This Data Processing Agreement (DPA), entered into by the Hyphen customer (Customer) identified on the applicable order form for Hyphen services (Order Form) and Hyphen, governs the processing of Personal Data that Customer uploads or otherwise provides Hyphen in connection with the services, the processing of Personal Data by Hyphen on behalf of Customer in connection with the services, and the processing of any Personal Data that Hyphen uploads or otherwise provides to Customer in connection with the services.
This DPA is incorporated into the relevant Hyphen terms of service (Terms of Service), which is itself incorporated by reference into the Order Form (the Terms of Service and Order Form relevant to the Customer together, the Contract). Collectively, the DPA, the Terms of Service and the Order Form are referred to as the Agreement. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the Order Form; (b) this DPA; (c) the Terms of Service. Except as specifically amended in this DPA, the Terms of Service and Order Form remain unchanged and in full force and effect.
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this Agreement.
1.1.1 Business Purposes: the services to be provided by Hyphen to the Customer as described in the Contract and any other purpose specifically identified in Annex A.
1.1.2 Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
1.1.3 Controller: has the meaning given to it in section 6, DPA 2018.
1.1.4 Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the United Kingdom and European Union to which the Customer or Hyphen is subject, including without limitation the EU GDPR, UK GDPR; the DPA 2018; and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).
1.1.5 Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
1.1.6 EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
1.1.7 Personal Data: means any information relating to an identified or identifiable living individual that is processed by Hyphen on behalf of the Customer as a result of, or in connection with, the provision of the services under the Contract; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
1.1.8 Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.
1.1.9 Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
1.1.10 Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
1.1.11 Records: has the meaning given to it in Clause 12.
1.1.12 UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This DPA is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this DPA.
1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
2. Personal data types and processing purposes
2.1 The Customer and Hyphen agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Customer is the Controller and Hyphen is the Processor;
(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Hyphen; and
(c) Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Hyphen may process the Personal Data to fulfil the Business Purposes.
3. Hyphen's obligations
3.1 Hyphen will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. Hyphen will not process the Personal Data for any other purpose or in a way that does not comply with the Agreement or the Data Protection Legislation. Hyphen must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2 Hyphen must comply promptly with any Customer written instructions requiring Hyphen to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 Hyphen will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or the Agreement specifically authorises the disclosure, or as required by applicable law.
3.4 Hyphen will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer's compliance obligations under the Data Protection Legislation.
3.5 Hyphen must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting Hyphen's performance of the Agreement.
4. Hyphen's employees
4.1 Hyphen will ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
(c) are aware both of Hyphen's duties and their personal duties and obligations under the Data Protection Legislation and the Agreement.
5.1 Hyphen must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex B.
5.2 Hyphen must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
6. Personal data breach
6.1 Hyphen will, as soon as reasonably practicable, notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where Hyphen becomes aware of (a), (b) and/or (c) above, it will, as soon as reasonably practicable, also provide the Customer with the following written information:
(a) a description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Hyphen will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with Hyphen's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
7. Cross-border transfers of personal data
7.1 Hyphen (and any third-party) must not transfer or otherwise process the Personal Data outside the UK, EU or EEA without obtaining the Customer's prior written consent.
7.2 The Customer shall be deemed to have consented to Hyphen transferring Personal Data to the United States of America, provided such transfer shall be on the basis of the EU Commission’s standard contract clauses for data transfer to non-EU/EEA countries.
8.1 Hyphen may authorise subcontractors (including consultants) to process the Personal Data if Hyphen enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures.
8.2 Where the subcontractor fails to fulfil its obligations under the written agreement with Hyphen which contains terms substantially the same as those set out in this DPA, Hyphen remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.
9. Complaints, data subject requests and third-party rights
9.1 Hyphen will take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
(b) information or assessment notices served on the Customer by a regulator under the Data Protection Legislation.
9.2 Hyphen will notify the Customer as soon as reasonably practicable in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
9.3 Hyphen must notify the Customer within 20 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4 Hyphen will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
10. Term and termination
10.1 This DPA will remain in full force and effect so long as:
(a) the Order Form (incorporating the Terms of Service into which this DPA is incorporated by reference) remains in effect; or
(b) Hyphen retains any of the Personal Data related to the Order Form in its possession or control (Term).
10.2 Any provision of the Agreement that expressly or by implication should come into or continue in force on or after termination of the Order Form in order to protect the Personal Data will remain in full force and effect.
10.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within  days, either party may terminate the Agreement on not less than  working days written notice to the other party.
11. Data return and destruction
11.1 At the Customer's request, Hyphen will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
11.2 Hyphen will, at the Customer’s request (in writing), securely delete, destroy, or return and not retain all or any of the Personal Data related to the Agreement in its possession or control, except for one copy that it may retain and use for up to four (4) years for the Business Purposes only.
11.3 If any law, regulation, or government or regulatory body requires Hyphen to retain any documents, materials or Personal Data that Hyphen would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
12.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).
12.2 Hyphen will ensure that the Records are sufficient to enable the Customer to verify Hyphen's compliance with its obligations under this DPA and the Data Protection Legislation, and Hyphen will provide the Customer with copies of the Records upon request.
13.1 Hyphen will, upon the Customer's written request, give the Customer access to such information as is reasonably required to demonstrate Hyphen's compliance with its obligations under this DPA. If the Customer, acting reasonably, is not satisfied that such information demonstrates Hyphen's compliance with its obligations under this DPA, the Customer may, upon at least 20 days' notice, audit Hyphen's compliance with its obligations under this DPA during the Term. Hyphen will give the Customer and its third-party representatives all necessary assistance to conduct such audits at no additional cost to the Customer. The assistance may include, but is not limited to:
(a) physical access to, remote electronic access to, and copies of the Records and any other information held at Hyphen's premises or on systems storing the Personal Data;
(b) access to and meetings with any of Hyphen's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
(c) inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
13.2 The notice requirements in Clause 13.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring, or Hyphen is in material breach of any of its obligations under this DPA or any of the Data Protection Legislation.
13.3 If a Personal Data Breach occurs or is occurring, or Hyphen becomes aware of a breach of any of its obligations under this DPA or any of the Data Protection Legislation, Hyphen will:
(a) promptly conduct its own audit to determine the cause;
(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
(c) provide the Customer with a copy of the written audit report; and
(d) remedy any deficiencies identified by the audit within 20 days.
14.1 Hyphen warrants and represents that:
(a) its employees, consultants, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
(b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Agreement’s contracted services; and
(d) considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:
(i) the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage;
(ii) the nature of the Personal Data protected; and
(iii) comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in Clause 5.1.
14.2 The Customer warrants and represents that Hyphen's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
Any notice given to a party under or in connection with this DPA must be given in accordance with the notice provisions of the Terms of Service.
A. Personal Data processing purposes and details
Subject matter of processing: The Controller’s employees.
Duration of Processing: For the period during which Hyphen provides Services to the Customer and for a period of 6 months thereafter.
Nature of Processing: Collection and storage of Personal Data.
- Registering user accounts
- Verifying user credentials for security purposes
- To evaluate and follow up usage of the Services
Personal Data Categories:
- Identity data, including first name, last name, title, date of birth [and gender]
- Contact data, including email address and telephone number
B. Security measures
Virus and other Malicious Software (malware) protection:
- We maintain a current subscription to an established virus and malware protection program covering our computers. Incoming and outgoing email is scanned for viruses and malware. Any suspect messages are quarantined. Any equipment not owned by us maintains equivalent protection prior to connection to our resources. All removable media are scanned for viruses and malware before use with our resources.
- All operating systems and software components are patched to the manufacturer’s current recommendations. Where patching is not practical then the deviation procedure is invoked.
Authentication and Access Management:
- A formal user account creation request and disablement process, which includes access provisioning and de-provisioning. All users of our resources are required to authenticate to systems before use. The standard form of authentication is via username and password.
- Authentication information may not under any circumstances be shared with others.
- Minimum standards for passwords are enforced:
(i) Passwords are a minimum of [eight characters] in length.
(ii) Complexity requirements are applied. These requirements are, at a minimum, a mix of upper and lower case, a number and a symbol.
Backup and recovery:
- We take automated backups of relevant systems. We rely on our cloud providers’ standard backup protocols.
Electronic mail (email):
- Email is inherently insecure and the sending of an email does not prove receipt. Email can be intercepted and changed between sending and receipt. Under no circumstances are emails containing personal data sent outside the company in plain text. Personnel must take care to ensure that the phrasing of electronic messages does not accidentally imply the formation of a contract between the Company and another party.
Use of personal devices:
Use of online (‘cloud’) file storage services:
- The only supported online file storage services are Google drive (gdrive) and Notion. Other online file storage services are not used.
- Systems development must adhere to industry best practices in relation to security, data protection, development methodology, documentation and change management, in order to ensure, for example but not limited to, that any exposure of personal or confidential data is avoided.
- The design of a system must address, at minimum: how interconnections between application components will be secured; how data will be protected both in-transit and at-rest; identification, authentication, and authorisation; input and output validation; how the system will securely handle operation malfunctions.