These Data Protection Terms shall be in addition to the Customer Subscription Terms and Conditions which are entered into between the Customer and Euphoric pursuant to the respective Order Form (“Customer Subscription Terms and Conditions”).

Unless defined herein, capitalised terms used in these Data Protection Terms shall have the meanings given to them in the Customer Subscription Terms and Conditions. 

  1. Interpretation

Customer Data means any Personal Data provided by the Customer to Euphoric pursuant to the Agreement and shall exclude End User Data;

Data Protection Laws means: (i) the UK Data Protection Act 2018; (ii) the UK GDPR; (iii) either the Privacy and Electronic Communications (EC Directive) Regulations 2003 or the EU ePrivacy Regulation whichever is in force in the UK at the relevant time; and (iv) all other applicable laws and regulations relating to the Processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Information Commissioner or any other supervisory authority with jurisdiction, all as amended, extended, re-enacted or replaced from time to time;

End User Data means the Personal Data which an End User provides to Euphoric directly when accessing the Applications or using the Services, and shall not include any Customer Data;

Third-party Cloud Infrastructure Provider means an organisation with whom Euphoric has contracted to provide software services that includes cloud infrastructure, such services to be provided in compliance with Euphoric’s information security and other relevant policies;

Process/Processing, Data Controller, Data Processor, Data Subject, Personal Data, Personal Data Breach have the same meaning as in the Data Protection Laws.

UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

  2. Where Euphoric is the Data Controller of End User Data:


2.1. The Customer acknowledges that upon activation of an End User account by an End User on the Euphoric Applications, an independent contractual relationship will arise between Euphoric and each End User. For this purpose, Euphoric will be the Data Controller of all End User Data pursuant to the Data Protection Laws, as Euphoric will independently determine the purposes for which and the manner in which Euphoric and relevant Third-party Cloud Infrastructure Providers (where applicable), will Process such End User Data, including, but not limited to, the Processing for the purpose of Euphoric’s compliance with its contractual obligations to any such End User. 

2.2. End Users’ Data will be processed by Euphoric Global Limited in accordance with Euphoric’s Privacy Policy and depending on the type of Service provided.  

2.3. The terms, details and duration of Euphoric’s processing of End User Data as Data Controller shall be set out in its Privacy Policy, including details of Third-party Cloud Infrastructure Providers where these entities act as Processors of End User Data on behalf of Euphoric.

2.4. Euphoric shall at all times comply with the Data Protection Laws in relation to its Processing of the End User Data of End Users.

2.5. Euphoric maintains appropriate technical and organisational measures to protect End User Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the End User Data and having regard to the nature of the End User Data which is to be protected.

2.6. In the event of a suspected End User Data Breach, relating to End User Data, Euphoric will:

2.6.1 take action immediately to investigate the suspected End User Breach;

2.6.2 take action immediately to identify, prevent and mitigate the effects of the End User Data Breach and remedy the End User Data Breach; and

2.6.3 comply with all notification obligations with respect to Data Subjects, Supervisory Authorities or any other entity requiring notification under the Data Protection Laws, and provide such information as may be reasonably required by the Customer to respond to complaints or enquiries from Data Subjects relating to the End User Data Breach, provided that Euphoric will not provide End User Data to the Customer as part of such notification unless instructed to by the Data Subject.

2.7 If one party receives any complaint, notice or communication that relates directly or indirectly to the other party's Processing of End User Data pursuant to this Agreement it shall promptly notify the other party and provide full details and copies of any communication. Each party shall use reasonable endeavours to work with the other party to remedy the situation.

2.8 Any data provided by Euphoric to the Customer relating to End Users’ use of the Services, including but not limited to use of the Euphoric Applications, will not comprise End User Data and shall be fully anonymised and aggregated in such a way that no Data Subject is identified or identifiable.

3. Where Euphoric is the Data Processor of Customer Data:

3.1. The Customer may provide Euphoric with Personal Data relating to its Employees either directly or via its appointed third party processor (“Third Party Processor”) in order for Euphoric to provide certain services pursuant to this Agreement. 

3.2. Where the Customer provides such Customer Data to Euphoric, the parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and Euphoric is the Processor of the Customer Data. Where the Customer provides such Customer Data to Euphoric via a Third Party Processor, the parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller, the Third Party Processor is the Processor of the Customer Data on behalf of the Customer, and Euphoric is a Sub-Processor of the Customer Data. Clause 4 below sets out the scope, nature and purpose of processing by Euphoric, the duration of the processing and the types of Personal Data and categories of Data Subject.

3.3 Without prejudice to the generality of clause 3.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Data to Euphoric and/or lawful collection of the Customer Data by Euphoric on behalf of the Customer for the duration and purposes of this Agreement. Furthermore, the Customer agrees that, notwithstanding anything to the contrary, the Customer’s failure to comply with this clause 3.3 shall relieve Euphoric from any and all liability to the Customer under this paragraph 3.

3.4 Without prejudice to the generality of 3.2, Euphoric shall, in relation to any Customer Data processed in connection with the performance by Euphoric of its obligations under this agreement:

3.4.1 process that Customer Data only on the documented written instructions of the Customer unless Euphoric is required by Data Protection Laws or EU Law to otherwise process that Customer Data. Where Euphoric is relying on Domestic Law or EU Law as the basis for processing Customer Data, Euphoric shall promptly notify the Customer of this before performing the processing required by the Domestic Law or EU Law unless the Domestic Law or EU Law prohibits Euphoric from so notifying the Customer;

3.4.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 

3.4.3 ensure that all personnel who have access to and/or process Customer Data are obliged to keep the Customer Data confidential; and

3.4.4. not transfer any Customer Data outside of the UK or EEA unless the following conditions are fulfilled:

3.4.4.1. the Customer or Euphoric has provided appropriate safeguards in relation to the transfer;

3.4.4.2. the data subject has enforceable rights and effective legal remedies;

3.4.4.3. Euphoric complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Customer Data that is transferred; and

3.4.4.4. Euphoric complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer Data;

3.4.5. assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.4.6. notify the Customer without undue delay on becoming aware of a Personal Data Breach;

3.4.7. at the written direction of the Customer, delete or return Customer Data and copies thereof to the Customer on termination of the agreement unless required by domestic law or EU law to store the Customer Data; and

3.4.8. maintain complete and accurate records and information to demonstrate its compliance with this clause 3.4, and by making such information available to the Customer by way of audit by the Customer or designated third party. Where any instruction by the Customer may infringe the Data Protection Laws, Euphoric shall immediately inform the Customer.

3.5. The Customer consents to Euphoric appointing such third parties as set out in paragraph 4 below and as Euphoric may amend from time to time as third-party processors of Customer Data under this agreement. Euphoric confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement on terms which are substantially similar to those set out in this clause 3 and in either case which Euphoric confirms reflect and will continue to reflect the requirements of the Data Protection Laws. As between the Customer and Euphoric, Euphoric shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 3.5.

3.6. Either party may, at any time on not less than 30 (thirty) days’ notice, revise this clause 3 by replacing it with any applicable controller to controller/controller to processor standard clauses or similar terms adopted under the Data Protection Laws or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

4. Processing by Euphoric:

4.1. Type of Processing

4.1.1. Scope: Customer employee information by Euphoric and appointed Processors.

4.1.2. Nature: Storage and onward transfer by Euphoric.

4.1.3. Purpose of processing: Confirming the availability of the Euphoric Services to Customer employees and in order for Euphoric to provide certain services to the End Users pursuant to the terms of this Agreement.

4.1.4. Duration of the processing: The duration of the Agreement between Euphoric and the Customer.

4.2. Types of Personal Data: Names, address, personal email address, business email address, and any other Personal Data which the Customer collects from its employees and stores on its Human Resource Information Systems, which Euphoric may be given access to in order to provide certain services.

4.3. Categories of Data Subject: Customer Employees.

4.4. Current appointed third party processors by Euphoric

4.4.1. Google Cloud Platform

4.4.2. Mixpanel

4.4.3. Sentry

4.4.4. Customer IO

4.4.5. Vanta

4.4.6. Union AI

4.4.7. Typeform

4.4.8. Segment

4.4.9. Airtable

4.4.10. OpenAI

4.4.11. Stripe

4.4.12. Merge

4.4.13. Runa