Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions available at actionlinks.io/terms (the “Terms”), between Action Links Ltd (“Processor”) and the client organisation (“Controller”), and applies where the Processor processes Personal Data on behalf of the Controller in the course of providing the Action Links service (“Service”). By using the Service and accepting the Terms and Conditions, the Controller is deemed to have accepted the DPA.
Definitions
Data Protection Laws: All applicable laws relating to the processing of Personal Data and privacy, including, where relevant, the UK GDPR, the EU GDPR, the Data Protection Act 2018, as well as the California Consumer Privacy Act 2018 ("CCPA") and other applicable U.S. state privacy laws.
Personal Data, Data Subject, Processing, Controller, and Processor: As defined in applicable Data Protection Laws.
Subprocessor: Any third party engaged by the Processor to process Personal Data on its behalf.
Subject Matter and Duration
The Processor will process Personal Data solely for the purpose of providing the Service as described in the Terms and Conditions.
This DPA remains in effect for the duration of the Terms and Conditions and applies for as long as the Processor retains any Personal Data on behalf of the Controller.
Nature and Purpose of Processing
The Processor provides a software platform through which the Controller may configure and display Links and execute backend operations via third-party integrations.
Personal Data may be processed solely to fulfil these operations, including retrieving or transmitting information from or to integrated systems.
The Processor does not persistently store end-user Personal Data processed during these operations beyond what is technically necessary to provide the Services, except where required to store integration tokens, access credentials, logs, or other data for security, operational, or legal purposes.
Personal Data remains the confidential information of the Controller.
Type of Personal Data and Categories of Data Subjects
Types of Personal Data: Typically includes names, email addresses, identifiers, and other fields drawn from the Controller’s integrated systems.
Data Subjects: Individuals whose data is stored in the Controller’s integrated systems.
Processor Obligations
The Processor shall:
Process Personal Data only when instructed to do so by the Controller (including as set out in this DPA and the Terms and Conditions), unless required to do so by law.
Promptly inform the Controller if, in its reasonable opinion, an instruction infringes applicable Data Protection Laws and shall not be required to comply with such instruction until it has been modified to ensure compliance.
Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality. Such confidentiality obligations shall survive termination or expiry of this DPA and apply to all employees, contractors, and agents of the Processor.
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Assist the Controller in responding to Data Subject requests under Data Protection Laws.
Assist the Controller, where reasonably required, with security obligations, Personal Data Breach notifications, data protection impact assessments, and any required prior consultations with supervisory authorities.
At the Controller’s choice, delete or return all Personal Data at the end of the provision of the Services, unless required by law to retain it.
Make available information necessary to demonstrate compliance and allow for audits, subject to reasonable notice and confidentiality.
For the avoidance of doubt:
Any data integrated or derived from the Controller's systems or end users shall remain the sole property of the Controller.
The Processor shall not sell, disclose, or commercially exploit any Personal Data belonging to the Controller or any data derived from it (including anonymised data) to third parties.
Controller Obligations
The Controller shall:
Ensure that it has obtained, and will maintain, all necessary rights, consents, and lawful bases required under applicable Data Protection Laws to provide Personal Data to the Processor for Processing under this DPA;
Ensure that its instructions to the Processor comply with Data Protection Laws and do not cause the Processor to breach any applicable law;
Be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it was obtained;
Be responsible for responding to Data Subject requests under Data Protection Laws, unless otherwise expressly agreed in writing.
The Controller represents and warrants that it has complied, and will continue to comply, with all applicable Data Protection Laws in respect of the Personal Data.
Subprocessing
The Processor may engage Subprocessors to process Personal Data in connection with the provision of Services.
A list of current Subprocessors is available on request. The Processor shall provide at least thirty (30) days' advance notice of any intended addition or replacement of a Subprocessor. The Controller shall have the right to object in writing to any such change on reasonable data protection grounds and, if unresolved, terminate the affected Services without penalty.
The Processor shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA.
International Transfers
The Processor stores and processes Personal Data in the United Kingdom and the European Economic Area (EEA).
Any transfers outside these territories will be subject to appropriate safeguards under Data Protection Laws, such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, as applicable.
Where required under applicable Data Protection Laws, the Processor shall enter into and maintain appropriate transfer safeguards, including the UK International Data Transfer Agreement and/or EU Standard Contractual Clauses, and shall implement supplementary measures as necessary following a transfer risk assessment.
Security
The Processor applies encryption (e.g. AES-256) to all stored integration tokens and separates encryption keys from stored data.
The Processor implements access controls, auditing, and regular security reviews to ensure system integrity. The Processor shall maintain and enforce a written Cyber Security Policy that defines administrative, technical, and organisational safeguards designed to protect the security, integrity, and availability of Personal Data. The Cyber Security Policy shall be provided upon request.
Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within twenty-four (24) hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
Such notification shall include, where possible, a description of the nature of the breach, likely consequences, and measures taken or proposed to address it.
Deletion of Data
Upon termination of the Controller’s account, Personal Data will be retained for a grace period of thirty (30) days unless earlier deletion is requested.
After that period (or after an additional 30 days on request), all Personal Data held by the Processor (excluding credentials or logs required for legal or operational purposes) will be deleted from live systems.
Limitation of Liability
Nothing in this DPA shall increase or extend the Processor’s liability beyond the limitations, exclusions, and caps set out in the Terms and Conditions. This DPA forms part of, and is subject to, the Terms and Conditions.
Miscellaneous
This DPA is governed by and construed in accordance with the laws of England and Wales. This does not affect either party’s obligation to comply with applicable Data Protection Laws.