Data Processing Agreement
Extend Robotics Limited – Data Processing Agreement
BACKGROUND
The Customer and the Supplier have entered into an agreement for the supply of software and related services (Master Agreement) that may require the Supplier to process Personal Data on behalf of the Customer.
This Personal Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which the Supplier will process Customer Personal Data (defined below) when providing services under the Master Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the assimilated EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between Controllers and Processors and the General Data Protection Regulation ((EU) 2016/679).
AGREED TERMS
Definitions and Interpretation
The following definitions and rules of interpretation apply in this DPA.
Definitions:
Business Purposes: the services to be provided by the Supplier to the Customer as described in the Master Agreement and any other purpose specifically identified in Part 2 of Annex A.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and processing: have the meanings given in the Data Protection Legislation.
Customer: the person purchasing the Software (as defined in the Master Agreement) from the Supplier and party to the Master Agreement.
Customer Personal Data: any Personal Data which the Supplier processes in connection with this DPA in the capacity of a Processor as set out in paragraph 1.2, Part 1 of Annex A.
Data Protection Legislation:
To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union or EEA to which the Customer or Supplier is subject, which relates to the protection of Personal Data.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Records: has the meaning given in clause 12.1.
Regulator: as applicable, the Commissioner, concerned EEA supervisory authorities and such other regulators with authority to enforce the Data Protection Legislation applicable to the processing.
Sub-Processor: has the meaning given in clause 8.1.
Supplier: Extend Robotics Limited, a company incorporated in England and Wales under company number 12171849 and whose registered office is at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.
Supplier Personal Data: any Personal Data which the Supplier processes in connection with this DPA in the capacity of a Controller as set out in paragraph 1.1, Part 1 of Annex A.
Supplier Personnel: means all directors, officers, employees, agents, and freelancers of the Supplier engaged in the performance of its obligations under the Master Agreement or this DPA from time to time.
Supplier’s Privacy Policy: the Supplier’s privacy policy in respect of the Supplier Personal Data, available online at https://www.extendrobotics.com/privacy-policy, as amended from time to time.
UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.
The Annex forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annex.
A reference to writing or written includes email.
In the case of conflict or ambiguity between:
any provision contained in the body of this DPA and any provision contained in the Annex, the provision in the body of this DPA will prevail; and
any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.
Personal Data types and processing purposes
The Customer and the Supplier agree and acknowledge that for the purpose of the Data Protection Legislation:
the Supplier is the Controller of the Supplier Personal Data;
the Customer is the Controller and the Supplier is the Processor of the Customer Personal Data;
the Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Supplier; and
in relation to the Customer Personal Data, Part 2 of Annex A describes the subject matter, duration, nature and purpose of the processing and the Customer Personal Data categories and Data Subject types in respect of which the Supplier may process the Customer Personal Data to fulfil the Business Purposes.
Should the determination in clause 2.1(a) or clause 2.1(b) change, then each party shall work together in good faith to make any changes which are necessary to this DPA.
Both parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
Without prejudice to the generality of clause 2.1 and clause 2.3, the Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Supplier Personal Data and Customer Personal Data to the Supplier and lawful collection of the same by the Supplier for the duration and purposes of this DPA. The Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in connection with any breach by the Customer of the terms of clause 2.1(c), clause 2.3 and this clause 2.4.
By entering into this DPA, the Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by the Supplier in connection with the processing of the Supplier Personal Data, provided these are in compliance with the then-current version of the Supplier’s Privacy Policy.
Supplier’s obligations
The Supplier shall only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Supplier will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Supplier shall promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
The Supplier shall comply promptly with any Customer written instructions requiring the Supplier to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorised processing.
The Supplier shall maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Regulator). If a domestic or EU law, court or regulator (including the Regulator) requires the Supplier to process or disclose the Customer Personal Data to a third party, the Supplier must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.
The Supplier shall reasonably assist the Customer, at the Customer’s cost, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Supplier's processing and the information available to the Supplier, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Regulator under the Data Protection Legislation.
Supplier Personnel
The Supplier shall ensure that all of the Supplier Personnel:
are bound by written confidentiality obligations and use restrictions in respect of the Customer Personal Data or are under an appropriate statutory or common law obligation of confidentiality;
have undertaken training on the Data Protection Legislation and how it relates to their handling of the Customer Personal Data and how it applies to their particular duties; and
are aware both of the Supplier's duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
Security
The Supplier shall at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data, including but not limited to:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
Personal Data Breach
The Supplier shall within 36 hours and in any event without undue delay notify the Customer in writing if it becomes aware of:
the loss, unintended destruction or damage, corruption, or unusability of part or all of the Customer Personal Data. The Supplier will restore such Customer Personal Data at its own expense as soon as possible;
any accidental, unauthorised or unlawful processing of the Customer Personal Data; or
any Personal Data Breach.
Where the Supplier becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
a description of the nature of (a), (b) and/or (c), including the categories of in-scope Customer Personal Data and approximate number of both Data Subjects and the Customer Personal Data records concerned;
the likely consequences; and
a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
Immediately following any accidental, unauthorised or unlawful Customer Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Supplier will reasonably co-operate with the Customer, in the Customer's handling of the matter, including:
assisting with any investigation;
facilitating interviews with the Supplier Personnel (including, where possible, former Supplier Personnel);
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Customer Personal Data processing.
The Supplier shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Customer Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.
The Supplier agrees that the Customer has the sole right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Regulator, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice. The Customer shall not offer any remedy to affected Data Subjects without the prior written approval of the Supplier, such approval not to be unreasonably withheld or delayed.
The Supplier shall cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's written instructions, negligence, wilful default or breach of this DPA, in which case the Customer will cover all reasonable expenses.
The Supplier shall also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Supplier caused such, including all reasonable costs of notice and any remedy as set out in clause 6.5.
Transfers of Customer Personal Data
The Supplier (and any Sub-Processor) may transfer or otherwise process Customer Personal Data outside of the UK or EEA provided that the Supplier shall ensure that all such transfers are effected in accordance with the Data Protection Legislation.
Sub-Processors
The Supplier may only authorise a third party (Sub-Processor) to process the Customer Personal Data if:
the Sub-Processor is listed in Part 3 of Annex A or the Customer is provided with an opportunity to object to the appointment of each Sub-Processor within 7 Business Days (as defined in the Master Agreement) after the Supplier supplies the Customer with details in writing regarding such Sub-Processor;
the Supplier enters into a written contract with the Sub-Processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts; and
the Supplier maintains control over all of the Customer Personal Data it entrusts to the Sub-Processor.
If the Customer objects to the appointment of any Sub-Processor pursuant to clause 8.1(a), the Supplier may terminate the Master Agreement immediately on written notice to the Customer.
Where the Sub-Processor fails to fulfil its obligations under the written agreement with the Supplier which contains terms substantially the same as those set out in this DPA, the Supplier remains fully liable to the Customer for the Sub-Processor’s performance of its agreement obligations.
The parties agree that the Supplier will be deemed by them to control legally any Customer Personal Data controlled practically by or in the possession of its Sub-Processors.
Complaints, Data Subject requests and third-party rights
The Supplier shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Customer Personal Data, object to the processing and automated processing of Customer Personal Data, and restrict the processing of Customer Personal Data; and
information or assessment notices served on the Customer by the Regulator under the Data Protection Legislation.
The Supplier shall notify the Customer promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Customer Personal Data or to either party's compliance with the Data Protection Legislation.
The Supplier shall notify the Customer promptly if it receives a request from a Data Subject for access to their Customer Personal Data or to exercise any of their other rights under the Data Protection Legislation.
The Supplier shall give the Customer, at the Customer’s cost, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
The Supplier shall not disclose the Customer Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, or as required by domestic or EU law.
Term and termination
This DPA will remain in full force and effect so long as:
the Master Agreement remains in effect; or
the Supplier retains any of the Customer Personal Data related to the Master Agreement in its possession or control.
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Customer Personal Data will remain in full force and effect.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Master Agreement with immediate effect on written notice to the other party.
Data return and destruction
At the Customer's request, the Supplier will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
On termination of the Master Agreement for any reason or expiry of its term, the Supplier will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Customer Personal Data related to this DPA in its possession or control, except for one copy that it may retain and use for routine backup purposes for a period of 12 months from the termination of the Master Agreement.
If any law, regulation, or government or regulatory body requires the Supplier to retain any documents, materials or Customer Personal Data that the Supplier would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
The Supplier will certify in writing to the Customer that it has deleted or destroyed the Customer Personal Data within 7 days after it completes the deletion or destruction.
Records
The Supplier will keep detailed, accurate and up-to-date written records regarding any processing of the Customer Personal Data, including the access, control and security of the Customer Personal Data, approved Sub-Processors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in clause 5 (Records).
The Supplier will ensure that the Records are sufficient to enable the Customer to verify the Supplier's compliance with its obligations under this DPA and the Data Protection Legislation and the Supplier will provide the Customer with relevant copies of the Records upon request.
Audit
The Supplier will permit the Customer and its third-party representatives to conduct reasonable audits of the Supplier’s compliance with its obligations under this DPA, on reasonable written notice at a frequency of not more than once per year.
The frequency restrictions set out in clause 13.1 shall not apply where the Customer is directly required by the Regulator or other in-scope regulator to audit the Supplier’s compliance with its obligations under this DPA.
Limitation of liability
Any limitation of liability set forth in the Master Agreement shall apply to this DPA’s liability or reimbursement obligations.
This DPA has been entered into on the date the Master Agreement is executed.
Personal Data processing purposes and details
Part 1 – Role of the parties
1.1 Where the Supplier acts as a Controller:
(a) when processing Personal Data contained within correspondence between the Customer’s staff, Supplier Personnel, and/or documents relating to the establishment, management, audit, operation, and communication (on which the Supplier may wish to rely to establish its rights and liabilities under the Master Agreement) in respect of the Master Agreement for the provision of the contracted services;
(b) when processing Personal Data contained in any Routine Data (as defined in the Master Agreement) for the Supplier’s own purposes (as further described in the Supplier’s Privacy Policy); and
(c) when processing Personal Data of the Customer’s staff for marketing purposes.
1.2 Where the Supplier acts as a Processor:
Save as set out in paragraph 1.1 of this Annex A, when processing the Personal Data of Data Subjects whose Personal Data is collected through the services provisioned under the Master Agreement (including Personal Data contained within any Routine Data where the Supplier is processing such Personal Data to perform its obligations under the Master Agreement) and processed by the Supplier on the Customer’s behalf.
Part 2 – Particulars of processing
2.1 Subject matter of processing
The performance of the Supplier’s duties under the Master Agreement.
2.2 Duration of processing
For the term of the Master Agreement and for such time afterwards as required for the parties to exercise their rights and obligations under clause 11 of this DPA.
2.3 Nature of processing
The processing of Customer Personal Data to enable the Supplier to comply with its duties under the Master Agreement.
2.4 Business Purposes
To enable the Supplier to perform its duties under the Master Agreement.
2.5 Personal Data categories
Identity data, device details, image data, video data, contact details and such other Personal Data categories as relevant.
2.6 Data Subject types
Staff, clients or customers of the Customer and/or such clients’ or customers’ staff and such other Data Subjects whose Personal Data is processed by the Supplier in connection with the performance of its duties under the Master Agreement.
Part 3 – Approved Sub-Processors:
Microsoft Limited
Amazon Web Services EMEA SARL
Valve Corporation
Meta Platforms Technologies UK LTD