Data Processing Agreement

This data processing agreement (Agreement) is made between Elen Financial Software Ltd, a company incorporated in England and Wales (with company number 11680470), whose registered office is at Sophia House, 28 Cathedral Road, Cardiff, Wales CF11 9LJ (Elen), and you, the customer (Customer).

BACKGROUND
  1. The Customer and Elen entered into a software as a service agreement (SaaS Agreement) that requires Elen to process Personal Data (as defined below) on behalf of the Customer.

  2. This Agreement sets out the additional terms, requirements and conditions on which Elen will process Personal Data (as defined below) when providing services under the SaaS Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
     

AGREED TERMS
  1.  Definitions and Interpretation. The following definitions and rules of interpretation apply in this Agreement.
     

    1.  Definitions:

      Business Purposes: the services described in the SaaS Agreement or any other purpose specifically identified in ANNEX A.

      Controller and Processor: as defined in the Data Protection Legislation.


      Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).


      Data Subject: an individual who is the subject of Personal Data.


      Personal Data: means any information relating to an identified or identifiable natural person that is processed by Elen as a result of, or in connection with, the provision of the services under the SaaS Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


      Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.


      Processing, processes, process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.


      Standard Contractual Clauses (SCC): the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a completed copy of which comprises Annex C.


      UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
       

    2.  This Agreement is subject to the terms of the SaaS Agreement and is incorporated into the SaaS Agreement. Interpretations and defined terms set forth in the SaaS Agreement apply to the interpretation of this Agreement.
       

    3.  The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
       

    4. A reference to writing or written includes email.
       

    5.  In the case of conflict or ambiguity between:
       

      1. any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;

      2. the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

      3. any of the provisions of this Agreement and the provisions of the SaaS Agreement, the provisions of this Agreement will prevail.
         

    6.  Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
       

  2.  Personal data types and processing purposes
     

    1.  The Customer and Elen acknowledge that for the purpose of the Data Protection Legislation, the Customer is the Controller and Elen is the Processor.

    2.  The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Elen.

    3.  Annex A describes the duration, nature and purpose of the processing, the types of Personal Data processed and the types of Data Subject in respect of which Elen may process Personal Data to fulfil the Business Purposes of the SaaS Agreement.
       

  3.  Elen’s obligations
     

    1.  Elen will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions, which, for the avoidance of doubt, shall be to process the Personal Data for the Business Purposes. Elen will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation.

    2.  Elen agrees to comply with any Customer request or instruction requiring Elen to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

    3.  Elen will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by law.

    4.  Elen agrees to use reasonable endeavours to assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Elen’s processing and the information available to Elen, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
       

  4.  Elen’s employees
     

    1.  Elen will ensure that all employees:

      1. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

      2. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

      3. are aware both of Elen’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
         

  5.  Security
    Elen has, at the date of this Agreement, implemented appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex B.

     

  6.  Personal data breach

    1.  Elen will notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.

    2.  Elen will notify the Customer if it becomes aware of:

      1. any accidental, unauthorised or unlawful processing of the Personal Data; or

      2. any Personal Data Breach.

    3.  Where Elen becomes aware of either of the matters described in clause 6.2 above, it shall also provide the Customer with the following information:

      1. a description of the nature of the matter, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

      2. the likely consequences; and

      3. a description of the measures taken or proposed to be taken to address the matter, including measures to mitigate its possible adverse effects.

    4.  Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Elen will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:

      1. assisting with any investigation;

      2. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation; and

      3. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.

    5.  Elen will not inform any third party of any Personal Data Breach without first obtaining the Customer’s prior written consent, except when required to do so by law.

    6.  Elen will cover all reasonable expenses associated with the performance of the obligations under clause 6.2 and clause 6.4 unless the matter arose from the Customer’s specific instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
       

  7.  Cross-border transfers of personal data

    1.  Elen (or any subcontractor) must not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without obtaining the Customer’s prior written consent.

    2.  Where such consent is granted, Elen may only process, or permit the processing, of Personal Data outside the EEA under the following conditions:

      1. Elen is processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or

      2. Elen participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Elen (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the General Data Protection Regulation ((EU) 2016/679).

    3.  If the Customer consents to Elen, being located within the EEA, appointing a subcontractor located outside the EEA in compliance with the provisions of clause 8, then the Customer authorises Elen to enter into an SCC with the subcontractor in the Customer’s name and on its behalf.
       

  8.  Subcontractors

    1.  Elen may only authorise a third party (subcontractor) to process the Personal Data if:

      1. the Customer is provided with an opportunity to object to the appointment of each subcontractor within 14 days after Elen supplies the Customer with full details regarding such subcontractor;

      2. Elen enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer’s written request, provides the Customer with copies of such contracts;

      3. Elen maintains control over all Personal Data it entrusts to the subcontractor; and

      4. the subcontractor’s contract terminates automatically on termination of this Agreement for any reason.

    2.  Those subcontractors approved as at the commencement of this Agreement are as set out in Annex A.

    3.  Where the subcontractor fails to fulfil its obligations under such written agreement, Elen remains liable to the Customer for the subcontractor’s performance of its agreement obligations.

    4.  The parties consider Elen to control any Personal Data controlled by or in the possession of its subcontractors.
       

  9.  Complaints, data subject requests and third-party rights

    1.  Elen shall, at the Customer’s cost, take such technical and organisational measures as may be appropriate, and provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

      1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

      2. information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.

    2.  Elen shall notify the Customer within 14 working days if it receives:

      1. any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation; or

      2. a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

    3.  Elen will give the Customer its reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
       

  10.  Term and termination

    1.  This Agreement will remain in full force and effect so long as:

      1. the SaaS Agreement remains in effect; or

      2. Elen retains any Personal Data related to the SaaS Agreement in its possession or control (Term).

    2.  Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the SaaS Agreement in order to protect Personal Data will remain in full force and effect.

    3.  If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its SaaS Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, they may terminate the SaaS Agreement on written notice to the other party.
       

  11.  Data return and destruction

    1.  At the Customer’s written request, Elen will give the Customer a copy of or access to all or part of the Customer’s Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

    2.  On termination of the SaaS Agreement for any reason or expiry of its term, Elen will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control.

    3.  If any law, regulation, or government or regulatory body requires Elen to retain any documents or materials that Elen would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
       

  12.  Records

    1.  Elen will keep records regarding any processing of Personal Data it carries out for the Customer, including the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any approved transfers of personal data to a third country and related safeguards, and a general description of Elen’s technical and organisational security measures (Records).

    2.  Elen will ensure that the Records are sufficient to enable the Customer to verify Elen’s compliance with its obligations under this Agreement and Elen will provide the Customer with copies of the Records upon reasonable request.
       

  13.  Audit

    1.  At least once a year, Elen will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement.

    2.  Elen will address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Elen’s management.
       

  14.  Warranties

    1.  Elen warrants and represents that it will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments.

    2.  The Customer warrants and represents that Elen’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
       

  15.  Indemnification

    1.  Elen agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by Elen or its employees, subcontractors or agents to comply with any of its obligations under this Agreement or the Data Protection Legislation.

    2.  Any limitation of liability set forth in the SaaS Agreement applies to this Agreement’s indemnity or reimbursement obligations.
       

  16.  Notice

    1.  Any notice or other communication given to a party under or in connection with this Agreement must be in writing and made via the admin pages of the Software.

    2.  Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
       

ANNEX A Personal Data processing purposes and details

Subject matter of the processing
  The subject of the processing shall be, where a valid SaaS Agreement is in place, Elen’s provision of digital back-office software designed for Advisers to interact with FA Clients, as set out in the SaaS Agreement.

Duration of the processing
  The processing shall continue until the Services are terminated in accordance with the terms of the SaaS Agreement. Elen may process the data after the termination of the SaaS Agreement only in accordance with the terms of the SaaS Agreement or this Agreement.

Nature and purpose of the processing
  The Software provided by Elen as part of the Services is used by Advisers and FA Clients. Elen will process the Customer Data, including the personal data of FA Clients, for the Business Purposes.
  Elen does not disclose Customer Data, including Personal Data, to third parties not otherwise listed as subprocessors in this Agreement.

Types of Personal Data to be processed by Elen
  Demographic data: name, gender, date of birth, age, nationality
  Contact details: email address, home postal address, home/mobile telephone
  Electronic identification data: IP addresses, cookies, location data
  Financial information: details of financial history, accounts, balances and investments

Categories of Data Subject
  Advisers; and FA Clients.

Approved subcontractors/subprocessors (Subcontractor/Subprocessor | Purpose | Territory)
  CashCalc | To provide services integrated with the Platform | UK
  Nucleus | To provide services integrated with the Platform | UK
  P1 | To provide services integrated with the Platform | UK
  Quilter | To provide services integrated with the Platform | UK
  Transact | To provide services integrated with the Platform | UK
  Stripe | Payment and subscription services | EU. Data can be collected and stored globally, including the U.S., depending on our Customer’s location
  Google Analytics | App usage analytics | US
  Google Tag Manager | App usage analytics | US
  Google Cloud | IT infrastructure and services, for example servers and storage | UK, EU
  Amazon AWS | IT infrastructure and services, for example servers and storage | UK, EU
  MongoDB Atlas | Database services | US company, but data is stored in the UK
  Mailchimp | Marketing | US
  Really Simple System | Marketing | UK, EU
  Dot Digital | Marketing | UK, EU
  Freshdesk | Support | US, Europe, India and Australia

ANNEX B Security measures
 

Physical access controls

Nearly all personal data is stored in the data centres of very secure and reputable cloud services such as Google Cloud and Amazon AWS.

Our office has CCTV and access to it is via three sets of locked doors and an alarm system. During working hours the reception is manned.

Our remote workers are required to secure their properties to a reasonable level.

If an intruder does gain access to the office or a staff member’s house, we have multiple policies in place to protect the data within the property, including:

  • All computers are encrypted so that, if stolen, the data cannot be accessed

  • Access to all online services which are critical for operations or hold personal data is protected by multi-factor authentication

  • Multiple policies regulating passwords, technologies and clean desks
     

System and data access controls

Our Access Control Policy ensures that staff members only have access to the parts of the system or data which they need to carry out their specific roles and responsibilities.
 

Access to critical systems and data is controlled by multi-factor authentication, so that having the password alone is not enough to access them.

Transmission controls

All personal data is encrypted during transmission. The data between the end user’s apps and our servers uses 128-bit AES encryption over a TLS connection.
 

The connections between the servers, such as databases and file storage, are also protected by TLS.

 

Data storage

All user data is encrypted at rest, from the database storage and backups to the uploaded documents. The encryption keys and passwords (secrets) used to access this data are managed either by Google Cloud, by Amazon AWS or by Elen.
 

The servers, databases and document storage run on the Google Cloud and Amazon AWS infrastructures in data centres in the UK.


The certificates for sealing e-signature documents are stored on FIPS 140-2 Level 3 certified hardware security modules (HSMs), which are designed to be tamper-proof.

Data backups

Data backups and archives are all stored in secure data centres managed by cloud services such as Google Cloud and Amazon AWS. All the data is encrypted at rest.

Protection against hardware failures

Single points of failure are avoided as much as possible in the system infrastructure. There are at least three instances/replica set members of every service and database running at the same time, and if any of these instances fails, a new instance is created automatically to replace it. Uploaded documents and backups are replicated across multiple hardware devices in multiple data centres.

 

Protection against natural disasters and power outages

The workers who are key to maintaining and administering the system work on laptops so that they can relocate at short notice if necessary. A few key members of the team also have a UPS set up so that they can continue to work, with internet access, during a prolonged power outage. In the case of loss of internet, all key workers have a backup internet connection via 4G.


The data centres hosting the servers which run the system have a high level of redundancy managed by Google Cloud and Amazon AWS, with services running and data replicated across multiple data centres.