Request a pilot

GDPR Compliance - Data Transfer Agreements and Standard Contractual Clauses

Our GDPR compliance

Schedule 4 Data Transfer Agreement
STANDARD CONTRACTUAL CLAUSES FOR INTERNATIONAL TRANSFERS
FROM CONTROLLERS TO PROCESSORS
PARTIES
[Name]
[Address]
[Telephone]
[Email]
A company registered in England & Wales with company number [number]
Acting by its agent Reading Solutions UK Limited
(hereinafter the data exporter)
and
Reading Plus LLC
110 West Canal Street, Suite 301, Winooski, VT 05404
800-732-3758
support@readingplus.com
A Delaware limited liability company
(hereinafter the data importer)
each a party; together the parties
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce
adequate safeguards with respect to the protection of privacy and fundamental rights and
freedoms of individuals for the transfer by the data exporter to the data importer of the personal
data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’,
‘processor’, ‘data subject’ and ‘Commissioner’ shall have the same meaning as in
the UK GDPR;
29
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter
personal data intended for processing on his behalf after the transfer in accordance
with his instructions and the terms of the Clauses and who is not subject to a third
country’s system covered by UK adequacy regulations issued under Section 17A Data
Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act
2018;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any
other sub-processor of the data importer who agrees to receive from the data importer
or from any other sub-processor of the data importer personal data exclusively
intended for processing activities to be carried out on behalf of the data exporter after
the transfer in accordance with his instructions, the terms of the Clauses and the terms
of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental
rights and freedoms of individuals and, in particular, their right to privacy with respect
to the processing of personal data applicable to a data controller in the UK;
(f) ‘technical and organisational security measures’ means those measures aimed at
protecting personal data against accidental or unlawful destruction or accidental loss,
alteration, unauthorised disclosure or access, in particular where the processing
involves the transmission of data over a network, and against all other unlawful forms
of processing
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where
applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i),
Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and
Clauses 9 to 12 as third-party beneficiary.
1. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e)
and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data
exporter has factually disappeared or has ceased to exist in law unless any successor
30
entity has assumed the entire legal obligations of the data exporter by contract or by
operation of law, as a result of which it takes on the rights and obligations of the data
exporter, in which case the data subject can enforce them against such entity.
2. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e)
and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both
the data exporter and the data importer have factually disappeared or ceased to exist
in law or have become insolvent, unless any successor entity has assumed the entire
legal obligations of the data exporter by contract or by operation of law as a result of
which it takes on the rights and obligations of the data exporter, in which case the data
subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The parties do not object to a data subject being represented by an association or other
body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will
continue to be carried out in accordance with the relevant provisions of the applicable
data protection law (and, where applicable, has been notified to the Commissioner)
and does not violate the applicable data protection law;
(b) that it has instructed and throughout the duration of the personal data-processing
services will instruct the data importer to process the personal data transferred only on
the data exporter’s behalf and in accordance with the applicable data protection law
and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and
organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the
security measures are appropriate to protect personal data against accidental or
unlawful destruction or accidental loss, alteration, unauthorised disclosure or access,
in particular where the processing involves the transmission of data over a network,
and against all other unlawful forms of processing, and that these measures ensure a
level of security appropriate to the risks presented by the processing and the nature of
the data to be protected having regard to the state of the art and the cost of their
implementation;
(e) that it will ensure compliance with the security measures;
31
(f) that, if the transfer involves special categories of data, the data subject has been
informed or will be informed before, or as soon as possible after, the transfer that its
data could be transmitted to a third country not covered by adequacy regulations
issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule
21 Data Protection Act 2018;
(g) to forward any notification received from the data importer or any sub-processor
pursuant to Clause 5(b) and Clause 8(3) to the Commissioner if the data exporter
decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the
exception of Appendix 2, and a summary description of the security measures, as well
as a copy of any contract for sub-processing services which has to be made in
accordance with the Clauses, unless the Clauses or the contract contain commercial
information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance
with Clause 11 by a sub-processor providing at least the same level of protection for
the personal data and the rights of data subject as the data importer under the Clauses;
and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer1
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with
its instructions and the Clauses; if it cannot provide such compliance for whatever
reasons, it agrees to inform promptly the data exporter of its inability to comply, in
which case the data exporter is entitled to suspend the transfer of data and/or terminate
the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from
fulfilling the instructions received from the data exporter and its obligations under the
contract and that in the event of a change in this legislation which is likely to have a
substantial adverse effect on the warranties and obligations provided by the Clauses,
1 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what
is necessary in a democratic society that is, if they constitute a necessary measure to safeguard national security,
defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches
of ethics for the regulated professions, an important economic or financial interest of the State or the protection of
the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses.
Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society
are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting
requirements.
32
it will promptly notify the change to the data exporter as soon as it is aware, in which
case the data exporter is entitled to suspend the transfer of data and/or terminate the
contract;
(c) that it has implemented the technical and organisational security measures specified
in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law
enforcement authority unless otherwise prohibited, such as a prohibition under
criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that
request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its
processing of the personal data subject to the transfer and to abide by the advice of
the Commissioner with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of
the processing activities covered by the Clauses which shall be carried out by the data
exporter or an inspection body composed of independent members and in possession
of the required professional qualifications bound by a duty of confidentiality, selected
by the data exporter, where applicable, in agreement with the Commissioner;
(g) to make available to the data subject upon request a copy of the Clauses, or any
existing contract for sub-processing, unless the Clauses or contract contain
commercial information, in which case it may remove such commercial information,
with the exception of Appendix 2 which shall be replaced by a summary description of
the security measures in those cases where the data subject is unable to obtain a copy
from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and
obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance
with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the
Clauses to the data exporter.
33
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any
breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage
suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with
paragraph 1 against the data exporter, arising out of a breach by the data importer or
his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11,
because the data exporter has factually disappeared or ceased to exist in law or has
become insolvent, the data importer agrees that the data subject may issue a claim
against the data importer as if it were the data exporter, unless any successor entity
has assumed the entire legal obligations of the data exporter by contract of by
operation of law, in which case the data subject can enforce its rights against such
entity.
The data importer may not rely on a breach by a sub-processor of its obligations in
order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data
importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor
of any of their obligations referred to in Clause 3 or in Clause 11 because both the data
exporter and the data importer have factually disappeared or ceased to exist in law or
have become insolvent, the sub-processor agrees that the data subject may issue a
claim against the data sub-processor with regard to its own processing operations
under the Clauses as if it were the data exporter or the data importer, unless any
successor entity has assumed the entire legal obligations of the data exporter or data
importer by contract or by operation of law, in which case the data subject can enforce
its rights against such entity. The liability of the sub-processor shall be limited to its
own processing operations under the Clauses.
Clause 7
MEDITATION AND JURISDICTION
1. The data importer agrees that if the data subject invokes against it third-party
beneficiary rights and/or claims compensation for damages under the Clauses, the
data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by
the Commissioner;
(b) to refer the dispute to the UK courts.
34
2. The parties agree that the choice made by the data subject will not prejudice its
substantive or procedural rights to seek remedies in accordance with other provisions
of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the Commissioner if it
so requests or if such deposit is required under the applicable data protection law
2. The parties agree that the Commissioner has the right to conduct an audit of the data
importer, and of any sub-processor, which has the same scope and is subject to the
same conditions as would apply to an audit of the data exporter under the applicable
data protection law.
3. The data importer shall promptly inform the data exporter about the existence of
legislation applicable to it or any sub-processor preventing the conduct of an audit of
the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the
data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9
Governing law
The Clauses shall be governed by the law of the country of the United Kingdom in which the
data exporter is established, namely England and Wales.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties
from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection
Act 2018; or (ii) adding clauses on business related issues where required as long as they do
not contradict the Clauses.
Clause 11
Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on
behalf of the data exporter under the Clauses without the prior written consent of the
data exporter. Where the data importer subcontracts its obligations under the Clauses,
with the consent of the data exporter, it shall do so only by way of a written agreement
with the sub-processor which imposes the same obligations on the sub-processor as
are imposed on the data importer under the Clauses2
. Where the sub-processor fails
2 This requirement may be satisfied by the sub-processor co-signing the contract entered into between the data
exporter and the data importer under this Decision.
35
to fulfil its data protection obligations under such written agreement the data importer
shall remain fully liable to the data exporter for the performance of the sub-processor’s
obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also
provide for a third-party beneficiary clause as laid down in Clause 3 for cases where
the data subject is not able to bring the claim for compensation referred to in paragraph
1 of Clause 6 against the data exporter or the data importer because they have
factually disappeared or have ceased to exist in law or have become insolvent and no
successor entity has assumed the entire legal obligations of the data exporter or data
importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract
referred to in paragraph 1 shall be governed by the law of the country of the UK where
the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the
Clauses and notified by the data importer pursuant to Clause 5(j), which shall be
updated at least once a year. The list shall be available to the Commissioner.
Clause 12
Obligation after the termination of personal data-processing services
1. The parties agree that on the termination of the provision of data-processing services,
the data importer and the sub-processor shall, at the choice of the data exporter, return
all the personal data transferred and the copies thereof to the data exporter or shall
destroy all the personal data and certify to the data exporter that it has done so, unless
legislation imposed upon the data importer prevents it from returning or destroying all
or part of the personal data transferred. In that case, the data importer warrants that it
will guarantee the confidentiality of the personal data transferred and will not actively
process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data
exporter and/or of the Commissioner, it will submit its data-processing facilities for an
audit of the measures referred to in paragraph 1.
Additional Commercial Clause
Supplemental Measures
1. To prevent the acquisition of personal data by third parties, such as governmental
authorities who may gain physical access to the transmission mechanisms (e.g., wires
and cables) while the personal data is in transmission or at rest, the parties shall
encrypt the personal data (i) during transit between the parties or by Reading Plus
36
internally or between either party and any sub-processor or other third parties, and (ii)
when it is in storage or otherwise not in transit.
2. The data importer represents that:
2.1 as at the date of these Clauses it has not received any directive under Section 702
of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA
Section 702”) and has no reason to believe that such a directive would be made;
2.2 it is not a “telecommunications carrier” as defined in 47 U.S.C. § 153; and
2.3 it is not the type of provider that is eligible to be subject to upstream collection (“bulk”
collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the
judgment in the EU Court of Justice in Case C-311/18 Data Protection Commissioner
v Facebook Ireland Limited and Maximillian Schrems, and that therefore the only
FISA Section 702 process it could be eligible to receive would be based on a specific
“targeted selector” (i.e. an identifier that is unique to the targeted endpoint of
communications subject to the surveillance).
3. If the data importer receives a FISA Section 702 order seeking disclosure of the
personal data, the data importer will:
3.1 use all reasonably available legal mechanisms to challenge any demands for
personal data access through any national security process it receives as well as any
non-disclosure provisions attached thereto;
3.2 seek available interim measures to suspend the effects of the order until the court
has decided the foregoing challenges on the merits;
3.3 not disclose the personal data requested until required to do so under the applicable
procedural rules; and
3.4 provide the minimum amount of information permissible when responding to the
order, based on a reasonable interpretation of the order.
4. To the extent not prohibited by applicable law or order, the parties will provide any
data subjects whose personal data is subject to a FISA Section 702 order with
reasonable assistance with ad hoc redress mechanisms.
5. To the extent not prohibited by applicable law or order, the data importer will promptly
notify the data exporter in the event that the data importer receives any request or
order from governmental authorities in the United States seeking disclosure of the
personal data. Upon receiving such notification from the data importer, the data
exporter will promptly notify any relevant data subjects of the request or order to
enable the data subjects to seek information and an effective redress.
37
6. The data importer will take no action pursuant to U.S. Executive Order 12333 (“EO
12333”). The data importer has not created back doors or similar programming in a
manner designed to facilitate governmental authorities’ access to personal data
pursuant to FISA Section 702 or other national security process or EO 12333 and is
currently is under no legal obligation to do so.
7. The data importer will document and record the requests for access (if any) received
from public authorities and the response provided, alongside a summary of the legal
reasoning and the actors involved.
8. The data importer will share personal data with a sub-processor only in accordance
with Clause 11 and if the sub-processor meets one of the following conditions:
8.1 it processes the personal data only in the European Economic Area or another
jurisdiction which is subject to UK adequacy regulations;
8.2 it receives the personal data only in situations where technical safeguards (such as
appropriate end-to-end encryption) remove the ability of the sub-processor to
understand the substance of the personal data; or
8.3 it has agreed to safeguards at least as protective as those set forth in these Clauses.
9. The data importer will, with due regard to the state of the art, in accordance with the
risk of the categories of data processed and the likelihood of attempts from
governmental authorities to access it, provide additional technical safeguards for the
personal data processed hereunder by:
9.1 applying a series of physical, technical and security services that are compliant with
the industry security standards; and
9.2 implementing additional measures, including (without limitation) firewalls, virus
scanning software, full disk encryption, encrypted communication via SSL or VPN,
and access controls such as multi-factor authentication, Single Sign On, access on
an as-needed basis, strong password controls, and restricted access to
administrative accounts.
10. The data importer will adopt, and regularly review, internal policies to assess the
adequacy of the technical and organizational measures it has in place to protect
personal data that is transferred to or by it outside of the United Kingdom and, to the
extent not prohibited by applicable law or order, will use such additional measures as
are required to maintain an equivalent level of protection for the personal data to that
guaranteed within the UK.
38
11. The data importer will promptly notify the data exporter if the data importer can no
longer comply with the Clauses including the provisions of this additional commercial
clause on supplemental measures.
Additional Commercial Clause
Priority of Standard Contractual Clauses
1. The Clauses take priority over any other agreement between the parties, whether
entered into before or after the date these Clauses are entered into.
2. Unless the Clauses are expressly referred to and expressly amended, the parties do
not intend that any other agreement entered into by the parties, before or after the
date the Clauses are entered into, will amend the terms or the effects of the Clauses,
or limit any liability under the Clauses, and no term of any such other agreement
should be read or interpreted as having that effect.
Additional Commercial Clause
Execution by agent
1. The clauses have been signed by Reading Solutions UK Limited, a company
incorporated in England & Wales under company number 09284598 whose
registered office is at 14 Emmbrook Close, East Rainton, Houghton Le Spring, Tyne
And Wear, DH5 9SQ as agent for and on behalf of the data exporter pursuant to an
authority granted under the terms of the Software as a Service Agreement entered
into between the data exporter and Reading Solutions UK Limited.
2. The parties acknowledge and agree that:
2.1 Notifications made by the data importer as required under the Clauses may be made
to Reading Solutions UK Limited as agent for the data exporter; and
2.2 The data importer shall be entitled to construe any instructions issued by Reading
Solutions UK Limited pursuant to the Clauses as instructions issued by the date
exporter.
On behalf of the data exporter:
Name (written out in full): [insert full name of person signing for data exporter]
Position: [position of person signing e.g. Director]
Address: [business address of person signing]
Other information necessary in order for the contract to be binding (if any): [insert if relevant]
Signature:………………………………………
39
On behalf of the data importer:
Name (written out in full): [insert full name of person signing for Reading Plus]
Position: [position of person signing e.g. Director]
Address: [business address of person signing]
Other information necessary in order for the contract to be binding (if any): [insert if relevant]
Signature:………………………………………
Date of the Standard Contractual Clauses: [insert date upon which the second party
signs]
40
Appendix 1
This Appendix forms part of the Clauses and must be completed and signed by the parties
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
A UK school which uses the data importer’s Software as a Service product in the delivery of
educational services to its pupils.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
The provider of a Software as a Service product designed to improve literacy.
Data subjects
The personal data transferred concerns the following categories of data subjects (please
specify):
Student users of the Software as a Service product together with their teachers and school
administrators, parents or guardians.
Categories of data
The personal data transferred concerns the following categories of data (please specify):
• Identity Data including names and titles
• Contact Data including email addresses, addresses and telephone numbers
• Financial Data including bank account and payment card details
• Transaction Data including details about payments made, support requests,
questions or complaints
• Technical Data including IP addresses, login dates and times, domain and web
browser information, technical information about a user’s workstation or local area
network, simultaneous login attempts, lesson dates and times, account creation dates
and times, account modification dates and times and information collected through
cookies and other tracking technologies
• Profile Data including usernames and passwords, student numbers and grades,
gender, race, Hispanic/non-Hispanic, free/reduced lunch status, first language, ESL,
ELL, EL status, special education status
• Usage Data including information about how the Software as a Service product is
used, tasks performed, assessments undertaken, communications within the
Application, survey responses, and progress history including any specific skills
deficiencies or areas of weakness identified.
41
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please
specify):
Race, ethnicity and health data.
Processing operations
The personal data transferred will be subject to the following basic processing activities
(please specify):
• Receiving data, including collection, accessing, retrieval, recording, and data entry
• Holding data, including storage, organisation and structuring
• Using data, including analysing, consultation, testing, automated decision making
and profiling
• Updating data, including correcting, adaptation, alteration, alignment and
combination
• Protecting data, including restricting, encrypting, and security testing
• Sharing data, including disclosure, dissemination, allowing access or otherwise
making available
• Returning data to the data exporter or data subject
• Erasing data, including destruction and deletion
All undertaken for the purpose of making the Software as a Service product available to UK
users including setting up and closing user accounts, delivering product functionality and
providing product support and technical IT assistance to users.
DATA EXPORTER
Name: [Insert name of individual signing for the data exporter]
Authorised Signature …………………….
DATA IMPORTER
Name: [Insert name of individual signing for Reading Plus]
Authorised Signature …………………….
42
Appendix 2
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the
data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation
attached):
The data importer has implemented the following security measures in its organization:
• Network segmentation
• Firewalls
• Anti-virus software
• Full disk encryption of end-points
• Encrypted communication via SSL or VPN
• Segregation of duties
• Role-based access permissions (based on least-privilege)
• Secure disposal facilities of confidential information
• Tools to enable employees to work secure (such as password managers, VPN,
multi-factor authentication)
Per application or communication, additional security measures can be implemented.
DATA EXPORTER
Name: [Insert name of individual signing for the data exporter]
Authorised Signature …………………….
DATA IMPORTER
Name: [Insert name of individual signing for Reading Plus]
Authorised Signature …………………….
43
Agreement to be Bound by Standard Contractual Clauses
[Name]
[Address]
[Telephone]
[Email]
A company registered in England & Wales with company number [number] (the Data
Exporter)
(Acting by its agent Reading Solutions UK Limited); and
Reading Plus LLC
110 West Canal Street, Suite 301, Winooski, VT 05404
800-732-3758
support@readingplus.com
A Delaware limited liability company (the Data Importer)
each a Party; together the Parties
BACKGROUND
1. The Data Exporter and the Reseller have entered into the SaaS Agreement pursuant
to which the Reseller will act as a data processor for the Data Exporter.
2. The Reseller has, with the prior written consent of the Data Exporter and in
accordance with Article 28 of the UK GDPR, appointed the Data Importer to carry out
specific processing activities on behalf of the Data Exporter.
3. The Data Importer will process personal data on behalf of the Data Exporter in the
USA.
4. The Parties wish to enter into the Agreed SCCs in accordance with Article 46 of the
UK GDPR.
AGREED TERMS
1. Interpretation. The following definitions apply in this agreement:
1.1 the SaaS Agreement means the Reading Plus Software as a Service Subscription
Agreement with Reading Solutions UK Limited;
1.2 the Reseller means Reading Solutions UK Limited;
44
1.3 the Agreed SCCs means the EU Standard Contractual Clauses for international
transfers from controllers to processors in the form displayed at Schedule 4 to the
SaaS Agreement;
1.4 the Date of the Standard Contractual Clauses shall be as stated below;
1.5 unless the context otherwise requires, all other terms used in this agreement shall
have the meanings given to them in the Agreed SCCs.
2. The parties hereby agree:
2.1 that the Agreed SCCs shall come into effect and be binding as between them with
effect from the Date of the Standard Contractual Clauses;
2.2 that the processing of personal data to be undertaken by the Data Importer on behalf
of the Data Exporter shall be as detailed in Appendix 1 to the Agreed SCCs; and
2.3 that the technical and organisational security measures to be implemented by the
Data Importer shall be as detailed in Appendix 2 to the Agreed SCCs.
On behalf of the data exporter:
Name (written out in full): [insert full name of person signing for data exporter]
Position: [position of person signing e.g. Director]
Address: [business address of person signing]
Signature:………………………………………
On behalf of the data importer:
Name (written out in full): [insert full name of person signing for Reading Plus]
Position: [position of person signing e.g. Director]
Address: [business address of person signing]
Signature:………………………………………
Date of the Standard Contractual Clauses: [insert date upon which the second party
signs]
45
Signed by Michael Walker
for and on behalf of
READING SOLUTIONS
UK LIMITED
..
Director
Signed by
For and on behalf of
________________

Speak to our team to see how Reading Plus can work for you

Request a pilot Book a demo