
Data Protection & Security Policy

Terms

This Schedule 1 to the Terms and Conditions forms part of the Agreement between Refactor and the Customer. It sets out the roles and obligations that apply to each Party when Refactor processes Customer’s Personal Data (“Customer Personal Data”) falling within the scope of the UK Data Protection Laws when providing services under the Agreement.

1. DEFINITIONS

All capitalized terms not defined in this Schedule 1 shall have the meanings set forth in the main body of the Terms and Conditions.

  1. “Alternative Transfer Solution” means a solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the UK GDPR;

  2. “Controller”, “Processor”, “Personal Data”, “special categories of data”, “Data Subject” and “Processing” all have the meanings set out in the UK Data Protection Laws;

  3. “UK Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in the United Kingdom including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended or updated from time to time;

  4. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended, which now forms part of the law of England and Wales, Scotland and Northern Ireland;

  5. “Optional Security Controls” means encryption, logging and monitoring, identity and access management, security scanning, and firewalls, and other security tools made available by Refactor from time to time;

  6. “Security Incident” means the (a) accidental or unlawful destruction and (b) loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data; and

  7. “Sub-Processors” means Refactor’s sub-processors authorised under these Terms and Conditions to have access to and process Customer Personal Data in order to provide parts of the Services.

2. SCOPE AND ROLES OF THE PARTIES
  1. As between Refactor and Customer, the Parties agree that Customer is the Controller of the Customer Personal Data set out in the Statement of Work or Order Form as applicable and Refactor shall process such Personal Data as a Processor acting on behalf of Customer for the purposes described in the main body of Refactor’s Terms and Conditions (“Permitted Purpose”).

  2. Each Party will comply with all applicable requirements of the UK Data Protection Laws as they apply to them in the provision and receipt of the Services.

3. REFACTOR OBLIGATIONS
  1. To the extent that Refactor processes Customer Personal Data, which processing includes computing, storage and content delivery on the Servers, it shall do so:

    1. for the duration of the Order Term (unless otherwise agreed in writing or permitted by law);

    2. solely as necessary to fulfil the Permitted Purpose; and

    3. as instructed by the Customer in writing and in accordance with the terms of the Agreement. Refactor shall notify Customer in writing (unless prohibited from doing so under UK Data Protection Laws) if it becomes aware or believes that any data processing instructions from Customer breach UK Data Protection Laws.

  2. Refactor will, at all times in connection with the performance by it of its Processing obligations under this Agreement:

    1. not access or use any Customer Personal Data except as necessary to provide the Services to the Customer under this Agreement or in accordance with the Customer’s written instructions;

    2. provide the Customer with an opportunity to download the Customer Personal Data, following which Refactor may delete Customer Personal Data and copies thereof on termination of the Order Term unless required by applicable law to store the Customer Personal Data;

    3. promptly carry out any request from the Customer to amend, transfer, delete or return (and then delete) the Customer Personal Data; and

    4. maintain complete and accurate records and information to demonstrate its compliance with paragraph 5 below.

4. CUSTOMER’S OBLIGATIONS
  1. Customer will:

    1. review and approve Refactor’s Security Measures as an appropriate level of security for the processing of the Customer Personal Data;

    2. keep adequate backups of all Customer Data including the Customer Personal Data separately from the Servers, or otherwise request Refactor to create backups as part of an Order;

    3. choose any of the Optional Security Controls that it deems necessary and prudent and which are appropriate to the risk of the Customer Personal Data; and

    4. be responsible for ensuring that it implements its own technical and organisational measures to ensure a level of security appropriate to the risks of the data processing.

  2. The Customer also controls how Customer Personal Data is stored, classified, exchanged or otherwise Processed when using the Services. The Customer may select the territory in which it stores or processes the Customer Personal Data and may purchase Optional Security Controls from Refactor as it deems appropriate for the nature and volume of Customer Personal Data that it processes on the Servers. The Server features and functionalities and Portal made available to Customer as part of the Services shall form part of the Customer’s written instructions to Refactor in relation to the processing of Personal Data, as well as this Agreement and the terms of any Order.

  3. Customer’s instructions for the processing of Personal Data will comply with UK Data Protection Laws, and the Customer will have sole responsibility for, and ensure that it has, all necessary and appropriate consents and notices in place to enable the lawful processing of the Customer Personal Data and the performance of the Services by Refactor. The Customer shall indemnify Refactor against any losses, damages, claims and expenses incurred by or suffered by Refactor from a breach by Customer of this paragraph 4.3.

5. SECURITY
  1. Refactor will provide the security procedures as set out in the Security Measures, and where set out in an Order the Optional Security Controls, for the duration of the Order Term.

  2. As part of providing the Security Measures, Refactor will maintain appropriate technical and organisational measures at its data centre facilities that are within its control and are used to provide the Services, and which are designed to help the Customer secure its Customer Personal Data against unauthorised processing and accidental or unlawful loss, access or disclosure.

  3. Refactor may update its Security Measures from time to time but will provide at least the same level of security as is described in the Security Measures as of the effective date of this Agreement. Notwithstanding the foregoing, the Customer acknowledges that Customer is responsible for the security of guest operating systems, applications hosted on the service, data in transit and at rest, Customer’s service log-in credentials, and permissions policies for Customer personnel using the Services and Servers.

  4. Upon becoming aware of a Security Incident, Refactor shall:

    1. inform Customer without undue delay;

    2. provide timely information and cooperation as Customer requires to fulfil its obligations under the UK Data Protection Laws; and

    3. promptly take reasonable steps to minimise harm and secure the Customer’s Personal Data.

6. REFACTOR PERSONNEL
  1. Refactor shall ensure that its personnel engaged in the Services are informed of the confidential nature of the Customer Personal Data and shall receive ongoing and appropriate training on their responsibilities.

  2. Refactor shall also ensure that any person that it authorises to process the Customer’s Personal Data (a) is limited to its personnel who need access solely to provide the Services to the Customer and (b) is under a strict duty of confidentiality (whether a contractual duty or a statutory duty).

7. COOPERATION AND ASSISTANCE
  1. Cooperation: Refactor will provide reasonable cooperation and assistance to the Customer, at the Customer’s cost, in ensuring compliance with its obligations under the UK Data Protection Laws with respect to security, breach notifications, impact assessments, data subjects’ rights and consultations with supervisory authorities or regulators.

  2. Data protection impact assessments: Refactor will provide reasonable cooperation and assistance to the Customer, at the Customer’s cost, to enable the Customer to fulfil its obligation under UK Data Protection Laws to carry out a data protection impact assessment relating to the use of the Services, and to the extent that the information is not already included in the Security Measures document or generally made available by Refactor on its website.

  3. Data subjects’ rights: Refactor will, to the extent legally permitted, promptly notify the Customer if it receives a direct request from a Data Subject exercising its right of access, rectification, restriction of processing, erasure (i.e., the right to be forgotten), data portability, objection to processing, or its right not to be subject to automated individual decision making (“a Data Subject Request”). Refactor will assist the Customer, at the Customer’s cost, in responding to any Data Subject Request (save that, beyond providing the Customer the ability to rectify, erase, restrict or retrieve Customer Personal Data, Refactor shall not be required to provide any further assistance).

8. AUDIT
  1. Refactor will achieve and maintain the ISO/IEC 27001 Certification to evaluate and help ensure the continued effectiveness of the Security Measures and will make available to Customer the certificate highlighting its compliance.

  2. Pursuant to UK Data Protection Laws, Refactor will allow an independent auditor appointed by Customer (and approved by Refactor) to conduct audits (including inspections, as long as such inspections do not jeopardise Refactor’s other customers’ confidentiality or data security) to verify Refactor’s compliance with its obligations under this Schedule.

  3. Customer may also conduct an audit to verify Refactor’s compliance with its obligations under the Security Measures by reviewing the Security Measures documentation (which reflects the outcome of audits conducted by Refactor’s own third-party auditor).

  4. Customer must send any requests for audits under this paragraph 8 to Refactor’s data protection team at dpo@Refactor.com.

  5. Following receipt by Refactor of a request under this paragraph 8, Refactor and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit, provided that Customer shall not exercise these combined rights of audit more than once in any 12 month period.

  6. Refactor may charge a fee (based on Refactor’s reasonable costs) for any review and/or audit under this paragraph 8. Refactor will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

  7. Refactor may object in writing to an auditor appointed by Customer to conduct any audit under this paragraph 8 if the auditor is, in Refactor’s reasonable opinion, not suitably qualified or independent, a competitor of Refactor, or otherwise manifestly unsuitable. Any such objection by Refactor will require Customer to appoint another auditor or conduct the audit itself.

9. SUB-PROCESSING
  1. Customer specifically authorises the engagement of Refactor’s Sub-Processors listed at https://www.Refactor.com/compliance/security/security-measures (updated from time to time) to provide the Services.

  2. In addition, Customer authorises Refactor to engage other third parties as Sub-Processors provided that Refactor will

    1. update its list of Sub-Processors;

    2. contractually ensure that such Sub-Processor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with this Data Protection and Security Schedule and, if applicable, any Alternative Transfer Solution adopted by Refactor; and

    3. remain fully liable for all obligations subcontracted to, and all acts or omissions of, the Sub-Processor.

  3. In the event that Refactor wishes to appoint a new Sub-Processor who will be involved in providing the Services on behalf of Refactor, Refactor shall provide reasonable written notice to the Customer (and such notice shall include the details of the Sub-Processor), and should the Customer not approve of the appointment, its sole remedy shall be to terminate the Order to which the appointment relates.

  4. Where Refactor wishes to appoint a new Sub-Processor, the Customer may object to that appointment in writing to Refactor within ten (10) Business Days of Refactor’s notice of its intended appointment. If the Customer objects to the appointment, and the Parties cannot resolve how to manage the provision of the Services to the satisfaction of the Customer, then the Customer’s sole remedy shall be to terminate the Order to which the new Sub-Processor applies.

10. INTERNATIONAL TRANSFERS
  1. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the UK, and UK Data Protection Laws apply to the transfers of such data (the “Transferred Personal Data”), Refactor will offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Customer about such Alternative Transfer Solution.

  2. In respect of Transferred Personal Data, Customer agrees that if under the UK Data Protection Laws Refactor reasonably requires Customer to use an Alternative Transfer Solution offered by Refactor, and reasonably requests that Customer take any action (which may include execution of documents) strictly required to give full effect to such solution, Customer will do so.

11. DELETION OF DATA
  1. On expiry or termination of the Order Term, Customer instructs Refactor to delete all Customer Personal Data (including existing copies) from Refactor’s systems in accordance with applicable law. Refactor will comply with this instruction as soon as is reasonably practicable and within a maximum period of 180 days, unless applicable UK Data Protection Laws require longer storage. Customer acknowledges and agrees that Customer will be responsible for exporting, before the Order Term expires, any Customer Personal Data it wishes to retain afterwards.
