Version 2.0

Last updated: May 12, 2018

Thank you for using Albert! Transparency is important to us, which is why we try to be as clear as possible about how we process data.


Background

  1. This Data Processing Addendum ("DPA") is supplemental to the Agreement and applies as set out in clause 9 of the Agreement.
  2. In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.

Definitions

  1. Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
    • "Customer Personal Data" means the personal data described in ANNEX 1 and any other personal data that HQ Mobile processes on behalf of the Customer in connection with HQ Mobile's provision of the Service;
    • "Data Protection Laws" means all applicable laws and guidance by relevant supervisory authorities relating to data protection and the processing of personal data including:
      1. the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR");
      2. any legislation that, in respect of the United Kingdom, replaces or converts into domestic law the GDPR, the proposed Regulation on Privacy and Electronic Communications or other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union; and
      3. any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;
    • "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
    • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;
    • "Subprocessor" means any Processor engaged by HQ Mobile who agrees to receive Customer Personal Data from HQ Mobile; and
    • the terms "personal data", "Controller", "Processor", "Data Subject", "Process" and "Supervisory Authority" shall have the same meaning as set out in the GDPR.

Data Processing

  1. Instructions for Data Processing. HQ Mobile will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Service to Customer, and (b) Customer's written instructions, unless Processing is required by European Union or Member State law to which HQ Mobile is subject, in which case HQ Mobile shall, to the extent permitted by applicable law, inform Customer of that legal requirement before Processing that Customer Personal Data. By signing the Agreement, the Customer consents to HQ Mobile accessing, processing and retaining Customer Personal Data for the purpose of enabling HQ Mobile to provide account information services, as defined in the Payment Services Regulations 2017, to the Customer.
  2. Processing outside the scope of this DPA or the Agreement will require prior written agreement between Customer and HQ Mobile on additional instructions for Processing.

Subprocessors

  1. Consent to Subprocessor Engagement. The Customer generally authorises the engagement of third parties as Subprocessors.
  2. Information about Subprocessors. A list of HQ Mobile's Subprocessors is available upon request as may be updated by HQ Mobile from time to time in accordance with this DPA.
  3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, HQ Mobile will:
    • ensure via a written agreement that:
      1. the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and
      2. the same obligations are imposed on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on HQ Mobile under this DPA.
    • remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
  4. Opportunity to Object to Subprocessor Changes.
    • When any new Subprocessor is engaged during the Agreement, HQ Mobile will, at least 30 days before the new Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant subprocessor and the activities it will perform).
    • Customer may object to the appointment of that Subprocessor by providing documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA ("Objection"). If HQ Mobile does not remedy or provide a reasonable workaround for Customer's Objection within a reasonable time, Customer may object to any new Subprocessor by terminating the Agreement immediately upon written notice to HQ Mobile, on condition that Customer provides such notice within 90 days of being informed of the engagement of the Subprocessor as described in clause 4.4(1). This termination right is Customer's sole and exclusive remedy if Customer objects to any new Subprocessor.
  5. Transfers of Personal Data Outside the EEA. To the extent that the Processing of Customer Personal Data by HQ Mobile involves the export of such Personal Data to a country or territory outside the EEA, such transfer shall be to a third party:
    • in a country subject to an adequacy decision by the European Commission;
    • that is a member of a compliance scheme recognised by the European Commission as offering adequate protection for the rights and freedoms of data subjects such as the EU-U.S. Privacy Shield; or
    • that has signed Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission, (with the Customer as data exporter and the third party as data importer). For this purpose, the Customer appoints HQ Mobile to act as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Customer on its behalf for this purpose.

Data Security, Audits and Security Notifications

  1. HQ Mobile Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, HQ Mobile shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, HQ Mobile shall put in place and maintain the technical and organisational measures set out in ANNEX 2.
  2. HQ Mobile Security Audits. Customer may audit (by itself or using independent third party auditors) HQ Mobile's compliance with the security measures set out in this DPA (including the technical and organisational measures as set out in ANNEX 2), including by conducting audits of HQ Mobile's (and Subprocessors') data processing facilities, and such audits may be performed at least once annually.
  3. Where applicable by virtue of Article 28(3)(h) of the GDPR, HQ Mobile shall make available to Customer on request all information necessary to demonstrate compliance with this DPA. HQ Mobile shall immediately inform Customer if, in its opinion, an instruction pursuant to this clause 5.3 infringes applicable Data Protection Laws.
  4. Security Incident Notification. If HQ Mobile or any Subprocessor becomes aware of, or has reason to suspect that there has been, a Security Incident, HQ Mobile will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
  5. HQ Mobile Employees and Personnel. HQ Mobile shall treat Customer Personal Data as the Confidential Information of Customer, and shall ensure that:
    • access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data;
    • any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.

Access Requests and Data Subject Rights

  1. Data Subject Requests. Save as required (or where prohibited) under applicable law, HQ Mobile shall notify Customer of any request received by HQ Mobile or any Subprocessor from a Data Subject in respect of their personal data included in Customer Personal Data, and shall not respond to the Data Subject.
  2. HQ Mobile shall, where possible, assist Customer with ensuring its compliance under applicable Data Protection Laws, and in particular shall:
    • provide the Customer with the ability to correct, delete, block, access or copy the personal data of a Data Subject, or
    • promptly correct, delete, block, access or copy Customer Personal Data within the Service at Customer's request.
  3. Government Disclosure. HQ Mobile shall notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

Assistance

  1. HQ Mobile shall provide Customer with any information or assistance reasonably requested by Customer for the purpose of complying with any of Customer's obligations under applicable Data Protection Laws, including:
    • where applicable by virtue of Article 28(3)(e) of the GDPR, taking into account the nature of the Processing, assisting Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subject rights laid down in the GDPR;
    • where applicable by virtue of Article 28(3)(f) of the GDPR, providing reasonable assistance to Customer with any data protection impact assessments which are referred to in Article 35 of GDPR and with any prior consultations to any Supervisory Authority of Customer which are referred to in Article 36 of GDPR, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to HQ Mobile.

Data Protection Impact Assessment and Prior Consultation

  1. To the extent required under applicable Data Protection Laws, HQ Mobile shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to HQ Mobile.

Duration and Termination

  1. Deletion of data. Subject to 9.2 and 9.3 below, HQ Mobile shall, within 90 (ninety) days of the date of termination of the Agreement:
    • return a complete copy of all Customer Personal Data by secure file transfer in a common format by Customer to HQ Mobile; and
    • delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by HQ Mobile or any Subprocessors.
  2. Subject to section 9.3 below, Customer may in its absolute discretion notify HQ Mobile in writing within 30 (thirty) days of the date of termination of the Agreement to require HQ Mobile to delete and procure the deletion of all copies of Customer Personal Data Processed by HQ Mobile. HQ Mobile shall, within 90 (ninety) days of the date of termination of the Agreement:
    • comply with any such written request; and
    • use all reasonable endeavours to procure that its Subprocessors delete all Customer Personal Data Processed by such Subprocessors,
    and, where this section 9.2 applies, HQ Mobile shall not be required to provide a copy of the Customer Personal Data to Customer.
  3. HQ Mobile and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that HQ Mobile shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

Annex 1 - Details of the Processing of Customer Personal Data

This includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter of the Processing of Customer Personal Data is the use of and access to the Service by Customer in accordance with the Agreement.

The duration of the Processing of Customer Personal Data is the Term, subject to paragraphs 9.2 and 9.3 of this DPA.

The nature and purpose of the Processing of Customer Personal Data

HQ Mobile Processes the Customer Personal Data provided by Customer to HQ Mobile for the purposes of providing the Service to Customer.

The types of Customer Personal Data to be processed

  • Business information such as company name, company address, company number, and VAT information (registration number, for example).
  • Contact information and basic personal details such as first name, last name and address as well as primary and secondary e-mail address.
  • Payment information such as bank name, account number, sort code, PayPal ID, IBAN and SWIFT details as well as bank balance and bank account transactions.
  • Invoice data such as a description of the items, amounts, recipient contact details including first name, last name, company name, company number and company address.
  • Expense data such as receipt image, amount, VAT, description, category, date, spent status.
  • Information about location.
  • Information provided by social networks when you connect with the Service.
  • Information about access and use of the Service.

The categories of data subject to whom the Customer Personal Data relates

  • Customers of the Customer.

The obligations and rights of the Customer

  • The obligations and rights of Customer are as set out in this DPA and the Agreement.

Annex 2 - Technical and Organisational Security Measures

Technical and organizational measures to control access to premises and facilities, particularly to check authorization:

1. Access Control

  • Access control system – ID reader, magnetic card, chip card (shared office)
  • Door locking (electric door openers etc.) (shared office)
  • Security staff (shared office)
  • Surveillance facilities – alarm system, video/CCTV monitor (shared office)
  • Access controlled by keys (home office)

2. Access control to systems

Unauthorized access to IT systems must be prevented.

Technical (ID/password security) and organizational (user master data) measures for user identification and authentication:

  • Password procedures
  • Automatic blocking (e.g., password or timeout)
  • Encryption of hard drives

3. Access control to data

Activities in IT systems not covered by the allocated access rights must be prevented.

Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of access:

Differentiated access rights per team member

  • Reports
  • Access
  • Change
  • Deletion

The record of access is retained for at least 2 years and is reviewed every 6 months by the security officer(s).

4. Availability control

The data must be protected against accidental destruction or loss.

Measures to assure data security (physical/logical):

  • Backup procedures allowing for (at least) weekly backups and verification of such procedures at least every six months
  • Disk encryption
  • Remote storage
  • Anti-virus/firewall systems
  • Disaster recovery plan

5. Media management

Devices and documents containing personal data (e.g., storage media such as drives used for backup purposes) allow identification of the type of information they contain, are inventoried and are accessible only to properly authorized persons.

If this is not possible due to the characteristics of the device, these circumstances will be duly documented by the data importer in the security documents.

The data importer has implemented an entry and exit record to monitor the type of media, date and time, identity of the sender and the recipient, number of media, type of information contained in such media, method of delivery, and name of the recipient.

6. Audits

Devices and documents containing personal data (e.g., storage media such as drives used for backup purposes) allow identification of the type of information they contain, are inventoried and are accessible only to properly authorized persons.

If this is not possible due to the characteristics of the device, these circumstances will be duly documented by the security officer in the security document.

7. Security Policy

  • All data will be kept secure from internal and external threats, including accidental loss, unauthorised internal access and external hacking attempts.
  • Customer Data will be encrypted both ‘at rest’ and ‘in transit’.
  • All major new releases of the Albert platform will be security tested.
  • Vulnerability management procedures will be employed to ensure all platforms have the latest updates and patches where appropriate.
  • A security incident and data breach process will be in place at all times.