i. In conducting its activities as Processor under this Agreement in relation to any Personal Data within Your Data (“Your Personal Data”), Trevor confirms that:
a. the duration and purpose of the Processing shall be as specified in the Agreement;
b. the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data;
c. your obligations and rights as Controller in relation to Your Personal Data are as set out in this Agreement.
ii. To the extent that Trevor Processes Your Personal Data under or in connection with the Agreement, Trevor shall:
a. only Process Your Personal Data in accordance with your instructions as set out in this Agreement, including in respect of the transfer of Your Personal Data, and subject to any exceptions permitted by Article 28(3)(a) of the GDPR;
b. ensure that those of its employees authorised to Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;
c. implement and maintain appropriate technical and organisational measures designed to protect Your Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
d. respect the conditions referred to below in Section 2(ii) of this Data Processing Addendum when appointing sub-Processors;
e. at Customer’s request and cost, assist you by appropriate technical and organisational measures, insofar as this is possible through Trevor, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the GDPR;
f. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information which is available to Trevor;
g. on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;
h. notify Customer without undue delay if, in Trevor’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
ii. You authorise Trevor to subcontract its data Processing obligations under this Agreement to Trevor’s Affiliates, and to other third parties, a list of which is available here. Trevor shall do so only by way of a written agreement with such sub-Processor which imposes the same data protection obligations on the sub-Processor as are imposed on Trevor under this Agreement.
iii. Customer may audit Trevor’s compliance with the terms of the Agreement and this DPA up to once per year.
Customer may perform more frequent audits to the extent required by laws applicable to the Customer. If a third party is to conduct the audit, the third party must be mutually agreed to by both parties and must execute a written confidentiality agreement acceptable to Trevor before conducting the audit.
To request an audit, the Customer must submit a detailed audit plan at least 4 weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Trevor will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Trevor’s security, privacy, or employment policies).
iv. Trevor shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.