DATA PROCESSING
ADDENDUM

GoBenny Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between GoBenny and the customer that uses the GoBenny Service (“Customer”).

1. Roles of the parties

1.1 The Customer acts as controller of personal data that is entered into or generated within the GoBenny Service.
1.2 GoBenny acts as processor of that personal data, processing it only on behalf of the Customer and in accordance with this DPA and documented instructions from the Customer.

2. Scope of processing

2.1 Subject matter: the provision of the GoBenny Service.
2.2 Duration: for the period of the Customer’s subscription and any retention period set out in the Terms.
2.3 Nature and purpose: hosting, storage, transmission, analysis and other processing necessary to provide, maintain and improve the Service, prevent or address technical or security issues and provide support.
2.4 Types of personal data: data relating to the Customer’s customers, staff and other contacts, such as names, contact details, job and service information, communications, and other data entered into the Service by or on behalf of the Customer.
2.5 Categories of data subjects: individuals whose personal data is included in the Customer’s use of the Service, such as end customers and staff.

3. Instructions

3.1 GoBenny will process personal data only on the documented instructions of the Customer, unless required by law to do otherwise.
3.2 The Customer’s initial instructions are to process personal data as necessary to provide the Service in accordance with the Terms.
3.3 If GoBenny is required by law to process personal data beyond the Customer’s instructions, GoBenny will inform the Customer unless prohibited by law.

4. Confidentiality

4.1 GoBenny will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

5.1 Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing, GoBenny will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures to:

• protect against unauthorised access, alteration or disclosure
  
  
• restore availability and access in a timely manner in the event of an incident
  
  
• regularly test and evaluate the effectiveness of security measures
  
  

6. Sub processors

6.1 The Customer authorises GoBenny to appoint sub processors to support the provision of the Service, including cloud hosting providers, communication tools and support platforms.
6.2 GoBenny will ensure that sub processors are bound by written agreements that impose data protection obligations that are no less protective than those in this DPA.
6.3 GoBenny will remain responsible for the acts and omissions of its sub processors.

7. International transfers

7.1 Where personal data is transferred outside the United Kingdom or European Economic Area, GoBenny will ensure that appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses, as required by applicable law.

8. Assistance to the Customer

8.1 Taking into account the nature of the processing and information available, GoBenny will assist the Customer, at the Customer’s cost where appropriate, with:

• responding to requests from data subjects
  
  
• data protection impact assessments
  
  
• consultations with supervisory authorities
  
  

9. Personal data breaches

9.1 GoBenny will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer.
9.2 The notification will include information that the Customer reasonably requires to meet its legal obligations, as far as it is available to GoBenny at the time.

10. Deletion or return of data

10.1 Following termination of the Service, GoBenny will delete or anonymise personal data processed on behalf of the Customer after a reasonable retention period, unless a longer retention period is required by law.
10.2 Where feasible, and on request of the Customer before the end of the retention period, GoBenny will provide a copy or export of Customer Data.

11. Audit

11.1 On reasonable notice and no more than once in any twelve month period, the Customer may request information to demonstrate compliance with this DPA.
11.2 If necessary for regulatory reasons, and subject to confidentiality commitments, the Customer may carry out or commission an audit of GoBenny’s relevant data processing activities, provided this:

• is conducted during normal business hours
  
  
• does not unreasonably disrupt GoBenny’s operations
  
  
• respects the confidentiality of other customers
  
  

12. Liability

12.1 The limitations and exclusions of liability in the Terms apply to this DPA.

13. Precedence

13.1 In the event of any conflict between this DPA and the Terms, this DPA will prevail to the extent of the conflict in relation to data protection matters.

‍