SureCert Platform Data Processing Agreement


1. About this Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between:

  • the Organisation (as data controller); and
  • CDS New Ventures t/a SureCert (“SureCert”, as data processor)

and applies to the processing of personal data by SureCert on behalf of the Organisation in connection with use of the SureCert platform at .

This DPA is incorporated by reference into the SureCert Platform Terms & Conditions.


2. Definitions

Terms not defined in this DPA have the meanings given in the Platform Terms.

“Data Protection Law” means UK GDPR and the Data Protection Act 2018.

“Personal Data”, “Controller”, “Processor”, and “Processing” have the meanings given in UK GDPR.


3. Roles of the Parties

3.1 The Organisation acts as data controller in respect of Personal Data processed through the platform.

3.2 SureCert acts as data processor, processing Personal Data on documented instructions from the Organisation for the purposes set out in this DPA.

3.3 SureCert does not determine the lawful basis for background checks or the appropriateness of processing in relation to individual data subjects.


4. Details of Processing

The subject matter, duration, nature, and purpose of the processing, the types of Personal Data processed, and the categories of data subjects are set out in Schedule 1.


5. Processor Obligations

SureCert shall:

a) process Personal Data only on documented instructions from the Organisation, unless required to do so by applicable law;
b) ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
c) implement appropriate technical and organisational measures to protect Personal Data;
d) not engage another processor except as permitted under this DPA;
e) assist the Organisation in responding to data subject rights requests in accordance with Section 8;
f) assist with compliance obligations relating to security, breach notification, and impact assessments, taking into account the nature of the processing; and
g) make available information reasonably necessary to demonstrate compliance with this DPA.


6. Sub-processing

6.1 The Organisation grants SureCert a general authorisation to appoint sub-processors.

6.2 SureCert shall ensure that sub-processors are subject to data protection obligations no less protective than those set out in this DPA.

6.3 SureCert may update or change sub-processors as required to provide the Services.


7. Security

SureCert shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • role-based access controls;
  • encryption of data in transit and at rest;
  • incident detection and response procedures.

Further details are set out in Schedule 2.


8. Data Subject Rights

8.1 The Organisation is responsible for responding to data subject rights requests.

8.2 SureCert shall assist the Organisation, where reasonably required, to fulfil its obligations in respect of such requests.

8.3 SureCert shall not respond directly to data subjects unless instructed by the Organisation.

8.4 Where assistance is excessive, repetitive, or requires disproportionate effort, SureCert may charge a reasonable fee.


9. Personal Data Breaches

SureCert shall notify the Organisation without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

Such notification shall include available information reasonably required for the Organisation to comply with its own breach notification obligations.


10. Audits and Compliance

10.1 SureCert shall make available documentation and information reasonably necessary to demonstrate compliance with this DPA.

10.2 Audits shall be limited to document-based review and shall not include on-site inspections, except where required by a competent supervisory authority.

10.3 Any audit must:

  • be subject to reasonable notice;
  • be conducted in a manner that minimises disruption; and
  • respect SureCert’s confidentiality and security obligations.

11. International Transfers

Personal Data is processed primarily in the United Kingdom.

Where Personal Data is processed outside the UK by a sub-processor, SureCert shall ensure that appropriate safeguards are in place in accordance with Data Protection Law.


12. Return or Deletion of Data

12.1 Upon termination of the Services, SureCert shall, at the Organisation’s request, delete or return Personal Data processed under this DPA.

12.2 SureCert may retain Personal Data where required by law or for legitimate purposes, including:

  • record-keeping;
  • compliance with legal obligations; or
  • responding to queries regarding historical processing activities.

Any retained data shall remain subject to appropriate security and confidentiality measures.


13. Liability

Liability under this DPA shall be subject to the limitations set out in the Platform Terms & Conditions.

Nothing in this DPA limits liability where such limitation is prohibited by law.


14. Governing Law

This DPA is governed by the laws of Northern Ireland. The courts of Northern Ireland have exclusive jurisdiction.


Schedule 1 – Details of Processing

Subject matter:
Provision of a background checking and verification platform.

Duration:
For the duration of the Organisation’s use of the platform and any applicable retention periods.

Nature and purpose:
Processing necessary to deliver identity verification, right-to-work checks, KYC, criminal record checks, adverse financial checks, sanctions screening, and related services.

Types of Personal Data:
Identity data, contact data, address history, identity documents, images, verification results, criminal record information, financial screening data, and organisational affiliation data.

Categories of data subjects:
Organisation Users and invited Clients.


Schedule 2 – Security Measures (High Level)

  • Role-based access controls
  • Encryption at rest and in transit
  • Secure cloud infrastructure located in the UK
  • Incident response and monitoring procedures

End of Data Processing Agreement