA will remain in full force and effect so long as:

(a) the Master Agreement remains in effect; or

(b) the Supplier retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Customer Personal Data will remain in full force and effect.

11. Data return and destruction

11.1 At the Customer’s request, the Supplier will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control.

11.2 On termination of the Master Agreement for any reason or expiry of its term, the Supplier will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Customer Personal Data related to this DPA in its possession or control.

11.3 If any law, regulation, or government or regulatory body requires the Supplier to retain any documents, materials or Customer Personal Data that the Supplier would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4 For the purposes of clause 11, the Supplier shall be deemed to have deleted or destroyed the Customer Personal Data three months after the subscription has ended (or sooner at the Customer’s request).

12. Records

12.1 The Supplier will keep detailed, accurate and up-to-date written records regarding any processing of the Customer Personal Data, including but not limited to, the access, control and security of the Customer Personal Data, Sub-Processors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).

12.2 The Supplier will ensure that the Records are sufficient to enable the Customer to verify the Supplier’s compliance with its obligations under this DPA and the Data Protection Legislation and the Supplier will provide the Customer with copies of the Records upon request.

12.3 The Customer and the Supplier must review the information listed in the Annexes to this DPA whenever requested by the Customer to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1 The Supplier will permit the Customer and its third-party representatives to audit the Supplier’s compliance with its DPA obligations during the Term, on reasonable written notice at a frequency of not more than once per year.

13.2 The frequency restrictions set out in clause 13.1 shall not apply where the Customer is directly required by the Regulator to audit the Supplier’s compliance with its obligations under this DPA or if there has been, or the Customer reasonably suspects that there has been, a Personal Data Breach and/or a breach of the Supplier’s obligations under this DPA and/or the Data Protection Legislation.

14. Warranties

14.1 The Supplier warrants that:

(a) the Supplier Personnel are reliable and trustworthy and have received the required training on the Data Protection Legislation; and

(b) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement’s contracted services.

14.2 The Customer warrants that the Supplier’s expected use of the Customer Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

This DPA has been entered into on the date the Master Agreement is executed.

ANNEX A    Personal Data processing purposes and details

Part 1 – Capacity in which the Supplier processes Personal Data

1.1 Where the Supplier acts as a Controller:

(a) when processing Personal Data contained within correspondence between the Customer’s staff and the Supplier Personnel, and/or within documents relating to the establishment, management, audit, operation and communication of the Master Agreement for the provision of the Services (on which the Supplier may wish to rely to establish its rights and liabilities under the Master Agreement); and

(b) when processing Personal Data of the Customer’s staff for marketing purposes.

1.2 Where the Supplier acts as a Processor:

Save as set out in paragraph 1.1 of this Annex A, when processing the Personal Data of Data Subjects whose Personal Data is collected and/or processed through the Services provisioned under the Master Agreement, where the Supplier processes such Personal Data on behalf of the Customer.

Part 2 – Particulars of processing

2.1 Subject matter of processing

The performance of the Supplier’s duties under the Master Agreement.

2.2 Duration of processing

For the term of the Master Agreement and for such time afterwards as required for the parties to exercise their rights and obligations under clause 11.

2.3 Nature of processing

The processing of Customer Personal Data to enable the Supplier to comply with its duties under the Master Agreement.

2.4 Business Purposes

To enable the Supplier to perform its duties under the Master Agreement.

2.5 Personal Data categories

Identity data, image data, contact details and such other Personal Data categories as relevant.

2.6 Data Subject types

Staff or independent contractors of the Customer and such other Data Subjects whose Personal Data is processed by the Supplier in connection with the performance of its duties under the Master Agreement.

Part 3 – Approved Sub-Processors:

Amazon Web Services EMEA SARL

Wasabi Technologies LLC

Twilio UK Limited (t/a SendGrid)

ANNEX B   Security measures

We implement appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include administrative, physical, and technical safeguards, role-based access controls, least-privilege access permissions for employees, encryption in transit, secure backup procedures, vulnerability management, and ongoing monitoring of our systems and services.

Access to Personal Data is restricted to authorised personnel who require such access for legitimate business purposes and who are subject to confidentiality obligations. We maintain policies and procedures for access management, incident response, and security and data privacy awareness training.

We maintain an information security management system certified to ISO/IEC 27001 and apply industry-standard security practices designed to protect Personal Data both during transmission and while stored within our systems.

Copyright Evalu-8 Software Ltd 2026

Evalu-8 Software Ltd

Earl Business Centre

Oldham

OL8 2PF

0161 5289466