This agreement is incorporated by reference (where applicable and subject to any express agreement to the contrary) into agreements for the provision of services where ASK4 Solutions Limited, ASK4 Business Limited or ASK4 Data Centres Limited, as detailed in your agreement or order for the provision of services, (“ASK4”) act as a Processor.

This agreement does not apply where ASK4 Limited or other ASK4 group companies provide residential or managed internet services acting as the Controller.

Definitions

Controller”, “Data Subject” “Personal Data”, “Processor” and “Subprocessor” each have the meanings given to them under applicable Privacy and Data Protection Laws;

Customer” means the person contracted with ASK4 for the provision of the Services;

Customer Personal Data” has the meaning given to it in paragraph 2.1 of this agreement;

Processing Appendix” means the annex to this agreement setting the details of the Processing involved in the provision of the Services;

Privacy and Data Protection Laws” means applicable legislation protecting the personal data and privacy of natural persons, including in particular the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) together with any applicable binding guidance and codes of practice issued from time to time by relevant supervisory authorities;

Security Incident” means a breach of ASK4’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data;

Services” means the IT support, hosting, data centre colocation, telecommunications or such other services as are provided to the Customer by ASK4;

UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018; and

Unsuccessful Security Incident” means an incident that results in no unauthorised access to Customer Personal Data and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.

1. Scope and Roles
1.1 This agreement applies only where Personal Data is processed as part of the provision of the Services by the Customer (“Customer Personal Data”).
1.2 ASK4 will act as a Processor or Subprocessor to the Customer who may act either as Controller or Processor with respect to Customer Personal Data.

2. Data Processing
2.1 This agreement and the Processing Appendix constitute the Customer’s written Instructions to ASK4 for Processing of Personal Data which for the avoidance of doubt shall be limited to the Processing necessary for the provision of the Services (“Processing Instructions”).
2.2 The Customer shall not issue additional or alternate Processing Instructions to alter the scope of this agreement unless otherwise agreed with ASK4.
2.3 The Customer warrants that: (a) the Processing Instructions; (b) the collection of Customer Personal Data; and (c) subject to ASK4’s compliance with this agreement, the Processing of the Customer Personal Data each comply with Privacy and Data Protection Laws. The Customer is solely responsible for providing any fair processing information about ASK4’s Processing to its employees or other relevant Data Subjects.

3. Confidentiality of Customer Personal Data
3.1 ASK4 will keep Customer Personal Data confidential and shall not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a law enforcement, governmental or judicial body (such as a subpoena or court order). If a governmental body sends ASK4 a demand for Customer Personal Data, ASK4 will attempt to redirect the governmental body to request that data directly from the Customer. As part of this effort, ASK4 may provide Customer’s basic contact information to the government body. If compelled to disclose Customer Personal Data to a government body, then ASK4 will (where legally permitted to do so) give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or another appropriate remedy.

4. Security of Data Processing
4.1 ASK4 shall provide sufficient guarantees that it has implemented all necessary or appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.2 The parties acknowledge and agree that the Customer is required to co-operate with ASK4’s security measures and shall not by-pass or fail to follow any of ASK4’s security processes.
4.3 As ASK4 has no, or limited knowledge, of the Customer Personal Data the Customer is solely responsible for any: (a) pseudonymisation and encryption to ensure an appropriate level of security; (b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are being operated by Customer; (c) measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and (d) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by Customer (but ASK4 shall ensure that it regularly tests the effectiveness of its security measures).

5. Subprocessing
5.1 Customer agrees that ASK4 may use Subprocessors listed in the Processing Appendix to fulfil its contractual obligations to provide the Services.
5.2 If ASK4 engages any new Subprocessor to carry out processing activities on Customer Personal Data on behalf of the Customer, ASK4 will notify or provide the Customer with a mechanism to obtain notice of that update. If Customer objects to a new Subprocessor within 14 days of the notification by ASK4, then the Customer and ASK4 shall discuss in good faith way to address the Customer’s concerns provided that were the Customer has reasonable grounds for objection that cannot be addressed by ASK4 within a reasonable period from the date of the objection it may terminate it contract for the Services on 14 days’ written notice to ASK4. Except as set forth in this agreement, in the case of an emergency, or as the Customer may otherwise authorise, ASK4 will not permit any Subprocessor to carry out processing activities on Customer Personal Data on behalf of Customer.
5.3 ASK4 will restrict all Subprocessor’s access to Customer Personal Data to the extent necessary to maintain the Services or to provide the Services to Customer and ASK4 will prohibit Subprocessors from accessing Customer Personal Data for any other purpose.
5.4 ASK4 will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor is performing the same data processing services that are being provided by ASK4 under this agreement, ASK4 will impose on the Subprocessor the equivalent contractual obligations that ASK4 has under this agreement and ASK4 will remain responsible for its compliance with the obligations of this agreement and for any acts or omissions of the Subprocessors that cause ASK4 to breach any of ASK4’s obligations under this agreement.

6. Data Subject Rights
6.1 Taking into account the nature of the Services, ASK4 advises that the Customer should put in place its own processes for ensuring that it can comply with its obligations towards Data Subjects. ASK4 shall on written request assist a Customer with its obligations toward Data Subjects taking into account the nature of processing and the information available to ASK4 provided that, the ASK’s obligations towards the Customer in respect of any subject access requests shall be limited to the minimum extent required under the Privacy and Data Protection Laws and all liability and responsibility for subject access requests remains with the Customer.
6.2 Should a Data Subject contact ASK4 with regard to correction or deletion of its Personal Data, ASK4 will use commercially reasonable efforts to forward such requests to the Customer.

7. Security Breach Notification
7.1 ASK4 will: (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident.
7.2 The Customer agrees that an Unsuccessful Security Incident will not be subject to this paragraph 8.
7.3 ASK4’s obligation to report or respond to a Security Incident under this paragraph 8 is not and will not be construed as an acknowledgement by ASK4 of any fault or liability of ASK4 with respect to the Security Incident.
7.4 To assist the Customer in relation to any Personal Data breach notifications Customer is required to make under applicable Privacy and Data Protection Laws, ASK4 will include in the notification under paragraph 1 such information about the Security Incident as ASK4 is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to ASK4, and any restrictions on disclosing the information, such as confidentiality.

8. ASK4 Certifications and Audits
8.1 ASK4 will make available its ISO 27001 certification on request.
8.2 ASK4 uses external auditors to verify the adequacy of its security measures. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third-party security professionals at ASK4’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be ASK4’s confidential information.
8.3 At Customer’s written request, ASK4 shall (provided that the parties have an applicable non-disclosure agreement in place) at its discretion either: (a) provide Customer with a copy of the Report so that Customer can reasonably verify ASK4’s compliance with its obligations under this agreement; or (b) on reasonable notice and not more than once in any 12-month period allow the Customer to conduct a supervised in hours audit.

9. Privacy Impact Assessment and Prior Consultation
9.1 Taking into account the nature of the Services and the information available to ASK4, ASK4 will provide reasonable assistance to the Customer where necessary for the Customer to comply with any obligations in respect of data protection impact assessments and prior consultations required pursuant to applicable Privacy and Data Protection Laws.

10. Transfers
10.1 Any transfer of data to outside of the UK shall take place in compliance with the UK GDPR such that ASK4 will ensure the country the data is transferred to is ensures an adequate level of protection or ASK4 will use standard contractual clauses to ensures an adequate level of protection.

11. Return or Deletion of Customer Personal Data
11.1 The Services generally either: (a) provide the Customer with controls that the Customer may use to retrieve or delete the Customer Personal Data; or (b) allow the Customer to retain control over its access to and deletion of Customer Personal Data. ASK4 will on written request use commercially reasonable efforts to assist the Customer with the retrieval or deletion of Customer Personal Data.
11.2 ASK4 shall cease processing the Customer Personal Data, immediately upon the termination or expiry of the provision of the Services and (unless ASK4 has a legitimate interest to retain Customer Personal Data or is legally required to retain the Customer Personal Data) at the Customer's option either return, or securely delete the Customer Personal Data.

PROCESSING APPENDIX

Subject Matter: The subject matter of the data processing under this agreement is the Customer Personal Data.

Duration of processing: As between ASK4 and Customer, the duration of the data processing is the duration the Services are provided for.

Purpose: The purpose of the Processing is the provision of the Services initiated by Customer from time to time. It is the Customer’s responsibility to inform ASK4 of any other purposes of Processing and of any changes to this nature or purpose.

Nature of the processing: Compute, storage, IT support and such other Services as described in the Customer’s order or initiated by Customer from time to time.

Type of Customer Personal Data: Employee name, contact information, role (including permissions) and technical information (such as information on support queries which may or may not be personal data) related to the Service being provided. The Customer Personal Data uploaded to the Services where hosting or storage Services are provided. Where such Services are provided it is the Customer’s responsibility to inform ASK4 of the types of Customer Personal Data to be Processed and of any changes to these types of data.

Categories of Data Subjects: The Data Subjects may include Customer’s customers, employees, suppliers and end-users. It is the Customer’s responsibility to inform ASK4 of any other categories of Data Subject to whom the Customer Personal Data relates, and of any changes to these categories.

Subprocessors:

  • DRD Communications Ltd (as purchaser of Inclarity Communications Limited (UK based) – where VoiP Services are provided
  • Gamma Telecomm Limited (UK based) – where VoiP Services are provided
  • The wholesale telecommunication line provider – where lease line services are provided (this will be provided on the order or on request)
  • Formagrid, Inc. provide Airtable - which we use as a business process software
  • Aspire Community Enterprise (Sheffield) Ltd - for the secure destruction of electrical equipment
  • Utopi Limited  - where we provide smart metering and associated ESG reporting via the Utopi platform and equipment

NOTE: ASK4 may resell software solutions provided by third parties as part of the services (for example, Microsoft products). The relevant EULA/Customer Agreement (and any data processing annexes or similar incorporated therein) between the Customer and the Provider shall apply to the processing of personal data, not this agreement.