Data Processing Agreement
Date: 16 July 2024
Definitions and interpretation
The following definitions and rules of interpretation apply in this Data Processing Addendum.
Definitions:
Adequate Territory: a third country or international organisation which is subject to adequacy regulations under the Data Protection Legislation.
Appropriate Safeguards: a valid cross-border transfer mechanism under the Data Protection Legislation.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Customer Personal Data: Personal Data that Customer provides to Rightbrain that Rightbrain Processes on behalf of Customer to provide the Services.
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;
Subprocessor: an organisation engaged by Rightbrain to Process Customer Personal Data.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
This Data Processing Addendum is subject to the terms of the Agreement and is incorporated into the Agreement. Capitalised terms not defined in this Data Processing Addendum shall have the meanings given to them in the Agreement.
The Annexes form part of this Data Processing Addendum and will have effect as if set out in full in the body of this Data Processing Addendum. Any reference to this Data Processing Addendum includes the Annexes.
In the case of conflict or ambiguity between:
any provision contained in the body of this Data Processing Addendum and any provision contained in the Annexes, the provision in the body of this Data Processing Addendum will prevail;
the terms of any accompanying invoice or other documents annexed to this Data Processing Addendum and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
any of the provisions of this Data Processing Addendum and the provisions of the Agreement, the provisions of this Data Processing Addendum will prevail.
Customer Responsibilities
ANNEX A describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which Rightbrain Processes the Customer Personal Data. Customer agrees and acknowledges that it is responsible for the accuracy and completeness of ANNEX A.
Customer will not:
provide Customer Personal Data to Rightbrain except through agreed mechanisms; or
provide Customer Personal Data to Rightbrain other than as set out in ANNEX A.
Customer represents and warrants that for the purpose of the Data Protection Legislation:
Customer is the Controller and Rightbrain is the Processor; and
Customer will comply with its obligations under the applicable Data Protection Legislation, including but not limited to by providing any required notices and obtaining any required consents, rights or authorisations for the Processing of Customer Personal Data under this Data Processing Addendum and the Agreement, and for the written Processing instructions it gives to Rightbrain.
Without prejudice to Rightbrain’s security obligations under this Data Processing Addendum and the Agreement, Customer acknowledges that it, rather than Rightbrain, is responsible for certain configurations and implementation decisions and that it, and not Rightbrain, is responsible for implementing those configurations and decisions in a secure manner that complies with the Data Protection Legislation.
Rightbrain’s obligations
Rightbrain agrees to:
Process Customer Personal Data only i) on Customer’s behalf for the purpose of providing and supporting the Services, and ii) in compliance with the written instructions received from Customer;
inform Customer promptly if, in Rightbrain’s opinion, an instruction of Customer violates the Data Protection Legislation;
require that persons authorised by Rightbrain to Process the Customer Personal Data have committed themselves to confidentiality;
implement appropriate technical and organisational measures against unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data;
reasonably assist Customer, at Customer’s cost, in meeting Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Rightbrain’s Processing and the information available to Rightbrain, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation;
where required by law, the Commissioner or other relevant regulator, and subject to reasonable notice and confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer at Customer’s sole expense and in a manner that is minimally disruptive to Rightbrain’s business. Where permitted by law, Rightbrain may instead make available to Customer a summary of the results of a third party audit or certification reports relevant to Rightbrain’s compliance with this Data Processing Addendum; and
notify Customer without undue delay on becoming aware of any Personal Data Breach.
Subprocessors
Customer hereby provides a general authorisation to Rightbrain’s engagement of the list of Subprocessors as set out in Annex B - Subprocessors, as updated by Rightbrain from time to time.
Rightbrain will inform Customer of any intended changes concerning the addition or replacement of Subprocessors by providing no less than two weeks’ notice of such changes. Customer may, acting reasonably, object to such changes within two weeks of receipt of such notice. Where Customer has objected to the addition or replacement of a Subprocessor, Rightbrain may, at its sole discretion:
cancel its plans to use such Subprocessor and/or offer an alternative Subprocessor using the process set out in this clause 4.1;
take corrective steps agreed with Customer to ensure that the use of such Subprocessor is acceptable to Customer; or
cease to provide, or require Customer not to use, the affected feature of the Services.
Rightbrain’s agreements with Subprocessors will satisfy the requirements for such contracts imposed by the Data Protection Legislation. Subject to any limitation of liability set out in this Data Processing Addendum and the Agreement, Rightbrain will be liable to Customer for the acts and omissions of Subprocessors in their performance of their obligations under such contracts.
Where Subprocessors operate outside the UK, Customer authorises Rightbrain to transfer Customer Personal Data to such subcontractors provided that such transfers are made to an Adequate Territory and/or subject to Appropriate Safeguards.
Term and termination
This Data Processing Addendum will remain in full force and effect so long as:
the Agreement remains in effect; or
Rightbrain retains any of the Customer Personal Data related to the Agreement in its possession or control.
Any provision of this Data Processing Addendum that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Customer Personal Data will remain in full force and effect.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Agreement obligations, the parties may agree to suspend the Processing of the Customer Personal Data until that Processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data Processing into compliance with the Data Protection Legislation within 90 days either party may terminate the Agreement on not less than 30 working days’ written notice to the other party.
Within 30 days of termination of this Data Processing Addendum, Rightbrain will delete or, at Customer’s cost, return all Customer Personal Data to Customer.
Annex A - Particulars of Processing
Subject matter: Rightbrain’s provision of the Services to Customer
Duration: As set out in clause 5.1 of this Data Processing Addendum.
Nature: Rightbrain will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with this Data Processing Addendum.
Purpose: As set out in the Order Form.
Personal data type(s): Data relating to Customer’s End Users and other data relating to individuals provided to Rightbrain via the Services.
Categories of data subject: Customer’s End Users and any other individuals who are the subjects of Customer Personal Data.
Annex B - Subprocessors
Subprocessor: OpenAI, L.L.C.
Address: 3180 18th St, San Francisco, CA 94110, USA
Purpose: LLM processing
Equipment Location: USA
Additional Information: https://platform.openai.com/subprocessors
Subprocessor: Google Cloud EMEA Ltd
Address: Velasco Clanwilliam Place Quay, Dublin 2, Ireland
Purpose: Hosting, LLM Processing
Equipment Location:
Hosting: EU West 4 (Netherlands)
LLM processing: https://cloud.google.com/gemini/docs/locations
Additional Information: https://cloud.google.com/terms/subprocessors
Subprocessor: Anthropic Ireland, Limited
Address: 6th Floor South Bank House, Barrow Street, Dublin 4, Dublin, Ireland
Purpose: LLM Processing
Equipment Location: USA
Additional Information: https://www.anthropic.com/subprocessors
Version: 1.1
Last updated: 16 July 2024