Data Processing Agreement (DPA)

  1. Definitions

    1. Parties

      1. The Customer set out in the HeadBox Order Form; and

      2. HeadBox Solutions Limited

    2. Parties' roles

      1. The Customer is the Data Controller; and

      2. HeadBox Solutions Limited is the Data Processor.

    3. Contacts

      1. Processor – DPO@headbox.com.

      2. Controller – as set out in the HeadBox Order Form.

    4. Main Agreement

      This Data Processing Agreement forms part of and is incorporated into the Main Agreement.

    5. Term

      This DPA will commence on the date of signature of the Main Agreement and will continue for the term of the Main Agreement.

    6. Breach Notification Period

      48 hours after becoming aware of a personal data breach.

    7. Data Subject Rights Request Notification Period

      2 working days after becoming aware of a data subject rights request.

    8. Sub-processor Notification Period

      14 days before the new sub-processor is granted access to Personal Data.

    9. Liability Cap

      Each party's aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement.

    10. Governing Law and Jurisdiction

      English governing law and subject to the exclusive jurisdiction of the Courts of England and Wales.

    11. Data Protection Laws

      All laws, regulations and court orders which apply to the processing of Personal Data in connection with the Processor's services, including in the European Economic Area (EEA), the United Kingdom (UK) and the United States of America (USA).

      This includes the:

      1. European Union Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR);

      2. the UK Data Protection Act 2018 and the UK GDPR; and

      3. California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA),

      each as amended from time to time.

    12. Services related to processing

      Provision of the Services as set out in the Main Agreement, including the creation of Bespoke Avatars, account management and HeadBox user administration.

    13. Duration of processing

      Term of the Main Agreement.

    14. Nature and purpose of processing

      Management of the account, administration of users of the HeadBox platforms, and development of Bespoke Avatars and provision of virtual 3D Models and Tours (as such terms are defined in the Main Agreement).

    15. Personal Data

      The types of personal data processed are:

      1. name;

      2. image and likeness;

      3. voice;

      4. title and role; and

      5. contact details.

    16. Data subjects

      The individuals whose Personal Data will be processed are:

      1. any person on which a Bespoke Avatar is based; and

      2. the personnel and officers of Controller and its contractors and agents.

    17. International Transfer Mechanism

      Where HeadBox utilizes the services of Sub-processors that are not in the UK, it does so in accordance with Articles 49 and 46 of the UK GDPR. Where required, this may include the use of the International Data Transfer Agreement issued by the Information Commissioner's Office under Section 119A of the Data Protection Act 2018.

  2. Purpose

    1. The Parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).

    2. In this DPA:

      1. save as expressly set out herein, capitalized terms shall have the same meaning as in the Main Agreement;

      2. adequate country means a country or territory that is recognized under Data Protection Laws from time to time as providing adequate protection for processing Personal Data;

      3. Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws; and

      4. Sub-processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.

  3. Obligations

    1. Controller instructs Processor to process Personal Data in accordance with this DPA. Controller is responsible for providing all notices and obtaining all consents, licenses and legal bases required to allow Processor to process Personal Data and Controller warrants that it has done so in accordance with the Data Protection Laws.

    2. Processor will:

      1. only process Personal Data in accordance with this DPA and Controller's instructions (unless legally required to do otherwise);

      2. not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement;

      3. inform Controller promptly if (in its opinion) any instructions infringe Data Protection Laws;

      4. use the technical and organizational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved;

      5. notify Controller of a personal data breach within the Breach Notification Period and provide, at Controller's cost, reasonable assistance to Controller as required under Data Protection Laws in responding to it;

      6. ensure that anyone authorized to process Personal Data is committed to confidentiality obligations;

      7. without undue delay and at Controller's cost, provide Controller with reasonable assistance with:

        1. data protection impact assessments;

        2. responses to data subjects' requests to exercise their rights under Data Protection Laws; and

        3. engagement with supervisory authorities;

      8. if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA;

      9. allow for audits of Personal Data processed in connection with the Main Agreement at Controller's reasonable request and on reasonable advance notice, provided that audits are limited to once a year and during business hours; and

      10. return Personal Data upon Controller's written request or delete Personal Data at the end of the Term, unless retention is legally required.

    3. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

  4. Sub-processing

    1. Controller authorizes Processor to engage other processors (referred to in this section as Sub-processors) when processing Personal Data. Processor's existing Sub-processors are listed in Annex 2.

    2. Processor will:

      1. require its Sub-processors to comply with equivalent terms as Processor's obligations in this DPA;

      2. ensure appropriate safeguards are in place before internationally transferring Personal Data to its Sub-processor; and

      3. be liable for any acts, errors or omissions of its Sub-processors as if they were a party to this DPA.

    3. Processor may appoint new Sub-processors provided that it notifies Controller in accordance with the Sub-processor Notification Period. Such notification may be provided through any platform made available by Processor in the provision of the Services.

    4. Controller may reasonably object in writing to any future Sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate the Main Agreement on written notice to the other party.

  5. International Personal Data transfers

    1. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller (including services requested pursuant to the Main Agreement), unless otherwise required by law.

    2. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data:

      1. that party will act as the data importer;

      2. the other party is the data exporter; and

      3. the relevant Transfer Mechanism will apply.

    3. Subject to the terms of the relevant International Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

      1. challenge the request and promptly notify the data exporter about it; and

      2. only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

  6. Other important information

    1. Any provision of this DPA which is intended to survive the Term will remain in full force.

    2. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:

      1. International Transfer Mechanism,

      2. DPA,

      3. Main Agreement.

    3. Notices under this DPA must be in writing and sent to the Contact on the DPA's front page as may be updated by a party to the other in writing.

    4. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.

Annex 1

Security measures

Technical and organizational measures to ensure the security of Personal Data:

  • Database encryption for sensitive and credentials data;
  • encryption in transit for all services;
  • encrypted backup and disaster recovery; and
  • AWS perimeter security.

Annex 2

Sub-processors

Current Sub-processors:

  • De-Identification Inc. and De-Identification Ltd. (Avatar creation) – United States – Signed Data Processing Agreement – https://www.d-id.com/privacy-policy/.
  • Google Suite (Corporate digital filing system) – Republic of Ireland – Signed Data Processing Agreement – https://policies.google.com/privacy?hl=en-US.
  • Xero (Accounting software) – European Economic Area (EEA) – Signed Data Processing Agreement (SCC and IDTA for global support model) – https://www.xero.com/uk/legal/privacy/.
  • DocuSign (eSigning platform) – EEA – Signed Data Processing Agreement – https://www.docusign.com/company/privacy-policy.
  • AdobeSign (eSigning platform) – EEA – Incorporated Data Processing Agreement – https://www.adobe.com/content/dam/cc/en/legal/terms/enterprise/pdfs/DPA-SCC-English_2022v2.pdf.
  • HubSpot (Customer Relationship Management) – EEA – Signed Data Processing Agreement (SCC for global support model) – https://legal.hubspot.com/privacy-policy.
  • AWS (HeadBox hosted infrastructure, Ireland) – EEA – Signed Data Processing Agreement – https://aws.amazon.com/privacy/.
  • BrainTree (Online payments) – EEA – Signed Data Processing Agreement (SCC and IDTA for global support model) – https://www.braintreepayments.com/gb/legal/braintree-privacy-policy.
  • Mux (Video hosting) – United States – Signed Data Processing Agreement – https://www.mux.com/privacy.