Terms of service for PocketLaw
Last updated: 26 April 2022
Information about PocketLaw
These terms of service (the "Terms") are applicable to all services provided by PocketLaw Limited (Company number 13149151) "PocketLaw", "us", "our" or "we"). You may contact us at firstname.lastname@example.org.
By "you" we mean the legal entity that is ordering Services under these Terms, any of your affiliates together with your and your affiliates’ employees and representatives.
When we refer to the "parties" we mean you and us together.
PocketLaw enables companies to manage and do legal work themselves by automating legal knowledge and simplifying consumption of legal services and know-how. With PocketLaw, companies can manage their day to day legal themselves. For the avoidance of doubt, PocketLaw is not a law firm, does not provide legal advice and is not responsible for any document created or decision taken based on the Services.
Agreeing to the terms
By creating an Account and using the Services you agree to the Terms. Please make sure that you have read and understood the Terms beforehand. If you do not agree to these Terms, do not create an Account or use the Services.
"Account" means the account that you register and create on the Site and/or in the App.
"App" means our applications accessible via computer or mobile device relating to the Services.
"Contact Information" means email@example.com.
"Functions" means the Site, the App, your Account and the Services, together.
"Services" means the services described under section titled "Services" below which we have made available through the Site and the App, together with any such other related goods, equipment, services and information made available by us to you.
"Site" means our website (https://pocketlaw.com) relating to the Services.
"Third Party Applications" means, in these Terms, online, web-based applications and offline software products or services that are a) provided by third parties, b) interoperate with us, and c) may be either separate or integrated with us and whether or not such are indicated by us as being third-party applications.
"Subscription Period" means twelve (12) months, unless otherwise agreed between the parties in writing.
Description of the services
PocketLaw enables companies to manage and do legal work themselves by automating legal knowledge and simplifying consumption of legal services and know-how (the "Services"). More information about the Services can be found on the Site and in the App.
Setting up an Account
To use the Services, you must create an Account. You confirm that all information provided to us in the creation of your Account is correct and agree to ensure that the information is accurate at all times. We are entitled to decline or adjust an order from you or shutdown your Account in the event that you provide us with untrue, inaccurate, not current, or incomplete information when creating your Account.
Once an Account has been successfully created, and payment has been made where prepayment is required, the Services will be available and ready to use or order, as detailed on the Site and in the App.
Credentials for your Account must be kept secure at all times. You may only create one (1) Account. You are not allowed to transfer the Account to another person or to share data relating to your Account with any third parties. Should you suspect that your Account or your credentials have been or are being used by a third party you must contact us immediately by using our Contact Information.
The Services shall be ordered in accordance with the instructions on the Site and the App.
Your order is an offer to buy from us. Our confirmation of your order will take place when we send you an invoice and/or send you a confirmation to your registered email account, at which point a contract will come into existence between you and us.
Delivery of Services
During the order process we will let you know when and where we will provide the Services to you. Certain Services may be provided by third parties or Third Party Applications and the provision of such Services may be subject to further terms.
We offer the Services to companies and other legal entities. You warrant that you are authorised to enter into these Terms on the behalf of the legal entity as well as to use all Functions.
These Terms, and any documents referred to herein, constitute the entire agreement between us in relation to the Services. You warrant that the persons (e.g. employees and representatives) you authorise to create Accounts and use the Services have read and understand the Terms. You are at all times responsible for the use of Services under these Terms, including by such persons - as if it was you using the Services.
Use of the Functions
When you use the Functions, you must always comply with all applicable laws, regulations and public orders. You shall not access the Site or the App other than through interfaces provided by us and as otherwise expressly authorised under these Terms. You may not use the Functions in a manner contrary to our, or any third party’s, rights and interests. You agree to comply with all instructions and recommendations provided by us from time to time.
You are responsible for all activities that occur under your Account.
You also agree not to:
- Defame, abuse, harass, threaten or otherwise violate the legal rights of any third party or us;
- Publish, post or - in any other way express - any material or information that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, indecent or unlawful;
- Contribute to destructive activities such as dissemination of viruses, spam or any other activity that might harm us, the Site and/or the App in any way;
- Monitor the Services’ availability, performance or functionality for any competitive purpose, meaning, for example that you agree not to access the Services for the purpose of developing or operating a competitive product or service or copying the Services’ features or user interface; or
- Resell or in any way redistribute results generated in the Site and/or the App or use the Services in order to create a competing service or product.
We may have to suspend the supply of any of the Functions to:
- Deal with technical problems or make minor technical changes; or
- Update the Functions to reflect changes in applicable laws or satisfy a regulatory requirement.
We will endeavour to contact you in advance in the event we need to suspend the supply of any Service but may not be able to if the problem is urgent or an emergency.
Your provision of content
The Site and/or the App include(s) functions for uploading and storing of files and other information provided or created by you ("Content"). You are responsible for all distribution and other actions by you and in your name.
By adding Content to the Site and/or the App, you warrant that you are a) the owner of the uploaded Content, or, b) entitled to manage the Content in such a way and that the Content or your use of the Content in no way violates any applicable legislation. We will not supervise whether any Content is lawfully uploaded or distributed through the Site and/or the App.
By adding Content to the Site and/or the App, you are aware that, depending on the settings of your Account, such Content might be shared with others. We are not liable for any loss of Content, and we advise you to always keep your own backup of your Content. We do not take any responsibility with regards to the validity of Content provided or created by you.
PRICES AND PAYMENT
You must pay all applicable fees for the Services periodically in advance or in arrears. The prices for the Services are set out and described on the Site. The prices for the Services include any explicitly set out relevant delivery costs, but excludes value added tax (VAT) or other fees and taxes. The price of the Services provided to you will be indicated on the order pages when you placed your order or as otherwise notified by us to you in writing. If you have been offered Services for a specific term and price, that price will apply for the agreed time after which the price may increase.
We have the right to change the prices for the Services. If we change the prices, we will notify you in advance. Unless otherwise agreed between the parties in writing, any change in the price of your subscription will take effect from the start of the Subscription Period after the price change took effect. By continuing to use or access the Services after the price changes come into effect, you agree to be bound by the new charges.
Payment for the Services can be made in one of the following ways.
We offer payments in cooperation with Stripe through:
- Invoice (when paying an aggregate annual fee upfront); or
- Card payment.
On your payment, the third party processor's/provider’s terms and conditions will apply (https://stripe.com/en-se/ssa). You may be requested to identify yourself and credit reports may be pursued by the third party processor/provider. Where we use a third party for payments, we will not have access to or store any payment information.
The Services may be paid for by credit or debit card. You must keep the payment information provided to us accurate and up-to-date.
We may invoice you for the Services in advance or in arrears, with the frequency agreed for the period contracted. You agree that we may issue electronic invoices, which will be sent to the email address you have provided in your Account. You must keep the payment information provided to us accurate and up-to-date.
We are entitled to perform a credit control when this is needed in order to be able to offer you a credit period.
You agree to pay within the set time for the payment method you choose. We have the right to close down your Account until you have paid for all the charges incurred by you. Payment after the due date can entail late payment fees and interest.
Unless otherwise expressly set out in these Terms, we do not provide refunds, right to return a purchased subscription or Service, credits for any partially used subscription or Service, credits for any unused Account or credits by reason of your dissatisfaction with the Services and/or the Functions.
TERM AND TERMINATION
The term for the Services commences upon creation of an Account with us and shall remain in force until terminated in accordance with these terms.
If you purchase a subscription from us, the Subscription Period is always twelve (12) months, unless communicated differently by us to you in writing.
At the end of each Subscription Period, your subscription will automatically renew for an additional twelve (12) months unless terminated by you by giving at least 30 days’ notice before the end of your current Subscription Period. The same applies should you upgrade or downgrade your subscription, then your subscription will be automatically renewed for twelve (12) months.
To terminate the Services, you need to notify us in writing to firstname.lastname@example.org, or by contacting us via the in-App chat service.
If you notify us of your intention to terminate the Services during a current Subscription Period, the Services will terminate at the end date of the current Subscription Period, and we will continue to provide the Services until the end of the Subscription Period. In no event will your termination relieve you of the obligation to pay any amounts payable to us for the remainder of the current Subscription Period.
If you notify us of your intention to terminate the Services and you do not currently subscribe to the Services, we will terminate our provision of the Services immediately.
Upon termination, your right to access the Services will be revoked. We will also delete or anonymise any personal information about you, with exception for any personal information that we are required to keep by law.
Any Services still ongoing upon termination shall be carried through in accordance with these Terms. Obligations arising from any breach of contract during the term of these Terms shall not be affected by termination.
Termination for cause
We reserve the right to terminate or limit the Services if you:
- Materially breach or otherwise violate these Terms or any other provisions set up by us;
- Use the Functions in any way that does not comply with the intended purposes or is otherwise harmful for us or any third person; or
- In our reasonable opinion, use the Functions in violation of any applicable law.
Upon occurrence of any of these events, we may contact you and request that you remedy your breach of these Terms before terminating or limiting the Services. In the event that we terminate the Services for cause, you will pay any unpaid fees covering the remainder of the term of your subscription.
Not legal advice
Whilst our goal is to ensure that the content on the Site and the App are up to date and current, this is not a contractual commitment and we make no representations, warranties or guarantees, whether express or implied, that the content on the Site and the App is accurate, complete or up to date .
Our content, templates and guidance on the Site and the App can be used as a source of legal information but does not substitute taking legal advice. The content (including the documents and any guidance) on the Site and the App have been created for a wide audience and may not be appropriate or applicable to your situation. We would always recommend that you take legal advice before making any decisions in relation to any content, templates and guidance on the Site and the App.
LIABILITY – YOUR ATTENTION IS PARTICULARLY DRAWN TO THIS SECTION.
Disclaimer of warranties
Except as expressly provided for in these Terms, the Services and all related components and information are provided on an "as is" and "as available" basis without any warranties of any kind, and we expressly disclaim any and all warranties, whether express or implied, including the implied warranties of merchantability, title, fitness for a particular purpose and non-infringement. You acknowledge that we do not warrant the Services will be uninterrupted, timely, secure or error-free.
Limitation of Liability
In no event shall PocketLaw Limited, its subsidiaries, affiliates or any of their respective employees, officers, directors, agents, partners be liable for: (a) loss of contracts; (b) loss of reputation and/or goodwill; (c) loss of profit, loss of revenue, loss of anticipated savings and/or loss of business; or (d) indirect, consequential or special loss, damage or liability even if such loss or damage was reasonably foreseeable, arising out of or in connection with your use of the Functions or the performance of our obligations under these Terms.
Our total liability to you for all other losses arising under or in connection with any contract between us, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be limited to the total sums paid by you for Services under the applicable order/contract. We have no liability if you use the Services under a trial period or otherwise free of charge.
We shall not be liable for any loss or damages unless notice in writing summarising the nature of the damages (in so far as it is known by you) and, as far as is reasonably practicable, the amount of damages claimed, has been provided to us within three (3) months of you becoming aware of the loss or, if earlier, within six (6) months from when the loss occurring.
- Nothing in these Terms of Service shall exclude or limit the parties' liability for: (a) death or personal injury caused by negligence; (b) for fraudulent misrepresentation; or (c) for any other matter which cannot be excluded by law.
You agree to defend, indemnify and hold harmless PocketLaw Limited, its subsidiaries and affiliates and their respective directors, officers, employees and agents from and against all claims and expenses, including legal fees, arising out of or related to:
- any Content submitted or posted by you in connection with the Services or the Site;
- fraud you commit or your intentional misconduct or gross negligence in connection with the Functions; or
- your violation of any applicable law or rights of a third party.
Defects and delays beyond our control (force majeure)
We are not responsible for delays and defects outside our control. If our suppliers are delayed by an event outside our control, then we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided that we do this we will not be liable for defects and delays caused by the event, but if there is a risk of substantial defect or delay you may contact us to end the agreement and receive a refund for any Services you have paid for but not received.
During the term of these Terms and thereafter, the parties undertake not to disclose to any third party information regarding these Terms, nor any other information that the parties have learned as a result of these Terms, whether written or oral and irrespective of form ("Confidential Information").
The parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of the obligations under these Terms and not for any other purpose. The receiving party further agrees to use, and cause its directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care (but not less than reasonable care) to avoid disclosure or use of Confidential Information.
The confidentiality undertaking above shall not apply to any Confidential Information that the Receiving Party can establish is or becomes available to the public (otherwise than by breach of this Agreement or any other confidentiality undertaking.
Each party also undertakes to ensure that any information disclosed under this section, to the extent possible, shall be treated confidentially by anyone receiving such information. This confidentiality undertaking shall remain in force three (3) years after the termination of the Terms.
During the term of the Agreement and for a period of nine (9) months thereafter, you shall refrain from attempting to solicit any individual who is employed by us and with whom you have had contact with in connection with the performance of the Services.
This shall not apply with respect to a) persons that approach you on an unsolicited basis or who respond to general advertisements for employment not specifically directed at you or any of your employees; b) persons who are referred to you in good faith by search firms, employment agencies or similar; and c) persons who have terminated their employment with us prior to their contacts or discussions with you.
CHANGES & ADDITIONS
We may modify these Terms at any time. In the event of changes which are not minor and may affect you, you will be notified via email or via the App. You are responsible for keeping yourself informed of any changes to the Terms. The latest version of the Terms will be available on the Site. Amendments to the Terms become effective the business day following the day they are posted.
All new functionalities, features and content introduced and added to the Services, the Site or the App will be subject to what is stipulated in the Terms.
COMPLAINTS AND CUSTOMER SUPPORT
If you have any complaints, please contact our support department by using any of our Contact Information.
You acknowledge that you are the data controller for any personal data processed by us on your behalf in conjunction with your use of the Services. You also acknowledge that we are considered as your data processor; therefore, by agreeing to the Terms we enter into the data processing agreement (Appendix DPA), which shall remain in effect for as long as we process personal data on your behalf.
PROPERTY AND INTELLECTUAL PROPERTY RIGHTS
The Site and the App are owned and operated by PocketLaw. All copyrights, trademarks, trade names, logos and other intellectual or industrial property rights held and used by us as well as those presented in the Functions (including titles, graphics, icons, scripts, source codes etc.) are our property or third party licensors’ property and must not be reproduced, distributed, sold, used, modified, copied, limited or used (in whole or in part) without our written consent.
PocketLaw grants you a non-exclusive right and licence to use the Site, the App and the Services for the sole purpose of us providing the Site, the App and the Services to you. Upon expiry or termination of this agreement, this right and licence shall end.
Respect for our property
You must not tamper with, attempt to gain unauthorised access to, modify, hack, repair or otherwise adjust any of our material, hardware, source-codes or other information for any purposes.
Respect for our intellectual property
The Services and other information, including all associated intellectual property rights, provided and made available by us, remain our exclusive property. You may not use our exclusive property for commercial or any other purposes without our written consent.
You agree that we may use your company name and/or logo in our marketing and publicity material as examples of current users of the Site unless you choose to opt-out by changing your settings on the Site or notifying us by email at the Contact Information.
No failure or delay by either party in exercising any right under the Terms will constitute a waiver of that right. No waiver under the Terms will be effective unless made in writing and signed by an authorised representative of the party being deemed to have granted the waiver.
The Terms, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
Each of the parties acknowledges and agrees that in entering into the Terms it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to the Terms or not) relating to the subject matter of the Terms, other than as expressly set out in the Terms.
You may not assign any of your rights or obligations under the Terms to any third party without our prior written consent.
We may assign the Terms, and we may assign, transfer or subcontract any of our rights or obligations under the Terms, to any third party without your prior consent.
GOVERNING LAW AND DISPUTES
These Terms and all non-contractual obligations arising in any way whatsoever out of or in connection with these Terms of Service are governed by and construed in accordance with English law.
The courts of England have exclusive jurisdiction to settle any claim or dispute (including non-contractual disputes or claims) arising out of or in connection with the Terms or its subject matter.
PocketLaw Limited is an entity registered in the United Kingdom (UK).
Registered address: 78 York Street, London, United Kingdom, W1H 1DP Company No.: 13149151
Appendix - DPA
This Data Processing Agreement with Schedules (the “Agreement”) has been entered into between:
Data Controller: You (“Customer”, “Controller” “You”); and
Data Processor: PocketLaw Limited (Company Number: 13149151) (“PocketLaw”, “Processor”, “us”, “our” or “we”)
Each a “Party” and together “the Parties".
1.1 The Agreement forms part of the PocketLaw Terms of Service found at https://pocketlaw.com/en-uk/terms (the “Terms”) and sets out the additional terms, requirements and conditions on which the Processor will Process Personal Data (each as defined below) when providing services under the Terms. The Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
1.2 The Agreement includes the following Schedules:
- Schedule 1 - Existing and Approved Subcontractors
- Schedule 2 - Technical and Organisational Security Measures
- Schedule 3 - Contact Details
2. DEFINITIONS AND INTERPRETATION
2.1 The following definitions and rules of interpretation apply in the Agreement:
“Applicable Law” refers to all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party.
“Commissioner” means the Information Commissioner’s Office (see Article 4(A3), UK GDPR).
“Personal Data” means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Terms (in the Agreement “Personal Data” is used synonymously with “Personal Data for which the Data Controller is responsible for and which the Data Controller processes on behalf of the Data Processor).
“Data Processor” means the company/organisation/individual that sets out the purposes for which data is processed and is thereby held responsible for ensuring that Personal Data is processed in accordance with Applicable Law. The parties agree and acknowledge that for the purpose of the Data Protection Legislation the customer is the Controller.
“Data Controller” is the company/organisation that processes personal data on behalf of the Data Processor and is therefore only permitted to process data in accordance with the Controller’s written instructions. The Parties agree and acknowledge that for the purpose of the Data Protection Legislation, PocketLaw Limited is the Processor.
"Data Subject" is the identified or identifiable living individual to whom the Personal Data relates.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
2.2 Unless otherwise defined in the Agreement, capitalised terms used in this Agreement shall have the same meaning as those given in the Terms.
2.3 Unless otherwise defined in the Agreement or in the Terms, terms used in this Agreement shall have the same meaning as those set out in Article 4 of the UK GDPR..
2.4 In the case of conflict or ambiguity between the Terms and any provision contained in the body of the Agreement or the Schedules, the provisions in the Agreement will prevail.
2.5 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this agreement includes the Schedules.
2.6 A reference to a clause, paragraph or schedule is, unless stated otherwise, a reference to a clause or paragraph of, or schedule to this Agreement.
3. PERSONAL DATA TYPES AND PROCESSING PURPOSES
3.1 Data subject types. The Controller appoints the Processor to process data which identifies the Controller’s:
- Business contacts;
- Board members; and
- All other data subject types as determined by the Controller in accessing and using the Services provided by us
3.2 Categories of personal data. The Controller may submit Personal Data to the Processor, the extent of which is determined and controlled by the Controller in compliance with Applicable Laws and which may include:
- Contact details;
- National Insurance Number;
- Employee salary details;
- Location data; and
- All other categories of personal data as determined by the Controller in accessing and using the Services provided by us.
3.3 Source. The Processor processes personal data which:
- The Controller’s employees or authorised users add to any PocketLaw Services
- The Controller collects from its Data Subjects
3.4 The purpose for processing personal data (the “Purpose”):
- To enable the Controller to easily manage, upload, and access their legal, contractual and other types of documents via our App.
3.5 Processing activities:
- Storage and other processing necessary to provide, maintain, and update the Services.
4. DATA PROCESSOR’S OBLIGATIONS
4.1 The Processor will observe and abide by the principles set out in Chapter 2 of the UK GDPR in its processing of the Controller’s Personal Data.
4.2 The Processor confirms that the Controller is not required to take any further action to ensure that the Processor fulfils its obligations in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements under Applicable Law, including for the security of Processing.
4.3 The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with the Customer's written instructions. The Processor will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation.
4.4 The Processor will, upon the request of the Controller, reasonably assist the Controller, at no additional cost, with meeting the Controller’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.
4.5 The Processor must promptly notify the Controller if, in its opinion, the Controller's instructions do not comply with Applicable Law. If the Processor deems any written instructions provided by the Controller as incomplete, deficient, or false, the Processor must promptly inform the Controller. The Processor is permitted to refrain from following the Controller's instructions if they contravene Applicable Law.
5. CONTROLLER’S OBLIGATIONS
5.1 The Controller determines the purposes and means for processing Personal Data. The Controller retains control of the Personal Data and remains responsible for its regulatory and compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor.
5.2 The Controller retains responsibility for relations with data subjects in the processing of personal data.
5.3 The Controller is responsible for ensuring that personal data is accurate and up to date.
6. DATA BREACH
6.1 In the event of a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the personal data (“Personal Data Breach”), the data controller must, without undue delay and latest within eight (8) hours from the time of discovering the Personal Data Breach, provide written notice to the Controller via the contact details set out in Schedule 3.
6.2 The information will, to the extent that it is available to the Processor, contain the following:
- A description of the circumstances surrounding the Personal Data Breach
- A description of the nature of the Personal Data Breach and, where possible, the categories and the approximate number of data subjects affected by the incident.
- A description of the potential consequences of the Personal Data Breach in question
- A description of the measures taken or proposed to remedy the Personal Data Breach, as well as when implementing such measures may be appropriate, and measures for reducing the potential negative effects of such an incident.
- Contact details of the Data Protection Officer (“DPO”) or other relevant contact person who can provide further information to the Controller
6.3 Where it is initially not possible for the Processor to provide information to the Controller, the information may be provided in instalments without further undue delay.
7. AUDIT RIGHTS
7.1 On the Controller’s written request, the Processor must provide the Controller with any information reasonably required for the Controller to confirm the Processor’s compliance with its obligations under this Agreement and Applicable Law.
7.2 If information provided by the Processor pursuant to clause 11.1 is not sufficient, in the reasonable opinion of the Controller, to demonstrate that the Processor has satisfied its obligations under Applicable Law, the Controller has the right to conduct physical audits of the Processor’s premises, including any facilities, equipment or application software used to process Personal Data. The Processor must provide reasonable assistance to allow the Controller or its third party representative to carry out any audit or inspection.
7.3 The Controller must give the Processor at least ten (10) business days written notice of any planned audits or inspections.
7.4 Any audit conducted in accordance with this clause may only be conducted:
- during normal business hours;
- after the Controller has confirmed that any appointed representative, whether working for the Controller or acting an authorised third party, carrying out the audit is subject to a confidentiality agreement that is appropriate in relation to the Personal Data and the information to be audited; and
- in accordance with the Processor’s internal policies and security-related procedures.
7.5 Each party shall bear its own costs incurred in relation to the audit.
7.6 In the event that the Controller is reasonably required to conduct more than one audit in accordance with this clause within any twelve (12) month period, the Controller shall bear all costs reasonably incurred by the Controller in conducting the audit.
8.1 The Processor may only authorise a third-party (a subcontractor) to process the Personal Data if:
- the Customer is provided with an opportunity to object to the appointment of each subcontractor within five (5) working days after the Provider supplies the Customer with full details in writing regarding such subcontractor;
- the Provider enters into a written contract with the subcontractor that contains data protection obligations that provide at least the same level of protection for Personal Data as those contained in the Agreement, to the extent applicable to the services provided by the subcontractor;
- the Provider maintains control over all of the Personal Data it entrusts to the subcontractor; and
- the subcontractor's contract terminates automatically on termination of this Agreement for any reason.
8.2 The Processor shall keep an up to date list of all its approved subcontractors. The list must be made available to the Controller upon request. Those subcontractors approved as at the commencement of this Agreement are as set out in Schedule 1. If the Controller reasonably objects to the appointment of a subcontractor it must provide written details of the reasonable grounds for its objection and the Processor will use commercially reasonable efforts to make a change to the services to avoid Processing of Personal Data by the objected to subcontractor or to appoint an alternative subcontractor. If the Processor is unable to make such a change to the services or appoint an alternative subcontractor within thirty (30) business days, either party shall have the right to terminate this Agreement and (if applicable) the Terms.
8.3 On the Controller’s written request, the Processor shall provide copies or relevant extracts (at the Processor’s sole discretion) of the Processor’s data processing agreements with subcontractors.
8.4 The Processor shall keep an up to date list of all its approved subcontractors. The list must be made available to the Controller upon request.
8.5 If a subcontractor fails to comply with its obligations under the data processing agreement between the subcontractor and the Processor, the Processor remains fully liable to the Controller for the subcontractor's performance of the Controller’s obligations under the Agreement.
9. RECORDS AND DATA PROTECTION OFFICER
9.1 The Processor will keep written records (“Records”) of all data processing activities. The Records will be made accessible to the Controller upon request.
9.2 In the event that the Processing or nature of business activities require the Processor to appoint a DPO in accordance with Applicable Law, the contact details of the DPO will be provided in Schedule 3.
10. CONTACT WITH AUTHORITIES, DATA SUBJECT REQUESTS
10.1 The Processor will inform the Controller without undue delay of any contact from Data Subjects, relevant authorities, courts or regulators (including the Commissioner), or third parties concerned with the Processor’s Processing of Personal Data on behalf of the Controller.
10.2 If the Data Subject makes a request to exercise their Data Protection Legislation rights to the Processor, the Processor will refer the Data Subject to the Controller.
10.3 The Processor will accommodate inspections as required by domestic law, courts or regulators (including the Commissioner).
10.4 The Processor is not permitted to represent the Controller’s interests or in any other way act on behalf of the Controller towards any Data Subject, authority or any other relevant third party.
11. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
11.1 The Controller will adopt the appropriate organisational and technical security measures in order to protect personal data under the Agreement from unauthorised and illegal access. This includes ensuring sufficient physical access controls, system access controls, data access controls and data backups.
11.2 The suitability of technical and organisational measures will be assessed with regard to the latest technology available, associated costs for adoption, sensitivity of data concerned by the processing acts of the Processor, in addition to any risks to the rights and freedoms of data subjects.
11.3 If the Controller assesses the risk level of Processing by the Processor as high, and thereby conduct an impact assessment, the Controller must share the result of such an assessment so that this can be factored into a decision of what is a sufficient level of technical and organisational measures.
11.4 The Processor must follow any decisions issued by the Commissioner or any other supervisory authority on measures to meet the security requirements in Applicable Law and all other requirements relating to the Personal Data Assistant in accordance with Applicable Law.
11.5 The Processor must comply with any decisions and consultation opinions issued by the supervisory authority on measures necessary to meet the security standards in accordance with Applicable Law and all other requirements relating to the Controller’s obligations under Applicable Law.
11.6 The Processor must ensure its employees, subcontractors and, where applicable, the employees of its subcontractors only have access to the Personal Data to the extent to which it is necessary and that those who have access to the Personal Data maintain the confidentiality of such information (e.g. by signing an individual confidentiality agreement).
11.7 Only employees or assigned individuals of the Processor deemed to have the necessary level of knowledge in relation to the nature and scope of the Personal Data processing may process the Personal Data.
11.8 Computer equipment, storage media and other equipment used in the processing of personal data performed by the Processor must be stored so that unauthorised persons cannot gain access to them.
11.9 The security in the Processor’s physical premises where personal data is processed must be suitable and secure with regard to locking equipment, functioning alarm equipment, protection against fire, water and burglary, and protection against power outages. The equipment used to process Personal Data must have good protection against theft and events that may destroy the equipment and/or Personal Data.
12. CONTROL OVER PERSONAL DATA
12.1 The Processor must ensure that the Personal Data remains protected against unauthorised, unlawful and unintentional destruction, modification and distortion. The Personal Data must be protected from unauthorised access during storage, transfer and other treatment. The Controller must not access Personal Data unless the identity of the recipient has been verified.
13. DATA TRANSFERS OUTSIDE THE EU/EES
13.1 The Processor primarily processes the Personal Data of the Controller within the EU/EES. In the event that Personal Data is not processed within the EU/EES, the Processor must ensure that processing takes place according to Applicable Law by ensuring that one of the following criteria is met:
13.1.1. There is a decision from the European Commission that the country ensures an adequate level of protection for the Personal Data;
13.1.2. The Processor applies the European Commission's standard contractual clauses (SSCs) for third country transfers; and
13.1.3. The Processor has adopted other appropriate safeguards which fulfil requirements under Applicable Law.
14. LIABILITY AND INDEMNITIES
14.1 The Parties are free from liability for obligations arising under the Agreement in cases where performance is hindered by a circumstance of an extraordinary nature beyond the Party's control which the Party could not reasonably be expected to have taken into account and whose consequences the Party could not reasonably have avoided.
14.2 The Processor’s liability arising out of or relating to this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise is subject to the “Our Liability” section of the Terms, and any reference in such section to our total liability means our aggregate liability under the Terms and this Agreement together.
14.3 The Processor agrees to indemnify the Controller for any damages incurred by the Controller as a direct result of the Processor processing Personal Data against the Controller’s instructions according to the Agreement and Applicable Law.
14.4 For the avoidance of doubt, we shall not be liable for any loss of profit, or any indirect or consequential loss arising in connection with this Agreement.
15.1 The Processor is not permitted to use information or any other material which they are provided access to in order to fulfil the Agreement or the Terms for any other purpose than those which are necessary to fulfil their obligations under this Agreement or the Terms.
15.2 The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Controller or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). The agreement of confidentiality between the parties is valid from the date on which the Parties enter into the Terms until the Processor returns or destroys the Personal Data in accordance with this Agreement. The Processor will ensure that confidentiality is maintained by its employees and all other parties involved with the business or work undertaken on their behalf.
16 VALIDITY AND TERMINATION
16.1 This Agreement will remain in full force and effect so long as the Processor is processing Personal Data on behalf of the Controller or until the Agreement is replaced by a different data processing agreement.
16.2 The duties and obligations of the Processor in relation to agreement will remain in full force and effect in spite of the Agreement being terminated, so long as the Processor is Processing Personal Data on behalf of the Controller.
17. DELETION AND RETURN OF PERSONAL DATA
17.1 Upon termination of the Agreement, the Processor and any other potential subcontractors will either destroy or return the Personal Data concerned by the Agreement to the Controller.
17.2 In the event that the Controller has not requested destruction or return of the Personal Data concerned by the Agreement within twelve (12) months from the date of which the Agreement has terminated as agreed by the Parties, the Processor must destroy the Personal Data.
18. APPLICABLE LAW AND DISPUTE RESOLUTION
18.1 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
18.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
18.3 The specified dispute resolution mechanism applicable in the Terms will be applicable in this Agreement.
SCHEDULE 1 - EXISTING AND AUTHORISED SUBCONTRACTORS
- Name: Amazon Web Services (AWS)\ Type of Service: Data storage and distribution network (CDN)\ Website: https\://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf\ Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\ Supplementary Measures: Personal data is processed within the EU/EES
- Name: Compose\ Type of Service: Cache database\ Website: https\://www.compose.com/DPA-exhibit.html\ Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\ Supplementary Measures: Personal Data is processed within the EU/EES
- Name: Hetzner\ Type of Service: Server\ Website: https\://www.hetzner.com/de/\Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\ Supplementary Measures: Personal Data is processed within the EU/EES
- Name: Scrive\ Type of Service: E-signature\ Website: https\://www.scrive.com/\Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\ Supplementary Measures: Personal Data is processed within the EU/EES
- Name: DocuSign\ Type of Service: E-signature\ Website: https://www.docusign.com/\Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\ Supplementary Measures: the subcontractor abides by binding corporate rules/EES
- Name: Hubspot\ Type of Service: CRM platform\ Website: https://www.hubspot.com/\Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\Supplementary Measures: the subcontractors rely on the European Commission's standard contractual clauses (or SCCs).
- Name: Stripe:\ Type of Service: Online payment processing\ Website: https://www.stripe.com/\Personal Data Processed: All details provided by the Controller in accessing the PocketLaw App, such as name, address, email address, phone number, company role, etc.\Supplementary Measures: the subcontractors rely on the European Commission's standard contractual clauses (or SCCs).
SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor has adapted the following technical and organisational measures to ensure that personal data is processed securely and that they are protected from loss, misuse and unlawful or unauthorised access.
Technical security measures are measures which are adopted through technical solutions.
- Access control level
- Access log
- Secure network
- Regular security inspection
- Two-factor authentication
- Password management software for all passwords
Organisational security measures are measures which are adopted in working methods and routines within the organisation.
- Internal policies and procedures
- Login and password management
- Physical security (premises etc.)
SCHEDULE 3 - CONTACT DETAILS
Email address: email@example.com