Data Processing Agreement
Last updated: 7 April 2026
This Data Processing Agreement (this "DPA") forms part of the agreement between the customer entity that uses ImportOps (the "Controller") and ImportOps (the "Processor") constituted by the Terms of Service (the "Agreement"). It applies where the Processor processes personal data on behalf of the Controller when providing the Service.
1. Definitions
Capitalised terms in this DPA have the meaning given in the Agreement unless defined below. The terms "controller", "processor", "data subject", "personal data", "processing", and "supervisory authority" have the meanings in UK GDPR.
- "Applicable Data Protection Law" means UK GDPR, the Data Protection Act 2018, and EU GDPR where it applies to processing in connection with the Service.
- "Sub-processor" means a third party engaged by the Processor to process personal data on behalf of the Controller.
2. Duration and scope
This DPA takes effect on the date the Controller first uses the Service and continues until termination of the Agreement and completion of processing described in clause 11. It applies only to processing of personal data within the scope of Article 28 UK GDPR carried out by the Processor for the Controller in connection with the Service.
3. Processing details
3.1 Subject matter and nature
The subject matter is the provision of the ImportOps vehicle import operations platform. Processing operations include hosting, storage, organisation, retrieval, display, backup, security monitoring, support access as authorised, and AI-assisted extraction initiated by Users.
3.2 Purpose
Processing is carried out solely to provide the Service in accordance with the Agreement and documented instructions from the Controller (including configuration choices made through the product interface).
3.3 Categories of data subjects
May include the Controller's customers, suppliers, employees, contractors, and other individuals whose personal data the Controller chooses to store in the Service.
3.4 Types of personal data
May include contact details, identifiers, employment or role information, vehicle-related data that identifies individuals, free-text notes, and content in uploaded files or images.
3.5 Special category data
The Service is not intended for special category or criminal offence data under UK GDPR. The Controller shall not submit such data unless the parties have agreed additional safeguards in writing.
4. Instructions and compliance
- The Processor shall process personal data only on documented instructions from the Controller unless required to process by law to which the Processor is subject; in such case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest.
- The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law.
5. Personnel and confidentiality
The Processor shall ensure that persons authorised to process personal data are bound by appropriate obligations of confidentiality (whether contractual or statutory).
6. Security of processing
Taking into account the state of the art, cost of implementation, and nature, scope, context, and purposes of processing, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as described in our Privacy Policy and security documentation available on request.
7. Sub-processors
7.1 Authorised sub-processing
The Controller grants general authorisation for the Processor to engage Sub-processors listed or described in the Privacy Policy and for replacements or additions in accordance with this clause 7.
7.2 New Sub-processors
The Processor shall notify the Controller by email to the Organisation administrator's registered address at least thirty (30) days before engaging a new Sub-processor who will access personal data. The Controller may object on reasonable data protection grounds within that period. If the parties cannot resolve the objection within a further fourteen (14) days, the Controller may terminate the affected portion of the Service or the Agreement in accordance with its termination rights.
7.3 Flow-down obligations
The Processor shall impose on each Sub-processor data protection terms materially equivalent to those in this DPA and shall remain liable to the Controller for the performance of Sub-processors' obligations.
8. International transfers
The Processor shall not transfer personal data outside the UK or EEA without ensuring appropriate safeguards under Chapter V UK GDPR / GDPR (as applicable), such as adequacy regulations, the UK International Data Transfer Agreement or Addendum, standard data protection clauses, or binding corporate rules, as relevant to the transfer.
9. Assistance with data subject rights
The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights under Applicable Data Protection Law. If the Processor receives a request directly, it shall promptly forward it to the Controller unless prohibited by law.
10. Personal data breach notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller, and shall provide information reasonably available to enable the Controller to meet its own breach reporting obligations, including the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
11. Deletion and return
On termination of the Agreement, the Processor shall, at the Controller's choice where technically feasible, delete or return all personal data processed on behalf of the Controller, except where retention is required by EU or UK law, in which case the Processor shall inform the Controller and apply appropriate isolation and deletion timelines.
12. Audit and demonstration of compliance
The Processor shall make available information necessary to demonstrate compliance with Article 28 UK GDPR and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and security requirements, no more than once per twelve (12) months except following a supervisory authority request or credible security incident, and at the Controller's expense. The Processor may satisfy this obligation by providing third-party certifications or audit reports where commercially reasonable.
13. Liability
Liability for breach of this DPA is subject to the limitation and exclusion provisions of the Agreement, except where prohibited by Applicable Data Protection Law.
14. Order of precedence
In the event of conflict between this DPA and the Agreement concerning processing of personal data as processor, this DPA prevails solely to the extent of that conflict. Otherwise the Agreement prevails.
15. Contact
Processor contact for data protection matters: privacy@import-ops.com