The following terms shall have the following meanings:
“Agreement” means these Terms and Conditions together with the SOF and any document referred to in these Terms and Conditions or the SOF.
“tootoot” means tootoot Ltd.
“Services” means the “Stribe” application and any of the services provided by tootoot under these Terms and Conditions, including the provision of access to the Dashboard.
“User” means those employees, agents, independent contractors or end-users of the Customer who are authorised by the Customer to use and/or access the Services.
“Dashboard” means the aggregated dashboard which displays real-time data of multiple Users.
“Customer” means the purchaser of access to the Services from tootoot, as set out in the SOF.
“Data Protection Legislation”means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) to the extent incorporated into English law; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
“Initial Contract Term” means the initial term of this Agreement, as set out in the SOF.
“SOF” means the document tootoot provides to the Customer containing specific information relating to the particular services supplied or to be arranged to be supplied by tootoot to the Customer.
“Contract Start Date” has the meaning given to it in the SOF.
“Fees” means the fees payable by the Customer to tootoot for the provision of access to the Services, as set out in the SOF.
“Maximum Users” means the user subscriptions purchased by the Customer which entitle Users to access and use the Services in accordance with this Agreement.
“Lifetime Storage Fee” means the fees payable by the Customer to tootoot for the ongoing storage of Customer Data after the termination of this Agreement, if applicable, and as set out in the SOF.
“Customer Data” means the data inputted by the Customer, Users, or the Supplier on the Customer’s behalf, for the purpose of using the Services, or facilitating the use of the Services.
“controller”, “processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing” and “appropriate technical and organisational measures” each have the meaning given to them in the Data Protection Legislation.
“Clause” and “schedule” means respectively clauses or schedules in this agreement unless the context shows a contrary meaning. “Now” and “today” means at the date of this agreement. “Comply with” includes “observe and perform”. “Parties” means the parties to this agreement and where the context permits, their successors in title.
1 PERSONAL DATA TYPES AND PROCESSING PURPOSES
1.1 The Customer and tootoot acknowledge that for the purpose of the Data Protection Legislation, the Customer is the controller and tootoot is the processor.
1.2 The Customer retains control of the Customer Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including without limitation providing any required notices, undertaking any impact assessments, communicating to Users any relevant justifications and obtaining any required consents (including in respect of any Special Categories of Personal Data to be processed by tootoot as part of the User’s access to the Services), and for the processing instructions it gives to tootoot.
1.3 Regarding processing conducted pursuant to this Agreement:
i Subject matter of processing: the supply and use of the Services.
ii Duration of Processing: the Term and, if applicable and on payment of the Lifetime Storage Fee, in perpetuity.
iii Nature of Processing: Storage of personal data, transfer of personal data between the Customer and its Users (as the case may be).
iv Business Purposes: the provision of access to the Services for the benefit of Users.
v Personal Data Categories: full name and workplace email address of the Data Subject, and, depending on how the Services are used and what the Customer’s specific instructions are, such other information that the Data Subject provides to the Services during use of the Services.
vi Data Subject Types: Users who sign up to use the Services.
2 PROVIDER’S OBLIGATIONS
2.1 Tootoot will only process the Personal Data to the extent, and in such a manner, as is necessary for the provision of the Services in accordance with this agreement and/or the User’s written instructions except where otherwise required by applicable law (and shall inform the User of that legal requirement before processing unless prohibited by that applicable law on important grounds of public interest).
2.2 Tootoot will notify the User if, in its opinion, the User’s instruction would not comply with the Data Protection Legislation and shall be entitled to cease to provide the relevant services until appropriate amended instructions are received.
2.3 Tootoot will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the User or this agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Tootoot to process or disclose Personal Data, Tootoot will first inform the User of the legal or regulatory requirement and give the User an opportunity to object or challenge the requirement, unless the law prohibits such notice.
2.4 Tootoot will reasonably assist the User with meeting the User’s compliance obligations under articles 32 to 36 of the GDPR (and any similar obligations under Data Protection Legislation), taking into account the nature of Tootoot’s processing and the information available to Tootoot, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
3 PROVIDER’S EMPLOYEES
3.1 Tootoot will ensure that all employees are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data.
4.1 Tootoot will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. Tootoot will document those measures in writing and periodically review them to ensure they remain current and complete.
4.2 Tootoot will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
4.2.1 the pseudonymisation and encryption of personal data;
4.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
4.2.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
5 PERSONAL DATA BREACH
5.1 Tootoot will promptly and without undue delay notify the User if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Tootoot will restore such Personal Data at its own expense.
5.2 Tootoot will promptly and without undue delay notify the User if it becomes aware of:
5.2.1 any accidental, unauthorised or unlawful processing of the Personal Data; or
5.2.2 any Personal Data Breach.
6 CROSS-BORDER TRANSFERS OF PERSONAL DATA
6.1 Tootoot (or any subcontractor) must not transfer or otherwise process Personal Data outside the European Economic Area (“EEA“) without obtaining the User’s prior written consent.
6.2 Notwithstanding paragraph 6.1, the User hereby consents to Personal Data being sent to the following sub-contractors:
6.2.1 Intercom Inc. who provide live chat support services for the Services and who are located in the USA; and
6.2.2 Slack Technologies Inc. who provide company communication tools and who are located in the USA.
7.1 Tootoot may only authorise a third party (subcontractor) to process the Personal Data if:
7.1.1 the User is provided with an opportunity to object to the appointment of each subcontractor within 7 (seven) days after Tootoot supplies the User with full details regarding such subcontractor;
7.1.2 Tootoot enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this agreement, in particular, in relation to requiring appropriate technical and organisational data security measures; and
7.1.3 Tootoot maintains control over all Personal Data it entrusts to the subcontractor.
7.2 If the User:
(a) objects to the appointment of any subcontractor within the timescale referred to in paragraph 7.1.1 then Tootoot shall ensure that no Personal Data that it is processing on behalf of the User is transferred to such subcontractor and this agreement shall automatically terminate one month after receipt of such objection by Tootoot on a no fault basis for either party; or
(b) does not object to the appointment of any subcontractor within the timescale referred to in paragraph 7.1.1 then they are deemed to have agreed to the engagement of that subcontractor.
7.3 Those subcontractors approved as at the commencement of this agreement are as set out in paragraph 6.2 above and, additionally, Digital Ocean LLC and Amazon.com Inc who together provide hosting services for our platform and app who are both US companies but who keep all personal data on servers at data centres respectively based in the UK and throughout the EEA (and who do not transfer such data to the US at any time).
7.4 Where the subcontractor fails to fulfil its obligations under such written agreement, Tootoot remains fully liable to the User for the subcontractor’s performance of its contract obligations.
7.5 The Parties consider Tootoot to control any Personal Data controlled by or in the possession of its subcontractors.
8 SENSITIVE PERSONAL DATA
8.1 Tootoot does not expect to regularly process sensitive personal data on behalf of the User but where it is requested to do so by the User from time to time, the User shall ensure that prior to making such request it has sufficient consent to the processing from the relevant data subject including (but not limited to) ensuring that the consent is freely given (so giving of the consent must not be a pre-condition of the data subject being entitled to use Tootoot’s platform an app), specific and informed (so the data subject must be advised that the data will be sent to Tootoot and its sub-processors, why it has been sent, and what data will be send) and an unambiguous indication of consent.
8.2 If the consent referred to in paragraph 8.1 is withdrawn at any time then the User must notify Tootoot immediately, following which Tootoot will cease processing such sensitive personal data.
8.3 The User shall indemnify Tootoot against any losses, claims, damages, liabilities, fines, sanctions, interests, penalties, costs, charges, expenses, compensation paid to data subjects, demands and legal and other professional costs (calculated on a full indemnity basis and each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the customer of its obligations under paragraphs 8.1 or 8.2.
9 COMPLAINTS, DATA SUBJECT REQUESTS AND THIRD PARTY RIGHTS
9.1 Tootoot will, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the User as the User may reasonably require, to enable the User to comply with:
9.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
9.1.2 information or assessment notices served on the User by any supervisory authority under the Data Protection Legislation.
10 DATA RETURN AND DESTRUCTION
10.1 At the User’s request, Tootoot will give the User a copy of or access to all or part of the User’s Personal Data in its possession or control in the format and on the media reasonably specified by the User.
10.2 On termination of this agreement for any reason or expiry of its term, Tootoot will securely delete or destroy or, if directed in writing by the User, return and not retain, all or any Personal Data related to this agreement in its possession or control.
10.3 If any law, regulation, or government or regulatory body requires Tootoot to retain any documents or materials that Tootoot would otherwise be required to return or destroy, it will notify the User in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
11.1 Tootoot shall, in accordance with the Data Protection Legislation, make available to the User such information that is in its possession or control as is necessary to demonstrate Tootoot’s compliance with the obligations placed on it under this agreement and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent provisions of any Data Protection Legislation), and allow for and contribute to audits, including inspections, by the User (or another auditor mandated by the User) for this purpose (subject to a maximum of one audit request in any 12 month period under this paragraph 11).