This DPA forms part of the agreement between you and Concilai for the use of our services.
Capitalized terms used but not defined in this DPA have the meaning given to them in the master services agreement entered into between the parties (the "Agreement"). For the purposes of this DPA, "applicable data protection laws" means the UK GDPR, the EU GDPR, and any other laws relating to the processing of personal data that apply to either party.
The customer is the data controller and Concilai is the data processor. Concilai will process personal data only on documented instructions from the customer, and only for the purposes set out in the Agreement.
Concilai will ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
Concilai implements and maintains appropriate technical and organisational measures to protect personal data, including:
Concilai engages a limited number of sub-processors to provide the service (e.g. cloud hosting, transactional email, observability). A current list is available on request and we will give customers 30 days' notice of any change.
Where personal data is transferred outside the UK or EEA, Concilai relies on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses as appropriate.
Concilai will assist the customer with data subject requests and will notify the customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting customer data.
This DPA is intended to be readable. It is not a substitute for legal advice tailored to your jurisdiction.