Last updated May 6, 2022
This Data Processing Agreement is a component of the Master Services Agreement and subject to its terms which can be found at www.m3ter.com/docs. Capitalised terms in this Data Processing Agreement shall be construed in accordance with the Master Services Agreement unless expressly indicated otherwise. m3ter shall be entitled to amend this Data Processing Agreement from time to time in accordance with the provisions of the Master Services Agreement. Disputes arising under this Data Processing Agreement shall be resolved in accordance with the version of the Data Processing Agreement that was in force and effect at the time when the relevant dispute arose.
Why is a Data Processing Agreement necessary?
The Customer and m3ter are obliged to enter into a Data Protection Agreement pursuant to the Data Protection Laws where the Customer requires m3ter to Process Personal Data on behalf of the Customer pursuant to the provision of the Services. There are further documentary requirements relating to the Sub-Processing of Personal Data by a sub-contractor of m3ter and where m3ter Transfers any Personal Data outside of the United Kingdom.
In more detail:
m3ter is incorporated under the laws of England Wales with a registered office in England. m3ter provides Services to Customers who operate and provide services in multiple jurisdictions around the world. In order to provide the Services, m3ter uses sub-contractors who also operate from multiple jurisdictions around the world.
m3ter’s provision of the Services involves Processing Data which, depending on the nature of the services provided by the relevant Customer to End-Customers, may involve the Processing of Personal Data. The multi-jurisdictional nature of the Transfers of Personal Data means that the Data Protection Laws will be applicable to Personal Data Processed pursuant to the Master Services Agreement.
In order for the Customer to Process Personal Data lawfully pursuant to the Data Protection Laws it must have a lawful basis for doing so, which typically involves the Customer obtaining consent for such Processing from the relevant End-Customer.
In the event that m3ter is Processing Personal Data on behalf of a Customer pursuant to the provision of the Services then m3ter will be acting a Processor on behalf of the Customer.
In order to comply with Data Protection Laws the Customer (as Controller of the relevant Personal Data) and m3ter (as Processor) must agree a Data Processing Agreement. The Data Processing Agreement contains various obligations including (a) that the Customer has a lawful basis for Processing the Personal Data (b) that m3ter will comply with the Customer’s instructions in Processing the Personal Data (c) that m3ter will utilise technical and organisational measures with the intention of protecting the security and integrity of the Personal Data (d) that m3ter will provide assistance to the Customer to enable the Customer to comply with the Data Protection Laws including, without limitation, in respect of Data Subject Requests and audits.
In this Data Processing Agreement:
|Applicable Law||means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services: (a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time; (b) the common law and laws of equity as applicable to the parties from time to time; (c) any binding court order, judgement, or decree; or (d) any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business.|
|Controller||has the meaning given to that term in Data Protection Laws.|
|Controller-to-Controller Clauses||means the standard contractual clauses between Controllers and Controllers for Data as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which forms part of the Documentation.|
|Controller-to-Processor Clauses||means the standard contractual clauses between Controllers and Processors for Data as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which forms part of the Documentation.|
|Data Processing Agreement||means this Data Processing Agreement including the Schedules annexed hereto which forms a schedule to the Master Services Agreement.|
|Data Protection Laws||all applicable law relating to data privacy and data protection and direct marketing, including: (a) the European Union Regulation on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (Regulation 2016/679) (GDPR) (and all laws implementing GDPR including as such law forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR)); (b) the Data Protection Act 2018; (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/24/26) and any other law implementing Directive 2002/58/EC; and (d) any related mandatory guidance, guidelines, code of practice and approved codes of conduct guidance issued by a supervisory or competent authority.|
|Data Protection Losses||means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and (b) to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Data Protection Supervisory Authority; (ii) compensation which is ordered by a court or Data Protection Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Data Protection Supervisory Authority.|
|Data Protection Supervisory Authority||means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.|
|Data Subject||has the meaning given to that term in Data Protection Laws.|
|Data Subject Request||means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR.|
|International Recipient||means the organisations, bodies, persons and other recipients to which Transfers of Protected Data are prohibited under clause 6.1 without the Customer’s prior written authorisation.|
|Lawful Safeguards||means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time.|
|Onward Transfer||means a Transfer from one International Recipient to another International Recipient.|
|Personal Data||has the meaning given to that term in Data Protection Laws.|
|Personal Data Breach||means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.|
|Processing||has the meaning given to that term in Data Protection Laws (and related terms such as Process, Processes and Processed have corresponding meanings).|
|Processing End Date||means the earlier of: (a) the end of the provision of the relevant Services related to Processing of the Protected Data; or (b) once Processing by m3ter of any Protected Data is no longer required for the purpose of m3ter’s performance of its relevant obligations under this Agreement.|
|Processing Instructions||has the meaning given to that term in clause 2.1.1.|
|Processor||has the meaning given to that term in Data Protection Laws.|
|Processor-to-Controller Clauses||means the standard contractual clauses between Processors and Controllers for Data as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which forms part of the Documentation.|
|Processor-to-Processor Clauses||means the standard contractual clauses between Processors and Processors for Data as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which forms part of the Documentation.|
|Protected Data||means Personal Data received from or on behalf of the Customer in connection with the performance of m3ter’s obligations under this Agreement.|
|Standard Contractual Clauses||means the Controller-to-Controller Clauses, Controller-to-Processor Clauses and the Processor-to-Controller Clauses (as relevant).|
|Sub-Processor||means a Processor engaged by m3ter or by any other Sub-Processor for carrying out Processing activities in respect of the Protected Data on behalf of the Customer.|
|Transfer||bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR and the UK GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly.|
In this Data Processing Agreement:
(a) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable; and
(b) a reference to a law includes all subordinate legislation made under that law; and
(c) a capitalised term which is not defined in this Data Processing Agreement is construed in accordance with the definition set out in the m3ter Terms of Service as found at www.m3ter.com/docs.
The Parties agree that, for the Protected Data, the Customer shall be the Controller and m3ter shall be the Processor. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
m3ter shall Process Protected Data in compliance with:
the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under this Data Processing Agreement; and
the terms of this Data Processing Agreement.
The Customer shall comply with:
all applicable Data Protection Laws in connection with the Processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Data Processing Agreement, including maintaining all relevant regulatory registrations and notifications as required under applicable Data Protection Laws; and
the terms of this Data Processing Agreement.
The Customer warrants, represents and undertakes, that at all times:
the Processing of all Protected Data (if Processed in accordance with this Data Processing Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
fair Processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all Processing activities in respect of the Protected Data which may be undertaken by m3ter and its Sub-Processors in accordance with this Data Processing Agreement;
the Protected Data is accurate and up to date;
it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, Processing or disclosure);
it shall maintain complete and accurate backups of all Protected Data provided to m3ter (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by m3ter or any other person;
all instructions given by it to m3ter in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
it is satisfied that:
Insofar as m3ter Processes Protected Data on behalf of the Customer, m3ter:
The Customer agrees that:
m3ter (and each Sub-Processor) is not obliged to undertake any Processing of Protected Data that it reasonably believes infringes any Data Protection Laws and shall not be liable (or subject to any reduction or set-off of any Fees otherwise payable to m3ter) to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under this Data Processing Agreement as a result of not undertaking any Processing in such circumstances; and
without prejudice to any other right or remedy of m3ter, in the event the Customer has not resolved any Processing Instruction notified to it under clause 2.1.3 such that it is lawful in m3ter’s reasonable opinion within 7 days of such notification then m3ter may terminate this Data Processing Agreement (and any other agreements between the Parties) immediately upon notice in writing to the Customer (without incurring any liability in respect of such termination).
The Processing of Protected Data to be carried out by m3ter under this Data Processing Agreement shall comprise the Processing set out in Schedule 1.
m3ter shall implement and maintain, at its cost and expense, technical and organisational measures:
in relation to the Processing of Protected Data by m3ter, as set out in Schedule 2; and
taking into account the nature of the Processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data. The Parties have agreed that (taking into account the nature of the Processing) m3ter’s compliance with clause 5.1 shall constitute m3ter’s sole obligations under this clause 3.1.2.
Any additional technical and organisational measures shall be at the Customer’s cost and expense.
The Customer authorises the appointment of the Sub-Processors listed in the Documentation.
m3ter shall be entitled to update the list of Sub-Processors listed in the Documentation from time to time and the Customer’s continued use of the Services shall be deemed to indicate the Customer’s consent to any new Sub-Processor.
To the extent that the Customer objects to any new Sub-Processor added by m3ter pursuant to clause 4.2, it shall be entitled to terminate this Data Processing Agreement and all other agreements between the Customer and m3ter by 7 days’ notice in writing to m3ter, and that such termination will be without prejudice to the Customer’s obligation to pay the Fees that are payable by the Customer in respect of the period up to the date of termination in accordance with the Payment Term and other relevant provisions of the Master Services Agreement.
prior to the relevant Sub-Processor carrying out any Processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under clauses 1 to 11 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by m3ter;
ensure each such Sub-Processor complies with all such obligations; and
remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
m3ter shall ensure that all persons authorised by it (or by any Sub-Processor) to Process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case m3ter shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
m3ter shall refer all Data Subject Requests it receives to the Customer within three Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds 2 per calendar month, the Customer shall pay m3ter for all work, time, costs and expenses incurred by m3ter or any Sub-Processor(s) in connection with all further Data Subject Requests in such month calculated on a time and materials basis at m3ter’s reasonable rates from time to time. Such charges shall be deemed to be Fees and payable by the Customer in accordance with the Standard Payment Terms and other relevant provisions of the Master Services Agreement.
m3ter shall provide such assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to m3ter) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
security of Processing;
data protection impact assessments (as such term is defined in Data Protection Laws);
prior consultation with a Data Protection Supervisory Authority regarding high-risk Processing; and
notifications to the Data Protection Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay m3ter for all work, time, costs and expenses incurred by m3ter or any Sub-Processor(s) in connection with providing the assistance in this clause 5.2, such Fees to be calculated on a time and materials basis at m3ter’s reasonable rates from time to time and payable in accordance with the relevant provisions of the Master Services Agreement.
Subject to clause 6.2, m3ter shall not Transfer (nor permit any Onward Transfer of) any Protected Data:
to any country or territory outside the United Kingdom; and/or
to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Customer’s prior written authorisation except where required by Applicable Law (in which case the provisions of clause 2.1 shall apply).
The Customer hereby authorises m3ter (or any Sub-Processor) to Transfer Protected Data for the purposes referred to in Schedule 3 in accordance with that Schedule, provided all Transfers of Protected Data by m3ter to an International Recipient (including any Onward Transfer) shall:
be effected by way of the Lawful Safeguards referred to in clause 6.3 and in accordance with this Agreement; and
be made pursuant to a written contract, including equivalent obligations on each Sub-Processor in respect of Transfers to International Recipients as apply to m3ter under any of this clause 6.
The provisions of this Agreement shall constitute the Customer’s instructions with respect to Transfers of Protected Data to International Recipients for the purposes of this Data Processing Agreement.
The Lawful Safeguards employed by m3ter in connection with this Data Processing Agreement shall be as set out in Schedule 3;
m3ter and each Sub-Processor is not obliged to make any unlawful Transfer of Protected Data and shall not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under this Data Processing Agreement due to:
there being no available valid Lawful Safeguard agreed under clause 6.3 from time to time for any of the Transfers authorised pursuant to clause 6.2; or
m3ter or any Sub-Processor declining to permit any Transfer(s) on the basis it believes acting reasonably) that the circumstances in clause 6.4.1 apply.
The Fees payable to m3ter shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this clause 6.4.
m3ter shall maintain, in accordance with Data Protection Laws binding on m3ter, written records of all categories of Processing activities carried out on behalf of the Customer.
m3ter shall, in accordance with Data Protection Laws make available to the Customer such information as is reasonably necessary to demonstrate m3ter’s compliance with its obligations under Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer:
giving m3ter reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Data Protection Supervisory Authority or as otherwise required by Applicable Law);
hereby agreeing that to the extent consistent with the generality of m3ter’s obligations set out above in this clause, m3ter shall be entitled to withhold information where it is commercially sensitive or confidential to it or its other customers;
ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to m3ter’s business, the Sub-Processors’ businesses and the business of any customers of m3ter or of any of the Sub-Processors; and
paying m3ter for all work, time, costs and expenses incurred by m3ter or any Sub-Processor(s) in connection with the provision of information and allowing for and contributing to inspections and audits, such Fees to be calculated on a time and materials basis at m3ter’s reasonable rates from time to time and payable in accordance with the Standard Payment Terms and other relevant provisions of the Master Services Agreement.
notify the Customer of the Personal Data Breach; and
provide the Customer with details of the Personal Data Breach.
non-compliance by the Customer with the Data Protection Laws;
Processing carried out by m3ter or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or
breach by the Customer of any of its obligations under clauses 1 to 11 (inclusive).
Clauses 1 to 8 (inclusive) shall survive expiry or termination (for any reason) of this Data Processing Agreement and continue until no Protected Data remains in the possession or control of m3ter or any Sub-Processor. The termination or expiry of such clauses shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.
Clauses 9 to 11 (inclusive) shall survive expiry or termination (for any reason) of this Data Processing Agreement and continue indefinitely.
m3ter may be contacted at firstname.lastname@example.org.
|Subject-matter of Processing||m3ter’s provision of the Services to the Customer.|
|Duration of the Processing||The Customer shall retain and maintain all copies of the Customer Data that it needs for legal compliance or any other reason and shall not rely on m3ter for retention of such Customer Data. m3ter will hold Customer Data for the Service Term in accordance with the relevant Order Form and applicable Documentation. m3ter may retain copies of the Customer Data for up to 60 days after expiry or termination of the Service Term (as the case may be), and shall delete the Customer Data as soon as practicable thereafter.|
|Nature and purpose of the Processing||To provide the Services.|
|Type of Personal Data in respect of End-Customers||Full name (for example wherein the End-Customer is a sole trader), Email addresses, Phone numbers, and Physical addresses.|
|Categories of Data Subjects||Natural persons whose Personal Data is indirectly provided by the Customer to m3ter pursuant to the provision of the Services (for example including natural persons who own and manage an End-Customer business as a sole proprietor, sole trader or equivalent).|
|Special categories of Personal Data||The Customer warrants, represents and undertakes that no special categories of Personal Data will be Processed by m3ter pursuant to the provision of the Services.|
m3ter uses technical and organisational security measures designed to protect personal information Processed by m3ter against unauthorised access, disclosure, alteration, and destruction.
m3ter will develop and maintain a comprehensive security program including without limitation appropriate administrative, technical, organisational and physical security measures to protect the Protected Data against accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure. At a minimum, these measures will include, encryption of data in transit and at rest, restricting access to the Protected Data to only employees who need access, implementing network security and access control, reasonable change management Processes and regular monitoring and testing of the effectiveness of system security.
m3ter will maintain written policies including without limitation, an information security policy, security and privacy guidelines, an internal acceptable use policy, and internal procedural documentation, and will provide the Customer with reasonable evidence of its policies and guidelines upon request.
m3ter will provide appropriate training to m3ter’s personnel in relation to security and handling of Protected Data and m3ter’s policies in respect of the same.
m3ter shall remain primarily liable for the actions of its employees in respect of Protected Data.
Without prejudice to the generality of the foregoing, m3ter will perform appropriate risk assessments and maintain appropriate organisation controls in respect of m3ter’s personnel.
Where Personal Data is stored with any Sub-Processors, access is only provided after appropriate due diligence. Sub-Processors have added additional layers of security to limit access to Personal Data stored in their cloud-based solutions and to permit safe and lawful data transfers, which m3ter have assessed and reviewed. These include strict access restriction, encryption, two factor authentication and password protection, to prevent Personal Data from being accidentally lost or used or accessed unlawfully.
On an annual basis, m3ter shall have auditors conduct an examination, testing the effectiveness of the controls m3ter has implemented. m3ter shall, at its own expense, correct any control issue or deficiencies identified during the audit Process. Upon request from the Customer, m3ter will provide the Customer with a summary of the latest audit report produced on behalf of m3ter. Such information will be treated as m3ter’s Confidential Information.
The Customer acknowledges that due to the location of:
The Customer’s production instances and/or personnel;
m3ter’s production instances and/or personnel;
the Customer’s End-Customers and/or personnel;
the provision of the Services may involve continuous Transfers of the Protected Data and the Customer consents to the same.
Subject to paragraph 3 of this Schedule 3, the Transfers shall be subject to the Standard Contractual Clauses.
Where m3ter is utilising:
Binding Corporate Rules for Processors (as construed in accordance with Article 47 of the GDPR); or
an alternative recognised compliance standard;
for lawful Transfer the same shall apply to such Transfer to the exclusion of the Standard Contractual Clauses.
The Customer shall retain and maintain all copies of the Customer Data that it needs for legal compliance or any other reason and shall not rely on m3ter for retention of such Customer Data.
The Customer is responsible for deciding which Personal Data to send to m³ter, for retrieving the Personal Data and deleting it where necessary. In the event that the Customer decides to use a m3ter Integration to synchronise Personal Data from one of the Customer’s source systems, it is the Customer’s responsibility to control which, if any, Personal Data is sent to m3ter by that m3ter Integration.
The Customer must only provide Personal Data to m3ter for the purposes of identifying their End-Customers. This Personal Data should be kept to the minimum required for this purpose and must only be stored in m3ter End-Customer Account entities as further described in the Documentation available at www.m3ter.com/docs. The Customer is responsible for retrieving and deleting such Personal Data using the m3ter API.
The Customer must only include Personal Data in m3ter End-Customer Account entities, and is responsible for retrieving and deleting such Personal Data using the m³ter API as further described in the Documentation available at www.m3ter.com/docs. During the Service Term, m3ter deletes the raw usage and cost Data you send to the m3ter API after 60 days, or as otherwise specified in the applicable Order Form.
Any aggregated data is available to the Customer via the Services during the Service Term until the earlier of (a) such date when the Customer deletes the Data via the m3ter API and (b) the data retention period specified in the paragraph below. m3ter will hold Customer Data for the Service Term in accordance with the relevant Order Form and applicable Documentation. m3ter may retain copies of the Customer Data for up to 60 days after expiry or termination of the Service Term (as the case may be), and shall delete the Customer Data as soon as practicable thereafter.
The Sub-Processors currently engaged by Service Provider are as follows:
|Name (full legal name)||Contact name, position, and details||Address||Description of processing||Place of processing|
|Amazon Web Services EMEA SARL||https://aws.amazon.com/contact-us/compliance-support/||38 Avenue John F. Kennedy, L- 1855, Luxembourg||Provision of cloud computing services||USA|
|Timescale Inc.||email@example.com||335 Madison Ave, Floor 5, New York, New York 10017, USA||Provision of cloud database services||USA|
|Cyclr Systems Ltdfirstname.lastname@example.org||No.1 Croydon, Office 6-11, Sussex Innovation Centre, 12-16 Addiscombe Rd, Croydon, CR0 0XT, UK||Provision of cloud system integration services||UK|
|VLDBemail@example.com||1 Mann Island, Liverpool, Merseyside, L3 1BP||Provision of resource for Customer on boarding projects||UK|
|Redcentric PLCfirstname.lastname@example.org||Central House, Beckwith Knowle, Harrogate, HG3 1UG||Provision of helpdesk services||UK, India|