1. Definitions
For the purposes of this Data Processing Agreement (DPA):
- "Controller" means the natural or legal person who determines the purposes and means of processing personal data
- "Processor" means the natural or legal person who processes personal data on behalf of the Controller
- "Data Subject" means an identified or identifiable natural person
- "Personal Data" means any information relating to a Data Subject
- "Processing" means any operation performed on personal data
2. Scope and Application
This DPA applies to all processing of Personal Data by Cues.ai (the "Processor") on behalf of the Customer (the "Controller") in connection with the provision of analytics and marketing services.
3. Data Processing Details
3.1 Categories of Data Subjects
- Prospective students visiting university websites
- Current students accessing university platforms
- University staff and administrators
- Website visitors and form respondents
3.2 Types of Personal Data Processed
Data Category | Examples | Purpose
Identifiers | IP addresses, device IDs, cookies | Analytics and tracking
Contact Information | Names, email addresses, phone numbers | Lead generation and communication
Behavioral Data | Page views, clicks, form submissions | User experience optimization
Survey Responses | Preferences, interests, feedback | Audience insights and segmentation
Technical Data | Browser type, device type, location data | Performance optimization
4. Processor Obligations
Cues.ai as the Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure data security
- Only engage sub-processors with the Controller's prior written consent
- Assist the Controller in responding to Data Subject requests
- Delete or return all Personal Data at the end of the service provision
- Make available all information necessary to demonstrate compliance
5. Technical and Organizational Measures
5.1 Security Measures
We implement the following security measures:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Regular security audits and vulnerability assessments
- Access controls and multi-factor authentication
- Regular backups and disaster recovery procedures
- Employee security training and awareness programs
5.2 Organizational Measures
- Data protection policies and procedures
- Regular privacy impact assessments
- Incident response and breach notification procedures
- Data minimization and retention policies
- Privacy by design principles in service development
6. Sub-processors
6.1 Authorized Sub-processors
The Controller consents to the use of the following sub-processors found here.
6.2 New Sub-processors
We will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
7. Data Subject Rights
We will assist the Controller in fulfilling obligations to respond to Data Subject requests for:
- Access to their personal data
- Rectification of inaccurate data
- Erasure of personal data
- Restriction of processing
- Data portability
- Objection to processing
8. International Data Transfers
Any transfer of Personal Data outside the UK/EEA will be subject to appropriate safeguards:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Other approved transfer mechanisms under GDPR/UK GDPR
9. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Controller without undue delay and within 72 hours
- Provide all relevant information about the breach
- Cooperate with the Controller's investigation
- Take immediate steps to mitigate the breach
- Document all breaches and remedial actions taken
10. Audit and Inspection
The Controller has the right to:
- Request information to verify compliance with this DPA
- Conduct audits or inspections (with reasonable notice)
- Review our security practices and procedures
- Request certifications and compliance reports
11. Data Retention and Deletion
Upon termination of services, we will:
- Return all Personal Data to the Controller in a standard format
- Delete all copies of Personal Data from our systems
- Provide certification of deletion upon request
- Retain data only as required by law with appropriate safeguards
12. Liability and Indemnification
Each party shall be liable for damages caused by its processing that infringes applicable data protection laws. The liability provisions in the main service agreement apply to this DPA.
13. Contact Information
For data processing inquiries:
Data Protection Officer
Email: [email protected]
Address: 30 Brunswick Road, Shoreham-by-Sea, West Sussex BN43 5WB
United Kingdom
Last Updated: December 2023