Symmetry Cloud Master Services Agreement
GDPR and Data Protection Document

This document takes into account

  1. the EU's General Data Protection Regulation ((EU) 2016/679) ("GDPR"); and
  2. the UK Data Protection Act 2018 ("DPA 2018"),
together the "Applicable Data Protection Legislation". This includes ensuring that the Agreement contains the mandatory clauses required by Article 28(3) of the GDPR for contracts between controllers and processors.

In this Document, the words and expressions defined have the meanings set out in Annex A.

  1. The Annexes form part of this Document.
  2. Except as otherwise set out in the annexes of this Addendum, the Agreement shall continue in full force and effect.
  3. This Document sets out the entire agreement and understanding between the parties in respect of its subject matter. For the avoidance of doubt, this Document is supplemental to and shall be read and construed together with the Master Services Agreement (the "Agreement").
  4. This Document and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the laws of England and Wales and the parties submit to the exclusive jurisdiction of the English Courts, except that either party may enforce a judgement of the English courts anywhere in the world as may be appropriate to the parties.

Annex A

“CUSTOMER Data” - means any information that is provided by the CUSTOMER to SYMMETRY as part of the CUSTOMER's use of the Services, including any information derived from such information;

“CUSTOMER Personal Data” - means the Personal Data comprised in the CUSTOMER Data;

“Controller” - has the meaning given to that term in the GDPR;

“GDPR” - means the EU General Data Protection Regulation (Regulation 2016/679) as applied, updated, derogated from or replaced by the Data Protection Act 2018, in the UK (together the “Applicable Data Protection Legislation”);

“Personal Data” - has the meaning given in the GDPR;

“Personal Data Breach” - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, CUSTOMER Personal Data transmitted, stored or otherwise processed;

“Privacy Policy” - the SYMMETRY privacy policy as set out at www.bluQube.co.uk as amended from time to time by SYMMETRY in its sole discretion;

“Processor” - has the meaning given to that term in the GDPR;

Customer Data, Data Protection and Freedom of Information

  1. The CUSTOMER shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the CUSTOMER Data and remains responsible for the CUSTOMER’s compliance obligations under the applicable data protection legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to SYMMETRY.
  2. SYMMETRY processes CUSTOMER Personal Data in accordance with the Privacy Policy which sets out how SYMMETRY operates in relation to the privacy and security of the CUSTOMER Personal Data.
  3. SYMMETRY shall promptly notify the CUSTOMER in writing of any actual or suspected loss or damage to the CUSTOMER Data which SYMMETRY becomes aware of and which arises as a result of SYMMETRY’s own acts or omissions, and shall comply with clause (t) below where there is a Personal Data Breach. In the event of any loss or damage to CUSTOMER Data, the CUSTOMER's sole and exclusive remedy shall be for SYMMETRY to use reasonable commercial endeavours to restore the lost or damaged CUSTOMER Data from the latest backup of such CUSTOMER Data maintained by SYMMETRY in accordance with its normal archiving procedures. SYMMETRY shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of CUSTOMER Data caused by the CUSTOMER or any third party engaged by the CUSTOMER.
  4. The CUSTOMER shall be the controller, and SYMMETRY will act as processor in respect of all data processing activities in relation to CUSTOMER Personal Data that SYMMETRY carries out under this Agreement.
  5. Nothing in this Agreement shall relieve SYMMETRY from its direct obligations as a processor under the GDPR.
  6. Scope of Processing - SYMMETRY shall process the CUSTOMER Personal Data only to the extent, and in such manner as is necessary for the provision of the Services under the Agreement, and as may be required by the Applicable Data Protection Legislation. SYMMETRY will not process the CUSTOMER Personal Data for any other purpose or in a way that does not comply with the Agreement or the Applicable Data Protection Legislation.
  7. Duration of processing - SYMMETRY shall only process the CUSTOMER Personal Data for the duration of and as set out in the Agreement.
  8. Policies - If the CUSTOMER requires SYMMETRY to comply with any CUSTOMER policies or procedures which are not stated in the Agreement, these must be agreed by the parties in advance in writing.
  9. CUSTOMER Instructions - SYMMETRY shall:
    1. maintain the confidentiality of all CUSTOMER Personal Data and will process the CUSTOMER Personal Data only on documented instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature) or as set out in this Agreement, unless required by law (provided that if SYMMETRY is required by law, court, regulator or supervisory authority to process or disclose CUSTOMER Personal Data in a particular way, SYMMETRY has first notified the CUSTOMER in advance of the legal or regulatory requirement and given the CUSTOMER an opportunity to object or challenge the requirement, if SYMMETRY is permitted to do so and the law doesn’t prohibit such notice);
    2. not cause or permit the CUSTOMER Personal Data to be transferred outside of the European Economic Area by SYMMETRY or any sub-contractor of SYMMETRY without the CUSTOMER’s prior consent in writing and signed by the CUSTOMER;
    3. comply with any request from the CUSTOMER to amend, transfer or delete the CUSTOMER Personal Data, always subject to Applicable Data Protection Legislation; and
    4. only make copies of any CUSTOMER Personal Data to the extent reasonably necessary for the provision of the Services (which, for clarity, includes back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing of the relevant data).
  10. Staff - SYMMETRY shall:
    1. ensure that persons engaged by SYMMETRY that are authorised to process the CUSTOMER Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
    2. ensure that any of its staff who have access to the CUSTOMER Personal Data do not process that data except on instructions from the CUSTOMER, unless he or she is required to do so by applicable law.
  11. Technical and Organisational Measures
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of the CUSTOMER Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons in respect of the CUSTOMER Personal Data, SYMMETRY shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. For information on the measures SYMMETRY maintains to secure the CUSTOMER Personal Data see [Annex B].
    2. It is the responsibility of each Party to ensure that its staff members are appropriately trained to handle and process the CUSTOMER Personal Data in accordance with the technical and organisational security measures set out in [Annex B] and in accordance with the Applicable Data Protection Legislation. The level, content and regularity of training referred to in this clause shall be proportionate to the staff members' role, responsibility and frequency with respect to their handling and processing of the Personal Data.
    3. SYMMETRY shall indemnify, keep indemnified and defend at its own expense the CUSTOMER against all costs, expenses, or fines imposed by an applicable data protection regulator, incurred by the CUSTOMER due to a failure by SYMMETRY or SYMMETRY’s employees, subcontractors or agents to comply with any of SYMMETRY’s obligations under clause (k)(i) or (ii).
  12. Sub-contractors / Sub data processors
    1. SYMMETRY shall not engage another sub-contractor to process the CUSTOMER Personal Data except those stated in the [Schedule], without prior specific or general authorisation of the CUSTOMER;
    2. In the case of the sub-contractors specified in the [Schedule] or approved by the CUSTOMER specifically or under general authorisation, SYMMETRY will provide reasonable prior written notice to the CUSTOMER of any intended changes concerning the addition or replacement of any other sub-contractor, so that the CUSTOMER has an opportunity to object to such changes;
    3. Where SYMMETRY engages a sub-contractor for carrying out specific processing activities on behalf of the CUSTOMER, SYMMETRY imposes equivalent obligations as set out in this clause on that other sub-contractor by way of a contract.
    4. Where that other sub-contractor fails to fulfil its data protection obligations, SYMMETRY shall remain liable to the CUSTOMER for the performance of that sub-contractor’s obligations.
  13. Data Subjects Rights
    1. Subject to this clause (m)(v) and taking into account the nature of the processing under the Agreement, SYMMETRY shall provide reasonable assistance to the CUSTOMER using appropriate technical and organisational measures, insofar as this is possible, in relation to the fulfilment of the CUSTOMER's obligation to respond to requests exercised by data subjects in relation to their rights laid down in Chapter III of the GDPR (being Articles 12 to 23 of the GDPR). Those rights include: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling.
    2. To assist the CUSTOMER to comply with any such data subject rights requests and complaints, SYMMETRY agrees to store or record the CUSTOMER Personal Data processed under the Agreement in a structured, commonly used and machine readable form.
    3. SYMMETRY agrees to notify the Data Controller immediately and no later than 48 hours upon receipt by SYMMETRY of a request from an individual seeking to exercise any of their data subject rights under the Applicable Data Protection Legislation, including those rights as described in this clause (m)(i) above. SYMMETRY agrees to notify the CUSTOMER promptly upon receipt of any complaint from an individual regarding the processing of CUSTOMER Personal Data under the Agreement.
    4. SYMMETRY agrees to act only under the CUSTOMER’s reasonable instructions in relation to any activities undertaken to resolve any complaints or comply with any data subject rights requests from individuals under this clause (m).
    5. If the CUSTOMER requires SYMMETRY to implement specific measures, or to incur any time costs assisting the CUSTOMER to deal with any such data subject rights requests or complaints under this clause (m), all such assistance will be chargeable at SYMMETRY’s then current labour rates.
  14. Assisting Compliance of the CUSTOMER as the Controller - Taking into account the nature of the processing and the information available to SYMMETRY, SYMMETRY shall assist the CUSTOMER in ensuring compliance with the CUSTOMER’s Obligations in respect of Articles 32 to 36 of the GDPR. If the CUSTOMER requires SYMMETRY to implement specific measures, or to incur time costs dealing with requests pursuant to this clause, these will be chargeable at SYMMETRY’s then current labour rates.
  15. Freedom of Information – SYMMETRY recognises that the CUSTOMER is a public authority for the purposes of the Freedom of Information Act 2000 (“FOIA”) and may be required under the FOIA to disclose certain information about the Agreement, the services provided by SYMMETRY under the Agreement and the processing carried out under the Agreement. SYMMETRY agrees to provide reasonable assistance to the CUSTOMER as is necessary to enable the CUSTOMER to comply with its obligations under the FOIA provided that all such assistance will be chargeable at SYMMETRY’s then current labour rates.
  16. SYMMETRY shall immediately inform the CUSTOMER if, in its opinion, an instruction infringes the GDPR or other Applicable Data Protection Legislation.
  17. Review
    1. The Parties shall review the effectiveness of the processing of CUSTOMER Personal Data under this Agreement no more than once in any 12 month period provided that all such assistance in this process by SYMMETRY will be chargeable at SYMMETRY’s then current labour rates. If the CUSTOMER requires SYMMETRY to implement specific measures following this review, or to incur time costs dealing with requests pursuant to this review, these will be chargeable at SYMMETRY’s then current labour rates.
    2. The review described in this clause will involve:
      1. Assessing whether the purposes for which the CUSTOMER Personal Data is being processed are as set out in this Agreement;
      2. Assessing whether the CUSTOMER Personal Data is still as defined in this Agreement;
      3. Assessing whether the legal framework governing data quality, retention, and data subjects' rights can be complied with by the CUSTOMER in accordance with this Agreement;
      4. Assessing whether Personal Data Breaches involving the CUSTOMER Personal Data have been handled in accordance with the Agreement and the Applicable Data Protection Legislation;
      5. Assessing whether the technical and organisational measures listed in Annex B are still in place and are adequate to prevent unauthorised or unlawful processing and accidental loss or destruction of, or damage to, the CUSTOMER Personal Data.
  18. Ceasing Processing - As soon as reasonably practical at the request of the CUSTOMER, SYMMETRY shall:
    1. stop processing all or any of the CUSTOMER Personal Data (subject to SYMMETRY being permitted to retain copies of information which it is not reasonably possible to cease processing promptly, for example, where information is stored off site without remote access);
    2. confirm any disclosures made to third parties in relation to CUSTOMER Personal Data and provide copies, if required.
  19. Personal Data Breach
    1. SYMMETRY shall notify CUSTOMER without undue delay and in any event no later than 24 hours, upon SYMMETRY or any of its sub-contractors becoming aware of a Personal Data Breach affecting CUSTOMER Personal Data, providing CUSTOMER with sufficient information to allow the CUSTOMER to meet any obligations to report or inform data subjects, appropriate regulatory authorities, the police and other relevant third parties of the Personal Data Breach as the CUSTOMER is required to do under the Applicable Data Protection Legislation.
    2. SYMMETRY shall co-operate with CUSTOMER and take such reasonable commercial steps as are directed by CUSTOMER and any relevant supervisory authority under the Applicable Data Protection Legislation, to assist in the investigation, mitigation and remediation of each such personal data breach.
    3. If the CUSTOMER requires SYMMETRY to implement specific measures, or to incur time costs dealing with a personal data breach which the CUSTOMER cannot reasonably demonstrate was caused by SYMMETRY, these will be chargeable at SYMMETRY’s then current labour rates.
  20. Data Protection Impact Assessment and Prior Consultation - SYMMETRY shall provide reasonable assistance to the CUSTOMER with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which CUSTOMER reasonably considers to be required by article 35 or 36 of the GDPR, in each case solely in relation to processing of CUSTOMER Personal Data by, and taking into account the nature of the processing and information available to, SYMMETRY. If the CUSTOMER requires SYMMETRY to incur time costs when providing assistance pursuant to this clause, these will be chargeable at SYMMETRY’s then current labour rates.
  21. The provisions of this clause shall apply during the term of this Agreement and after its expiry until all CUSTOMER Personal Data has been permanently deleted or destroyed so that it is no longer accessible by SYMMETRY.

Annex B

Security Measures

Physical Security
The SYMMETRY Cloud environment is based on a collection of servers, owned and managed by SYMMETRY. These are stored in a high security location in the UK, which provides the highest level of uptime and security.

The environment is built on the latest hardware providing a fault tolerant system with multiple levels of redundancy built in as standard.

Firewall Protection
The whole environment is protected by industry leading enterprise level firewalls. These are configured to not just provide a robust defence against brute force attacks, but also provide zero-day defence against other forms of malicious activity.

Encryption
All data is encrypted and currently sent over SSL/HTTPS (this may be changed to keep up with industry standard and technology advances) during transit, using enhanced certificates verified by industry accepted providers.

Back Ups
SYMMETRY complete full regular backups of data. This includes normal daily backups to provide static point in time recovery operations of individual items and provide a complete disaster recovery solution. Multiple backups are held in separate locations for security purposes.

Penetration testing
SYMMETRY regularly test the robustness of our security measures. Full environment penetration testing is carried out using a reputable third party supplier.
