Forming part of and incorporated into the Contract between you and Orlo.
This Addendum sets out the provisions that will govern the processing of personal data by the parties to the Contract and its provisions take precedence over every other term of the Contract unless expressly stated otherwise.
The following definitions have the meanings shown:
Controller, Processor, data subject, personal data and Processing each have the meaning given to them in the Data Protection Laws and Process and Processed will be construed accordingly.
Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Protection Laws means all applicable privacy and data protection laws including the Data Protection Act 1998 (as replaced by the GDPR with effect from 25 May 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and all subordinate and ancillary legislation, directions of any competent privacy regulator, common law and other relevant court decisions that relate to privacy and/or data protection in each case as may be amended or replaced from time to time.
Data Security Measures means the technical and organisational security measures described in Annex 2 (as may be improved upon from time to time by Orlo or which have been agreed by the parties in accordance with Annex 2) as being those required to be used by Orlo and which have been approved by you as complying with the Data Protection Laws when Processing Your Data.
Deliverables means the goods, services, software, licences and any other deliverables to be provided by or on behalf of Orlo under the Contract.
GDPR means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data which came into force on 24 May 2016 (together with any associated derogations and amendments imposed by the United Kingdom) and which will apply from 25 May 2018.
Personnel means any employee, officer, agent, consultant, auditor, subcontractor, Subprocessor or other third party acting on behalf of Orlo in connection with the provision of the Deliverables.
Processing Requirements means your requirements for the Processing of Your Data by or on behalf of Orlo under the Contract as described in Annex 1.
Orlo Approved Subcontractor List means the internal list of subcontractors that have been approved by Orlo to provide services that involve the subcontractor Processing Your Data.
Subprocessor means any third party engaged by Orlo including any of its affiliates, subsidiaries and/or subcontractors or agents that may Process Your Data.
Your Data means all personal data relating to data subjects that are Processed in the course of using or providing the Deliverables and includes any copies included in back-ups made by or on behalf of Orlo.
Your Instructions means your instructions for the Processing of Your Data as described in this Addendum and the Processing Requirements or otherwise agreed by you and Orlo.
1. Intellectual property rights. All intellectual property rights in and to Your Data will be and will remain vested in you.
2. Compliance with Data Protection Laws. Each of the parties will ensure that it complies with the Data Protection Laws when Processing Your Data under the Contract.
3. Causing breach. Each of the parties will not (and will ensure that none of the Personnel may) do anything that would cause itself, the other or any other person to be in breach of the Data Protection Laws.
4. Compliance with Your Instructions. When Processing Your Data on your behalf, Orlo will comply with Your Instructions. If Orlo is unable, for any reason, to comply with Your Instructions, we will notify you promptly. If we believe any of Your Instructions infringes the Data Protection Laws, we will notify you as soon as reasonably practicable.
5. Specific requirements and permitted Processing. Orlo will ensure that, when it Processes Your Data, it will use the Data Security Measures. You have determined that compliance with the Data Security Measures when Processing Your Data by or on behalf of Orlo is satisfactory to comply with the Data Protection Laws. If you require a change to our standard Data Security Measures, we reserve the right to charge for implementing, maintaining and operating them as you require.
6. Processing limitations. Orlo will not Process Your Data for any purpose beyond providing the Deliverables and the scope of Your Instructions or, to the extent otherwise necessary, to comply with the Data Protection Laws.
7. International transfers. Orlo will not transfer or allow any other person to transfer Your Data outside the European Economic Area without your prior written approval.
8. Acknowledgement. You acknowledge and accept that access and use of the Deliverables by your authorised users may occur outside the European Economic Area and, in such circumstances, Your Data may be viewed outside the European Economic Area by the relevant user. Orlo will not be in breach of paragraph 7 in such circumstances.
9. Personnel. Orlo will: (i) take reasonable steps to ensure the reliability of Personnel that may have access to Your Data; (ii) carry out appropriate checks of its Personnel before allowing them to Process Your Data; (iii) ensure the Personnel are appropriately trained in the handling and secure Processing of Your Data.
10. Subcontracting. Orlo will only appoint Subprocessors in connection with the Processing of Your Data where: (i) the Subprocessor has provided sufficient guarantees to ensure the Data Security Measures are met or exceeded; (ii) the Subprocessor is on the Orlo Approved Subcontractor List; and (iii) the Subprocessor is appointed under a written agreement that complies with the Data Protection Laws. Orlo will remain liable for the defaults of its Subprocessors as if it carried out the actions of the Subprocessors itself.
11. Confidentiality. Orlo will ensure that: (i) any persons authorised by or on behalf of Orlo to Process Your Data are bound by obligations to maintain the confidentiality of Your Data; and (ii) its disclosure of Your Data will be limited to the extent necessary to provide the Deliverables or as otherwise permitted under the Contract, by you or by applicable Data Protection Law.
12. Data subject rights. You and your users have full access to Your Data through the Deliverables and, as such, it is your responsibility to comply with the rights of data subjects under the Data Protection Laws. If, for any reason you need the help of Orlo to comply, we will assist you but reserve the right to charge for the assistance at our then prevailing rate.
13. Regulator and other third-party correspondence. If we receive a communication from a regulator, other competent authority or any other person (each a Competent Person) in respect of Your Data we will, unless we are prohibited by the Competent Person or applicable laws, forward it to you for you to address and reserve the right to notify the Competent Person that we have done so. If Orlo is required to respond to the communication directly, we will do so.
14. Data breach. Orlo will maintain a Data Breach incident response plan that documents the procedures to be followed and contacts to be notified in the event of a Data Breach. In the event Orlo suffers a Data Breach as a result of or in connection with the performance of its rights or obligations under the Contract, Orlo will notify you of all material facts without undue delay after becoming aware of the Data Breach.
15. Data breach management. Orlo will cooperate and assist you in handling the Data Breach referred to in paragraph 14, by investigating the Data Breach, facilitating meetings with those involved in the Data Breach and making available all relevant records, logs, files, data and reports, including those regarding the facts relating to the Data Breach, its effects and the remedial action taken or to be taken. If the Data Breach is not attributable to Orlo or any of its Subprocessors, we reserve the right to charge for the assistance at our then prevailing rate.
16. Confidentiality in respect of Data Breaches. Except as required by Data Protection Laws, neither party will do, say or report anything to any person that may affect the other’s reputation without the approval of such other party (such approval not to be unreasonably withheld or delayed).
17. Data protection impact assessments. Orlo will cooperate, and provide reasonable assistance to you with, any data protection impact assessment that you are required by the Data Protection Laws to carry out in connection with Orlo’s Processing of Your Data. If such co-operation or assistance requires Orlo or any Subprocessor to provide any additional professional services, Orlo will notify you of the proposed charges and no work will be commenced until the parties have agreed the charges and the scope of work in writing.
18. Returning Your Data on termination or expiry. You are able to export Your Data at any time during the term of our contract. After expiry (or termination if that is earlier) we will delete Your Data (normally within one month) but will retain the shortened links you have created using our code so that your users are redirected to the correct location.
19. Demonstration of compliance. Orlo will appoint an independent third party to carry out an annual assessment to verify Orlo’s compliance with the terms of this Addendum. Orlo will provide you with a copy of the latest report produced on request.
20. Audit. If a court or regulatory body requires us to give you access to our premises or systems, we will do so but will require you to comply with our prevailing security and health and safety requirements.
You have appointed Orlo to provide certain Deliverables (as specified in the Contract). To facilitate the provision of these, Orlo will need to Process Your Data in respect of which you are the Controller.
The Processing will continue for the term of the Contract (as the same may be terminated and/or extended in accordance with the terms of the Contract).
Your Data will be Processed for the purpose of providing the Deliverables to you in accordance with the terms of the Agreement.
The nature of our application is a mere repository for messages from your followers and users with the functionality for your users to manage those messages. As such, our provision of the Deliverables may require the Processing of any type of personal data.
The provision of the Deliverables may involve the Processing of personal data about any or all of the following data subjects:
– your users
– your customers and followers
– any other person that your users, customers or followers refer to in their messages or in our application
1. Knowledge and resources. Orlo will ensure that it has the appropriate knowledge to Process Your Data and has the necessary resources to implement the technical and organisational measures required under this Addendum.
2. Security of Your Data. Orlo will implement and maintain the following technical and organisational measures when Processing Your Data and you have determined and are satisfied that:
(a) these are sufficient to ensure compliance with the Data Protection Laws and the protection of the rights of data subjects; and
(b) they take into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Data when it is transmitted, stored or otherwise Processed.
We have internal policies and procedures that are kept under review, a designated privacy officer and external specialist data protection advisers to support our compliance.
All relevant personnel are trained to understand data protection and to apply its principles within their roles.
Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used.
All of the servers we manage have antivirus and malware scanners installed and have updates applied frequently.
Data in transit is always encrypted to a minimum standard of 256-bit encryption.
We offer various login options for you to choose from, including:
– email / password
– strong passwords
– two-factor authentication
– SAML (Okta and OneLogin or any other agreed by us)
– Google Account Login
Each client’s data is logically separated from that of other clients in our databases. Our code automatically tests to ensure each client’s data is not mixed with that of another client.
Your Data is only accessible by a small number of personnel in our development team on a ‘need to know’ basis.
Our infrastructure is designed to be resilient. Our main database is ‘highly available’ such that, if one server goes offline, the other servers will pick up the work and contain replica data to ensure there is no downtime.
All servers that serve our application are load balanced and can distribute load/requests to at least 3 servers.
We perform daily port scanning on public IP addresses to ensure there are no unexpected changes. Configuration management is dealt with by scripts which are kept and managed in our private version control system.
Our entire application is scanned by external technically skilled individuals to try to break, gain unsolicited access to, and “hack” our systems in a safe way in order to find flaws or potential weaknesses in our platform.
We have continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly, and we use software to log and track these with a combination of active checks and, for back-ups, passive checks. Team members are alerted if an expected behaviour has not occurred.
Our code is written to log any critical events for our developers to address.
Our databases are backed up continuously. Whilst our main datastore holds replicas of data at all times, we also run our other databases with duplicate data in them, ready to swap over should the need arise.
Multiple snapshots of the entire database are taken daily and they are stored on a separate server from the one that holds live data.
From these various back-ups, we are able to restore the entire database in the event of a physical or technical incident in a timely manner.
We maintain a disaster recovery plan, which is tested at least annually.
We currently use leading third parties to provide hosting services. They have all been vetted and authorised by a designated approver within Orlo as part of our supplier on-boarding process and we have written contracts with each of them incorporating appropriate data protection provisions to protect your personal data.
Our software normally maintains a record of many of your users’ activities when using our application, such as which user creates or edits a post, or creates free-text notes on your followers’ messages. You can view these audit logs through the application.
If we agree any alternative or additional measures in writing specifically referring to this Annex 2 of the Addendum, we will implement and maintain these accordingly.
In signing the Orlo Agreement you agree to participate in the Orlo Brand Ambassador Programme as outlined below: