Has COVID-19 impacted your business? See how we can help.

Service Express Data Processing Agreement


Between: Service Express, LLC a Delaware limited liability company, and Company, and together the “Parties.”


  1. Service Express and Company have a business relationship in which one or both performs services for the other Party and the processing of personal data is required to perform the services.
  2. To the extent that either Party processes Personal Data (defined below) of the other Party, Service Express and Company each agrees to be bound by the data protection requirements set forth in this agreement.

It is hereby agreed as follows:

  1. Definitions
    1. In this Agreement the following expressions shall have the stated meaning:
    2. Data Protection Legislation” means (until May 24, 2018) the Data Protection Act 1998, (from May 25, 2018 and later) the General Data Protection Regulation, and any other data protection or privacy legislation which applies to the parties in a relevant and applicable jurisdiction.
    3. Personal Data” has the meaning ascribed to it in the Data Protection Legislation.
  1. Personal Data
    1. The Parties agree and acknowledge that each is a data “Controller”, a data “Processor”, or both from time to time as defined in the Data Protection Legislation. In respect of any Personal Data processed pursuant to this agreement, each of the Parties will:
      1. Respond to inquiries regarding Personal Data and address any such inquiries promptly in accordance with the Data Protection Legislation; and
      2. Fully comply with the Data Protection Legislation.
    2. Processor will only process Personal Data as needed to perform the Services and to carry out its obligations under this Agreement, any Service Agreement, or other Agreement between the Parties. Processor will only process Personal Data in accordance with any lawful instructions reasonably given by the Controller. Processor will only transfer Personal Data to a third country or international organization on written instructions from the Controller.
    3. If Processor becomes aware of any breach of any security measure relating to Personal Data, then Processor will promptly (and in any event within 24 hours):
      1. Notify the Controller of such breach;
      2. Identify the cause of the breach;
      3. Use reasonable efforts to remedy any breach and its consequences;
      4. Use reasonable efforts to prevent the breach from re-occurring; and
      5. Report to Controller the cause of and procedure for correcting the breach of security.
    4. Processor will:
      1. Use Security, Technical, and Organizational measures to ensure the security of the Personal Data by taking into account: (i) the costs of implementation; (ii) the nature, scope, context, and purposes of the processing; (iii) the risk of harm that could result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (iv) the nature of the Personal Data.
      2. Ensure that only personnel who are under a contractual obligation of confidentiality are authorized to process Personal Data;
      3. Obtain prior written consent from Controller before transferring any Personal Data to any sub-processor, or allowing a sub-processor to access any Personal Data (and in any event ensure that data processing clauses no less stringent than as contained in this Agreement are imposed on any such sub-processor); Consent by Controller shall not be unreasonably withheld; A list of all sub-processors is included at the end of this Agreement and Processor will inform Controller of any intended changes regarding the addition or replacement of sub-processors by updating this Agreement from time to time, giving the Controller an opportunity to object to the changes;
      4. Maintain a record of all categories of any processing activities under this Agreement in relation to Personal Data in accordance with Article 30 of the General Data Protection Regulation and provide a copy of such record(s) to Controller for inspection upon reasonable demand. Such record will include the types and categories of information set out below;
      5. Immediately inform Controller in the event that Processor believes that Controller’s instructions in relation to Personal Data conflict with the requirements of Data Protection Legislation;
      6. Ensure that Personal Data will not be stored, copied, used, altered, deleted, accessed, modified, or otherwise interfered with by Processor for any purpose other than as expressly required to perform Processor’s obligations under an Agreement;
      7. Ensure that Personal Data will not be disclosed to any third party, agents, or subcontractors without the prior written consent of Controller;
      8. If requested, promptly provide Controller with a copy of all Personal Data held by it in the form and on the media reasonably specified by Controller;
      9. Not do or omit to do anything which would cause Controller to be in breach of its obligations under Data Protection Legislation;
      10. Take all reasonable steps to ensure the reliability of Processor staff who have access to Personal Data and will ensure that they:
        1. Are informed of the confidential nature of Personal Data;
        2. Have undertaken and will undertake regular training in the laws relating to handling Personal Data, data privacy and information security at least annually;
        3. Are aware both of Processor’s duties and their personal duties and obligations under Data Protection Legislation and this Agreement;
        4. Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
        5. Do not process Personal Data except on instructions from Controller, unless required to do so by applicable law.
    5. If any part of Personal Data ceases to be required for the performance of Processor’s obligations under this Agreement, Processor will return Personal Data to Controller within 14 days of such cessation, or at Controller’s discretion permanently and securely destroy or procure the destruction of the same. Processor may retain a copy of Personal Data only when it is required by law to do so and has notified Controller of this requirement, subject to all legal requirements, good industry practice, and limited to the purpose for which Processor is under a duty to retain it.
    6. If Processor receives any communication related to the processing of Personal Data or to a Party’s compliance with Data Protection Legislation, it will promptly notify Controller and provide Controller with full co-operation and assistance in relation to any such complaint, notice, communication, activities, or beach. Processor will ensure that it has appropriate technical and organizational measures in place to enable it to support Controller in fulfilling its obligations to respond to requests for exercising Data Subjects’ rights laid down in Chapter III of the General Data Protection Regulation.
    7. Processor will promptly comply with an instruction from Controller in order to comply with any agreement between Controller and a data subject, with any court order, any enforcement or other notice, or request for information from a Government body. Processor will not communicate with any regulator in respect of Personal Data without prior notice to Controller.
    8. Processor will make available to Controller such information as is reasonably necessary to demonstrate Processor’s compliance with the obligations of Processors under the Data Protection Legislation, and allow for and contribute to audits and inspections by the Controller for that purpose. Any such review shall not require access to any third-party data and the reviewing entity will enter into confidentiality obligations with the Processor as may be reasonably necessary to respect the confidentiality of the Processor’s business interests, third party data, and information which the reviewing entity may become aware in the course of undertaking the review. The auditing party shall bear its own costs in relation to such audit, unless the audit reveals any non-compliance with Processor’s obligations under Data Protection Legislation or this Agreement, in which case the costs of the audit shall be borne by the Processor.
  1. “Term”
    1. This Agreement will continue in force for as long as Processor performs services for Controller and will automatically lapse thereafter.
  1. Indemnity and Liability
    1. The Processor shall indemnify Controller, hold Controller harmless against, and is fully liable for all costs, claims, actions, fines, penalties, and damages arising out of Processor’s breach of this Agreement or the Data Protection Legislation.
  1. Data Processing Details
    1. Subject Matter and Purpose of Processing: process Personal Data for the purpose of providing Services and any related technical support to Controller in accordance with this Agreement and any other Agreement between the Parties.
    2. Duration of Processing: The Term and until all Personal Data is returned or deleted by Processor in accordance with this Agreement.
    3. Types of Personal Data: Controller’s representatives’
      1. Name
      2. Business email address
      3. Business phone number
    4. List of Sub-Processors:
      1. Salesforce https://www.salesforce.com/
      2. Marketo https://www.marketo.com/
      3. Outreach https://www.outreach.io/
      4. Microsoft https://www.microsoft.com/en-us/
      5. Totango https://www.totango.com/data-processing-agreement
      6. Alyce https://www.alyce.com/privacy-policy/

Updated 7.1.2020

Share via
Copy link
Powered by Social Snap