THIS AGREEMENT comes into effect from the time the Customer agrees to the Terms of Service Agreement     

BETWEEN:

(1) You The Customer

and

(2) Desuto Ltd, a company registered in England and Wales under number 09797288, whose registered office is at Hwic, Treliske, Truro, Cornwall, England, TR1 3FF 

WHEREAS: 

(1) Under Agreement between the Data Controller and the Data Processor (“The Terms of Service Agreement”) the Data Processor provides to the Data Controller the Services described in Schedule 1.

(2) The provision of the Services by the Data Processor involves it in processing the Personal Data described in Schedule 2 on behalf of the Data Controller.

(3) Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”) requires an agreement in writing between the Data Controller and any organisation which processes Personal Data on its behalf, governing the processing of that Personal Data.

(4) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the UK GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.

(5) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.

IT IS AGREED as follows:

1. Definitions and Interpretation 
   1. In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

2. Unless the context otherwise requires, each reference in this Agreement to:
   1. “writing”, and any cognate expression, includes a reference to any communication affected by electronic or facsimile transmission or similar means;
   2. a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
   3. “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
   4. a Schedule is a schedule to this Agreement;
   5. a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule; and
   6. a “Party” or the “Parties” refer to the parties to this Agreement.
3. The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
4. Words imparting the singular number shall include the plural and vice versa.
5. References to any gender shall include any other gender.
6. References to persons shall include corporations.

2. Scope and Application of this Agreement
   1. The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
   2. [The provisions of this Agreement shall be deemed to be incorporated into the Terms of Service Agreement as if expressly set out in it. Subject to sub-Clause 2.3, definitions and interpretations set out in the Terms of Service Agreement shall apply to the interpretation of this Agreement.]
   3. In the event of any conflict or ambiguity between any of the provisions of this Agreement and [the Terms of Service Agreement] OR [any other agreement between the Parties], the provisions of this Agreement shall prevail.

3. Provision of the Services and Processing Personal Data
   1. Schedule 2 describes the type(s) of Personal Data, the category or categories of Data Subject, the nature of the processing to be carried out, the purpose(s) of the processing, and the duration of the processing.
   2. Subject to sub-Clause 4.1, the Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
      1. for the purposes of those Services and not for any other purpose;
      2. to the extent and in such a manner as is necessary for those purposes; and
      3. strictly in accordance with the express written authorisation and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
   3. The Data Controller shall retain control of the Personal Data at all times and shall remain responsible for its compliance with the Data Protection Legislation including, but not limited to, its collection, holding, and processing of the Personal Data, having in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Data Processor, and with respect to the written instructions given to the Data Processor.

4. The Data Processor’s Obligations
   1. As set out above in Clause 3, the Data Processor shall only process the Personal Data to the extent and in such a manner as is necessary for the purposes of the Services and not for any other purpose. All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the Data Protection Legislation. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by domestic law to do otherwise (as per Article 29 of the UK GDPR) (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law).
   2. The Data Processor shall not process the Personal Data in any manner which does not comply with the provisions of this Agreement or with the Data Protection Legislation. The Data Processor must inform the Data Controller [immediately] OR [promptly] if, in its opinion, any instructions given by the Data Controller do not comply with the Data Protection Legislation.
   3. The Data Processor shall promptly comply with any written request from the Data Controller requiring the Data Processor to amend, transfer, delete (or otherwise dispose of), or to otherwise process the Personal Data.
   4. The Data Processor shall promptly comply with any written request from the Data Controller requiring the Data Processor to stop, mitigate, or remedy any unauthorised processing involving the Personal Data.
   5. The Data Processor shall provide all reasonable assistance at its own cost to the Data Controller in complying with its obligations under the Data Protection Legislation including, but not limited to, the protection of Data Subjects’ rights, the security of processing, the notification of Personal Data Breaches, the conduct of data protection impact assessments, and in dealings with the Information Commissioner (including, but not limited to, consultations with the Information Commissioner where a data protection impact assessment indicates that there is a high risk which cannot be mitigated).
   6. For the purposes of sub-Clause 4.5, “all reasonable assistance” shall take account of the nature of the processing carried out by the Data Processor and the information available to the Data Processor.
   7. In the event that the Data Processor becomes aware of any changes to the Data Protection Legislation that may, in its reasonable interpretation, adversely impact its performance of the Services and the processing of the Personal Data [either under the Terms of Service Agreement or] under this Agreement, the Data Processor shall inform the Data Controller promptly.

5. Confidentiality
   1. The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose the Personal Data to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than as necessary and for the purposes of the provision of the Services to the Data Controller.
   2. Nothing in this Agreement shall prevent the Data Processor from complying with any requirement to disclose or process Personal Data where such disclosure or processing is required by domestic law, court, or regulator (including, but not limited to, the Information Commissioner). In such cases, the Data Processor shall notify the Data Controller of the disclosure or processing requirements prior to disclosure or processing (unless such notification is prohibited by domestic law) in order that the Data Controller may challenge the requirement if it wishes to do so.
   3. The Data Processor shall ensure that all employees who are to access and/or process any of the Personal Data are informed of its confidential nature and are contractually obliged to keep the Personal Data confidential.

6. Employees [and Data Protection Officer[s]]
   1. Where required, The Data Controller has appointed a data protection officer in accordance with Article 37 of the UK GDPR, whose details have been provided to the Data Processor at the time of the order. 
   2. The Data Processor has appointed a data protection officer in accordance with Article 37 of the UK GDPR, whose details are as follows: Andrew Rae, Data Protection Officer, Hwic, Treliske, Truro, Cornwall, England, TR1 3FF. email: [email protected]
   3. The Data Processor shall ensure that all employees who are to access and/or process any of the Personal Data are given suitable training on the Data Protection Legislation, the Data Processor’s obligations under it, their obligations under it, and its application to their work, with particular regard to the processing of the Personal Data under this Agreement.

7. Security of Processing

7.1 The Data Processor shall implement appropriate technical and organisational measures as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing or accidental or unlawful loss, destruction, or damage. The Data Processor shall inform the Data Controller in advance of any changes to such measures.

7.2 The measures implemented by the Data Processor shall be appropriate to the nature of the personal data, to the harm that may result from such unauthorised or unlawful processing or accidental or unlawful loss, destruction, or damage (in particular to the rights and freedoms of Data Subjects) and shall have regard for the state of technological development and the costs of implementation.

7.3 The measures implemented by the Data Processor may include, as appropriate, pseudonymisation and encryption of the Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures.

7.5 The Data Processor shall, if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.

7.5 [The Data Processor shall document all technical and organisational measures in writing and shall review them on an annual basis to ensure that they remain suitable and up to date.]

8. Data Subject Rights and Complaints

8.2 The Data Processor shall take appropriate technical and organisational measures and provide all reasonable assistance at the Data Controller’s cost to the Data Controller in complying with its obligations under the Data Protection Legislation with particular regard to the following:

1. the rights of Data Subjects under the Data Protection Legislation including, but not limited to, the right of access (data subject access requests), the right to rectification, the right to erasure, portability rights, the right to object to processing, rights relating to automated processing, and rights to restrict processing; and
2. compliance with notices served on the Data Controller by the Information Commissioner pursuant to the Data Protection Legislation.

8.3 In the event that the Data Processor receives any notice, complaint, or other communication relating to the Personal Data processing or to either Party’s compliance with the Data Protection Legislation, it shall notify the Data Controller immediately in writing.

8.4 In the event that the Data Processor receives any request from a Data Subject to exercise any of their rights under the Data Protection Legislation including, but not limited to, a data subject access request, it shall notify the Data Controller without undue delay.

8.5 The Data Processor shall cooperate fully (at the Data Controller’s cost) with the Data Controller and provide all reasonable assistance in responding to any complaint, notice, other communication, or Data Subject request, including by:

3. providing the Data Controller with full details of the complaint or request;
4. providing the necessary information and assistance in order to comply with a subject access request;
5. providing the Data Controller with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Data Controller); and
6. providing the Data Controller with any other information requested by the Data Controller.

8.6 The Data Processor shall act only on the Data Controller’s instructions and shall not disclose any Personal Data to any Data Subject or to any other party except as instructed in writing by the Data Controller, or as required by domestic law.

9. Personal Data Breaches

9.1 The Data Processor shall immediately notify the Data Controller in writing if it becomes aware of any form of Personal Data Breach including, but not limited to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data.

9.2 When the Data Processor becomes aware of a Personal Data Breach, it shall provide the following information to the Data Controller in writing without undue delay:

7. a description of the Personal Data Breach including the category or categories of Personal Data involved, the number (approximate or exact, if known) of Personal Data records involved, and the number (approximate or exact, if known) of Data Subjects involved;
8. the likely consequences of the Personal Data Breach; and
9. a description of the measures it has taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 In the event of a Personal Data Breach as described above, the Parties shall cooperate with one another to investigate it. The Data Processor shall provide all reasonable assistance to the Data Controller including, but not limited to:

10. assisting the Data Controller with its investigation of the Personal Data Breach;
11. providing and facilitating the Data Controller with access to any relevant facilities, operations, and personnel (including, if applicable, former personnel involved in the Personal Data Breach);
12. making available all records, logs, files, reports, and similar as reasonably required by the Data Controller or as otherwise required by the Data Protection Legislation; and
13. promptly taking all reasonable steps to mitigate the effects of the Personal Data Breach and to minimise any damage caused by it.

9.4 The Data Processor shall use all reasonable endeavours to restore any Personal Data lost, destroyed, damaged, corrupted, or otherwise rendered unusable in the Personal Data Breach as soon as possible after becoming aware of the Personal Data Breach.

9.5 The Data Processor shall not inform any third party of any Personal Data Breach as described above without the express written consent of the Data Controller unless it is required to do so by domestic law.

9.6 The Data Controller shall have the sole right to determine whether or not to notify affected Data Subjects, the Information Commissioner, law enforcement agencies, or other applicable regulators of the Personal Data Breach as required by law or other applicable regulations, or at the Data Controller’s discretion, including the form of such notification.

9.7 The Data Controller shall have the sole right to determine whether or not to offer any remedy to Data Subjects affected by the Personal Data Breach, including the form and amount of such remedy.

9.8 Subject to the provisions of Clause 16, the Data Processor shall bear all reasonable costs and expenses incurred by it and shall reimburse the Data Controller for all reasonable costs and expenses incurred by the Data Controller in responding to the Personal Data Breach, including the exercise of any functions or carrying out of any obligations by the Data Controller under any provision of this Clause 9, unless the Personal Data Breach resulted from the Data Controller’s express written instructions, negligence, breach of this Agreement, or other act or omission of the Data controller, in which case the Data Controller shall instead bear and shall reimburse the Data Processor with such costs and expenses incurred by it.

10. Personal Data Transfers Outside of the UK [or the EEA]

The Data Processor [(and any subcontractor appointed by it)] shall not process or transfer the Personal Data outside of the UK [or the EEA].

11. Appointment of Subcontractors

11.1 The Data Processor shall not subcontract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller [(such consent not to be unreasonably withheld)].

11.2 In the event that the Data Processor appoints a subcontractor to process any of the Personal Data (with the specific written consent of the Data Controller on a per-subcontractor basis), the Data Processor shall:

14. enter into a written agreement with each subcontractor, which shall impose upon the subcontractor the same obligations, on substantially the same terms, as are imposed upon the Data Processor by this Agreement, particularly with regard to technical and organisational security measures required to comply with the Data Protection Legislation, which shall permit both the Data Processor and the Data Controller to enforce those obligations, and which shall terminate automatically on the termination of this Agreement for any reason;
15. at the written request of the Data Controller, provide copies of such agreements or, as applicable, the relevant parts thereof;
16. ensure that all subcontractors comply fully with their obligations under the abovementioned agreement and under the Data Protection Legislation; and
17. maintain control over all Personal Data transferred to subcontractors.

11.3 In the event that a subcontractor fails to meet its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the subcontractor’s compliance with its data protection obligations.

11.4 The Data Processor shall be deemed to legally control any and all Personal Data that may be at any time controlled practically by, or be in the possession of, any subcontractor appointed by it under this Clause 11.

12. Return and/or Deletion or Disposal of Personal Data

12.1 The Data Processor shall, at the written request of the Data Controller (and at the Data Controller’s choice), securely delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:

18. [the end of the provision of the Services; or]

OR

1. [the termination of the Terms of Service Agreement, for any reason; or]
2. the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under [this Agreement] AND/OR [the Terms of Service Agreement].

2. Subject to sub-Clause[s] 12.3 [and 12.4], the Data Processor shall not retain all or any part of the Personal Data after deleting (or otherwise disposing of) or returning it under sub-Clause 12.1.
3. If the Data Processor is required to retain copies of all or any part of the Personal Data by law, regulation, government, or other regulatory body, it shall inform the Data Controller of such requirement(s) in writing, including precise details of the Personal Data that it is required to retain, the legal basis for the retention, details of the duration of the retention, and when the retained Personal Data will be deleted (or otherwise disposed of) once it is no longer required to retain it.
4. Upon the deletion (or disposal) of the Personal Data, the Data Processor shall certify the completion of the same in writing to the Data Controller within 7 days of the deletion (or disposal).
5. [All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of using the following method(s): The data controller shall have control over deletion of data that has been collected by them and entered onto the system. The data controller will have the facility to set  a deletion schedule and receive deletion reminders. 

13. Information [and Records]
    1. The Data Processor shall make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the Data Protection Legislation and this Agreement.
    2. [The Data Processor shall maintain complete, accurate, and up-to-date written Records of all processing activities carried out by the Data Processor on behalf of the Data Controller which shall include:
       1. the name and contact details of the Data Processor and the Data Controller and, where applicable, each Party’s representative and data protection officer;
       2. the categories of processing carried out by the Data Processor; and
       3. a general description of the technical and organisational security measures in place, as referred to in Clause 7.]

14. Audits
    1. The Data Processor shall, on [reasonable] prior notice, allow the Data Controller or a third-party auditor appointed by the Data Controller to audit the Data Processor’s compliance with its obligations under this Agreement and with the Data Protection Legislation.
    2. The Data Processor shall provide all necessary assistance at the Data Controller’s cost in the conduct of such audits including, but not limited to:
       1. access (including physical and remote) to, and copies of, all [Records and any other] relevant information kept by the Data Processor;
       2. access to all of its employees who are to access and/or process any of the Personal Data including, where reasonably necessary, arranging interviews between the Data Controller and such employees; and
       3. access to and the inspection of all [Records,] infrastructure, equipment, software, and other systems used to store and/or process the Personal Data.
    3. The requirement for the Data Controller to give notice under sub-Clause 14.1 shall not apply if the Data Controller has reason to believe that the Data Processor is in breach of any of its obligations under this Agreement or under the Data Protection Legislation, or if it has reason to believe that a Personal Data Breach has taken place or is taking place.
    4. The Data Processor must inform the Data Controller promptly if, in its opinion, any instructions given by the Data Controller or any third-party auditor appointed by the Data Controller do not comply with the Data Protection Legislation.

15. Warranties
    1. The Data Controller hereby warrants and represents that the Personal Data and its use with respect to [the Services] OR [the Terms of Service Agreement] and this Agreement shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
    2. The Data Processor hereby warrants and represents that:
       1. the Personal Data shall be processed by the Data Processor (and by any subcontractors appointed under Clause 11) in compliance with the Data Protection Legislation and any and all other relevant laws, regulations, enactments, orders, standards, and other similar instruments;
       2. it has no reason to believe that the Data Protection Legislation in any way prevents it from complying with its obligations [pertaining to the provision of the Services] OR [under the Terms of Service Agreement]; and
       3. it will implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing or accidental or unlawful loss, destruction, or damage, as set out in Clause 7 and described in Schedule 3.

16. Liability and Indemnity
    1. The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of, any and all actions, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands, suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor [and any subcontractor appointed by the Data Processor under Clause 11] arising directly or in connection with:
       1. any non-compliance by the Data Controller with the Data Protection Legislation;
       2. any Personal Data processing carried out by the Data Processor [or any subcontractor appointed by the Data Processor under Clause 11] in accordance with instructions given by the Data Controller to the extent that the instructions infringe the Data Protection Legislation; or
       3. any breach by the Data Controller of its obligations or warranties under this Agreement;

but not to the extent that the same is or are contributed to by any non-compliance by the Data Processor [or any subcontractor appointed by the Data Processor under Clause 11] with the Data Protection Legislation or its breach of this Agreement.

2. The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of, any and all actions, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands, suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly or in connection with:
   1. any non-compliance by the Data Processor [or any subcontractor appointed by the Data Processor under Clause 11] with the Data Protection Legislation;
   2. any Personal data processing carried out by the Data Processor [or any subcontractor appointed by the Data Processor under Clause 11] which is not in accordance with instructions given by the Data Controller to the extent that the instructions are in compliance with the Data Protection Legislation; or
   3. any breach by the Data Processor of its obligations or warranties under this Agreement;

but not to the extent that the same is or are contributed to by any non-compliance by the Data Controller with the Data Protection Legislation or its breach of this Agreement.

3. The Data Controller shall not be entitled to claim back from the Data Processor under sub-Clause 16.2 or on any other basis any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor under sub-Clause 16.1.
4. Nothing in this Agreement (and in particular, this Clause 16) shall relieve either Party of, or otherwise affect, the liability of either Party to any Data Subject, or for any other breach of that Party’s direct obligations under the Data Protection Legislation. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the Information Commissioner and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the Data Protection Legislation may render it subject to the fines, penalties, and compensation requirements set out in the Data Protection Legislation.
5. Nothing in this Clause 16 shall be deemed to be limited, excluded, or prejudiced by any other provision(s) of this Agreement.
6. [Any limit of liability set out in the Terms of Service Agreement shall not apply to any indemnity or reimbursement provisions set out in this Agreement.]

17. Term and Termination
    1. This Agreement shall come into force on the date of the client order and shall continue in force for the longer of:
       1. [The duration of the Services, as set out in Schedule 1; or]

OR

1. [The period that the Terms of Service Agreement remains in effect; or]
2. The period that the Data Processor has any of the Personal Data in its possession or control.

2. Any provision of this Agreement which, expressly or by implication, is to come into force or remain in force on or after [its termination or expiry] OR [the termination or expiry of the Terms of Service Agreement] shall remain in full force and effect.
3. In the event that changes to the Data Protection Legislation necessitate the re-negotiation of any part this Agreement, either Party may require such re-negotiation.

18. Notices
    1. All notices under or in connection with this Agreement shall be in writing.
    2. All notices given to the Data Controller under or in connection with this Agreement must be addressed to the responsible person or the data protection officer using the contact details provided on the order form.
    3. All notices given to the Data Processor under or in connection with this Agreement must be addressed to: Andrew Rae, Data Protection Officer, Hwic, Treliske, Truro, Cornwall, England, TR1 3FF Email [email protected]
    4. Notices shall be deemed to have been duly given:
       1. when delivered, if delivered by courier or other messenger (including registered mail) during normal business hours of the recipient; or
       2. when sent, if transmitted [by facsimile or] e-mail [and a successful transmission report or return receipt is generated]; or
       3. on the fifth business day following mailing, if mailed by national ordinary mail, postage prepaid.

In each case notices shall be addressed as indicated above.

19. Law and Jurisdiction
    1. This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
    2. Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

SCHEDULE 1

Services

Desuto Ltd will provide an online storage facility ‘Client Management System’ for the storage of client (data subject) data. Customers (data controllers) will use the system for the purpose of storing health and care data gathered in the process of providing health and care services, specifically psychotherapy and counselling services. 

Desuto will provide record templates but there is no requirement for customers to complete template fields. The system will store the data that is collected by the customer, its employees and /or contractors in whatever form they choose. Desuto does not determine the type or category of data that is collected. Decisions about the type and category of data and the level of detail are the responsibility of the customer, its employees and contractors. 

Desuto will store the data according to the time schedule determined by the customer. The length of storage and deletion of data will be under the control of the customer. 

Desuto Ltd will meet its Data processor obligations as required in this agreement and in law.  

SCHEDULE 2

Personal Data

SCHEDULE 3

Technical and Organisational Measures for Data Protection

1. Introduction

This document provides an overview of the technical and organisational measures which Desuto Limited (“Desuto”) have in place to ensure the protection of personal data processed by the company. 

Desuto provides a range of web applications for health and care providers that support lawful and ethical practice, compliance with care standards, guide decision making and increase efficiency. 

1. Desuto Data Centres

Desuto makes available its health services cloud-based platform to customers as a Software as a Service (SaaS) from U.K. data centres.  All personal data relating to Desuto’s customers and respondent data collected and processed is hosted on external servers in the data centres controlled by Digital Ocean (See 5.1). 

All data centres used are certified to the required international information security standards with Digital Ocean being certified as follows with copies of the certifications available here :

• ISO/IEC 27001:2013
• PCI-DSS Compliant
• SOC 1 Type II
• SOC 2 Type II

2. Desuto Offices

Desuto processes personal data relating to employees, customers, visitors and suppliers in accordance with Desuto’s Data Security and Protection measures using internally approved platforms. 

Desuto operates a service office address only as shown below and no information processing is done currently onsite.

3. Fulfilment of the General Data Protection Regulation (“GDPR”)

The document describes how Desuto fulfils its obligations for processing personal data on behalf of its customers in accordance with the requirements in the GDPR for technical and organisational measures. The relevant requirements are found in the GDPR Articles 5, 17, 19, 24, 25, 28, 29, 32, 33, 35 and 39. The technical and organisational measures described in this document are set out by Desuto, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk for the rights and freedoms of natural persons, referencing GDPR Article 32.

2. Official Laws and Regulatory Compliance

Desuto processes all personal data in the U.K. and fully complies with the laws in England and Wales such as the Data Protection Act 2018. Desuto is committed to reporting to the Information Commissioner’s Office (“ICO”) any data breach incident within 72 hours.

3. Organisation of Information Security

Desuto information security structure is set out below:

• Desuto has a comprehensive set of information security policies fully integrated and adopted as part of the company’s  Data security and protection measures with the implementation of all applicable mandatory processes, records and controls in alignment with the International Standard 27001; all approved by senior management and disseminated to everyone required.
• Desuto’s CEO has overall responsibility of the information security policy.
• All job applicants follow a screening process according to the principles of the Desuto background check policy before formally becoming staff members. 
• All staff receive an induction and are given regular information security training according to their assigned roles and responsibilities.
• All staff have signed approved confidentiality and intellectual property agreements.
• Regular awareness discussions and training on data protection are provided to all staff.
• Desuto commits to continuous monitoring to the effectiveness of its information safeguards through a structured audit programme as outlined in section 12.
• Key information security policies are reviewed at least annually.
• Desuto contracts a Third-Party expert to provide regular information security assistance and information reviews for the company on its systems and processes.
• Desuto shall establish a Security Review Board led by the CEO to monitor and assess the company’s effectiveness of its security operations and incident management.

4. Privacy Policies and Procedures

Desuto shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. 

5. Physical and Environmental Security

This section describes Desuto’s measures that are in place to prevent unauthorised individuals from physically accessing the data processing systems that are employed to process or use personal data.

5.1 Data Centres

5.1.1 Centre in London, U.K.

DigitalOcean’s databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer’s software application and DigitalOcean using TLS v1.2.

DigitalOcean uses a variety of tools and mechanisms to achieve high availability and resiliency. DigitalOcean’s infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another. DigitalOcean’s infrastructure is able to detect and route around issues experienced by hosts or even whole data centres in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. DigitalOcean also leverages specialised tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data centre. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data centre, these tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. DigitalOcean is also immediately notified in the event of any suboptimal server performance or overloaded capacity.

DigitalOcean data centres are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorised access as well as environmental threats. All data centres are surrounded by a fence with access restricted through badge controlled gates. 

CCTV is used to monitor physical access to data centres and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.

Entry to each facility is rigorously controlled to monitor and manage visitor access, both into and within each data centre. Extensive CCTV video camera surveillance is in place, inside and out, across each facility, along with security breach alarms and controlled physical barriers. All data centres also include 

Data centres used are certified to the required international information security standards with Digital Ocean being certified as follows with copies of the certifications available here :

• ISO/IEC 27001:2013
• PCI-DSS Compliant
• SOC 1 Type II
• SOC 2 Type II

6. Data Access Control

Any staff with access to private data can only access the data that is necessary for the purpose of the activities under their responsibility. Access authorisation is provided based on the ‘need to know’ and ‘need to access’ and is either role based, or name based.  Access logs are in place and the responsibility for access control is overseen by senior management.

The following measures are in place:

• Set procedures are in place for staff to comply with the applicable Desuto security and data protection policies.
• Defined work instructions on handling private data.
• Procedures for checking compliance with procedures and work instructions are in place.
• User (password) codes protect access to private data. 
• Access Logging and control.
• Controlled destruction of data media.
• All data access to the data centres are strictly controlled to ensure only the CTO  can access the administration systems remotely.

7. Security and Confidentiality of Personal Data

The process and use of personal data is limited to serve the customers’ needs only and Desuto does not transfer data to third, non-involved parties. 

Based on risk assessments aligned to the Data security and protection measures (and if required an additional DPIA), Desuto will ensure a level of security appropriate to the risk, which could include the following measures:

• The encryption of personal data.
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
• Ensure a logical data separation between the company, customers and suppliers.
• Setup a process to keep processed data accurate, reliable and up-to-date.
• Process registers according GDPR requirements.
• Access relevant log systems’ use for the purposes of being able to detect unauthorised access attempts. Unless a different agreement is specified in the contract between Desuto and the customer, the data server logs are kept for a minimum of 12 months.
• Customer data (including back-ups and archives) will only be stored in the nominated data centres noted in section 1.1 for as long as it serves the purposes for which the data was collected unless there is a legal or contractual obligation to retain the data for a longer period of time. On termination of the company’s services, the data is removed by the customer and all backup data expires after 30 days.

8. Availability of Personal Data

Article 32 of the GDPR defines availability control as a requirement to ensure security of processing. This section describes Desuto’s measures to ensure that personal data is available, whilst preventing that it is not accidentally destroyed or lost, hereunder routines for backup and recovery to ensure appropriate resilience is in place.

8.1 Data Centres

8.1.1 Centre in London U.K.

• Data is backed up every day to a Digital Ocean space. 
• Backups are deleted after 7 days. 
• Senior approved Desuto staff verify data backup log files regularly. 

9. Data Transmission

Desuto shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer.  For any access to the nominated data centres stated in section 1.1, the measures will include:

• Implementation of industry-standard encryption practices in its transmission of personal data. All databases containing client data are encrypted at rest, using at least AES256, as well as specific sensitive fields being encrypted at a column level. For data in transit, all connections are encrypted under TLS > 1.2 protocol in order to provide communications security and privacy.
• For Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on network that contains such information, a Web Application Firewall (“WAF”) is used to provide an additional layer of input checking and attack mitigation.

10.  End-User Device Protection

All staff, whether they are based in an office or working remotely, are covered by strict guidelines and policies; including the Access Policy, Password Policy, Acceptable use Policy and Confidentiality policy. All users working with laptops on Desuto’s secure network incorporate the following security measures:

• Encryption of the hard disk on company assigned laptops.
• Central administrator account with up-to-date anti-virus protection.
• Management and monitoring of the software to control only authorised software installations.
• Vendor supplied updates are systematically installed.
• A strong overwriting process before any used machine is reassigned.
• Login ID and password controls are implemented to access information.
• Periodic access review is implemented.
• E-mails are automatically scanned by approved anti-virus and virus outbreak protection.

11.  Incident Management

Desuto maintains a Data Breach and Notification Policy and related plan and procedures which address the measures that the company will take in the event of loss of control, theft, unauthorised disclosure, unauthorised access, or unauthorised acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations. 

Desuto ensures that:

• There is an up-to-date Breach response plan that includes responsibilities, how information security events are assessed and classified as incidents and response plans and procedures.
• Tests are regularly undertaken around the company’s incident response plan with “table-top” exercises and continual improvement processes to improve the plan.
• In the event of a security breach, Desuto, as a data controller, will notify data subjects without undue delay after becoming aware of the security breach following the procedures stated in the GDPR Articles 4, 33 and 34. These dictate that within a maximum period of 72 hours, Desuto will report to the ICO and all persons and parties affected on the nature, scope and consequences of the breach.
• As the data processor, the responsibility for reporting breaches to the ICO rests with the customer (Data Controller) as described in the Desuto Data Processing Agreement. .  

12.  Audit

This section describes Desuto’s measures ensuring that its policies, including the policies described in this document, are adhered to through the organisation, and the process for regularly testing, assessing and evaluating the effectiveness of these technical and organisational measures.

12.1 Security Audits

Regular external audits of Desuto are undertaken bi-annually by an accredited information security company.

Apart from the external audit, Desuto has committed to an external security consultant to help ensure the company continually strives for improvement of its Data security and protection measures with quarterly internal security meetings to review the effectiveness of the measures outlined in this document. Also, regular self-audits are undertaken by senior management to ensure continual improvement and data protection compliance.

12.2 External Vulnerability Audits

To comply with the high requirement towards the platforms’ security, as well as align with ISO 27001 certification requirements, Desuto utilises accredited Third-Party security experts to conduct annual penetration tests of the company’s systems. These systems are independently verified and assessed for vulnerabilities with all penetration tests being aligned with recognised penetration testing methodologies such as OWASP, OSSTM or ISSAF.

This agreement document has been approved and authorised by: