Supplier Data Protection Agreement

Last updated: 23rd September 2025 | Revision 1

  1. For the purposes of this Data Processing Agreement ("DPA"):
    1. "Data Privacy Laws" means all applicable laws that relate to data protection, privacy, the use of information relating to individuals, and/or the information rights of individuals, including, without limitation, the GDPR (Regulation (EU) 2016/679), the Data Protection Act 2018, the UK GDPR (as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018), the Privacy and Electronic Communications (EC Directive) Regulations 2003, the California Consumer Privacy Act 2018 (as amended by the California Privacy Rights Act), the Privacy Act 1988 (Cth) including the Australian Privacy Principles, and all and any regulations made under those acts or regulations, all as amended or replaced from time to time;
    2. "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" (and "process" and "processed" shall be construed accordingly and, unless contrary to such meaning, will include the collection, storage, use, transfer, disclosure and any other handling or processing of personal data), "Processor" and "Supervisory Authority" have the respective meanings given under the UK GDPR or the meanings given by corresponding terms in other applicable Data Privacy Laws from time to time;
    3. "Company Personal Data" means any Personal Data processed by You on behalf of the Company under or pursuant to the Agreement as more particularly described in Schedule 1 to this DPA. For the avoidance of doubt, the Company shall not provide to You any data subject to Health Insurance Portability and Accountability Act (HIPAA), International Traffic in Arms Regulations (ITAR) or children's data unless this has been agreed in writing and a separate data processing agreement or Business Associate Agreement ("BAA") has been executed by the Parties;
    4. "Goods" means any physical products, materials, equipment, or tangible items supplied by You to the Company under the Agreement; 
    5. "Services" means any professional services, support services, maintenance, consulting, training, or other intangible services provided by You to the Company under the Agreement; 
    6. "Software" means any computer programs, applications, platforms, systems, or digital solutions provided, licensed, or made available by You to the Company under the Agreement, whether delivered as software-as-a-service (SaaS), on-premise installation, cloud-based solution, or any other delivery method; and
    7. "Restricted Transfer" means a transfer of Company Personal Data which is undergoing Processing, or which is intended to be Processed after transfer, to a country or territory to which such transfer is prohibited or is subject to a requirement to take additional steps to adequately protect the Company Personal Data for the transfer to be lawful under the Data Privacy Laws.
  2. Where the provision of Goods, Services, or Software involves hosting, cloud infrastructure, or data storage, the servers required to provide such capabilities to the Company are managed by You, and the applicable geographical region of the same will be detailed on the Order Form.
  3. Both Parties shall comply with their respective obligations under the applicable Data Privacy Laws in relation to the Processing of Company Personal Data while carrying out their respective obligations under the Agreement.
  4. The Company is the Controller and you acknowledge and accept that you are the Processor. You shall only Process Company Personal Data on documented instructions from the Company, unless there is a requirement to Process Company Personal Data to comply with domestic law to which either Party is subject, in which case the disclosing Party will notify the other Party of such legal requirement prior to such Processing unless such law prohibits such notice on public interest grounds. The Company hereby instructs you to Process the Company Personal Data:
    1. for the purpose of performing your obligations under the Agreement, including the provision of Goods, Services, and/or Software;
    2. for such other purposes as may be instructed by or agreed with the Company, or as otherwise notified by the Company in writing from time to time; and
    3. in accordance with the Data Privacy Laws.
  5. You shall:
    1. without prejudice to clause 1.4, inform the Company without undue delay if, in your reasonable opinion, any instruction received from the Company infringes any Data Privacy Laws; 
    2. not appoint any sub-processor without the prior written consent of the Company, such consent not to be unreasonably withheld or delayed; consent is expressly given in respect of those sub-processors listed in the Order Form and in your privacy policy. You will inform the Company of any intended changes concerning the addition or replacement of sub-processors 14 calendar days prior to such change coming into effect, thereby giving the Company the opportunity to object to such changes. If the Company objects to any sub-processor, then either you will not appoint the sub-processor or you may elect to suspend or terminate this DPA and/or any Agreement upon written notice to the Company. You shall ensure that an agreement is entered into with the relevant sub-processor which meets the requirements of the Data Privacy Laws and which imposes on the sub-processor materially the same obligations in respect of the Processing of Company Personal Data as are imposed on you under the Agreement. You shall remain fully liable to the Company for any acts or omissions of the sub-processor where Processing on your behalf under this Agreement; 
    3. without undue delay notify the Company if you become aware of any reportable Personal Data Breach;
    4. assist the Company (at your cost) in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of the Processing and the information available to you; 
    5. taking into account the state of the art and the costs of implementation, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; 
    6. ensure that reasonable security measures to protect the Company Data from misuse, interference, loss and from unauthorised access, modification and disclosure are in place;
    7. not otherwise modify, amend, remove or alter the contents of any Company Data comprising Personal Data; 
    8. ensure that persons authorised to Process the Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 
    9. without prejudice to any other rights that the Company may have under the Agreement, upon request make available to the Company information relating to your obligations under, and compliance with, the Data Privacy Laws and this DPA. The Company may request, at its cost, an on-site audit or inspection at your premises relating to your compliance with your obligations under the Data Privacy Laws and this DPA, provided that the Company gives you 30 days' prior written notice of each such audit. Before the commencement of any on-site audit, the Parties shall mutually agree on the scope, timing, and duration of the audit; 
    10. at the option of the Company, delete or return to the Company all Company Personal Data after the end of the provision of the Goods, Services, and/or Software to which the Processing relates, and delete any remaining copies. You will be entitled to retain any Company Personal Data which you have to keep to comply with any applicable law or which you are required to retain for insurance, accounting, taxation or record keeping purposes;
    11. not do or omit to do anything which causes the Company to breach any Data Privacy Laws; and 
    12. provide the Company with reasonable assistance in complying with any requests by Data Subjects exercising their rights under the Data Privacy Laws (each a "Data Subject Request") or in communicating with the Information Commissioner's Office ("ICO") or other relevant Supervisory Authority in relation to the Processing of Personal Data ("Supervisory Authority Correspondence").
  6. You may make a Restricted Transfer if you demonstrate or implement an appropriate safeguard for that Restricted Transfer in accordance with the applicable Data Privacy Laws. Such appropriate safeguards may include: 
    1. an appropriate safeguard as directed by the Company, as determined by the Company in accordance with Data Privacy Laws; 
    2. that the country or territory to which the Restricted Transfer is to be made ensures an adequate level of protection for the processing of Personal Data pursuant to adequacy regulations made in accordance with Data Privacy Laws; 
    3. an appropriate safeguard provided by you in accordance with Data Privacy Laws, in which case the Company will execute any documents (including data transfer agreements containing the standard contractual clauses for the transfer of personal data to Processors established in third countries) relating to that Restricted Transfer which the Company requires you to execute from time to time; or 
    4. where the Company and/or the Company Data are subject to the Australian Privacy Act 1988 (Cth), you require the recipient of the Restricted Transfer to comply with the Australian Privacy Principles (other than Australian Privacy Principle 1) as set out in the Privacy Act 1988 (Cth).
  7. Nothing in the Agreement shall be construed as preventing a Party from taking such steps as are necessary to comply with its own obligations under the applicable Data Privacy Laws and this Clause.
  8. You may Process Personal Data on the Company's behalf for the purposes of fulfilling your obligations under the Agreement, including the provision of Goods, Services, and/or Software.