Data Processing Provisions Between YUDU Ltd (Licensor) And Our Customers
Data Processing Addendum - YUDU Ltd (t/a Sentinel)
Version 2.0 - April 2023
The objective of this addendum is to define the data protection obligations of YUDU and our customers in relation to the processing of personal data via our Sentinel platform and software as a service. This is an addendum to the Sentinel standard terms and conditions which applies to all contracts between YUDU and our customers entered under the Sentinel Standard Terms (Customer).
- In this addendum, the following defined terms apply:
- “Customer Data” means any personal data provided by or on behalf of the Customer to YUDU or otherwise collected by YUDU on behalf of the Customer pursuant to this addendum and the Services;
- “Commencement Date” means the date YUDU and Customer entered a contract under the Sentinel Standard Terms.
- “Data controller”, “data processor”, “personal data”, “joint controller”, “data subject” and “processing” shall be as defined in the Data Protection Legislation;
- “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Customer Data (including, without limitation, the privacy of electronic communications).
- “Security Breach” means any breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure of or access to the Customer Data.
- “Services” shall be those services supplied by YUDU to the Customer under a contract entered under the Sentinel Standard Terms.
- “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
- Each party agrees that it will at all times comply with all requirements applicable to it under the Data Protection Legislation.
- For the purposes of the Data Protection Legislation, YUDU is the Processor of the Customer Data and the Customer is the Controller.
- YUDU shall only process the Customer Data (i) in accordance with the written instructions of the Customer or as set out in agreements between the Customer and YUDU (including this addendum and its Appendix 1) or (ii) where required to do so by applicable law.
- The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Data to YUDU and/or lawful collection of the Customer Data by YUDU on behalf of the Customer for the duration and purposes of this addendum.
- YUDU shall, in relation to any Customer Data processed in connection with the performance by YUDU of its obligations under this addendum:
- ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- ensure that all personnel who have access to and/or process Customer Data are obliged to keep the Customer Data confidential; and
- not transfer any Customer Data outside of the UK (or the European Economic Area for as long as it has an adequacy decision from the UK Government) unless the prior written consent of the Customer has been obtained (see Appendix 1 for details of consent deemed to be given by Customer at the Commencement Date) and the following conditions are fulfilled:
- the Customer or YUDU has provided appropriate safeguards in relation to the transfer;
- the data subject has enforceable rights and effective legal remedies;
- YUDU complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Customer Data that is transferred, including conducting a transfer risk assessment where appropriate; and
- YUDU complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer Data;
- assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Customer without undue delay on becoming aware of a Security Breach;
- at the written direction of the Customer, delete or return Customer Data and copies thereof to the Customer on termination of the agreement unless required by law to retain the Customer Data; and
- maintain complete and accurate records and information to demonstrate its compliance with this addendum and allow for audits by the Customer or the Customer's designated auditor on reasonable notice.
- The Customer hereby provides its prior, general authorisation for YUDU to:
- appoint sub-processors to process the Customer Data, provided that YUDU:
- shall ensure that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on YUDU in this addendum;
- shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of YUDU; and
- shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to YUDU's reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Law, the Customer shall indemnify YUDU for any losses, damages, costs (including legal fees) and expenses suffered by YUDU in accommodating the objection.
- YUDU shall indemnify and keep indemnified the Customer against all losses arising from any breach by YUDU of this addendum and/or as a result of any bona fide claim made or brought by an individual or other legal person in respect of any loss, damage or distress caused to them as a result of YUDU’s unauthorised processing, unlawful processing, unauthorised or unlawful destruction of and/or damage to any Customer Data.
- The Customer agrees to reimburse YUDU for any investigations, report generation or time consumed by YUDU’s personnel in responding to a request from the Customer following a breach or error by the Customer in their capacity as Data Controller. Fees are set out in Appendix 2.
- This addendum may be amended from time to time to reflect any changes in law or YUDU’s compliance processes. Any material changes will be communicated to existing clients and a notice and date of the amendment made on the Sentinel website. YUDU may, at any time on not less than 30 (thirty) days’ notice, revise this addendum by replacing it with any applicable controller to processor standard clauses or similar terms adopted under the Data Protection Legislation or forming part of an applicable certification scheme (which shall apply when replaced by notification).
- This addendum supersedes all prior versions of this addendum, and/or any Data Protection Clauses in prior contracts between YUDU and the Customer.
Personal data stored by YUDU:
This appendix defines the Customer Data which YUDU shall process on behalf of the Customer in performance of the Services.
YUDU stores authentication data for Data Subjects either employed or managed by Customer using YUDU’s software (Sentinel), allowing access to YUDU’s software and services, such as mobile apps and cloud-based services and materials. This data includes Data Subject names, work e-mail addresses, location and work roles, employment information, and personal information provided/stored by the Customer on behalf of the Data Subject as part of receiving the benefit of the services at its discretion (e.g. Customer electing to store employee HR records on the platform in case of disaster recovery being required).
Nature and purpose of processing activities by YUDU:
Primary processing activities relate to performance of the Services, including i) to store the data, make it available to the Customer and allow the Customer and/or their automatic systems to add, update and delete the data; ii) to authenticate and authorise Data Subjects for access to the Customer’s content and/or YUDU’s software; and iii) to send push notifications to Data Subjects as agreed with the Customer to advise on new content or services.
Permissions are granted by the Processor to Customer-nominated persons to control and manage the Data Subjects’ access and use of the Services.
Transfer of personal data will be by direct upload to YUDU’s systems over a secure connection, or via a mutually agreed alternative secure mechanism.
The Customer Data shall be processed for the duration of the Services and up to 6 months thereafter, in order to manage run-off and post service queries.
Sub-processors and international transfers
YUDU currently engages the following sub-processors located in the USA, in relation to delivery of the Services. Specifically, phone numbers (only) are transferred to a third-party service provider (Twilio) for the sending out of SMS messages and conducting conference calls, and email addresses (only) are transferred to a third-party service (Mailgun).
The Customer’s consent for these transfers is deemed to be given through acceptance of this addendum and Services.
Further information is available here:
Twilio’s Data protection addendum to the YUDU/Twilio agreement:
Mailgun Data Processing Addendum to the YUDU/Mailgun agreement:
Post Incident procedures
In the event of a Security Breach as defined by the Data Protection Legislation, or any such event that may impact on the Customer Data, YUDU will, upon discovery, notify the Customer without undue delay and in any event within 48 hours.
The Customer and YUDU will formulate and agree a breach management plan upon notification of a breach.
In the event that any Customer Data is stolen, subjected to unauthorised access or is lost, becomes damaged, corrupted, destroyed or unusable, YUDU shall use its best endeavours to restore Customer Data promptly.
In the event that the Data Controller has made an error, is subject to an investigation, or requires support due to a failure in their role as Data Controller, YUDU agrees to provide the support required in a timely fashion at an hourly rate of £600/man/day with payment in accordance with YUDU’s standard terms and conditions of sale.
The DPO will notify the Customer of a Security Breach or data incident by email to the nominated Customer recipients advised by the Customer.
The DPO will notify the Customer within two working days of receipt of any data request or complaints regarding the processing of Customer Data from a Data Subject.
Notifications that amend this agreement will be communicated to existing clients and a notice and date of the amendment made on this site.