Data Processing Addendum
Definitions and Interpretation
Definitions and Interpretation
The following definitions and rules of interpretation apply in this Data Processing Addendum.
Defined Terms
- Adequate Territory: A third country or international organisation which is subject to adequacy regulations under the Data Protection Legislation.
- Appropriate Safeguards: A valid cross-border transfer mechanism under the Data Protection Legislation.
- Commissioner: The Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: As defined in the Data Protection Legislation.
- Customer Personal Data: Personal Data that Customer provides to Rightbrain which Rightbrain Processes on behalf of Customer.
- Data Protection Legislation: All applicable data protection and privacy legislation in force in the UK, including UK GDPR, DPA 2018, PECR 2003, etc.
- Subprocessor: An organisation engaged by Rightbrain to Process Customer Personal Data.
- UK GDPR: As defined in section 3(10) and section 205(4) of the DPA 2018.
This Addendum is incorporated into the Agreement. Capitalised terms not defined here will follow the Agreement definitions.
In case of conflict, precedence will be:
- The body of this Addendum over the Annexes.
- Annexes over accompanying documents like invoices.
- This Addendum over the main Agreement.
Customer Responsibilities
- ANNEX A outlines the subject matter, duration, purpose, and types of Personal Data processed.
- Customer will not:
- Provide Customer Personal Data except through agreed mechanisms.
- Provide Customer Personal Data beyond what’s stated in ANNEX A.
- Customer represents that:
- They are the Controller and Rightbrain is the Processor.
- They will comply with all obligations under the Data Protection Legislation, including notices, consents, and instructions.
- Customer is responsible for its configurations and use of the Services.
Rightbrain’s Obligations
Rightbrain agrees to:
- Process Customer Personal Data only as instructed and solely to provide the Services.
- Inform Customer if an instruction appears unlawful.
- Ensure confidentiality agreements with authorized staff.
- Apply appropriate technical and organisational safeguards.
- Assist Customer (at their cost) with compliance obligations, including data subject rights and impact assessments.
- Cooperate with regulator audits or assessments if legally required.
- Notify Customer without undue delay in case of a Personal Data Breach.
Subprocessors
- Customer gives general authorization for Rightbrain to use Subprocessors listed in Annex B.
- Rightbrain will provide at least 2 weeks’ notice of any changes. If Customer objects:
- Rightbrain may cancel or revise plans.
- Rightbrain may discontinue the affected service feature.
- Subprocessor contracts will meet Data Protection Legislation requirements.
- Cross-border transfers will only occur with appropriate safeguards or to Adequate Territories.
Term and Termination
- This Addendum remains in effect while the Agreement is in effect or while Rightbrain retains Customer Personal Data.
- Clauses that need to survive termination will do so.
- If legal changes make Processing unlawful, the parties may suspend or terminate the Agreement.
- Within 30 days of termination, Rightbrain will delete or (at Customer’s cost) return all Customer Personal Data.
Annex A – Particulars of Processing
| Item | Details |
|---|---|
| Subject matter | Rightbrain’s provision of the Services to Customer |
| Duration | As set out in Clause 5.1 of this Addendum. |
| Nature | Processing Customer Personal Data to provide and support the Services. |
| Purpose | As set out in the Order Form. |
| Personal Data types | Data related to Customer’s End Users and other individuals provided via the Services. |
| Data Subject categories | Customer’s End Users and any other individuals who are subjects of Customer Personal Data. |
Annex B – Subprocessors
| Subprocessor | Registered Address | Purpose | Hosting Location | Notes |
|---|---|---|---|---|
| OpenAI, L.L.C. | 3180 18th St, San Francisco, CA 94110, USA | LLM Processing | USA | Subprocessors |
| Google Cloud EMEA Ltd | 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Hosting | EU West 4 (Netherlands) | Subprocessors |
| Apify Technologies s.r.o. | Vodičkova 704/36, 110 00 Prague 1, Czech Republic | Content Scraping | US East 1 | Used when scraping is requested by Customer |
Let me know if you’d like me to deliver this as a .md file, push it to GitHub, or enable linking to each clause.