Data Processing Agreement (DPA)

 

Our services involve the use and sharing of personal data. This Data Processing Agreement (DPA) sets out the relationship and obligations between Qlearsite and its customer to ensure that both parties use and share any personal data in a responsible, compliant and secure way.  Qlearsite Privacy Policy and paragraph 7 of the Qlearsite Terms and Conditions supplements this DPA and should be read in conjunction.

1.                  Capitalised terms in this DPA that are not otherwise defined, shall have the meaning set out in GDPR.

2.                It is agreed that you are the Data Controller and Qlearsite is the Data Processor for any Processing of Personal Data under this DPA. With respect to such Processing, you:

a.                confirm that you have the right to transfer and otherwise provide access to such Personal Data to Qlearsite for the purposes set out in the T&Cs; and

b.                shall ensure that, to the extent required by applicable Data Protection Laws, the relevant Data Subjects and third parties have been informed of and/or given their consent to, such use, processing, and transfer.

c.                warrant that you have a separate agreement with any Third Party Suppliers, with whom you choose to integrate Qlearsite Services(such as a HR information system). You also warrant that these agreements contains any contractual clauses required by the Data Protection Laws.

3.                Qlearsite shall, with respect to Processing of Personal Data under this DPA:

a.                only process Personal Data (i) in accordance with your written instructions (which included authorising Qlearsite to provide the Service under the T&Cs and (ii) in such manner as is reasonably necessary to provide the Service or as is required by any applicable law;

b.                implement appropriate technical and organisational measures to protect the Personal Data against unauthorised and unlawful processing and accidental loss, destruction, disclosure, damage or alteration;

c.                ensure that only those Qlearsite and subcontractor personnel that need to have access to Personal Data are given access to such data, and only (i) to the extent necessary to provide the Service and (ii) provided that the relevant personnel are legally bound by the obligations set out in this DPA;

d.                not publish or disclose any Personal Data to any third party, except for a third party within the European Economic Area or the UK processing Personal Data on Qlearsite’s behalf subject to these T&Cs and Data Protection Laws, unless you have given prior written consent, and Qlearsite will provide you with:

i.                  a list of current sub-processors (which you accept by accepting the T&Cs); and

ii.                 any changes to such sub-processors list and an opportunity to object to the changes within 14 days of notice;

e.                not transfer Personal Data outside the European Economic Area (other than to the UK or a country found by the European Commission to have adequate Data Protection Laws) without (i) your prior written consent and (ii) first ensuring that the relevant transferee entity is subject to relevant obligations of EU Data Protection Laws via a data transfer agreement or otherwise;

f.                 taking into account the nature of processing of Personal Data for the Services and the information available to Qlearsite, assist you as the Data Controller:

i.                  by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the obligation to respond to requests from Data Subjects for exercising their rights; and

ii.                 in complying with Your obligations under GDPR regarding security of processing, personal data breaches, security impact assessments, and prior consultation with data protection authorities;

g.                make available to you upon request all information necessary to demonstrate compliance with the obligations of Article 28 of GDPR; and

h.                allow for and contribute to audits and inspections conducted by You or on your behalf regarding Qlearsite’s compliance with Data Protection Laws.

i.                  return, delete, destroy or anonymise the data once the processing of the data is complete (unless there is a requirement under EU or relevant member state law to preserve a specific type(s) of data) as specified by the T&Cs.

4.                Where there has been any breach or where Qlearsite suspects there has been a breach of this DPA, Qlearsite shall inform you promptly.

List of sub-processors

Qlearsite may use the following sub-processors to host Customer Data (Employee Data) or provide other infrastructure that helps with delivery of our Services:

Entity NameSub-processing activitiesEntity CountrySub-Processor Data Protection Documents
Amazon Web ServicesApplication Hosting, Data StorageUK, IrelandDPA, Terms, Privacy Policy
Merge.devHRIS integration facilitator and data transfer (optional as per Customer set-up)International*DPA, Subscriber Agreement, Privacy Policy
Mailgun Technologies, IncE-mail service (Qlearsite domain)EEADPA, Terms, Privacy Policy

*Subject to GDPR, UK GDPR and Third Countries, SCCs. Please refer to original 3rd Party DPA provided above.

Qlearsite may use other sub-processors, which help with product support, product development and analytics or provide additional relationship management, for example with marketing and sales support:

Entity NameSub-processing activitiesEntity CountrySub-Processor Data Protection Documents
Sharepoint (Microsoft)Document storage and file uploadUKDPA, Terms, Privacy Policy
Help ScoutCustomer issue trackingUSADPA, Terms, Privacy Policy
HeapProduct analytics servicesUSADPA, Terms, Privacy Policy
HubspotCustomer and marketing management systemNorth AmericaDPA, Terms, Privacy Policy

Updates to Data Processing Agreement

Qlearsite will provide written notice to customers of updates to this DPA that may include updating the list of Sub-Processors used by Qlearsite to deliver its Services.

Customer may object in writing to the processing of its Personal Data by a new Sub-Processor within fourteen (14) days after being notified of proposed changes, and such objection shall describe the Customer’s legitimate reason(s) for objection. If the Customer does not object during such time period, the new Sub-Processor(s) shall be deemed accepted.

Updated: 27 March 2024