CLEAROOMS - DATA PROCESSING AGREEMENT

BACKGROUND

(A) The Customer and Clearooms entered into the Agreement (defined below) for the supply of software services that may require Clearooms to process Personal Data on behalf of the Customer.

(B) This Personal Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which Clearooms will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required for contracts between Controllers and Processors by Article 28(3) of both the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) and the General Data Protection Regulation ((EU) 2016/679).

AGREED TERMS

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:

Agreement: the contract between the Customer and Clearooms for the supply of software services subject to Clearooms Terms and Conditions and incorporating this DPA.

Business Purposes: the services to be provided by Clearooms to the Customer as described in the Agreement and any other purpose specifically identified in Annex A.

Clearooms: Clearooms Limited incorporated and registered in England and Wales with company number 12855479 whose registered office is at Abacus House, Pennine Business Park, Longbow Close, Huddersfield, England, HD2 1GQ.

Clearooms Personal Data: any Personal Data which Clearooms processes in connection with this DPA in the capacity of a Controller as set out in paragraph 1.1, Part 1 of Annex A.

Clearooms Personnel: means all directors, officers, employees, agents, consultants and contractors of Clearooms engaged in the performance of its obligations under the Agreement or this DPA.

Clearooms Terms and Conditions: the terms and conditions applicable to the Agreement available online at https://clearooms.com/terms/ as amended from time to time.

Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018).

Controller, Processor, Data Subject, Personal Data, Personal Data Breach and processing: have the meanings given in the Data Protection Legislation.

Customer: the client or customer of Clearooms and party to the Agreement.

Customer Personal Data: any Personal Data which Clearooms processes in connection with this DPA in the capacity of a Processor as set out in paragraph 1.2, Part 1 of Annex A.

Data Protection Legislation:

(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data. 

(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Clearooms is subject, which relates to the protection of Personal Data. 

EEA: the European Economic Area.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

Records: has the meaning given in clause 12.1.

Sub-Processor: has the meaning given in clause 8.1.

Term: this DPA’s term as defined in clause 10.1(b).

UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.2 This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.

1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4 A reference to writing or written includes email.

1.5 In the case of conflict or ambiguity between:

(a) any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and

(b) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.

2. Personal Data types and processing purposes

The Customer and Clearooms agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) Clearooms is the Controller of the Clearooms Personal Data;

(b) the Customer is the Controller and Clearooms is the Processor of the Customer Personal Data;

(c) the Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Clearooms; and

(d) in relation to Customer Personal Data, Part 2 of Annex A describes the subject matter, duration, nature and purpose of the processing and the Customer Personal Data categories and Data Subject types in respect of which Clearooms may process the Customer Personal Data to fulfil the Business Purposes.

3. Clearooms’ obligations

3.1 Clearooms will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. Clearooms will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. Clearooms must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

3.2 Clearooms shall comply promptly with any Customer written instructions requiring Clearooms to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 Clearooms will maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Clearooms to process or disclose the Customer Personal Data to a third party, Clearooms must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

3.4 Clearooms will reasonably assist the Customer, at the Customer’s cost, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of Clearooms’ processing and the information available to Clearooms, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.

4. Clearooms Personnel

Clearooms will ensure that all Clearooms Personnel:

(a) are informed of the confidential nature of the Customer Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data;

(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Customer Personal Data and how it applies to their particular duties; and

(c) are aware both of Clearooms’ duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

5. Security

5.1 Clearooms must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data including the security measures set out in Annex B.

5.2 The Customer acknowledges and agrees that it has reviewed the security measures in Annex B and it confirms that those measures are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Customer Personal Data to be protected, having regard to the state of technological development and the cost of implementing any security measures.

6. Personal Data Breach

6.1 Clearooms will promptly and in any event within 36 hours notify the Customer in writing if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Customer Personal Data. Clearooms will restore such Customer Personal Data at its own expense (to the extent that such restoration is technically feasible) promptly;

(b) any accidental, unauthorised or unlawful processing of the Customer Personal Data; or

(c) any Personal Data Breach.

6.2 Where Clearooms becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:

(a) a description of the nature of (a), (b) and/or (c), including the categories of in-scope Customer Personal Data and approximate number of both Data Subjects and the Customer Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Following any accidental, unauthorised or unlawful Customer Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Clearooms will reasonably co-operate with the Customer in the Customer's handling of the matter, including:

(a) assisting with any investigation;

(b) providing the Customer with physical access to any facilities and operations affected;

(c) facilitating interviews with Clearooms Personnel (and, where possible, former Clearooms Personnel);

(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Customer Personal Data processing.

6.4 Clearooms will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Customer Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.

6.5 Clearooms agrees that the Customer has the sole right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice.

7. Transfers of Customer Personal Data

Subject to clause 8.1, Clearooms (and any Sub-Processor) may transfer Customer Personal Data outside of the UK or EEA provided that all such transfers are effected in accordance with Data Protection Legislation.

8. Subcontractors

8.1 Clearooms may only authorise a third-party (Sub-Processor) to process the Customer Personal Data if:

(a) the Sub-Processor is listed in Part 3 of Annex A, or the Customer is provided with an opportunity to object to the appointment of each new Sub-Processor within 14 days after Clearooms supplies the Customer with details in writing regarding such Sub-Processor;

(b) Clearooms enters into a written contract with the Sub-Processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts; and

(c) Clearooms maintains control over all of the Customer Personal Data it entrusts to the Sub-Processor.

8.2 If the Customer objects to the appointment of any new Sub-Processor pursuant to clause 8.1(a), Clearooms shall be entitled to terminate the Agreement immediately on written notice to the Customer. If Clearooms does not terminate the Agreement in accordance with this clause 8.2, and the Customer objects to the appointment but cannot demonstrate, to Clearooms’ reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Legislation, the Customer shall indemnify Clearooms for any losses, damages, costs (including legal fees) and expenses suffered by Clearooms in accommodating the objection.

8.3 Where a Sub-Processor fails to fulfil its obligations under the written agreement with Clearooms which contains terms substantially the same as those set out in this DPA, Clearooms remains fully liable to the Customer for the Sub-Processor’s performance of its agreement obligations.

8.4 The parties agree that Clearooms will be deemed by them to control legally any Customer Personal Data controlled practically by or in the possession of its Sub-Processors.

9. Complaints, Data Subject requests and third-party rights

9.1 Clearooms must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Customer Personal Data, object to the processing and automated processing of Customer Personal Data, and restrict the processing of Customer Personal Data; and

(b) the information or assessment notices served on the Customer by the Commissioner or other relevant regulator under the Data Protection Legislation.

9.2 Clearooms must notify the Customer promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Customer Personal Data or to either party's compliance with the Data Protection Legislation.

9.3 Clearooms must notify the Customer promptly if it receives a request from a Data Subject for access to their Customer Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4 Clearooms will give the Customer, at the Customer’s cost, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 Clearooms must not disclose the Customer Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, or as required by domestic law.

10. Term and termination

10.1 This DPA will remain in full force and effect so long as:

(a) the Agreement remains in effect; or

(b) Clearooms retains any of the Customer Personal Data related to the Agreement in its possession or control (Term).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Customer Personal Data will remain in full force and effect.

11. Data return and destruction

11.1 At the Customer's written request, Clearooms will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2 Subject to clause 11.3, on termination of the Agreement for any reason or expiry of its term, at the Customer’s option (to be notified in writing) Clearooms will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Customer Personal Data related to this DPA in its possession or control. For the purposes of this clause 11.2 Customer Personal Data shall be considered deleted or destroyed where it is put beyond further use of Clearooms.

11.3 If any law, regulation, or government or regulatory body requires Clearooms to retain any documents, materials or Customer Personal Data that Clearooms would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4 Clearooms will certify in writing to the Customer that it has deleted, destroyed or returned the Customer Personal Data, as the case may be, promptly upon written request by the Customer.

12. Records

12.1 Clearooms will keep detailed, accurate and up-to-date written records regarding any processing of the Customer Personal Data, including the access, control and security of the Customer Personal Data, approved Sub-Processors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).

12.2 Clearooms will ensure that the Records are sufficient to enable the Customer to verify Clearooms’ compliance with its obligations under this DPA and the Data Protection Legislation and Clearooms will provide the Customer with copies of the Records upon request.

13. Audit

13.1 Clearooms will permit the Customer and/or its third party representatives to conduct reasonable audits of Clearooms’ compliance with its obligations under this DPA, on reasonable written notice at a frequency of not more than once per year.

13.2 The frequency restrictions set out in clause 13.1 shall not apply where the Customer is directly required by the Commissioner or other in-scope regulator to audit Clearooms’ compliance with its obligations under this DPA.

14. Warranties

14.1 Clearooms warrants and represents that:

(a) Clearooms Personnel accessing the Customer Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;

(b) it and anyone operating on its behalf will process the Customer Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments; and

(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Agreement's contracted services.

14.2 The Customer warrants and represents that Clearooms’ expected use of the Customer Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15. Limitation of liability

15.1 Nothing in this DPA will exclude, limit or restrict Clearooms’ liability for:

(a) death or personal injury caused by its negligence;

(b) fraud or fraudulent misrepresentation; or

(c) any other liability which may not be limited or excluded by law.

15.2 Subject to clause 15.1, Clearooms shall not be liable to the Customer for any of the following loss or damage, in each case arising out of or in connection with this DPA or the Data Protection Legislation (including as a result of breach of contract, negligence or any other tort, under statute or otherwise), and regardless of whether Clearooms knew or had reason to know of the possibility of the loss, injury or damage in question:

(a) any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;

(b) any loss or corruption (whether direct or indirect) of data or information;

(c) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or

(d) any loss or liability (whether direct or indirect) under or in relation to any other contract.

15.3 Subject to clauses 15.1 and 15.2, the aggregate liability of Clearooms (including its respective partners, officers, employees, contractors, directors, subcontractors and agents) under or in connection with this DPA or the Data Protection Legislation, whether in contract, tort (including negligence) or otherwise, shall be limited to £25,000 (twenty-five thousand pounds sterling).

16. Notice

16.1 Any notice given to a party under or in connection with this DPA shall be in writing and shall be: (a) delivered by hand to its registered office (if a company) or its principal place of business (in any other case); or (b) sent by email, in the case of the Customer, to the email address registered to the Customer Account (as defined in the Agreement) or, in the case of Clearooms, by email to info@clearooms.com.

16.2 Any notice shall be deemed to have been received if (a) delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; or (b) sent by email at the time of the transmission provided that no bounce back message is received.

16.3 This clause 16 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

This DPA has been entered into on the date the Agreement is executed.

ANNEX A Personal Data processing purposes and details

Part 1 – Role of the parties

1.1 Where Clearooms acts as a Controller:

(a) when processing Clearooms Personal Data contained within correspondence between the Customer’s staff and Clearooms Personnel, and/or documents relating to the establishment, management, audit, operation and communication in respect of the Agreement for the provision of the contracted services (on which Clearooms may wish to rely to establish its rights and liabilities under the Agreement); and

(b) when processing Clearooms Personal Data of the Customer’s staff for marketing purposes.

1.2 Where Clearooms acts as a Processor:

Save as set out in paragraph 1.1 of this Annex A, when processing the Customer Personal Data of Data Subjects whose Personal Data is collected through the services provisioned under the Agreement.

Part 2 – Particulars of processing

2.1 Subject matter of processing

The performance of Clearooms’ duties under the Agreement.

2.2 Duration of processing

For the term of the Agreement and for such time afterwards as required for the parties to exercise their rights and obligations under clause 11.

2.3 Nature of processing

The processing of Customer Personal Data to enable Clearooms to comply with its duties under the Agreement.

2.4 Business Purposes

To enable Clearooms to perform its duties under the Agreement.

2.5 Personal Data categories

Identity data, contact details and such other Personal Data categories as relevant.

2.6 Data Subject types

Clients or customers of the Customer and/or such clients’ or customers’ staff and such other Data Subjects whose Personal Data is processed by Clearooms in connection with the performance of its duties under the Agreement.

Part 3 – Approved Sub-Processors

• Amazon Web Services EMEA Sarl

• Functional Software, Inc

• Crisp IM SAS

• Stonly SAS

• Atlassian (UK) Operations Limited

ANNEX B Security measures

Physical Access Controls

Clearooms is a fully remote team, and we rely on AWS infrastructure for hosting. AWS data centres employ robust physical security measures, including surveillance, security staff, and restricted physical access to only authorised personnel. As part of our setup, no physical servers are managed in-house, and our team does not handle physical data.

System Access Controls

Access to our systems is tightly controlled. Multi-factor authentication (MFA) and VPN access are required for employees to access production servers and databases directly. Access permissions are role-based and restricted to only those employees who require it to perform their job. Production environment access requires specific approvals, and only a limited number of personnel can gain access, all of which is logged and auditable.

Data Access Controls

Access to production data is restricted and only available to authorised personnel after explicit approval. Direct access to production databases requires VPN and 2FA authentication. Non-production environments (staging/test) use anonymised data, and no actual customer data is used in these environments.

Transmission Controls

All data transmitted between Clearooms servers and clients is encrypted using TLS (Transport Layer Security) to prevent interception or unauthorised access. We also enforce secure protocols for internal data transmissions and inter-service communication within our system architecture. Data at rest, including backups, is encrypted using industry-standard encryption protocols to safeguard it from physical or virtual breaches.

Input Controls

We implement extensive logging for all data entry activities, including when, where, and by whom data is modified. Our test suites are robust and comprehensive, ensuring that any data-related operations adhere to strict security and privacy standards.

Backups

Clearooms employs a robust backup strategy to ensure data resilience and availability. Full server backups are performed daily and retained for 30 days. Additionally, point-in-time restore is enabled for our database, allowing us to restore the system to any specific point in time if needed. No critical data is stored on the servers themselves, as all data is securely backed up to AWS services like databases and S3 storage. In the event of server failure or data loss, the servers can be quickly rebuilt and the code redeployed without significant impact.

Data Segregation

Clearooms operates a multi-tenant system, with all customer data currently stored in the same database. However, data segregation is enforced at the application level by using unique organisation ID columns, ensuring that one organisation’s data is logically isolated and inaccessible to others. Our rigorous testing process further ensures that data is not inadvertently accessible between organisations.
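The data segregation paragraph above describes logical tenant isolation in a shared database via organisation ID columns. As an added illustration (this is example code written for this page, not Clearooms' own code; the schema, table names, column names and the `TenantScopedDB` class are assumptions), the following Python sketch shows one way such a control is commonly enforced in the data-access layer, together with a schema check of the kind a testing process can run to confirm that every tenant-owned table actually carries the isolation column:

```python
import sqlite3
from typing import List, Optional

# Constructed schema for this example: every tenant-owned table carries a
# NOT NULL organisation_id column. Table and column names are assumptions.
SCHEMA = """
CREATE TABLE organisations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE bookings (
    id INTEGER PRIMARY KEY,
    organisation_id INTEGER NOT NULL REFERENCES organisations(id),
    room TEXT NOT NULL,
    booked_by TEXT NOT NULL
);
CREATE INDEX bookings_org_idx ON bookings(organisation_id);
"""

# Tables that are shared infrastructure rather than tenant data.
SHARED_TABLES = {"organisations"}


class TenantScopeError(Exception):
    """Raised when tenant data would be accessed without an organisation scope."""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def verify_tenant_columns(conn: sqlite3.Connection) -> List[str]:
    """Schema check: return the tables that hold tenant data but lack a
    NOT NULL organisation_id column. An empty list means every table can be
    segregated; anything else is a gap that testing should flag."""
    missing = []
    tables = [r["name"] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        if table in SHARED_TABLES:
            continue
        cols = {r["name"]: r for r in conn.execute(f'PRAGMA table_info("{table}")')}
        col = cols.get("organisation_id")
        if col is None or not col["notnull"]:
            missing.append(table)
    return missing


class TenantScopedDB:
    """Data-access layer that binds one organisation_id at construction and
    adds it to every query, so application code cannot omit the tenant filter."""

    def __init__(self, conn: sqlite3.Connection, organisation_id: int):
        if organisation_id is None:
            raise TenantScopeError("every data access must be scoped to an organisation")
        self.conn = conn
        self.org_id = organisation_id

    def add_booking(self, room: str, booked_by: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO bookings (organisation_id, room, booked_by) VALUES (?, ?, ?)",
            (self.org_id, room, booked_by))
        return cur.lastrowid

    def list_bookings(self) -> List[dict]:
        rows = self.conn.execute(
            "SELECT id, room, booked_by FROM bookings WHERE organisation_id = ?",
            (self.org_id,))
        return [dict(r) for r in rows]

    def get_booking(self, booking_id: int) -> Optional[dict]:
        # The tenant predicate is always ANDed with the record id, so an id that
        # belongs to another organisation resolves to None rather than to its row.
        row = self.conn.execute(
            "SELECT id, room, booked_by FROM bookings "
            "WHERE id = ? AND organisation_id = ?",
            (booking_id, self.org_id)).fetchone()
        return dict(row) if row else None


def demo() -> dict:
    """Two organisations share one database; each sees only its own rows."""
    conn = open_db()
    conn.executemany("INSERT INTO organisations (id, name) VALUES (?, ?)",
                     [(1, "Org A"), (2, "Org B")])
    org_a = TenantScopedDB(conn, 1)
    org_b = TenantScopedDB(conn, 2)
    a_id = org_a.add_booking("Room 1", "alice@example.test")   # constructed data
    b_id = org_b.add_booking("Room 2", "bob@example.test")     # constructed data
    return {
        "schema_gaps": verify_tenant_columns(conn),
        "a_sees": [r["room"] for r in org_a.list_bookings()],
        "b_sees": [r["room"] for r in org_b.list_bookings()],
        "a_reads_own_row": org_a.get_booking(a_id)["room"],
        "a_reads_b_row": org_a.get_booking(b_id),   # None: logically isolated
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the organisation scope is fixed when the access object is created, not supplied per query, which removes the most common failure mode in shared-database multi-tenancy: a single query path that forgets the tenant predicate. The `verify_tenant_columns` check complements application-level testing by catching a table added without the isolation column before any query against it exists.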