Parties and scope
1.1The parties
This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable Order Form (the "Controller") and UK REAL REVIEWS LTD, a company registered in England and Wales under company number 14587101, trading as ScoreReviews UK (the "Processor").
This DPA is incorporated into and forms part of the Terms of Service between the parties. In the event of any conflict, this DPA prevails to the extent of the conflict in respect of Personal Data processing.
1.2Roles
For the purposes of the UK GDPR, the EU GDPR and the UK Data Protection Act 2018, the Controller is the data controller and the Processor is the data processor in respect of Customer Personal Data.
Each party will comply with its own obligations under Data Protection Law in respect of the Processing carried out under the Agreement.
Subject matter and duration
2.1Subject matter
The Processor will Process Customer Personal Data on behalf of the Controller for the purpose of providing the ScoreReviews UK platform (the "Service"), including review collection, verification, moderation, publication, analytics and support.
2.2Duration
This DPA applies for the duration of the subscription to the Service and continues for as long as the Processor holds Customer Personal Data, after which the deletion and return provisions in section 10 apply.
2.3Categories of data subjects
- The Controller's end customers who are invited to leave a review
- The Controller's employees and authorised users of the dashboard
- Individuals identified in the content of a review submitted through the Service
2.4Categories of Personal Data
- Identifiers: name, email address, hashed IP address, user-agent
- Transaction identifiers used to verify a review (order reference, invitation token)
- Review content, ratings, photos and video submitted by the data subject
- Account data for the Controller's authorised users (name, email, role, authentication events)
- Usage and diagnostic data associated with a session
Controller instructions
3.1Documented instructions
The Processor will Process Customer Personal Data only on the documented instructions of the Controller, which are: (a) the Agreement and this DPA; (b) any use of the Service by the Controller's authorised users; and (c) any additional written instructions given from time to time.
If the Processor is required by law to Process Customer Personal Data other than on the Controller's instructions, it will inform the Controller of that legal requirement before Processing, unless that law prohibits such information.
3.2Compliance with instructions
The Processor will inform the Controller without delay if, in its opinion, an instruction infringes Data Protection Law.
Personnel and confidentiality
4.1Authorised persons
The Processor will ensure that access to Customer Personal Data is limited to personnel who need access to perform the Agreement and who are bound by appropriate obligations of confidentiality.
4.2Training
The Processor will ensure that personnel with access to Customer Personal Data receive regular training on Data Protection Law and information security.
Security measures
5.1Technical and organisational measures
The Processor will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
5.2Baseline controls
- Encryption of Personal Data in transit using TLS 1.2 or above
- Encryption of Personal Data at rest on managed database and object storage
- Role-based access control for the Processor's personnel with least-privilege defaults
- Multi-factor authentication for all production system access
- Segregation of production from development and test environments
- Automated backups with tested restore procedures
- Logging and monitoring of access to Customer Personal Data
- Vulnerability scanning and periodic penetration testing
Sub-processors
6.1General authorisation
The Controller grants the Processor general authorisation to engage sub-processors to Process Customer Personal Data, subject to the safeguards below.
6.2Sub-processor register
The Processor will maintain a current list of sub-processors, including the name, service, location and category of Personal Data processed. The list is available in the dashboard.
6.3Change notifications
The Processor will notify the Controller at least thirty (30) days before adding or replacing a sub-processor. The Controller may object in writing on reasonable data-protection grounds within that period, in which case the parties will discuss a resolution in good faith.
6.4Sub-processor obligations
The Processor will impose on each sub-processor data-protection obligations no less protective than those in this DPA. The Processor remains responsible to the Controller for the performance of each sub-processor.
International transfers
7.1Primary storage
Customer Personal Data is stored by default in the United Kingdom and the European Union.
7.2Restricted transfers
Where a transfer of Personal Data is made from the UK or EEA to a country not covered by an adequacy decision, the parties enter into the UK International Data Transfer Addendum (IDTA) or the EU Standard Contractual Clauses (SCCs), as applicable, which are incorporated into this DPA by reference.
The Processor completes and documents a transfer impact assessment before making a restricted transfer.
Assistance to the Controller
8.1Data subject requests
The Processor will provide reasonable assistance to enable the Controller to respond to requests from data subjects to exercise their rights, including access, rectification, erasure, restriction, portability and objection.
8.2DPIAs and consultation
The Processor will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Processor.
Personal Data breach
9.1Notification
The Processor will notify the Controller without undue delay, and in any event within twenty-four (24) hours, of becoming aware of a Personal Data breach affecting Customer Personal Data.
9.2Content of notification
- A description of the nature of the breach and the categories of data affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- The contact point for further information
Return and deletion
10.1On termination
At the Controller's choice, the Processor will delete or return Customer Personal Data to the Controller on termination of the Agreement, and delete existing copies, unless UK or EU law requires further storage.
10.2Retention windows
The Processor may retain: (a) verification metadata required to defend the integrity of published reviews for as long as the review is public; and (b) minimal transaction logs required by law for the applicable statutory period.
Audits and inspections
11.1Audit rights
The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, no more than once per year and on thirty (30) days' notice, save where an audit is triggered by a Personal Data breach or a written request from a supervisory authority.
11.2Third-party reports
The Controller agrees that annual third-party assurance reports and penetration test summaries provided by the Processor may satisfy audit obligations, where reasonably applicable.
Liability and precedence
12.1Liability
Each party's liability under or in connection with this DPA is subject to the liability provisions in the Agreement.
12.2Order of precedence
If there is a conflict between this DPA and any other agreement between the parties, this DPA prevails in respect of Personal Data. If there is a conflict between this DPA and the UK IDTA or EU SCCs, the IDTA or SCCs prevail.
Contact
Questions about this document? Email dpo@myverireviews.com. For a signed counterpart or a redlined version, contact your account manager.
This document is provided by UK REAL REVIEWS LTD (trading as ScoreReviews UK) for informational purposes and forms part of the contractual terms between us and our customers. It is not legal advice; you should take independent legal advice on how it applies to your organisation.