Last updated: March 2023. We periodically review the contents of the Data Processing Agreement to ensure it’s accurate.

The parties

About us.

Hello. We are Sequence HQ Ltd, incorporated in England and Wales under the company number 13585168. You can find us at 27 New Dover Road, Canterbury, England, CT1 3DN. Under these Terms of Service, we are referred to as us, our and we.

About you.

You are the Sequence Customer whose details are reflected under the broader Customer Agreement. Under these Terms of Service, you will be referred to as you and your. Together, we will be the parties.

Terms we use: our customers are businesses, our users are the staff of those businesses, and end customers are counterparties or customers of those businesses.

### Purpose

This Data Processing Agreement (DPA) governs the processing of personal data under the Customer Agreement entered into by the parties (the Customer Agreement).

Definitions

In this DPA:

  • Adequate country means a country or territory that is recognized under Data Protection Laws from time to time as providing adequate protection for processing personal data.
  • Controller, data subject, personal data, process/processing, processor, and supervisory authority will have the same meanings as in the Data Protection Laws.
  • Data Protection Laws means all applicable laws and regulations, including of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of personal data, including the European Union Regulation (EU) 2016/679 and the Data Protection Act 2018, as amended from time to time.
  • EU Transfer Clauses means module 2 of the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021, as may be amended from time to time, for the transfer of personal data from the European Economic Area (EEA) to a third party country.
  • UK Transfer Clauses means the International Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 and in force from 21 March 2022 for transfers of personal data from the United Kingdom to a third country, and any subsequent version issued by the United Kingdom.
  • Transfer Clauses means the EU Transfer Clauses and the UK Transfer Clauses.

Relationship and obligations of the parties

1.1 Status.

In respect of the parties’ rights and obligations under this DPA, we are the processor and you are the controller.

1.2 Details of the processing.

To the extent that we process your personal data under the Customer Agreement, the type of personal data processed, subject matter, duration, nature and purpose of the processing, and the categories of data subjects are described in Schedule 1.

1.3 Controller obligations.

You are solely responsible for obtaining all necessary consents, licenses and valid legal bases under Data Protection Laws to allow us to process your personal data provided to us under the Customer Agreement. Each party warrants they will comply with Data Protection Laws and will use their reasonable endeavors to ensure their personnel and subcontractors do the same.

1.4 Processor obligations.

We will:

  • (a) only process personal data in accordance with this DPA and your instructions, and promptly inform you if any of your instructions infringe Data Protection Laws,
  • (b) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing, such as protection against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data,
  • (c) only allow our personnel access to personal data as required to perform the services described in the Customer Agreement,
  • (d) promptly notify you of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data in our possession or under our control,
  • (e) provide you with reasonable assistance in the event of a security breach and provide you with relevant information that we possess concerning the security breach,
  • (f) provide you with reasonable assistance when requested by you in relation to data protection impact assessments, responses to data subjects’ requests to exercise their rights under Data Protection Laws, and engagement with supervisory authorities, and
  • (g) upon the termination or expiration of the Customer Agreement and this DPA and on your written request, return personal data to you. We’re not obliged to delete copies of personal data retained in automated backup copies that we generate, which we’ll retain for a period of time in line with our legal obligations before deleting. These backup copies will remain subject to this DPA and the Customer Agreement until they are destroyed.

Subprocessing

2.1 Use of subprocessors.

You consent to our use of subprocessors when processing personal data, a list of which is set out in the Subprocessors page. We will require our subprocessors, and any future subprocessors, to comply with terms that are substantially similar to those imposed on us in this DPA and will remain liable for any acts or omissions of our subprocessors.

2.2 Approvals.

We may authorize new subprocessors and will provide you with prior written notice of such changes. You may object to any future subprocessor on reasonable data protection grounds within 15 days of receiving our notification. You may terminate the Customer Agreement without penalty if we’re unable to provide an alternative subprocessor approved by you within a reasonable time frame, provided your approval is not unreasonably withheld.

Audits

Audits and records.

We will provide you with information demonstrating our compliance with processor obligations upon your reasonable written request. You may exercise your right of audit under Data Protection Laws by requesting an audit report or certification not older than 12 months by an independent external auditor demonstrating that our technical and organizational measures are in accordance with our regulatory standards.

International personal data transfers

4.1 Transfer mechanism.

To the extent that we process your personal data in any country outside the United Kingdom, the EEA or an adequate country, the parties agree to comply with the EU Transfer Clauses or the UK Transfer Clauses as applicable, which are incorporated into this DPA by reference and are completed with the additional information contained in Schedule 4. Under the Transfer Clauses, we act as the data importer and you are the data exporter.

4.2 Additional measures.

If the Transfer Clauses are not sufficient to safeguard the transfer due to applicable surveillance laws, we will implement any additional supplementary, technical, contractual and/or policy measures as may be required to ensure personal data is protected to a standard equivalent to that afforded by Data Protection Laws.

4.3 Disclosures.

If we become subject to a request from a public authority to access personal data, and provided it is legally possible, we will:

  • (a) challenge the request and promptly notify you about it after receiving it,
  • (b) not disclose any personal data without your consent, and
  • (c) if we are required to disclose personal data, we will only disclose the minimum amount required and keep a record of the disclosure.

## Other important terms.

### 5.1 Liability.

The liability provisions contained within the Customer Agreement apply to this DPA.

5.2 Term.

This DPA will commence on the date of final signature between the parties (Effective Date) and will continue until the Customer Agreement is terminated or expires.

5.3 Survival.

Any provision of this DPA which is intended to remain in force on or after the expiry or termination of the Customer Agreement and this DPA will remain in full force and effect.

5.4 Conflicts.

If any terms of the Customer Agreement conflict with this DPA, this DPA will prevail. If any terms of this DPA conflict with the Transfer Clauses, the Transfer Clauses will prevail.

5.5 Governing law and jurisdiction.

This DPA is subject to the governing laws and jurisdiction set out in the Customer Agreement.

SCHEDULE 1

Details of processing

Purpose, scope and nature of the processing

To provide our software-as-a-service payment operations platform and the services you have purchased as more fully described in the Customer Agreement.

Types of personal data

Depending on the services purchased in the Customer Agreement, you may submit the following types of personal data for processing:

  • Company directors’ information: Full name, date of birth, home address, email address, phone number of your company directors
  • Employee information: Full name, email address of your employees
  • Identity and contact information: Full name, date of birth, email address, IP address of your end customers
  • Bank account and transactions: Bank account number, sort code, transactions, bank account balance of your end customers

Duration of the processing

The duration of the Customer Agreement between the parties.

Data subjects

Depending on the services purchased in the Customer Agreement, you may submit personal data of your:

  • Company directors
  • Employees
  • End customers and/or their financial counterparties

Details of special category data

No special category data will be processed.

Security measures

These are detailed in depth in our Security Measures page.

SCHEDULE 2

Subprocessors

In the offline version of our Data Processing Agreement, this refers to the list of subprocessors. We maintain an accurate and up-to-date list online here, in our Subprocessors page.

SCHEDULE 3

Organizational and technical measures

In the offline version of our Data Processing Agreement, this section refers to the security measures we use to protect Sequence and its data. In our online documentation, this information is split out into the Security Measures page.

SCHEDULE 4

Transfer Clauses

EU Transfer Clauses

The following information is incorporated into the EU Transfer Clauses for the purposes of their completion:

| Topic | Clause | Required details |
|---|---|---|
| Parties’ details | Annex 1 | As set out in the Customer Agreement. |
| Processing details | Annex 1 Appendix 2 | As set out in Schedule 1 to the DPA. |
| Governing law | Clause 17 | As set out in the Customer Agreement. |
| Jurisdiction | Clause 18 | As set out in the Customer Agreement. |
| Technical and organizational measures | Annex 2 Appendix 2 | As set out in Schedule 3 to the DPA. |
| Supervisory authority | Appendix 2 | The Irish Data Protection Commission. |
| Partner’s subprocessors | Annex 3 | As set out in Schedule 2 to the DPA. |

UK Transfer Clauses

The following information is incorporated into the UK Transfer Clauses for the purposes of their completion:

| Start date | From the Effective Date of the DPA. |
|---|---|

| The parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Parties’ details | Full legal name, main company address, and official registration number as reflected in Section 1 of the Terms of Service. | Full name: Sequence HQ Ltd; 27 New Dover Road, Canterbury, England, CT1 3DN; Official registration number: 13585168 |
| Key Contacts | Full name (optional), job title, contact details including email as reflected in the Order Form in the table marked ‘Your data processing information’. | Full name: Garry Wilson; Job Title: Director of Platform Engineering; Contact email: compliance@sequencehq.com |

Selected SCCs, Modules and Selected Clauses:

| Addendum EU SCCs | Module 2 of the Approved EU SCCs which this Schedule is appended to, detailed below, including the Appendix Information. Date: Effective Date of the DPA |
|---|---|

Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the parties), and which for this Schedule is set out in:

  • Annex 1A: List of Parties: As set out in Table 1 of these UK Transfer Clauses.
  • Annex 1B: Description of Transfer: As set out in Schedule 1 to the DPA.
  • Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set out in Schedule 3 to the DPA.
  • Annex III: List of Subprocessors: As set out in Schedule 2 to the DPA.

Ending this Schedule when the Approved Addendum Changes

| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Importer and Exporter |
|---|---|

Mandatory Clauses

| Mandatory Clauses | Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
|---|---|