This data processing agreement (the “DPA”) regulates the processing of Personal Data by Pipe Media on behalf of the Customer in the course of the provision of the AideCRM system.

This DPA forms part of the AideCRM Agreement (the “Agreement”). In addition to this DPA, the Agreement incorporates the following documents:

  1. Definitions
    1. In addition to the words and phrases defined elsewhere in the Agreement, in this DPA:
      “Customer Personal Data” means any Personal Data that is processed by Pipe Media on behalf of the Customer in relation to the Agreement;
      “Data Protection Laws” means all applicable laws relating to the processing of Personal Data including, for the period during which they are in force and applicable to the processing of the Customer Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK’s Data Protection Act 2018; and
      “Personal Data” means personal data within the meaning of all or any of the Data Protection Laws.
  2. Personal Data
    1. The Customer warrants to Pipe Media that it has the legal right to disclose all Personal Data that it does in fact disclose to Pipe Media under or in connection with the Agreement.
    2. The Customer shall only supply to Pipe Media, and Pipe Media shall only process, in each case under or in relation to the Agreement, the Personal Data of the types, and of data subjects falling within the categories, specified in Schedule 1 (Data processing information).
  3. Processing activities
    1. Pipe Media shall only process the Customer Personal Data for the purposes specified in Schedule 1 (Data processing information).
    2. Pipe Media shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to any place outside the United Kingdom and the European Economic Area), as set out in the Agreement or any other document agreed by the parties in writing.
    3. Notwithstanding any other provision of the Agreement, Pipe Media may process the Customer Personal Data if and to the extent that Pipe Media is required to do so by applicable law. In such a case, Pipe Media shall inform the Customer of the legal requirement before processing, unless that law prohibits such information.
  4. Confidentiality and security
    1. Pipe Media shall ensure that persons authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    2. Pipe Media and the Customer shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data, including those measures specified in Schedule 1 (Data processing information).
  5. Third party processors
    1. Pipe Media must not engage any third party to process the Customer Personal Data without the specific or general written authorisation of the Customer.
    2. Pipe Media is hereby generally authorised by the Customer to engage third party processors falling within the services provider categories specified in Schedule 1 (Data processing information) to process the Customer Personal Data.
    3. Pipe Media shall inform the Customer at least 7 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then the Customer may terminate the Agreement immediately by giving written notice of termination to Pipe Media before the expiry of the 7 day notice period.
    4. Pipe Media shall ensure that each third party processor is subject to equivalent legal obligations to those imposed on Pipe Media by this DPA.
  6. Assistance and audit
    1. Pipe Media shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer’s obligation to respond to requests exercising a data subject’s rights under the Data Protection Laws.
    2. Pipe Media shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws.
    3. Pipe Media shall make available to the Customer all information necessary to demonstrate the compliance of Pipe Media with its obligations under the Data Protection Laws.
    4. Pipe Media shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of Pipe Media’s processing of Customer Personal Data with this DPA. Pipe Media may charge the Customer at its standard time and materials rates for any work performed under this paragraph 6.4 at the request of the Customer.
  7. Termination of Agreement
    1. Pipe Media shall only process the Customer Personal Data during the Term and for not more than 30 days following the end of the Term.
    2. Pipe Media shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.

 SCHEDULE 1 (DATA PROCESSING INFORMATION)

1. Categories of data subject

A data subject is an individual about whom personal data is held. Processing under this DPA is limited to the following categories of data subject:

  • staff;
  • customers, including contacts;
  • members or supporters.

2. Types of Personal Data

  • name;
  • address;
  • contact information, e.g. email address, telephone number.

3. Purposes of processing

  • to provide your services;
  • to contact individuals;
  • to monitor individuals accessing your service.

4. Security measures for Personal Data

  • Application and User Security:
    • User Authentication: Account data on Subscription Services is stored in a separate database for each Customer. Each account has its own usernames and passwords that must be provided each time a user logs on. Subscription Services use a session cookie to record the authenticated session information. The session does not store sensitive data, such as personal data or passwords. Two-factor authentication can also be enabled for each Account.
    • Encryption: Certain sensitive data is stored in encrypted form. Account passwords are never stored in plaintext or in a reversible form: they are hashed using the bcrypt function.
    • Data Exports: Subscription Services enable you to export your data in CSV format for offline use. It is your responsibility to secure any downloaded data.
    • Privacy: Subscription Services have a comprehensive privacy policy that outlines how we handle the data we store.
    • Logging: Every login to Subscription Services is recorded with a timestamp and IP address. Suspicious access is monitored, and we recommend Subscription Services are limited to specific IP addresses or an IP range.
  • Physical Security
    • Hosting: Subscription Services are hosted by our long-standing and trusted UK-based hosting partner. The following information is based on the network information provided by that partner.
    • Data Centre: Our hosting partner’s data centres are ISO 27001 certified, PCI-compliant and secured to UK government IL4 standards, providing both physical and virtual protection for your solution. Network security is provided by a firewall and a Web Application Firewall (WAF).
    • Location: All data is stored on servers located in the United Kingdom.
  • Network Security
    • Testing: Any development changes are verified in an isolated test environment and subject to security and functionality testing prior to deployment to active accounts.
    • Access Control: System administrators access Subscription Services via a secure VPN and multi-factor authentication. All data is transferred via an encrypted channel (SSH). We also enforce regular password changes.
  • Storage Security
    • Back-ups: Customer Data is backed up hourly to a separate location and stored on a 30-day rolling schedule.
  • Organisation Security
    • Access Levels: Only company directors have the authority to provide access to Customer Data.
    • Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know or least-privilege-necessary basis.
    • Audit: We regularly audit access to Subscription Services backend systems.
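As an added illustration (not part of this DPA and not AideCRM code), the following Python sketch shows how login records of the kind described under Logging above (timestamp, user, source IP) can be checked against a customer-supplied list of permitted IP ranges, which is the restriction the schedule recommends. The log format, usernames and address ranges are constructed for the example; the allowlist, log lines and function names are assumptions.

```python
"""Check login audit records against a customer's permitted IP ranges.

Added example, not AideCRM code. The record format is assumed; the
schedule only states that each login is recorded with a timestamp and
an IP address.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2024-12-12T09:01:12Z alice 203.0.113.10 success
2024-12-12T09:03:44Z bob 203.0.113.25 success
2024-12-12T11:17:05Z alice 198.51.100.7 success
2024-12-12T11:19:30Z alice 198.51.100.7 failure
2024-12-12T23:45:01Z carol 2001:db8::1 success
"""

# Hypothetical customer allowlist (office ranges), IPv4 and IPv6.
ALLOWED = ["203.0.113.0/24", "2001:db8::/32"]


def parse_log(text):
    """Parse whitespace-separated records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "outcome": outcome,
        })
    return events


def build_allowlist(cidrs):
    """strict=True rejects ranges with host bits set (e.g. 203.0.113.5/24)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(ip, networks):
    """Membership test; a v4 address is never inside a v6 network or vice versa."""
    return any(ip in net for net in networks)


def flag_logins(events, networks):
    """Return every login (successful or not) from outside the permitted ranges."""
    return [e for e in events if not is_allowed(e["ip"], networks)]


def ips_per_user(events):
    """Distinct source IPs per user for successful logins, for review."""
    seen = defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            seen[e["user"]].add(str(e["ip"]))
    return {u: sorted(s) for u, s in seen.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    nets = build_allowlist(ALLOWED)
    for e in flag_logins(evts, nets):
        print(f"outside allowlist: {e['time'].isoformat()} {e['user']} {e['ip']} {e['outcome']}")
    print(ips_per_user(evts))
```

Run as a script it reports alice's two attempts from 198.51.100.7, which is outside both permitted ranges; the per-user summary is the kind of view a customer would review when deciding whether to tighten the allowlist.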

5. Appointed sub-processors: general consents

The Customer consents to the appointment of sub-processors of Customer Personal Data with respect to the following services, and to transfers of that Customer Personal Data between the UK and the EEA and to the following jurisdictions outside the UK and EEA:

  • Hosting services (RethinkIT Limited trading as We Are HA);
  • Security hosting services (Cloudflare, Inc; data may be transferred to USA);
  • Email services (Wildbit LLC trading as Postmark; data may be transferred to USA);
  • Back-up services (Amazon Web Services, Inc);
  • Support infrastructure services (Help Scout Inc; data may be transferred to USA).


Version 2.0 – 12/12/2024