Bid Solutions

Data Processing Addendum

BACKGROUND

This Data Processing Addendum (DPA) sets
out the additional terms, requirements and conditions on which Bid Solutions will
process personal data on behalf of the Customer when providing Vendor Match
& Compare and Job Advertising services. In the event of any conflict
between the terms of this DPA and any Agreement governing the provision of these
services, the terms of the relevant Agreement shall prevail.

AGREED TERMS

1 DEFINITIONS

1.1 In this Data
Processing Addendum defined terms shall have the same meaning, and the same rules of interpretation
shall apply, as in the Agreement. In addition, in this DPA the following definitions have the
meanings given below:

1.2 The terms controller, processor, data subject, personal data, personal data
breach and processing shall have the meaning given to them in the UK
GDPR.

2 DATA PROTECTION

2.1 Both parties will
comply with all applicable requirements of Applicable Data Protection Laws.
This clause 2 is in addition to, and does not relieve, remove or replace, a
party’s obligations or rights under Applicable Data Protection Laws.

2.2 The parties have
determined that, for the purposes of Applicable Data Protection Laws Bid Solutions shall
process the Customer Personal Data as a processor on behalf of the Customer;

2.3 Should the determination
in clause 2.2 change, then each party shall work together in good faith to make
any changes which are necessary to this clause 2, the Privacy Policy or Annex A.

2.4 Without prejudice to
the generality of clause 2.2, the Customer will ensure that it has all
necessary appropriate consents and notices in place to enable lawful transfer
of Customer Personal Data to Bid Solutions and lawful collection of the same by
Bid Solutions for the duration and purposes of this Agreement.

2.5 In relation to the
Customer Personal Data processed by Bid Solutions as processor on behalf of
Customer, Annex A sets out the scope, nature and purpose of processing by Bid
Solutions, the duration of the processing and the types of personal data and
categories of data subject.

2.6 Without prejudice to
the generality of clause 2.2 Bid Solutions shall, in relation to Customer
Personal Data which it processes as processor on behalf of Customer:

2.6.1 process that Customer
Personal Data only on the documented instructions of the Customer, unless Bid
Solutions is required by Applicable Laws to otherwise process that Customer
Personal Data. Where Bid Solutions is relying on Applicable Laws as the basis
for processing Customer Processor Data, Bid Solutions shall notify the Customer
of this before performing the processing required by the Applicable Laws unless
those Applicable Laws prohibit the Provider from so notifying the Customer on
important grounds of public interest. Bid Solutions shall inform the Customer
if, in the opinion of Bid Solutions, the instructions of the Customer infringe
Applicable Data Protection Legislation;

2.6.2 implement appropriate
technical and organisational measures, including in accordance with Cyber Essentials
certification, to protect against unauthorised or unlawful processing of
Customer Personal Data and against accidental loss or destruction of, or damage
to, Customer Personal Data, which the Customer has reviewed and confirms are
appropriate to the harm that might result from the unauthorised or unlawful
processing or accidental loss, destruction or damage and the nature of the data
to be protected, having regard to the state of technological development and
the cost of implementing any measures;

2.6.3 ensure that any
personnel engaged and authorised by Bid Solutions to process Customer Personal
Data have committed themselves to confidentiality or are under an appropriate
statutory or common law obligation of confidentiality;

2.6.4 assist the Customer
insofar as this is possible (taking into account the nature of the processing
and the information available to Bid Solutions), and at the Customer’s cost and
written request, in responding to any request from a data subject and in
ensuring the Customer’s compliance with its obligations under Applicable Data
Protection Laws with respect to security, breach notifications, impact
assessments and consultations with supervisory authorities or regulators;

2.6.5 notify the Customer
without undue delay on becoming aware of a personal data breach involving the
Customer Personal Data;

2.6.6 at the written
direction of the Customer, delete or return Customer Personal Data and copies
thereof to the Customer on termination of the agreement unless Bid Solutions is
required by Applicable Law to continue to process that Customer Personal Data.
For the purposes of this clause 2.6.6 Customer Personal Data shall be considered deleted
where it is put beyond further use by Bid Solutions; and

2.6.7 maintain records to
demonstrate its compliance with this clause 2 and allow for reasonable audits
by the Customer or the Customer’s designated auditor, for this purpose, on
reasonable written notice, no more than once per year.

2.7 The Customer hereby
provides its prior authorisation for Bid Solutions to:

2.7.1 appoint WordPress and
Mailchimp as processors to process the Customer Personal Data, provided that Bid
Solutions:

(a) shall ensure that the
terms on which it appoints such processors comply with Applicable Data
Protection Laws, and are consistent with the obligations imposed on Bid
Solutions in this clause 2;

(b) shall remain
responsible for the failure of any such processor to meet its data protection
obligations; and

(c) shall notify the Customer
of any intended changes concerning the addition or replacement of Sub-
processors, thereby giving the Customer the opportunity, acting reasonably, to
object to such changes within 30 days of the update. If the customer does not
object in this period the new sub-processor(s) will be deemed accepted. If Bid
Solutions receives a reasonable objection to the appointment of a sub-processor
within the specified time limit, Bid Solutions may in its sole discretion and
without any liability to the customer:

(i) cease using the new
sub-processor to process customer data, which may limit the functionality of
the services available to the customer; or

(ii) take any other action
reasonably required to address the objection which will permit Bid Solutions to
continue to use the sub-processor.

2.7.2 transfer Customer
Personal Data outside of the UK as required for the Purpose, provided that Bid
Solutions shall ensure that all such transfers are effected in accordance with
Applicable Data Protection Laws, including if applicable under standard data
protection clauses adopted by the EU Commission from time to time (where the EU
GDPR applies to the transfer) or adopted by the UK Information Commissioner
from time to time (where the UK GDPR applies to the transfer).

Annex A – Particulars
of the processing