1 Basis, Definitions and Interpretation
1.1 Compuco: the Compuco entity (Compuco Cloud Ltd, company number 11285420, or Compucorp Ltd, company number 01303299 and any of their subsidiaries) set out in the Main Agreement (or otherwise identified in this addendum).
1.2 Client: the client set out in the Main Agreement (or the client or potential client otherwise identified in this addendum).
1.3 Data Protection Law: the General Data Protection Regulation ((EU) 2016/679) as it forms part of UK law by virtue of the European Union (Withdrawal) Act of 2018 or otherwise, the Data Protection Act 2018 and any laws, regulations and secondary legislation relating to privacy or data protection as amended or updated from time to time, applicable to Compuco.
1.4 Main Agreement: the agreement for services including data processing by Compuco on behalf of the Client (if applicable).
1.5 Permitted Territory: the European Economic Area and the UK.
1.6 Any terms or words defined in Data Protection Law and used in a provision of this addendum relating to personal data shall, for the purposes of that provision, have the meaning set out in Data Protection Law.
1.7 This addendum shall be read in accordance with Data Protection Law, and in the event that any term, condition or provision of this addendum is deemed invalid, unlawful, unenforceable or non-compliant with Data Protection Law to any extent, it shall be deemed modified to the minimum extent necessary to make it valid, legal, enforceable and compliant under Data Protection Law whilst maintaining the original intention of this addendum.
1.8 In consideration of the mutual promises set out in this addendum (the sufficiency of which each party expressly acknowledges), the parties agree (notwithstanding any restrictions or formalities set out in the Main Agreement regarding variation or amendment) to amend the Main Agreement as set out below.
2 Data Protection
2.1 This addendum is intended to ensure that the Client’s appointment of Compuco is compliant with Data Protection Law.
2.2 Both parties will comply with all applicable requirements of Data Protection Law. This clause 2 is in addition to, and does not relieve, remove or replace, a party’s obligations under Data Protection Law.
2.3 The parties acknowledge their understanding that for the purposes of Data Protection Law, the Client is the data controller and Compuco is the data processor in relation to any personal data processed on behalf of the Client in connection with the performance by Compuco of its obligations under the Main Agreement. Where, in respect of any personal data, the Client is a data processor on behalf of a third party, the Client warrants that the Client’s instructions and actions regarding such personal data (including the appointment of Compuco as a data processor) have been authorised by such third party. The details of processing are as follows (and the Client acknowledges and agrees all such details as accurate and comprehensive), save as specified otherwise in the Main Agreement or by agreement in writing between the parties:
- 2.3.1 Subject-matter. Compuco’s provision of services, including (as applicable) allowing for the Client’s data to be uploaded by its users and access to the Client’s systems for support, analysis or evaluation purposes.
- 2.3.2 Nature and Purpose. Allowing storage of and access to the Client’s data within Compuco’s services, which may include personal data and/or accessing the Client’s data in the course of providing the services.
- 2.3.3 Duration. For the duration of the Main Agreement (if applicable, or such time period as is otherwise agreed between the parties) and thereafter until deleted or returned by Compuco in accordance with the Main Agreement.
- 2.3.4 Types of Personal Data. Data relating to the Client’s users and other individuals as contained within the Client’s data and systems as applicable.
- 2.3.5 Categories of Data Subject. The Client’s users uploading data or individuals referenced in the Client’s data and system as applicable.
2.4 Without prejudice to the generality of clause 2.2, the Client will ensure that it has all necessary consents and notices in place to enable lawful transfer of the personal data to Compuco for the duration and purposes of the Main Agreement, and that its instructions to Compuco shall not infringe (or otherwise place Compuco in breach of) Data Protection Law.
2.5 Without prejudice to the generality of clause 2.2, Compuco shall, where it acts as a data processor on behalf of the Client:
- 2.5.1 process that personal data only on the documented instructions of the Client (and the Client hereby instructs Compuco to process that personal data as required to perform its obligations under the Main Agreement) unless Compuco is otherwise required by Applicable Law (being the laws of England and Wales or of any member of the European Union or the laws of the European Union applicable to Compuco) to process personal data (in which case Compuco shall notify the Client of this before performing the processing required by Applicable Law unless Applicable Law prohibits Compuco from so notifying the Client on important grounds of public interest);
- 2.5.2 only appoint sub-processors as permitted under this addendum;
- 2.5.3 ensure that it has in place appropriate technical and organisational measures as required by Data Protection Law, including the measures set out in the Security Schedule;
- 2.5.4 ensure that all its personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
- 2.5.5 only transfer any personal data outside of the Permitted Territory in accordance with Data Protection Law (including through the use of standard contractual clauses and the ICO addendum as applicable) and where the prior written authorisation of the Client has been obtained or such transfer is on the written instructions of the Client; where the Client has been notified that an authorised sub-processor is located, or stores or accesses personal data, outside the Permitted Territory, the Client shall, through the authorisation of that sub-processor, be deemed to have authorised Compuco to transfer personal data outside the Permitted Territory to that sub-processor;
- 2.5.6 taking into account the nature of the processing, assist the Client, at the Client’s cost (to the extent not already included in the charges payable by the Client), by appropriate technical and organisational measures in responding to any request from a data subject (insofar as this is possible) and in ensuring compliance with the Client’s obligations under Data Protection Law with respect to (taking into account the information available to Compuco) security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- 2.5.7 notify the Client without undue delay on becoming aware of a personal data breach (and the parties agree to co-ordinate in good faith in relation to the content of any related public statements or notices), and (with regard to its obligations under clause 2.5.9) immediately inform the Client if (in Compuco’s opinion) an instruction of the Client’s infringes Data Protection Law;
- 2.5.8 at the written direction of the Client (subject to the terms of the Main Agreement), delete or return personal data and copies thereof to the Client on termination of the Main Agreement unless required by Applicable Law to store the personal data; and
- 2.5.9 make available to the Client all information necessary to demonstrate its compliance with this clause 2 and Data Protection Law (which shall remain Compuco’s confidential information and which the Client shall not disclose or use other than to confirm Compuco’s compliance with Data Protection Law) and allow for and contribute to audits by the Client or the Client's designated auditor at the Client’s expense (including as to Compuco’s costs of supporting the Client in or complying with such audit), on reasonable written notice during business hours, not more than once in each calendar year (save where such audit is required due to a personal data breach caused by Compuco) and subject to such reasonable measures as Compuco (or any sub-processor) requires in relation to its security and confidentiality requirements and not causing disruption to its business activities.
2.6 The Client specifically authorises the appointment of any sub-processor identified in the Main Agreement or otherwise notified to the Client and generally authorises Compuco to appoint further or alternative sub-processors. Where Compuco appoints or replaces a sub-processor it shall notify the Client in advance of any intended changes concerning the addition or replacement of such sub-processors (and such notice may be given by amending the list of sub-processors at www.compuco.io/compuco-sub-processors or otherwise through any application, service or platform Compuco provides which the Client has access to). If the Client wishes to object to such changes, it must do so within 30 days of receiving such notice, by notifying Compuco in writing accompanied by its reasons for such objection. Following any such objection, Compuco may engage with the Client to provide alternatives or assurances in relation to such change. If the Client (acting reasonably in relation to its legal or regulatory compliance obligations) continues to object to such changes the Client may, within 30 days of receipt of the original notice, terminate on written notice without penalty the relevant services directly affected by that change. Where the Client does not provide written notice of such termination, or continues to use such services following the change, it shall be deemed to have accepted such change. Compuco shall remain fully liable for all acts or omissions of any sub-processor engaged by it (and such engagements shall be on such sub-processors’ terms of business which incorporate data protection obligations which are the same or more onerous in their effect as those set out in this clause 2).
2.7 The Client acknowledges that it has undertaken all due diligence it considers necessary in advance of entering into this addendum, and is satisfied that Compuco meets the requirements of Data Protection Law in respect of its processing under the Main Agreement, and that any further requests for information, guarantees or assistance in this respect may involve additional costs at Compuco’s standard rates in force from time to time.
3 General
3.1 This addendum shall form part of the Main Agreement and shall continue for the duration of Compuco’s processing of personal data for or on behalf of the Client under the Main Agreement. By entering into the Main Agreement, the Client acknowledges and accepts this addendum. Any limitations on liability set out in the Main Agreement shall include the provisions of this addendum as this addendum is part of the Main Agreement. Further, the parties agree that any breach of the obligations set out in this addendum or otherwise relating to data protection shall not be treated as a breach of (or subject to) any confidentiality obligations which Compuco otherwise is subject to.
3.2 In the event of any conflict in relation to the data protection provisions of this addendum and the Main Agreement, the provisions of this addendum shall take precedence.
3.3 The parties hereby agree that this addendum shall be governed by and interpreted in accordance with English Law, and hereby submit to the English courts.
Security Schedule
This schedule sets out the description of the technical and organisational security measures implemented by Compuco.
Technical measures:
- We choose the most appropriate secure settings for our devices and software. Most hardware and software will need some level of set-up and configuration in order to provide effective protection and we take reasonable steps to ensure that all devices have .
- We encrypt all mobile computing devices (for example laptops, tablets, mobile telephones, PDAs) and portable data storage media (for example USB sticks, flash drives, magnetic tapes) which hold, store, process or have access to personal data.
- We ensure that passwords for servers and client sites are random and strong, and we use multi-factor authentication wherever possible.
- We keep our software and devices up to date. Hardware and software need regular updates to fix bugs and security vulnerabilities. We update all systems, including firewalls and anti-virus software (where in use), as soon as is reasonable to do so.
- We run regular security scanning of our infrastructure (excluding client sites) for potential vulnerabilities and patch these within a suitable period of time. Scanning of client sites is available at an additional charge.
- All passwords must be strong and random. They must have a minimum length of 12 characters. This can be achieved by using multiple words (a minimum of three) to create a password (e.g., 'Three Random Words'). Users should avoid common or discoverable passwords, such as a pet's name, common keyboard patterns or passwords they have used elsewhere.
Organisational measures:
- All Compuco staff are subject to vetting and background checks as part of our hiring process.
- We have an appropriate data protection policy, information security policy and data breach notification policy.
- We make the data protection responsibilities of staff clear through training and within staff contracts.
- We ensure that we have as few copies of client data as possible to perform our tasks and that client data is not taken off site without authorisation.
- Any sub-contractor will follow these same procedures with regard to data protection.
Technical measures relating to the CiviPlus platform only:
- The CiviPlus infrastructure has been built with security by design. Our computer resources and databases which store your data are held within a private subnet and not accessible directly from the Internet.
- All data is encrypted at rest including storage and databases. This includes all records, passwords, payment information, and keys.
- All data in transit between your browser and the platform is encrypted. For this, we use settings that are known to be safe and that allow our sites to achieve an A+ rating in the well-known Qualys SSL Server Test.
- The AWS account is secured using MFA, with individual IAM roles assigned to specific users in Compuco.
- CiviPlus ships with a number of predefined roles granting different levels of access to the platform, including a read only role.
- CiviPlus monitors your sessions to ensure that your login is not being used without your knowledge.
- CiviPlus enforces password policies to ensure that your team uses stronger passwords.
- CiviPlus will expire your session after a sensible amount of time ensuring that users do not need to remember to logout.
- CiviPlus can be integrated with a number of SSO solutions, including Microsoft Azure360.
- We use Amazon Web Hosting for our hosting. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
  - SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018
- Platform backups are taken once per day and kept for 14 days. We are working to increase this so that backups are retained for 6 months. Backups are stored offsite in AWS S3, which provides 99.99% availability and AWS Service Level Guarantees as per https://aws.amazon.com/s3/sla. Data is automatically stored across multiple devices spanning a minimum of three Availability Zones, each separated by miles within an AWS Region.
- We run regular security scanning of the CiviPlus infrastructure for potential vulnerabilities and patch these within a suitable period of time.
- All credit card processing is performed offsite by our credit card processing partner “Stripe” who are PCI compliant.
V 1.11 Last Updated 14th April 2023