Data Processing Addendum

This Data Processing Addendum is also available for download (PDF) here.

This Data Processing Addendum (“DPA”) forms a part of the Customer Terms of Service found here, unless Customer has entered into a superseding written master subscription agreement with Trevor, in which case, it forms a part of such written agreement (in either case, the “Agreement”).

The subject-matter of the data processing covered by this DPA is the Service ordered by Customer either through Trevor’s website or through an Ordering Document and provided by Trevor to Customer via www.trevor.io, or as additionally described in the Agreement or the DPA. Further details of the data processing are set out in Annex 1 hereto.

  1. Definitions

    Within this Data Processing Addendum, “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679), and “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the same meanings as are defined in the GDPR. “Processed” and “Process” shall be construed in accordance with the definition of “Processing”. All other defined terms herein shall have the same meanings as are defined elsewhere in this Agreement.

  2. Data Processing

    i. In conducting its activities as Processor under this Agreement in relation to any Personal Data within Your Data (“Your Personal Data”), Trevor confirms that:

    a. the duration and purpose of the Processing shall be as specified in the Agreement;

    b. the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data;

    c. your obligations and rights as Controller in relation to Your Personal Data are as set out in this Agreement.

    ii. To the extent that Trevor Processes Your Personal Data under or in connection with the Agreement, Trevor shall:

    a. only Process Your Personal Data in accordance with your instructions as set out in this Agreement, including in respect of the transfer of Your Personal Data, and subject to any exceptions permitted by Article 28(3)(a) of the GDPR;

    b. ensure that those of its employees authorised to Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;

    c. implement and maintain appropriate technical and organisational measures designed to protect Your Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.

    d. respect the conditions referred to below in Section 2(ii) of this Data Processing Addendum when appointing sub-Processors;

    e. at Customer’s request and cost, assist you by appropriate technical and organisational measures, insofar as this is possible through Trevor, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the GDPR;

    f. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information which is available to Trevor;

    g. on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;

    h. notify Customer without undue delay if, in Trevor’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;

    ii. You authorise Trevor to subcontract its data Processing obligations under this Agreement to Trevor’s Affiliates, and to other third parties, a list of which is available here. Trevor shall do so only by way of a written agreement with such sub-Processor which imposes the same data protection obligations on the sub-Processor as are imposed on Trevor under this Agreement.

    iii. Customer may audit Trevor’s compliance with the terms of the Agreement and this DPA up to once per year.

    Customer may perform more frequent audits to the extent required by laws applicable to the Customer. If a third party is to conduct the audit, the third party must be mutually agreed to by both parties and must execute a written confidentiality agreement acceptable to Trevor before conducting the audit.

    To request an audit, the Customer must submit a detailed audit plan at least 4 weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Trevor will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Trevor’s security, privacy, or employment policies).

    iv. Trevor shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.

Annex 1

Details of the Data Processing

Trevor shall process Customer's Data to provide the Services pursuant to the Agreement. Trevor shall have access to specific types of Customer's Data, which are sent in the form of query results, that Customer has made available to Trevor.

As an example, Customer uses Trevor to run a query against their database and Trevor retrieves the returned results. These results may include types of Personal Data about Customer’s end users, such as:

- City
- Region
- Email address
- Name
- Referrer

Customer's Data is cached and stored for up to 48 hours before being permanently deleted.

© Trevor Technology Ltd, 2016-2018