Data processing agreement
Details on our obligations for complying with UK + EU GDPR regulation.
Last updated: March 2023. We periodically review the contents of the Data Processing Agreement to ensure it’s accurate.
The parties
About us.
Hello. We are Sequence HQ Ltd, incorporated in England and Wales under the company number13585168. You can find us at 27 New Dover Road, Canterbury, England, CT1 3DN. Under these Terms of Service, we are referred to as us, our and we.
About you.
You are the Sequence Customer whose details are reflected under the broader Customer Agreement. Under these Terms of Service, you will be referred to as you and your. Together, we will be the parties.Terms we use: our customers are businesses, our users are the staff of those businesses, and end customers are counterparties or customers of those businesses.
Definitions
In this DPA:Adequate countrymeans a country or territory that is recognized under Data Protection Laws from time to time as providing adequate protection for processing personal data.Controller,data subject,personal data,process/processing,processor, andsupervisory authoritywill have the same meanings as in the Data Protection Laws.Data Protection Lawsmeans all applicable laws and regulations, including of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of personal data, including the European Union Regulation (EU) 2016/679 and the Data Protection Act 2018, as amended from time to time.EU Transfer Clausesmeans module 2 of the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021, as may be amended from time to time, for the transfer of personal data from the European Economic Area (EEA) to a third party country.UK Transfer Clausesmeans the International Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 and in force from 21 March 2022 for transfers of personal data from the United Kingdom to a third country, and any subsequent version issued by the United Kingdom.Transfer Clausesmeans the EU Transfer Clauses and the UK Transfer Clauses.
Relationship and obligations of the parties
1.1 Status.
In respect of the parties’ rights and obligations under this DPA, we are the processor and you are the controller.1.2 Details of the processing.
To the extent that we process your personal data under the Customer Agreement, the type of personal data processed, subject matter, duration, nature and purpose of the processing, and the categories of data subjects are described in Schedule 1.1.3 Controller obligations.
You are solely responsible for obtaining all necessary consents, licenses and valid legal bases under Data Protection Laws to allow us to process your personal data provided to us under the Customer Agreement. Each party warrants they will comply with Data Protection Laws and will use their reasonable endeavors to ensure their personnel and subcontractors do the same.1.4 Processor obligations.
We will:- (a) only process personal data in accordance with this DPA and your instructions, and promptly inform you if any of your instructions infringe Data Protection Laws,
- (b) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing, such as protection against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data,
- (c) only allow our personnel access to personal data as required to perform the services described in the Customer Agreement,
- (d) promptly notify you of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data in our possession or under our control,
- (e) provide you with reasonable assistance in the event of a security breach and provide you with relevant information that we possess concerning the security breach,
- (f) provide you with reasonable assistance when requested by you in relation to data protection impact assessments, responses to data subjects’ requests to exercise their rights under Data Protection Laws, and engagement with supervisory authorities, and
- (g) upon the termination or expiration of the Customer Agreement and this DPA and on your written request, return personal data to you. We’re not obliged to delete copies of personal data retained in automated backup copies that we generate, which we’ll retain for a period of time in line with our legal obligations before deleting. These backup copies will remain subject to this DPA and the Customer Agreement until they are destroyed.
subprocessing
2.1 Use of subprocessors.
You consent to our use of subprocessors when processing personal data, a list of which is set out in the Subprocessors page. We will require our subprocessors, and any future subprocessors, to comply with terms that are substantially similar to those imposed on us in this DPA and will remain liable for any acts or omissions of our subprocessors.2.2 Approvals.
We may authorize new subprocessors and will provide you with prior written notice of such changes. You may object to any future subprocessor on reasonable data protection grounds within 15 days of receiving our notification. You may terminate the Customer Agreement without penalty if we’re unable to provide an alternative subprocessor approved by you within a reasonable time frame, provided your approval is not unreasonably withheld.Audits
Audits and records.
We will provide you with information demonstrating our compliance with processor obligations upon your reasonable written request. You may exercise your right of audit under Data Protection Laws by requesting an audit report or certification not older than 12 months by an independent external auditor demonstrating that our technical and organizational measures are in accordance with our regulatory standards.International personal data transfers
4.1 Transfer mechanism.
To the extent that we process your personal data in any country outside the United Kingdom, the EEA or an adequate country, the parties agree to comply with the EU Transfer Clauses or the UK Transfer Clauses as applicable, which are incorporated into this DPA by reference and are completed with the additional information contained in Schedule 4. Under the Transfer Clauses, we act as the data importer and you are the data exporter.4.2 Additional measures.
If the Transfer Clauses are not sufficient to safeguard the transfer due to applicable surveillance laws, we will implement any additional supplementary, technical, contractual and/or policy measures as may be required to ensure personal data is protected to a standard equivalent to that afforded by Data Protection Laws.4.3 Disclosures.
If we become subject to a request from a public authority to access personal data, and provided it is legally possible, we will:- (a) challenge the request and promptly notify you about it after receiving it,
- (b) not disclose any personal data without your consent, and
- (c) if we are required to disclose personal data, we will only disclose the minimum amount required and keep a record of the disclosure
5.2 Term.
This DPA will commence on the date of final signature between the parties (Effective Date) and will continue until the Customer Agreement is terminated or expires.5.3 Survival.
Any provision of this DPA which is intended to remain in force on or after the expiry or termination of the Customer Agreement and this DPA will remain in full force and effect.5.4 Conflicts.
If any terms of the Customer Agreement conflict with this DPA, this DPA will prevail. If any terms of this DPA conflict with the Transfer Clauses, the Transfer Clauses will prevail.5.5 Governing law and jurisdiction.
This DPA is subject to the governing laws and jurisdiction set out in the Customer Agreement.SCHEDULE 1
Details of processing
Purpose, scope and nature of the processing
To provide our software-as-a-service payment operations platform and the services you have purchased as more fully described in the Customer Agreement.Types of personal data
Depending on the services purchased in the Customer Agreement, you may submit the following types of personal data for processing:- Company directors’ information: Full name, date of birth, home address, email address, phone number of your company directors
- Employee information: Full name, email address of your employees
- Identity and contact information: Full name, date of birth, email address, IP address of your end customers
- Bank account and transactions: Bank account number, sort code, transactions, bank account balance of your end customers
Duration of the processing
The duration of the Customer Agreement between the parties.Data subjects
Depending on the services purchased in the Customer Agreement, you may submit personal data of your:- Company directors
- Employees
- End customers and/or their financial counterparties
Details of special category data
No special category data will be processed.Security measures
These are detailed in depth in our Security Measures page.SCHEDULE 2
Subprocessors
In the offline version of our Data Processing Agreement, this refers to the list of subprocessors. We maintain an accurate and up to date list online here, in our Subprocessors page.SCHEDULE 3
Organizational and technical measures
In the offline version of our Data Processing Agreement, this section references to security measures we use to protect Sequence and its data. In our online documentation, this information is split out into the Security Measures page.SCHEDULE 4
Transfer Clauses
EU Transfer Clauses
The following information is incorporated into the EU Transfer Clauses for the purposes of their completion:| Topic | Clause | Required details |
|---|---|---|
| Parties’ details | Annex 1 | As set out in the Customer Agreement. |
| Processing details | Annex 1 Appendix 2 | As set out in Schedule 1 to the DPA. |
| Governing law | Clause 17 | As set out in the Customer Agreement. |
| Jurisdiction | Clause 18 | As set out in the Customer Agreement. |
| Technical and organizational measures | Annex 2 Appendix 2 | As set out in Schedule 3 to the DPA. |
| Supervisory authority | Appendix 2 | The Irish Data Protection Commission. |
| Partner’s subprocessors | Annex 3 | As set out in Schedule 2 to the DPA. |
UK Transfer Clauses
The following information is incorporated into the UK Transfer Clauses for the purposes of their completion:| Start date | From the Effective Date of the DPA. | |
|---|---|---|
| The parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Full legal name, main company address, and official registration number as reflected in Section 1 of the Terms of Service. | Full name: Sequence HQ Ltd 27 New Dover Road, Canterbury, England, CT1 3DN Official registration number: 13585168 |
| Key Contacts | Full name (optional), job title, contact details including email as reflected in the Order Form in the table marked ‘Your data processing information’. | Full name: Chris Bond Job Title: Director of Engineering Contact email: compliance@sequencehq.com |
| Addendum EU SCCs | Module 2 of the Approved EU SCCs which this Schedule is appended to, detailed below, including the Appendix Information. Date: Effective Date of the DPA |
|---|
| “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the parties), and which for this Schedule is set out in: | |
|---|---|
| Annex 1A | List of Parties: As set out in Table 1 of these UK Transfer Clauses. |
| Annex 1B | Description of Transfer: As set out in Schedule 1 to the DPA. |
| Annex II | Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set out in Schedule 3 to the DPA |
| Annex III | List of Subprocessors: As set out in Schedule 2 to the DPA. |
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Importer and Exporter |
|---|
| Mandatory Clauses | Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
|---|