TomCRM Data Processing Agreement (DPA)

Introduction


This Data Processing Agreement ("DPA") is part of the [Subscription Agreement/Service Agreement] ("Agreement") between the customer ("Controller") and TomCRM Limited ("Processor"). This DPA ensures compliance with the UK GDPR and other applicable data protection laws.

1. Definitions

1.1 "Data Protection Laws" means the UK GDPR and any other applicable data protection or privacy laws.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.

1.3 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.4 "Sub-processor" means any third party appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller.

2. Details of Processing

2.1 Subject Matter: The subject matter of the data processing under this DPA is the Personal Data.

2.2 Duration: As long as the Processor provides services to the Controller under the Agreement.

2.3 Nature and Purpose: To provide the Subscription Service and Consulting Services.

2.4 Categories of Data Subjects: Individuals whose data is provided to the Processor by the Controller.

2.5 Types of Personal Data: Contact information, payment information, usage data, and any other data provided by the Controller.

3. Obligations of the Processor

3.1 Compliance: Process Personal Data only on documented instructions from the Controller, including transfers of Personal Data to a third country or an international organisation, unless required to do so by law.

3.2 Confidentiality: Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those specified in the UK GDPR.

3.4 Assistance: Assist the Controller in ensuring compliance with their obligations under Data Protection Laws, including data subject rights requests, data protection impact assessments, and breach notifications.

3.5 Return or Deletion: At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, except where required by law.

3.6 Information and Audit: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Obligations of the Controller

4.1 Instructions: Provide documented instructions for the processing of Personal Data.

4.2 Compliance: Ensure compliance with Data Protection Laws in its use of the Subscription Service and its provision of instructions to the Processor.

5. Sub-processors

5.1 Authorisation: The Processor shall not engage any Sub-processor without the prior specific or general written authorisation of the Controller.

5.2 Obligations: The Processor shall ensure that Sub-processors are bound by data protection obligations compatible with those of the Processor under this DPA.

6. Data Subject Rights

6.1 Notification: Promptly notify the Controller if a data subject requests access to, correction or amendment of, or deletion of their Personal Data, or objects to the processing of their Personal Data.

6.2 Assistance: Assist the Controller, to the extent possible, in responding to data subject requests.

7. Security Breach Notification

7.1 Notification: Notify the Controller without undue delay upon becoming aware of any Personal Data breach.

7.2 Cooperation: Cooperate with the Controller in the investigation, mitigation, and remediation of each such breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 Assistance: Provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities.

9. Data Transfers

9.1 Transfers: Any transfer of Personal Data to a third country or an international organisation shall be done only on documented instructions from the Controller or as required by law.

10. Miscellaneous

10.1 Governing Law: This DPA shall be governed by, and construed in accordance with, the laws of England and Wales.

10.2 Amendments: No variation of this DPA shall be effective unless it is in writing and signed by the parties.

10.3 Liability: The Processor shall be liable for the actions and omissions of its Sub-processors to the same extent the Processor would be liable if performing the services of each Sub-processor directly.

Data Security

TomCRM uses Go High Level’s services and cloud-based software, with data stored on their servers. Go High Level complies with GDPR and implements security measures to protect personal data, including encryption, regular backups, and vulnerability testing. Data is backed up daily to the local region on Google/AWS servers. For more details, see Go High Level Security and Compliance Overview.

Compliance and Audits

TomCRM is committed to maintaining compliance with the UK GDPR. We regularly test our systems for vulnerabilities, ensure our staff are trained in data protection principles, and are open to audits and inspections by the Controller to ensure ongoing compliance.

Request a Signed Copy: For a signed copy of this DPA, please email [email protected].

Copyright TomCRM 2022 -- All Rights Reserved