Data Processing Addendum

Last updated 6th June 2024

 

This Data Processing Addendum (“DPA”) supplements the Terms and Conditions that are in place between the Customer (“Data Controller”) and Aveni Ltd (“Aveni, Data Processor”) and covers the Customer’s use of Aveni products and any related support (the “Agreement”).

 

The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.

 

This DPA is entered into between Aveni and the Customer when the Customer visits, accesses, uses or provides access for others to our services (the “Effective Date”) and shall apply to the extent that Aveni Processes Personal Data as either a Data Controller or Data Processor as defined below.

 

WHEREAS:

 

(1)    The provision of the Services by the Data Processor, as described in Schedule 1, involves it processing the Personal Data described in Schedule 2 on behalf of the Data Controller.

 

(2)    Aveni will Process Customer Account Data as a Data Controller for the following purposes:

·   to provide and improve the Products;

·   to manage the Customer relationship (communicating with Customer and Users in accordance with their account preferences, responding to Customer enquiries and providing technical support, etc.);

·   to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and

·   to carry out core business functions such as accounting, billing, and filing taxes.

 

(3)    Aveni will process Aveni usage data as a Data Controller for the purposes of:

·   providing, optimising, securing, and maintaining Aveni’s Products;

·   optimising user experience; and

·   informing Aveni’s business strategy.

 

(4)    Under the United Kingdom (“UK”) General Data Protection Regulation (“the UK GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that data.

 

(5)    The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the UK GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.

 

(6)    The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.

 

IT IS AGREED as follows:                                                                                              

 

1.          Definitions and Interpretation

1.1       In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

 

“Data Controller”, “Data Processor”, “processing”, and “data subject”

shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the UK GDPR;

“ICO”

 

means the UK’s supervisory authority, the Information Commissioner’s Office;

“Personal Data”

means all such “personal data”, as defined in Article 4 of the UK GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in Schedule 2;

“Services”

means those services described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purposes described in Schedule 1;

“Sub-Processor”

means a sub-processor appointed by the Data Processor to process the Personal Data; and

“Sub-Processing Agreement”

means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 9.

 

1.2       Unless the context otherwise requires, each reference in this Agreement to:

1.2.1   “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;

1.2.2   a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;

1.2.3   “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;

1.2.4   a Schedule is a schedule to this Agreement; and

1.2.5   a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.

1.2.6   a “Party” or the “Parties” refer to the parties to this Agreement.

1.3       The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.

1.4       Words imparting the singular number shall include the plural and vice versa.

1.5       References to any gender shall include all other genders.

1.6       References to persons shall include corporations.

2.          Scope and Application of this Agreement

2.1       The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held or accessed by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.

2.2       The provisions of this Agreement supersede any other arrangement, understanding, or agreement including, but not limited to, the Service Agreement made between the Parties at any time relating to the Personal Data.

2.3       This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 10.

3.          Provision of the Services and Processing Personal Data

The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:

3.1       for the purposes of those Services and not for any other purpose;

3.2       to the extent and in such a manner as is necessary for those purposes; and

3.3       strictly in accordance with the express written authorisation and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).

4.          Data Protection Compliance

4.1       All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the UK GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the UK GDPR).

4.2       The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.

4.3       The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.

4.4       Both Parties shall comply at all times with the UK GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the UK GDPR.

4.5       The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the UK GDPR) and any best practice guidance issued by the ICO.

4.6       The Data Processor shall provide all reasonable assistance to the Data Controller in complying with its obligations under the UK GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.

4.7       When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:

4.7.1   not process the Personal Data outside the UK or European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the UK or EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the UK GDPR by providing an adequate level of protection to any Personal Data that is transferred;

4.7.2   not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 9;

4.7.3   process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);

4.7.4   implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against any unauthorised processing, including any accidental or unlawful loss, destruction, damage, alteration, disclosure or access. In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for Data Subjects. The Data Processor shall at least implement the technical and organisational measures specified in Schedule 3 and shall inform the Data Controller in advance of any material changes to such measures;

4.7.5   if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;

4.7.6   keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPR;

4.7.7   make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the UK GDPR;

4.7.8   on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the UK GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and

4.7.9   inform the Data Controller immediately if it is asked to do anything that infringes the UK GDPR or any other applicable data protection legislation.

5.          Data Subject Access, Complaints, and Breaches

5.1       The Data Processor shall assist the Data Controller in complying with its obligations under the UK GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.

5.2       The Data Processor shall notify the Data Controller without undue delay if it receives:

5.2.1   a subject access request from a data subject; or

5.2.2   any other complaint or request relating to the processing of the Personal Data.

5.3       The Data Processor shall cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by:

5.3.1   providing the Data Controller with full details of the complaint or request;

5.3.2   providing the necessary information and assistance in order to comply with a subject access request;

5.3.3   providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and

5.3.4   providing the Data Controller with any other information requested by the Data Controller.

5.4       The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.

6.          Liability and Indemnity

The Data Processor shall indemnify, keep indemnified and defend the Data Controller, at the Data Processor’s own expense, against all claims, liabilities, costs, expenses, damages and losses (including all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by the Data Controller arising out of the failure by the Data Processor or its employees or agents to comply with any of its obligations under this Agreement (“Claims”). Each party acknowledges that Claims include any claim or action brought by a data subject arising from the Supplier’s breach of its obligations under this Agreement.

7.          Intellectual Property Rights

All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Data Processor is licensed to use such Personal Data under such rights only for the purposes of the Services, and in accordance with this Agreement.

8.          Confidentiality

8.1       The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.

8.2       The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.

8.3       The obligations set out in this Clause 8 shall continue for a period of six years after the cessation of the provision of Services by the Data Processor to the Data Controller.

8.4       Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

9.          Appointment of Sub-Processors

9.1       The Client consents to Aveni engaging third party subprocessors to process personal data on their behalf provided that Aveni:

(i) maintains an up-to-date list of its subprocessors in Schedule 2, which it shall update with details of any change in subprocessors at least 10 days prior to any such change;

(ii) imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and

(iii) remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.

9.2   The Client may object to Aveni’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to the Client’s ability to comply with Applicable Data Protection Laws. In such event, Aveni will either not appoint or replace the subprocessor or, if this is not possible, the Client may suspend or terminate the relevant agreement(s) (without prejudice to any fees incurred by the Client prior to suspension or termination).

10.       Deletion and/or Disposal of Personal Data

10.1    The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:

10.1.1 the end of the provision of the Services; or

10.1.2 the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under this Agreement or the Service Agreement.

10.2    Following the deletion, disposal, or return of the Personal Data under sub-Clause 10.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.

11.       Law and Jurisdiction

11.1    This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of Scotland.

11.2    Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of Scotland.

 

SCHEDULE 1

 

Services

 

“Software Tool” means access to the Aveni products which are browser based software as a service solutions and iOS/Android applications to review and engage with the output

 

“Technology” means the application of machine learning, natural language processing and wider artificial intelligence per Aveni specialisms

 

“Output” means the analysis of the data provided by the data controller

 

At the date of this Agreement means the use of the Software Tool (and the bespoke development of the Software Tool based on the data received by the Data Processor through the provision of the Services and based on any agreed deliverables) on a trial basis provided to the Data Controller by the Data Processor, to which the Data Controller is being granted access, including the Technology and the Output, and any other services operated and maintained by the Data Processor, or ancillary online or offline products and services. Additionally, Services shall include any services agreed to be provided by agreement of the parties or detailed in any Business Services Agreement.

 

 

SCHEDULE 2

 

Personal Data

 

Type of Personal Data: Name; contact details; location data; financial; health; personal circumstances; relationships; employment status

Categories of Data Subject: Customers, Employees

Nature of Processing Carried Out: Audio conversion to text. Analysis of components of the converted audio to surface information that is identified by the Aveni classifiers. Further processing of these components to aggregate and train machine learning model using pattern recognition. Surfacing of this information to customer employees to aid actions on customers and employees.

Purpose(s) of Processing: To enable the Company to demonstrate the insight it can deliver on customers and agents direct from customer conversations.

Retention Period: All customer data will be deleted on termination of the contract or if requested by the customer.

Duration of Processing: For the contract period unless otherwise agreed / no longer required.

 

Sub-Processors:

 

Name: AWS, Location:  UK, Purpose: Data centre

Name: Rev AI, Location: EEA, Purpose: Transcription

Name: RecallAI (Hyperdoc Inc.), Location: EEA, Purpose: Audio Capture

Name: Azure, Location: EEA, Purpose: Large Language models

 

 

SCHEDULE 3

 

Technical and organisational measures to ensure the security of Personal Data

 

 

1.   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to Data Subjects, the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Data Processor shall implement the following, as appropriate:

 

a)      the pseudonymisation and encryption of the Personal Data;

 

b)      the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

 

c)       the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

 

d)      a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

 

3. As a minimum, the Data Processor shall implement the items set out below.

 

Organisational Measures

 

The Data Processor has in place the following policies:

 

·   Data Protection Policy

·   Personal data breach Policy

·   IT Communications and Systems Policy

·   Data Security Policy

·   Business Continuity Policy

 

 

Technical Measures

 

The Data Processor shall implement the following measures, as appropriate:

 

·  Firewalls

·  Anti-malware

·  Encryption of Personal Data

·  Access controls

·  Penetration testing

·  Vulnerability scanning

 

 

 

 

 
