Archived Data Processing Agreement
16th July 2024
This is an archived version of our Data Processing Agreement. You can see the current version here.
This Data Processing Agreement ("DPA") is in addition to the Managed Services Terms of Service and the Campus Terms of Service between Sprint and the Customer (each an “Agreement”), and is incorporated by reference into the Agreement. The Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Legislation, in the name and on behalf of its Authorised Affiliates (defined below). By continuing to use our Services in which we act as a Data Processor you agree to the conditions in this DPA.
This DPA sets out the terms, requirements and conditions on which we will process Personal Data when providing services under the Managed Services Terms and/or the Campus Subscription Terms.
This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
We may update this policy from time to time by publishing a new version on our website so you should check this page periodically to ensure you are happy with any changes to this policy. We may notify you of changes to this policy by email or, if you are a Campus user, through the notification module in Campus.
The parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 In this DPA, unless the context otherwise requires, the following expressions have the following meanings:
Affiliate: means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
Authorised Affiliate: means any of the Customer's Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.
Authorised Persons: means the persons or categories of persons that you authorise to give us written personal data processing instructions as identified in Schedule 1 and from whom we agree solely to accept such instructions.
Control: has the meaning given in section 1124 of the Corporation Tax Act 2010, and the expression change of Control shall be construed accordingly.
Customer, you, or your: refers to you, the customer, as specified in the Order.
Customer Data: means any data that we and/or our Affiliates process on behalf of you in the course of providing the Services.
Data Controller, Data Processor, processing, and data subject: shall have the meanings given to the terms controller, processor, processing, and data subject respectively in Article 4 of the UK GDPR and GDPR.
Data Protection Legislation: means:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which you or we are subject, which relates to the protection of Personal Data.
EU GDPR: means the General Data Protection Regulation ((EU) 2016/679).
ICO: means the UK's supervisory authority, the Information Commissioner's Office.
Order: your order for Services either (i) on the prescribed form provided by us or (ii) agreed between us in writing or (iii) agreed between us verbally and confirmed by our subsequent commencement of the provision of the ordered Services to you.
Personal Data: means any information relating to an identified or identifiable living individual that is processed by us on behalf of you as a result of, or in connection with, the provision of the services under the Terms of Service; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Personal Data Breach: means any breach of security that leads to the accidental, unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data.
Provider, we, us, our: Sprint Media Limited, a company incorporated in England and Wales (registration number 6177833) having its registered office at B1 The Courtyard, Tewkesbury Business Park, Tewkesbury, GL20 8GD.
Services: means those services described in Schedule 1 which are provided by us to you and which you use for the purposes described in Schedule 1.
Sprint: means Sprint Media Limited.
Sub-Processor: means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or any of our Affiliates.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 Unless the context otherwise requires, each reference in this DPA to:
(a) "writing", and any cognate expression, includes a reference to any communication effected by electronic transmission or similar means;
(b) a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
(c) "this DPA" is a reference to this DPA and each of the Schedules as amended or supplemented at the relevant time;
(d) a Schedule is a schedule to this DPA;
(e) a Clause or paragraph is a reference to a Clause of this DPA (other than the Schedules) or a paragraph of the relevant Schedule;
(f) a "Party" or the "Parties" refer to the parties to this DPA.
1.3 The headings used in this DPA are for convenience only and shall have no effect upon the interpretation of this DPA.
1.4 Words imparting the singular number shall include the plural and vice versa.
1.5 References to any gender shall include all other genders.
1.6 References to persons shall include corporations.
2. SCOPE AND APPLICATION OF THIS DPA
2.1 The provisions of this DPA shall apply where and only to the extent that we process Personal Data on behalf of you in the course of providing the Services whether such Personal Data is held at the date of this DPA or received afterwards and such Personal Data is subject to Data Protection Legislation of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.
2.2 Role of the Parties. As between us and you, you are the Controller of Personal Data and we shall process Personal Data only as a Processor on behalf of you. Nothing in the Agreement or this DPA shall prevent us from using or sharing any data that we would otherwise collect and process independently of your use of the Services.
2.3 Our Processing of Personal Data. As a Processor, we shall process Personal Data only for the following purposes:
(a) processing to perform the Services in accordance with the Agreement;
(b) processing to perform any steps necessary for the performance of the Agreement; and
(c) to comply with other reasonable instructions provided by you to the extent they are consistent with the terms of this DPA and only in accordance with your documented lawful instructions. The parties agree that this DPA and the Agreement set out your complete and final instructions to us in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between you and us.
2.4 Nature of the Data. We handle Customer Data provided by you. Such Customer Data may contain special categories of data depending on how the Services are used by you. The Customer Data may be subject to the following process activities:
(a) storage and other processing necessary to provide, maintain and improve the Services provided to you;
(b) to provide customer and technical support to you; and
(c) disclosures as required by law or otherwise set forth in the Agreement.
2.5 Sprint Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), you acknowledge that we shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for our legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Legislation, we are the Controller of such data and accordingly shall process such data in compliance with Data Protection Legislation.
2.6 Customer Obligations. You agree that:
(a) you shall comply with your obligations as a Controller under Data Protection Legislation in respect of your processing of Personal Data and any processing instructions you issue to us; and
(b) you have provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Legislation for us to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
2.7 The provisions of this DPA supersede any other arrangement, understanding, or agreement made between you and us at any time relating to the Personal Data.
2.8 This DPA shall continue in full force and effect for so long as we are processing Personal Data on behalf of you.
3. DATA PROTECTION COMPLIANCE
3.1 All instructions given by you to us shall be made in writing and shall at all times comply with the Data Protection Legislation and other applicable laws. We shall act only on such written instructions from you unless we are required by law to do otherwise (as per Article 29 of the UK GDPR). We shall promptly notify you if, in our opinion, your instructions do not comply with the Data Protection Legislation.
3.2 We shall promptly comply with any request from you requiring us to amend, transfer, delete, or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 We shall transfer all Personal Data to you on your request in the formats, at the times, and in compliance with your written instructions.
3.4 We will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless you or this Agreement specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the ICO). If a domestic or EU law, court or regulator (including the ICO) requires us to process or disclose the Personal Data to a third-party, we will first inform you of such legal or regulatory requirement and give you an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.
3.5 Both Parties shall comply at all times with the Data Protection Legislation and other applicable laws and shall not perform their obligations under this DPA or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the Data Protection Legislation.
3.6 We hereby warrant, represent, and undertake that the Personal Data shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
3.7 We agree to comply with any reasonable measures required by you to ensure your obligations under this DPA are satisfactorily performed in accordance with any and all applicable legislation from time to time in force and any best practice guidance issued by the ICO.
3.8 We shall provide all reasonable assistance (at your cost) to you in complying with your obligations under the Data Protection Legislation with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
3.9 When processing the Personal Data on behalf of you, we shall:
(a) procure that any Sub-Processor shall not transfer or otherwise process the Personal Data outside the UK or the European Economic Area (“EEA”) without obtaining your prior written consent. Where such consent is granted, we may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:
(i) we are processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. We must identify in Schedule 2 the territory that is subject to such adequacy regulations; or
(ii) we participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that we (and, where appropriate, you) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR. We must identify in Schedule 2 the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and we must immediately inform you of any change to that status; or
(iii) the transfer otherwise complies with the Data Protection Legislation for the reasons set out in Schedule 2.
(b) not transfer any of the Personal Data to any third party without your written consent and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement;
(c) process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with our obligations to you or as may be required by law (in which case, we shall inform you of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
(d) implement appropriate technical and organisational measures, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
(e) if so requested by you, supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
(f) keep records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPR and EU GDPR;
(g) make available to you any and all such information as is reasonably required and necessary to demonstrate our compliance with the applicable Data Protection Legislation;
(h) on reasonable prior notice, submit to audits and inspections and provide you with any information reasonably required in order to assess and verify compliance with the provisions of this DPA and both Parties' compliance with the requirements of the Data Protection Legislation. The requirement to give notice will not apply if we believe that you are in breach of any of your obligations under this DPA or under the law; and
(i) inform you immediately if we are asked to do anything that infringes the Data Protection Legislation.
4. DATA SUBJECT ACCESS, COMPLAINTS, AND BREACHES
4.1 We shall, at your cost, assist you in complying with your obligations under the Data Protection Legislation. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
4.2 We shall notify you within 7 days if we receive:
(a) a subject access request from a data subject; or
(b) any other complaint or request relating to the processing of the Personal Data.
4.3 We shall, at your cost, cooperate fully with you and assist as required in relation to any subject access request, complaint, or other request, including by:
(a) providing you with full details of the complaint or request;
(b) providing the necessary information and assistance in order to comply with a subject access request;
(c) providing you with any Personal Data we hold in relation to a data subject (within the reasonable timescales required by you);
(d) providing you with any other information reasonably requested by you; and
(e) providing any information required for information or assessment notices served on you by the ICO or other relevant regulator under the Data Protection Legislation.
4.4 We shall notify you within 72 hours if we become aware of any form of Personal Data Breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
5. SECURITY
5.1 We shall ensure that, in respect of all Personal Data we receive from or process on behalf of you, we maintain security measures to a standard appropriate to:
(a) the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
(b) the nature of the Personal Data.
5.2 In particular, we shall:
(a) have in place, and comply with, a security policy which:
(i) defines security needs based on a risk assessment;
(ii) allocates responsibility for implementing the policy to a specific individual or personnel;
(iii) is disseminated to all relevant staff; and
(iv) provides a mechanism for feedback and review.
(b) ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
(c) prevent unauthorised access to the Personal Data;
(d) protect the Personal Data using pseudonymisation, where it is practical to do so;
(e) ensure that our storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) is stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
(f) have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
(g) password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
(h) take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
(i) have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
(i) the ability to identify which individuals have worked with specific Personal Data; and
(ii) having a proper procedure in place for investigating and remedying breaches of the Data Protection Legislation.
(j) have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
(k) have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
(l) adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Data Controller.
6. INTELLECTUAL PROPERTY RIGHTS
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either us or you) shall belong to you or to any other applicable third party from whom you have obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). We are licensed to use such Personal Data under such rights only for the purposes of the Services, and in accordance with this DPA.
7. CONFIDENTIALITY
7.1 We shall maintain the Personal Data in confidence, and in particular, unless you have given written consent for us to do so, we shall not disclose any Personal Data supplied to us, for, or on behalf of you to any third party. We shall not process or make any use of any Personal Data supplied to us by you otherwise than in connection with the provision of the Services to you.
7.2 We shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
7.3 The obligations set out in this Clause 7 shall continue for a period of 1 month after the cessation of the provision of Services by us to you.
7.4 Nothing in this DPA shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
8. APPOINTMENT OF SUB-PROCESSORS
8.1 You agree that we may engage Sub-Processors to process Personal Data on your behalf if:
(a) you are provided with an opportunity to object to the appointment of each Sub-Processor within 7 working days after we supply you with full details in writing regarding such Sub-Processor;
(b) we enter into a written contract with the Sub-Processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon your written request, provide you with copies of the relevant excerpts from such contracts;
(c) we maintain control over all of the Personal Data we entrust to the Sub-Processor; and
(d) the Sub-Processor's contract terminates automatically on termination of this DPA for any reason.
8.2 Those Sub-Processors approved as at the commencement of this DPA are as set out in Schedule 2. We must list all approved Sub-Processors in Schedule 2 and include any Sub-Processors’ name and location.
8.3 Where the Sub-Processor fails to fulfil its obligations under the written DPA with us which contains terms substantially the same as those set out in this DPA, we remain fully liable to the Customer for the Sub-Processor's performance of its obligations.
9. DELETION AND/OR DISPOSAL OF PERSONAL DATA
9.1 At your request, we will give you, or a third-party nominated in writing by you, a copy of or access to all or part of the Personal Data in our possession or control in the format and on the media reasonably specified by you.
9.2 We shall, at the written request of you, securely delete (or otherwise dispose of) the Personal Data or return it to you in the format(s) reasonably requested by you within a reasonable time after the earlier of the following:
(a) the end of the provision of the Services; or
(b) the processing of that Personal Data by us is no longer required for the performance of our obligations under this DPA.
9.3 Following the deletion, disposal, or return of the Personal Data under Clause 9.1 and/or Clause 9.2, we shall delete (or otherwise dispose of) all further copies of the Personal Data that we hold, unless retention of such copies is required by law, in which case we shall inform you of such requirement(s) in writing.
10. NOTICE
Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered in accordance with the provisions set out in the Campus Subscription Terms and the Managed Services Terms.
SCHEDULE 1 - THE SERVICES SPRINT MEDIA PROVIDES TO THE CUSTOMER
The services that we provide, in respect of which we act as a Data Processor, are:
1. Campus
If you are a Campus user we process your CRM, education data, and user data by storing it, enabling you to access, sort, search, embellish, suppress, and send marketing to it.
2. Managed Email and Postal Campaigns
In some instances, we may hold and process a list of your suppressions if they were provided by you. The processing we do surrounding these is to suppress this data against our own send lists to ensure those contacts are not emailed or posted to.
3. Website Build and Hosting
Where we have built or host your website we process user data and contact enquiry data that may have been submitted through a form on the website by storing it, enabling you to access, sort, and search it in the CMS part of your website.
SCHEDULE 2 - LIST OF SUB-PROCESSORS
We use our Affiliates and a range of third-party Sub-Processors to assist us in providing the Services (as described in the Agreement). These Sub-Processors set out below provide server hosting and storage services.
You consent to sub-processing by the following organisations:
Help Scout PBC
https://www.helpscout.com
Company Registration Number | 001361259 |
Address | 100 City Hall Plaza 4th Floor Boston, MA 02108 United States |
Description of Processing | Email inbox provider |
Transfer Outside EU/EEA | Yes |
If Transfer Which Country | United States |
If Transfer Which Mechanism | See: https://www.helpscout.com/company/legal/dpa (Clause 7) |
Northway Communications Services (UK) Ltd
https://www.northway.net
Company Registration Number | 05738059 |
Address | Unit B1 The Courtyard Tewkesbury Business Park Tewkesbury GL20 8GD United Kingdom |
Description of Processing | Server hosting |
Transfer Outside EU/EEA | No |
If Transfer Which Country | N/A |
If Transfer Which Mechanism | N/A |
DigitalOcean, LLC
https://www.digitalocean.com
Company Registration Number | 5411585 |
Address | 101 6th Ave New York, NY 10013 United States |
Description of Processing | Server hosting |
Transfer Outside EU/EEA | No |
If Transfer Which Country | N/A |
If Transfer Which Mechanism | N/A |
Atlassian B.V.
https://www.atlassian.com
Company Registration Number | N/A |
Address | Singel 236 1016 AB Amsterdam Netherlands |
Description of Processing | Team and project management software |
Transfer Outside EU/EEA | No |
If Transfer Which Country | N/A |
If Transfer Which Mechanism | N/A |
New Relic, Inc.
https://newrelic.com
Company Registration Number | 4478831 |
Address | 188 Spear Street Suite 1200 San Francisco, CA 94105 United States |
Description of Processing | Full stack data analysis platform |
Transfer Outside EU/EEA | No |
If Transfer Which Country | N/A |
If Transfer Which Mechanism | N/A |
HubSpot, Inc.
https://www.hubspot.com
Company Registration Number | 001262696 |
Address | 2 Canal Park Cambridge, MA 02141 United States |
Description of Processing | CRM, marketing, and sales platform |
Transfer Outside EU/EEA | Yes |
If Transfer Which Country | United States |
If Transfer Which Mechanism | See: https://legal.hubspot.com/dpa (Clause 8.(2)) |
Mailgun Technologies, Inc.
https://www.mailgun.com
Company Registration Number | 603585335 |
Address | 112 E Pecan St #1135 San Antonio, TX, 78205 United States |
Description of Processing | Transactional email API service |
Transfer Outside EU/EEA | Yes |
If Transfer Which Country | United States |
If Transfer Which Mechanism | See: https://www.mailgun.com/legal/dpa (Clause 12) |
Google LLC (Specifically Workspace)
https://www.google.com
Company Registration Number | 3582691 |
Address | 1600 Amphitheatre Parkway Mountain View, CA 94043 United States |
Description of Processing | Company email and standard workspace tools |
Transfer Outside EU/EEA | Yes |
If Transfer Which Country | Multiple locations |
If Transfer Which Mechanism | See: https://cloud.google.com/terms/data-processing-addendum (Clause 10) |
CyberPanda, s.r.o.
https://emaillistverify.com
Company Registration Number | 44550804 |
Address | Obchodná 2 811 06 Bratislava Slovakia, European Union |
Description of Processing | Email sanitisation |
Transfer Outside EU/EEA | No |
If Transfer Which Country | N/A |
If Transfer Which Mechanism | N/A |
Formagrid Inc.
https://www.airtable.com
Company Registration Number | 5659593 |
Address | 799 Market Street, 8th Floor San Francisco, CA 94103 United States |
Description of Processing | Spreadsheet and relational database service |
Transfer Outside EU/EEA | Yes |
If Transfer Which Country | United States |
If Transfer Which Mechanism | See: https://www.airtable.com/company/dpa (Clause 9) |
Dropbox, Inc.
https://www.dropbox.com
Company Registration Number | 4621015 |
Address | 1800 Owens Street San Francisco, CA 94158 United States |
Description of Processing | Storage |
Transfer Outside EU/EEA | Yes |
If Transfer Which Country | United States |
If Transfer Which Mechanism | See: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf (Clause 9) |