Capitawise

DATA PROCESSING TERMS

Capitawise Ltd (“Data Processor”) is a private company limited by shares incorporated in England and Wales with company registration number 14421224 and with its registered address at 10 Repton Road, Orpington, BR6 9HS, England. Our email address for any queries related to these Data Processing Terms (“this Agreement”) is info@capitawise.co.uk.

This Agreement applies to the provision of services by the Data Processor which involves the processing of Personal Data as herein defined on behalf of a subscriber to the Services as herein defined offered by the Data Processor under a separate subscription and/or licence agreement (“Service Agreement”). The subscriber shall hereinafter be referred to as “Data Controller”.

WHEREAS:

(1) Under the Service Agreement between the Data Controller and the Data Processor the Data Processor provides to the Data Controller the Services described in the Service Agreement.

(2) The provision of the Services by the Data Processor involves it in processing the Personal Data described in the Service Agreement on behalf of the Data Controller.

(3) Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”) requires an agreement in writing between the Data Controller and any organisation which processes Personal Data on its behalf, governing the processing of that Personal Data.

(4) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the UK GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.

(5) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.

IT IS AGREED as follows:

  1. Definitions and Interpretation
    • In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

“Data Controller”

shall have the meaning given to the term “controller” in section 6 of the Data Protection Act 2018;

“Data Processor”

shall have the meaning given to the term “processor” in Article 4 of the UK GDPR;

“Data Protection Legislation”

means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder), and the Privacy and Electronic Communications Regulations 2003 as amended;

“Data Subject”

shall have the meaning given to the term “data subject” in Article 4 of the UK GDPR;

“EEA”

means the European Economic Area, consisting of all EU Member States plus Iceland, Liechtenstein, and Norway;

“Information Commissioner”

means the Information Commissioner, as defined in Article 4(A3) of the UK GDPR and section 114 of the Data Protection Act 2018;

“Personal Data Breach”

shall have the meaning given to the term “personal data breach” in Article 4 of the UK GDPR;

“Personal Data”

means all such “personal data”, as defined in Article 4 of the UK GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in the Service Agreement;

“processing”, “process”, “processes”, “processed”

shall have the meaning given to the term “processing” in Article 4 of the UK GDPR;

“Services”

means those services and facilities described in the Service Agreement which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purposes described in the Service Agreement;

“Standard Contractual Clauses”

means the ICO’s International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914; and

“Term”

means the term of this Agreement, as set out in Clause 17.

  • Unless the context otherwise requires, each reference in this Agreement to:
    1. “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
    2. a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
    3. “this Agreement” is a reference to this Agreement;
    4. a Clause or paragraph is a reference to a Clause of this Agreement; and
    5. a “Party” or the “Parties” refer to the parties to this Agreement.
  • The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
  • Words imparting the singular number shall include the plural and vice versa.
  • References to any gender shall include any other gender.
  • References to persons shall include corporations.
  2. Scope and Application of this Agreement
    • The provisions of this Agreement shall apply to the processing of the Personal Data described in the Service Agreement, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
    • The provisions of this Agreement shall be deemed to be incorporated into the Service Agreement as if expressly set out in it. Subject to sub-Clause 2.3, definitions and interpretations set out in the Service Agreement shall apply to the interpretation of this Agreement.
    • In the event of any conflict or ambiguity between any of the provisions of this Agreement and the Service Agreement, the provisions of this Agreement shall prevail.
    • In the event of any conflict or ambiguity between any of the provisions of this Agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
  3. Provision of the Services and Processing Personal Data
    • The Service Agreement describes the type(s) of Personal Data, the category or categories of Data Subject, the nature of the processing to be carried out, the purpose(s) of the processing, and the duration of the processing.
    • Subject to sub-Clause 4.1, the Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
      1. for the purposes of those Services and not for any other purpose;
      2. to the extent and in such a manner as is necessary for those purposes; and
      3. in accordance with the authorisation and instructions of the Data Controller (which may be instructions of a general nature).
    • The Data Controller shall retain control of the Personal Data at all times and shall remain responsible for its compliance with the relevant Data Protection Legislation including, but not limited to, its collection, holding, and processing of the Personal Data, having in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Data Processor, and with respect to the instructions given to the Data Processor.
  4. The Data Processor’s Obligations
    • As set out above in Clause 3, the Data Processor shall only process the Personal Data to the extent and in such a manner as is necessary for the purposes of the Services and not for any other purpose. All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the Data Protection Legislation. The Data Processor shall act only on the general instructions provided in the Service Agreement and written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the UK GDPR).
    • The Data Processor shall not process the Personal Data in any manner which does not comply with the provisions of this Agreement or with the Data Protection Legislation.
    • The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the Data Protection Legislation including, but not limited to, the protection of Data Subjects’ rights, the security of processing, the notification of Personal Data Breaches, the conduct of data protection impact assessments, and in dealings with the Information Commissioner (including, but not limited to, consultations with the Information Commissioner where a data protection impact assessment indicates that there is a high risk which cannot be mitigated).
    • For the purposes of sub-Clause 4.3, “all reasonable assistance” shall take account of the nature of the processing carried out by the Data Processor, the information available to the Data Processor, and the resources needed for the Data Processor to provide such assistance.
    • In the event that the Data Processor becomes aware of any changes to the Data Protection Legislation that may, in its reasonable interpretation, adversely impact its performance of the Services and the processing of the Personal Data either under the Service Agreement or under this Agreement, the Data Processor shall inform the Data Controller promptly.
  5. Confidentiality
    • The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose the Personal Data to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than as necessary and for the purposes of the provision of the Services to the Data Controller.
    • Nothing in this Agreement shall prevent the Data Processor from complying with any requirement to disclose or process Personal Data where such disclosure or processing is required by domestic law, court, or regulator (including, but not limited to, the Information Commissioner). In such cases, the Data Processor shall reasonably notify the Data Controller of the disclosure (unless such notification is prohibited by law).
    • The Data Processor shall ensure that all employees who are to access and/or process any of the Personal Data are informed of its confidential nature and are contractually obliged to keep the Personal Data confidential.
  6. Employees and Data Protection Officer
    • The Data Processor has appointed a data protection officer in accordance with Article 37 of the UK GDPR, whose details are as follows: Ryan Purvis, Valuu.AI Ltd
    • The Data Processor shall reasonably ensure that all employees who are to access and/or process any of the Personal Data are given suitable training on the Data Protection Legislation, the Data Processor’s obligations under it, their obligations under it, and its application to their work, with particular regard to the processing of the Personal Data under this Agreement.
  7. Security of Processing
    • The Data Processor shall implement appropriate technical and organisational measures, and take commercially reasonable steps necessary to protect the Personal Data against unauthorised or unlawful processing or accidental or unlawful loss, destruction, or damage.
    • The measures implemented by the Data Processor shall be reasonably appropriate to the nature of the personal data and shall have regard for the state of technological development and the reasonable costs of implementation.
  8. Data Subject Rights and Complaints
    • The Data Processor shall take appropriate technical and organisational measures and provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the Data Protection Legislation with particular regard to the following:
      1. the rights of Data Subjects under the Data Protection Legislation including, but not limited to, the right of access (data subject access requests), the right to rectification, the right to erasure, portability rights, the right to object to processing, rights relating to automated processing, and rights to restrict processing; and
      2. compliance with notices served on the Data Controller by the Information Commissioner pursuant to the Data Protection Legislation.
    • In the event that the Data Processor receives any notice, complaint, or other communication relating to the Personal Data processing or to either Party’s compliance with the Data Protection Legislation, it shall notify the Data Controller.
    • In the event that the Data Processor receives any request from a Data Subject to exercise any of their rights under the Data Protection Legislation including, but not limited to, a data subject access request, it shall notify the Data Controller.
    • The Data Processor shall cooperate fully (at the Data Controller’s cost) with the Data Controller and provide reasonable assistance in responding to any complaint, notice, other communication, or Data Subject request, including by:
      1. providing the Data Controller with details of the complaint or request;
      2. providing the reasonably necessary information and assistance in order to comply with a subject access request;
      3. providing the Data Controller with any Personal Data it holds in relation to a Data Subject; and
      4. providing the Data Controller with any other information reasonably requested by the Data Controller.
    • The Data Processor shall act only on the Data Controller’s instructions and shall not disclose any Personal Data to any Data Subject or to any other party except as instructed in writing by the Data Controller, or as required by law.
  9. Personal Data Breaches
    • The Data Processor shall without undue delay notify the Data Controller if it becomes aware of any form of Personal Data Breach including, but not limited to, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data.
    • When the Data Processor becomes aware of a Personal Data Breach, it shall provide the following information to the Data Controller without undue delay:
      1. a description of the Personal Data Breach including the category or categories of Personal Data involved, the approximate number of Personal Data records involved, and the approximate number of Data Subjects involved;
      2. the likely consequences of the Personal Data Breach; and
      3. a description of the measures it has taken or will take to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
    • In the event of a Personal Data Breach as described above, the Parties shall cooperate with one another to investigate it. The Data Processor shall provide all reasonable assistance to the Data Controller.
    • The Data Processor shall use commercially reasonable endeavours to restore any Personal Data lost, destroyed, damaged, corrupted, or otherwise rendered unusable in the Personal Data Breach as soon as possible after becoming aware of the Personal Data Breach.
    • The Data Processor shall not inform any third party of any Personal Data Breach as described above without the express written consent of the Data Controller unless it is required to do so by law.
    • The Data Controller shall have the sole right to determine whether or not to notify affected Data Subjects, the Information Commissioner, law enforcement agencies, or other applicable regulators of the Personal Data Breach as required by law or other applicable regulations, or at the Data Controller’s discretion, including the form of such notification.
    • The Data Controller shall have the sole right to determine whether or not to offer any remedy to Data Subjects affected by the Personal Data Breach, including the form and amount of such remedy.
    • Subject to the provisions of Clause 16, the Data Processor shall bear all reasonable costs and expenses incurred by it and shall reimburse the Data Controller for all reasonable costs and expenses incurred by the Data Controller in responding to the Personal Data Breach, including the exercise of any functions or carrying out of any obligations by the Data Controller under any provision of this Clause 9, unless the Personal Data Breach resulted from the Data Controller’s express written instructions, negligence, breach of this Agreement, or other act or omission of the Data Controller, in which case the Data Controller shall instead bear and shall reimburse the Data Processor with such costs and expenses incurred by it.
  10. Cross-Border Transfers of Personal Data
    • The Data Processor (and any subcontractor appointed by it) shall have the right to process or transfer the Personal Data outside of the UK and/or the EEA without the prior written consent of the Data Controller.
    • In the event that the Data Processor processes or transfers the Personal Data outside of the UK and/or the EEA, the Data Processor may only process (or permit the processing) of the Personal Data outside of the UK and/or the EEA if one or more of the following conditions are satisfied:
      1. the Data Processor (and any subcontractor appointed by it) is processing the Personal Data in a territory that is subject to adequacy regulations under the Data Protection Legislation that said territory provides adequate protection for the privacy rights of individuals;
      2. the Data Processor (and any subcontractor appointed by it) participates in a valid cross-border transfer mechanism under the Data Protection Legislation under which the Data Processor (and the Data Controller, where appropriate) can ensure that appropriate safeguards are in place to ensure an adequate level of data protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR; or
      3. the transfer of the Personal Data otherwise complies with the Data Protection Legislation for one or more of the following reasons: i) the Data Processor (and any subcontractor appointed by it) is located in a country with a current determination of adequacy; or ii) Binding Corporate Rules apply; or iii) Standard Contractual Clauses between the Data Processor as the “data exporter” on behalf of the Data Controller and the Data Processor’s affiliate or subcontractor as the “data importer” apply.
    • In the event that the Data Processor is appointing a subcontractor, in accordance with the provisions of Clause 11, and the subcontractor is located outside of the UK and/or EEA, the Data Controller hereby authorises the Data Processor to enter into Standard Contractual Clauses with the subcontractor in the Data Controller’s name and on the Data Controller’s behalf.
  11. Appointment of Subcontractors
    • The Data Processor shall be able to subcontract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller.
    • In the event that the Data Processor appoints a subcontractor to process any of the Personal Data, the Data Processor shall enter into a written agreement with each subcontractor, which shall impose upon the subcontractor reasonably similar obligations, on reasonably similar terms, as are imposed upon the Data Processor by this Agreement, particularly with regard to technical and organisational security measures required to comply with the Data Protection Legislation, which shall permit both the Data Processor and the Data Controller to enforce those obligations, and which shall terminate automatically on the termination of this Agreement for any reason.
    • The Data Processor shall be deemed to legally control any and all Personal Data that may be at any time controlled practically by, or be in the possession of, any subcontractor appointed by it under this Clause 11.
  12. Return and/or Deletion or Disposal of Personal Data
    • The Data Processor shall, at the written request of the Data Controller or at the Data Processor’s choice, securely delete (or otherwise dispose of) the Personal Data or (at the Data Controller’s cost) return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
      1. the end of the provision of the Services; or
      2. the termination of the Service Agreement, for any reason; or
      3. the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under the Service Agreement.
    • Subject to sub-Clauses 12.3 and 12.4, the Data Processor shall not retain all or any part of the Personal Data after deleting (or otherwise disposing of) or returning it under sub-Clause 12.1.
    • If the Data Processor is required to retain copies of all or any part of the Personal Data by law, regulation, government, or other regulatory body, it shall inform the Data Controller of such requirement(s), including details of the Personal Data that it is required to retain, the legal basis for the retention, details of the duration of the retention, and when the retained Personal Data will be deleted (or otherwise disposed of) once it is no longer required to retain it.
    • The Data Processor may retain one copy of the Personal Data for a period of up to 12 months following termination of the Agreement, strictly for regulatory compliance and audit readiness purposes only, in accordance with applicable data protection laws and contractual obligations.
  13. Warranties
    • The Data Controller hereby warrants and represents that the Personal Data and its use with respect to the Services, the Service Agreement and this Agreement shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
    • The Data Processor hereby warrants and represents that:
      1. the Personal Data shall be processed by the Data Processor (and by any subcontractors appointed under Clause 11) in compliance with the Data Protection Legislation and any and all other relevant laws, regulations, enactments, orders, standards, and other similar instruments;
      2. it has no reason to believe that the Data Protection Legislation in any way prevents it from complying with its obligations under the Service Agreement.
  14. Liability and Indemnity
    • The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of, any and all actions, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands, suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor and any subcontractor appointed by the Data Processor under Clause 11 arising directly or in connection with:
      1. any non-compliance by the Data Controller with the Data Protection Legislation;
      2. any Personal Data processing carried out by the Data Processor or any subcontractor appointed by the Data Processor under Clause 11 in accordance with instructions given by the Data Controller to the extent that the instructions infringe the Data Protection Legislation; or
      3. any breach by the Data Controller of its obligations or warranties under this Agreement.
    • The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of, any and all actions, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands, suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly or in connection with:
      1. any non-compliance by the Data Processor or any subcontractor appointed by the Data Processor under Clause 11 with the Data Protection Legislation;
      2. any Personal Data processing carried out by the Data Processor or any subcontractor appointed by the Data Processor under Clause 11 which is not in accordance with instructions given by the Data Controller to the extent that the instructions are in compliance with the Data Protection Legislation; or
      3. any breach by the Data Processor of its obligations or warranties under this Agreement;
    • but not to the extent that the same is or are contributed to by any non-compliance by the Data Controller with the Data Protection Legislation or its breach of this Agreement.
  • The Data Controller shall not be entitled to claim back from the Data Processor under sub-Clause 14.2 or on any other basis any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor under sub-Clause 14.1.
  • Nothing in this Agreement (and in particular, this Clause 14) shall relieve either Party of, or otherwise affect, the liability of either Party to any Data Subject, or for any other breach of that Party’s direct obligations under the Data Protection Legislation. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the Information Commissioner and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the Data Protection Legislation may render it subject to the fines, penalties, and compensation requirements set out in the Data Protection Legislation.
  • Subject to sub-Clauses 2.4 and 14.6, nothing in this Clause 16 shall be deemed to be limited, excluded, or prejudiced by any other provision(s) of this Agreement.
  • The total aggregate liability of the Data Processor under this Agreement including for any indemnity or reimbursement provisions set out in this Agreement shall be £10,000.
  15. Term and Termination
    • This Agreement shall come into force on the commencement date of the Service Agreement and shall continue in force for the longer of:
      1. The duration of the Services, as set out in the Service Agreement; or
      2. The period that the Service Agreement remains in effect;
      3. The period that the Data Processor has any of the Personal Data in its possession or control.
    • Any provision of this Agreement which, expressly or by implication, is to come into force or remain in force on or after its termination or expiry or the termination or expiry of the Service Agreement shall remain in full force and effect.
    • In the event that changes to the Data Protection Legislation necessitate the re-negotiation of any part of this Agreement, either Party may require such re-negotiation.
  16. Notices
    • All notices given to the Data Controller under or in connection with this Agreement must be addressed to the latest address of the Data Controller notified by the Data Controller to the Data Processor, or given by the Data Processor to the Data Controller via email or electronic message posted in the user dashboard forming part of the Services.
    • All notices given to the Data Processor under or in connection with this Agreement shall be in writing and must be addressed to: Capitawise Ltd, 10 Repton Road, Orpington, BR6 9HS, England.
    • Notices shall be deemed to have been duly given:
      1. when delivered, if delivered by courier or other messenger (including registered mail) during normal business hours of the recipient; or
      2. on the fifth business day following posting, if posted by national ordinary post, postage prepaid; or
      3. when sent by the Data Processor pursuant to sub-clause 16.1.
  17. Law and Jurisdiction
    • This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
    • Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
  18. Changes to this Agreement
    • The Data Processor may change the terms of this Agreement from time to time. This may be necessary, for example, if the law changes, or if the Data Processor changes its business in a way that affects personal data protection.

Any changes will be immediately posted on the Data Processor’s website on www.capitawise.co.uk and the Data Controller will be deemed to have accepted the amended terms of this Agreement immediately following the posting.

 

 

Last Updated: 17/07/2025