
Data Processing Agreement

Data Processing Addendum 

This Data Processing Addendum, including its Annexures, forms part of the Master Subscription and Services Agreement (MSSA) between Customer and Redcat Hospitality Technology Limited (company number 14339267) of Ibex House, 61 Baker Street, Weybridge, England, KT13, or the Redcat contracting entity under the MSSA (Redcat), which is available at [insert link], as updated from time to time between Customer and Redcat, governing Customer’s use of the Services.   

Any capitalised term used in this DPA will have the meaning given to it in section 3 of this DPA, or as otherwise defined in the MSSA. 

1. Data Processing Terms  

1.1 Processing of Customer Data

(a) This DPA applies where Redcat processes Customer Data.  

(b) If, and solely to the extent that, Redcat processes any Customer Data to which GDPR applies, then each party acknowledges and agrees that Customer will be the data controller (or processor) and Redcat will be the data processor (or sub-processor) of such Customer Data.

(c) The parties agree that this DPA (and clause (e) below) and the MSSA, including Customer providing instructions via configuration tools on the Redcat Platform and any APIs made available by Redcat for the Services, constitute Customer’s documented instructions regarding Redcat’s processing of Customer Data (Documented Instructions).  

(d) Redcat will: 

(i) not process Customer Data other than in accordance with the Documented Instructions, unless required to do otherwise by Applicable Data Protection Law to which Redcat (or any of its sub-contractors) is subject; and  

(ii) where legally permitted to do so, inform the Customer if, in Redcat’s reasonable opinion, any instruction of the Customer may result in a breach of Applicable Data Protection Law. Taking into account the nature of the processing, Customer agrees that it is unlikely Redcat can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. However, if Redcat forms such an opinion, Customer is entitled to withdraw or modify its Documented Instructions. 

(e) Customer: 

(i) instructs Redcat (and, as applicable, authorises Redcat to instruct each sub-contractor) to:  

(A) process Customer Data; and 

(B) in particular, transfer Customer Data to any country or territory, 

as reasonably necessary for the provision of the Services in accordance with the MSSA. Additional instructions outside the scope of the Documented Instructions, including under this clause (if any), require prior written agreement between Redcat and Customer, including agreement on any additional fees payable by Customer to Redcat for carrying out such instructions; and 

(ii) warrants and represents that it is, and will at all times remain, duly and effectively authorised to give the instructions set out under this clause on behalf of itself and any Customer affiliate.  

(f) Annex A to this DPA sets out certain information regarding Redcat’s processing of Customer Data, including the nature and purpose of the processing, the processing activities, duration of processing and types of personal data and categories of individuals affected. Nothing in Annex A confers any right or imposes any obligation on any party. 


1.2 Redcat Personnel
 

Redcat will ensure that any person (including employees and workers) that it authorises to have access to, or process Customer Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality. 


1.3 Data Security 
 

(a) During the Term, Redcat will implement and maintain (and will use reasonable endeavours to ensure that each Subcontractor implements and maintains) the technical and organisational measures set out in Annex B with respect to the security of Customer Data.  

(b) The Customer may implement, or request the implementation of, additional security measures (Customer Security Measures) from time to time provided always that:  

(i) such Customer Security Measures are compatible with the measures set out in Annex B as determined by Redcat, acting reasonably; and  

(ii) neither Redcat nor any Subcontractor will be required to change any of the measures set out in Annex B or to incur any costs implementing or supporting the implementation of Customer Security Measures.   

(c) Customer represents, undertakes and warrants that, at the date of this DPA and during the term of the MSSA: 

(i) The Customer is solely responsible for making an independent determination as to whether the technical and organisational measures set out in Annex B, together with any Customer Security Measures (if any) agreed to be implemented by Redcat, meet:  

(A) Customer's requirements; 

(B) data security requirements set out in Applicable Data Protection Law, including UK GDPR; 

(C) and provide a level of security appropriate to the risk with respect to the Customer's Data, 

taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of Customer Data, as well as the risks and any anticipated harm to individuals. 

(ii) Customer has and will take all steps necessary, including without limitation providing appropriate fair collection and processing notices to its individual end-users and staff, and obtaining all necessary consents and approvals to support an approved lawful basis for the Customer under the UK GDPR, including so as to ensure that the processing of Customer Data by Redcat (and its subcontractors) is at all times compliant, and in accordance with all Applicable Data Protection Law. 


1.4 Sub-Processing 
 

(a) Under the MSSA, Customer authorises Redcat to appoint (and permit each sub-processor appointed in accordance with this clause to appoint) sub-processors in accordance with this clause. 

(b) By way of general authorisation, the Customer acknowledges and agrees that Redcat may continue to use those sub-processors already engaged by Redcat as at the Effective Date. 

(c) Redcat will provide to Customer prior written notice of the appointment of any new sub-processor (not already engaged as at the date of this DPA), including known details of the processing to be undertaken by the sub-processor. If, within thirty (30) calendar days of receipt of that notice, Customer notifies Redcat in writing that it has any objections (on reasonable grounds related to data processing) to the proposed appointment:  

(i) Redcat will work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor, to the extent practicable; and 

(ii) if such a change cannot be made within three (3) months from Redcat's receipt of Customer’s objection notice (or such earlier date as agreed), notwithstanding anything in the MSSA or this DPA, Customer may by reasonable written notice to Redcat suspend or terminate that part of the Services which requires the use of the proposed sub-processor. 

(d) If no objection has been notified by Customer within the timeframe set out above, Redcat will deem the new Sub-processor an authorised sub-processor pursuant to this clause. 

(e) With respect to each sub-processor, Redcat will use its best endeavours to: 

(i) procure that the arrangement between Redcat and the sub-processor is governed by a written contract including terms which, where the sub-processor carries out the same processing activities as carried out by Redcat under this DPA, contain provisions on confidentiality no less protective of Customer Data as set out under this clause; 

(ii) if that arrangement involves a Restricted Transfer, the EU Standard Contractual Clauses (Module 3 Processor – Sub-Processor), and/or as applicable, the UK Data Protection Law, will be deemed to be incorporated into the agreement between Redcat (or first sub-processor) and that sub-processor in accordance with the provisions of clause 2.4 below; and 

(iii) Redcat remains responsible for all acts or omissions of the sub-processor that cause Redcat to breach any of its obligations under this DPA. 


1.5 Data Subject / Individual Rights  
 

(a) Redcat will: 

(i) notify Customer if it receives a written request to exercise Data Subject rights under Applicable Data Protection Law, including access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or right not to be subject to automated individual decision making under the EU/UK GDPR; 

(ii) on demand and at Customer cost, provide Customer with reasonable support and assistance in responding to Data Subject rights’ requests under (i) above; and 

(iii) unless set out under this clause, not otherwise have any obligation to handle the request (unless otherwise agreed in writing with Customer), and the options under clause 11 of the EU SCCs (and respective terms of the UK Data Protection Law, as applicable) will not apply. 

(b) Taking into account the nature of the processing, Customer agrees that it is unlikely that Redcat would become aware that Customer Data transferred under this DPA is inaccurate or outdated. Nonetheless, in the event that Redcat becomes so aware, it will inform Customer of the details promptly and without undue delay. Redcat will use reasonable endeavours to cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under this DPA by erasing or rectifying the Customer Data itself, or by providing instructions or the service controls that Customer can itself use to erase or rectify Customer Data.  


1.6 Government Access Requests
 

For the purposes of clause 15(1)(a) of the EU SCCs (and respective terms of the UK Data Protection Law, as applicable), Redcat will notify Customer (only) and not the Data Subject(s) in the event that it becomes aware of or receives any Government Access Request. Redcat will not otherwise have any obligation to handle any Government Access Request (unless otherwise agreed in writing with Customer) and, for the avoidance of all doubt, Customer will be solely responsible for promptly notifying any Data Subject, where necessary. 

 

2. Further Terms 

2.1 Data Breach 

(a) Redcat will without undue delay (and in any event within 5 (five) business days) upon becoming aware of a Data Breach affecting Customer Personal Data, provide Customer with such information (as and when available) as Redcat is able to disclose to Customer, taking into account the nature of the processing, the information available to Redcat, and any restrictions on disclosing the information, such as confidentiality, to assist Customer in its endeavours to meet any obligations to report to a regulator or inform Data Subjects of the Data Breach under Applicable Data Protection Law. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of any such Data Breach.    

(b) On demand and at Customer cost, Redcat will co-operate with Customer and take such reasonable commercial and practicable steps as may be directed by Customer to assist in the investigation, prevention (as applicable), mitigation and remediation of a Data Breach affecting Customer Personal Data. 


2.2 Deletion / Return of Customer Data
 

(a) Subject to the remaining provisions of this clause, Redcat will promptly, following the date of cessation of the Services involving the processing of Customer Data for any reason (including as a result of termination of the MSSA or if any insolvency event impacting the Customer or other termination or expiration event set out in the MSSA) (the Cessation Date), delete and procure the deletion of all copies of Customer Data. 

(b) Customer may in its absolute discretion by written notice to Redcat within at least 45 business days prior to the Cessation Date (as stipulated in the MSSA) require Redcat to: (a) return a complete copy of all Customer Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Redcat; and (b) delete and procure the deletion of all other copies of Customer Data processed by Redcat. 

(c) Any certification of deletion of Customer Data, as described in clause 8.5 and clause 16(d) of the EU SCCs (and UK DP Act, as applicable) will be provided by Redcat to Customer only upon the Customer's prior written request. 


2.3 Audit rights
 

(a) To the extent not already captured under the MSSA, and without prejudice to such provisions, Redcat will make available to Customer, on Customer's reasonable request and at Customer cost, information as may be necessary to demonstrate Redcat’s compliance with this DPA, by allowing for and contributing to audit reports, and (where feasible and/or practicable, in Redcat’s opinion, acting reasonably) inspections, by Customer or Customer auditors in relation to the processing of Customer Personal Data by Redcat and (where applicable and feasible) Redcat’s sub-processors. Customer confirms that this provision meets the relevant requirements of Applicable Data Protection Law (including, as applicable, Customer and Redcat’s obligations under Article 28(3)(h) of the GDPR). 


2.4 Restricted Transfers – outside the UK [or EEA, as applicable]
 

(a) Redcat and Customer each agree that, to the extent that a transfer of Customer Data to Redcat involves a transfer  from the EU either directly or via onward transfer, to any country or recipient outside of these jurisdictions, including to Australia or the USA, that is not recognized by the relevant competent authority as providing an adequate level of protection for personal data (within the meaning of the EU GDPR and applicable European Data Protection Laws), the EU Standard Contractual Clauses will be deemed incorporated by reference and form an integral part of the MSSA and this DPA. The EU Standard Contractual Clauses will apply from the Effective Date with respect to transfers of Customer Data that in the absence of their application, would cause either party to breach European Data Protection Laws.  

(b) The parties each further agree that in respect of transfers under (a) above, the EU Standard Contractual Clauses will apply as follows: 

(i) Module Two (Controller – Processor) will apply where Customer is the Controller and data exporter and Redcat is the Processor of Customer Personal Data; 

(ii) Module Three (Processor – Processor) will apply where Customer is the Processor and data importer and Redcat is the sub-processor of Customer Personal Data. Taking into account the nature of the processing, Customer agrees that it is unlikely that Redcat will know the identity of Customer data controller(s) in this regard and, because Redcat has no direct relationship with such controllers, Customer will fulfil any of Redcat’s obligations to Customer controllers under the Module Three (Processor-to-Processor) clauses; 

(iii) in clause 7, the optional docking clause will apply and each of Customer and Redcat affiliates may accede to the EU Standard Contractual clauses under the same terms and conditions as this DPA, subject to the mutual agreement of the parties; 

(iv) in clause 9, option 2 (General Authorisation) is selected and the process and time period for prior notice of sub-processors will be as set out in this DPA; 

(v) in clause 11, the optional language will not apply; and 

(vi) Annex I and Annex II will be deemed completed with the information set out in the Annexes to this DPA. 

(c) Redcat and Customer each further agree that, in respect of transfers of Customer Data from the UK, either directly or via onward transfer, to any country or recipient outside of the UK, including to Australia or the USA, that is not currently recognized by the competent UK regulatory authority or governmental body for the UK as providing an adequate level of protection for personal data, the EU Standard Contractual Clauses as implemented by (a) and (b) above will apply with the following modifications: 

(i) the EU Standard Contractual Clauses will be modified and interpreted in accordance with Schedule 2 of the UK DP Act, which will be deemed incorporated and form an integral part of the MSSA and this DPA; 

(ii) references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent article or section of UK Data Protection Laws; 

(iii) Tables 1, 2 and 3 in Part 1 of the UK Data Protection Act 2018 will be deemed completed with the information set out in the Annexes to this DPA and Table 4 will be deemed completed by selecting 'neither party'; and 

(iv) any conflict between the terms of the EU Standard Contractual Clauses and the UK DP Act will be resolved in accordance with Sections 10 and 11 of the UK Data Protection Act 2018.


2.5 Data Transfer Impact Assessment
 

(a) Taking into account the nature of the processing and the information available to Redcat as processor, Redcat will, acting collaboratively and in good faith, use its best endeavours to assist Customer in complying with Customer’s obligations in respect of the preparation and completion of any required data protection transfer impact assessments and prior consultation, by providing the information Redcat makes available to Customer under clause 1.3 (Data Security) and clause 2.3 (audit) of this DPA and such additional information as the Customer may request, acting reasonably at all times.    


2.5 Liability
 

(a) Subject to clause 2.6(b) below, each of Redcat and Customer's respective liability in respect of the processing of Customer Data under this DPA will be determined by the provisions on liability set out in the MSSA. 

(b) Redcat's liability in all cases will be limited to any loss or damage caused by its (or its sub-processors) processing of Customer Data where it can be shown that Redcat has not complied with its own direct regulatory obligations under either of the: (i) EU GDPR; or (ii) UK DP Act as specifically directed to processors, or where it has been shown to have acted directly outside of or contrary to lawful written instructions of the Customer.  


2.6 General Terms
 

(a) Without prejudice to clauses 17 (Mediation and Jurisdiction) and 18 (Governing Law) of the EU SCCs and UK DP Act: 

(i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the MSSA with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and 

(ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the MSSA. 

(b) Subject to clause 2.7(c) below, in the event of any conflict or inconsistency between this DPA, the EU Standard Contractual Clauses and the UK DP Act, the UK DP Act shall prevail to the extent of the conflict or inconsistency. 

(c) Without prejudice to any other provision of this DPA, with regard to the transfer and protection of Customer Personal Data, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the MSSA, the provisions of this DPA will prevail. 

(d) This DPA may be varied and updated from time to time by Redcat as a result of any change in Applicable Data Protection Law, including any variation which is required to the EU SCCs or UK DP Act. 

 

3. Definitions 

In this DPA, capitalised terms will have the meanings provided in the MSSA, save that, and unless the context requires otherwise, the following defined terms have the following meaning: 

Applicable Data Protection Law means UK Data Protection Law, European Data Protection Law and any other privacy and data protection laws and policies of any jurisdiction including all resulting statutory and regulatory requirements applicable to the Processing and protection of Personal Data in the jurisdiction where the Data Subjects of the Processing are located and where the data is Processed. 

Customer Data means the Customer data that is uploaded to the Services under the Customer’s account with Redcat, as more particularly described in the MSSA, and includes Customer Personal Data. 

Data Breach means any unauthorised or unlawful destruction, loss, alteration, disclosure of or access to Customer Personal Data processed by Redcat and/or its sub-processors in connection with the provision of the Services and includes Personal Data Breach as defined in UK Data Protection Law. 

Data Processing Addendum or DPA means this data processing addendum. 

Data Subject means the identified or identifiable individual to whom Personal Data relates. The definition of “Data Subject” includes “Relevant Data Subject” as defined under the UK Data Protection Law. Legal entities are only Data Subjects to the extent required by law.  

The terms "Controller", "Data Subject", "Personal Data", "Processing", "Processor" and "Special Categories of Personal Data" have the same meaning as in Applicable Data Protection Law (or where not defined in Applicable Data Protection Law, have the meaning in the GDPR), and in each case construed accordingly. 

European Data Protection Law means all laws applicable to the protection of Personal Data in the EEA, in each case as may be amended, superseded or replaced from time to time, including the EU GDPR and EU SCCs.  

EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.  

EU Standard Contractual Clauses or EU SCCs means the standard contractual clauses approved by and annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, including the: (i) clauses between controllers and processors currently located at: https://d1.awsstatic.com/Controller_to_Processor_SCCs.pdf; and (ii) clauses between processors, currently located at: https://d1.awsstatic.com/Processor_to_Processor_SCCs.pdf.   

GDPR means the EU GDPR and the UK GDPR collectively, except where expressly stated otherwise. 

MSSA means Redcat’s Master Subscription and Services agreement to which the Customer is already, or will become, a party. 

Personal Data means information that relates to a Data Subject, as defined under Applicable Data Protection Law. To the extent applicable, the definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Laws such as the Australian Privacy Act 1988.

Restricted Transfer means transfer (directly or via onward transfer) of Personal Data to a country outside of the country where the Personal Data was collected from the Data Subject, which requires additional data protection safeguards to be implemented for the purpose of the transfer, including but not limited to a transfer outside of the UK that is not subject to an adequacy decision by the competent UK authority (as applicable). 

Services means the provision of the Redcat Platform and Services to Customer as more particularly described under, and pursuant to, the MSSA. 

Supervisory Authority means the relevant independent public authority responsible for monitoring and/or enforcing Applicable Data Protection Law. 

UK DP Act means the UK Data Protection Act 2018.

UK Data Protection Law means all laws applicable to the protection of Personal Data in the United Kingdom, in each case as may be amended, superseded or replaced from time to time, including: 

(a) the UK DP Act; 

(b) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (UK GDPR), as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018, defined as the same in section 3 (as supplemented by section 205(4)) of the UK DP Act; and 

(c) the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended; and 

UK IDPA means the International Data Transfer Addendum to the EU SCCs as issued by the UK Information Commissioner’s Office, as may be updated, amended or replaced from time to time, the form of which is included and completed at Annex B. 

 

Annex A – Data Processing Activities   

Data task: Description of processing

Nature and purpose of processing: Processing required to perform the Services under the MSSA. 

Duration of processing: For the duration of the MSSA as signed by the Customer. 

Types of personal data: Basic personal identifiers, location data, economic and financial data, demographic information, health data.

Sensitive/special category personal data: Sensitive data will generally not be processed.

Categories of individuals affected: Customers or prospective customers, Customer employees, Customer end users. 

 

Annex B – International Data Transfer Addendum 

This Addendum is attached to and forms part of the DPA. The parties hereby enter into this Addendum as a legally binding contract for the purpose of transfers of Customer Personal Data to third countries outside of the United Kingdom.  

Unless otherwise defined in this Addendum, all capitalised terms used in this Addendum will have the meanings given to them in the DPA. 

 

4. Tables 

4.1 Parties 

Start date: The Effective Date specified in the applicable Order Form.   

 

Party Details 

Redcat: 

Name: Redcat Hospitality Technology Limited (company number 14339267) 

Address: Ibex House, 61 Baker Street, Weybridge, England, KT13 8AH 

OR 

Name: Redcat Pty Ltd (ABN 88 090 409 920) 

Address: Level 1, 51 Stephenson Street, Cremorne, Victoria, Australia, 3121 

Customer: Refer to Order Form. 

Key Contact 

Redcat: 

Name: Jeff Lamb 

Title: Managing Director 

Email: lambj@redcat.com.au 

Customer: Refer to Order Form. 

Signature (if required for the purposes of Section 2) 

Redcat: By transferring UK Customer Data to UK Third Countries on Customer’s instructions, the Importer will be deemed to have signed this Addendum. 

Customer: By using the Services to transfer UK Customer Data to UK Third Countries, the Exporter will be deemed to have signed this Addendum. 

 

4.2 Selected Standard Contractual Clauses, Modules and Selected Clauses 

Addendum EU SCCs 

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Annex Information: 

  • Date: The date that Customer starts to use the Services to transfer Customer Data to Third Countries.  

  • Reference (if any): N/A 

This Addendum is appended by reference to the following versions of the Approved EU SCCs (as applicable): 

  • the Controller-to-Processor Clauses available here (under Module 2). 
  • the Processor-to-Processor Clauses available here (under Module 3). 

 

4.3 Annex Information 

“Annex Information” means the information which must be provided for the selected modules as set out in the Annex of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: 

(a) Annex IA: List of Parties: 

Data exporter(s):  

Name: The entity identified as “Customer” in the DPA.  

Address: The address for Customer specified above, or as otherwise specified in the Order Form. 

Contact person’s name, position and contact details: The contact details of the Key Customer above, or as otherwise specified in the DPA or the MSSA.  

Activities relevant to the data transferred under these Clauses: The activities specified in the Documented Instructions.  

Signature and date: By using the Services to transfer Customer Data to Third Countries, the data exporter will be deemed to have signed Annex I.  

Role (controller / processor): (i) where the Controller-to-Processor Clauses apply, the data exporter will be a controller; and (ii) where the Processor-to-Processor Clauses apply, the data exporter will be a processor. 

Data importer(s):  

Name: “Redcat” as identified in the MSSA. 

Address: The address for Redcat specified above.  

Contact person’s name, position and contact details: The contact details of the Customer above, or as otherwise specified in the MSSA. 

Activities relevant to the data transferred under these Clauses: The activities specified in the Documented Instructions.  

Signature and date: By transferring Customer Data to Third Countries on Customer’s instructions, the data importer will be deemed to have signed Annex I.  

Role (controller / processor): Processor. 

(b) Annex 1B: Description of Transfer: 

Categories of data subjects whose personal data is transferred: Categories of data subjects are specified in Annex A of the DPA.  

Categories of personal data transferred: The personal data is described in Annex A of the DPA.  

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The data exporter might include sensitive personal data in the personal data described in Annex A of the DPA.  

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the Documented Instructions.  

Nature of the processing: The nature of the processing is described in Annex A of the DPA.  

Purpose(s) of the data transfer and further processing: To provide the Services.  

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Not applicable because the data exporter determines the duration of processing in accordance with the terms of the DPA. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter, nature and duration of the processing are described in Annex A of the DPA. 

(c) Annex II: Technical and organisational measures to ensure the security of the data: 

The technical and organisational security measures that Redcat has in place are described in Annex C. 

(d) Annex III: List of Sub processors (Modules 2 and 3 only): 

The sub-processors are those sub-processors already engaged by Redcat as at the date of the DPA. 

 

4.4 Ending this Addendum when the Approved Addendum Changes 


Redcat may end this Addendum as set out in section 19. 

 


5. Mandatory Clauses
 

Entering into this Addendum 

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum. 

2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows Data Subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs. 


Interpretation of this Addendum  

3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings: 

Addendum

This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. 

Annex Information

As set out in clause 1.3 of this Annex. 

Appropriate Safeguards

The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. 

Approved Addendum

The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as may be revised or updated from time to time. 

Approved EU SCCs

The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. 

ICO

The Information Commissioner. 

 

4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Law and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards. 

5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place. 

6. If there is any inconsistency or conflict between UK Data Protection Law and this Addendum, UK Data Protection Law applies. 

7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Law applies.  

8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. 

 

Annex C – Technical & Organisational Security Measures 

Software and Hardware level security:  

  • Identity Management, authorisation, and access controls 

  • EDR and threat intelligence protected networks, 

  • Network segmentations and separation. 

  • Managed RDS service with encrypted disks,  

  • Secure access to specified users,  

  • Siloed database servers. 

  • Next Gen firewalls, 

Security Operations Centre (SOC):  

  • Managed SIEM, 

  • Managed 24 hours, 7 days a week, 

  • Endpoint detection on servers and staff devices, 

  • Vulnerability Management Service,

  • Threat intelligence service, 

  • Incident response team.  

Data Management: 

  • Data retention and handling policies, 

  • Identity Management, Authentication and Access Controls,  

  • Daily Backups are performed,  

  • Data is encrypted at rest and in transit. 

Business Controls: 

  • Information Security Policies and Procedures, 

  • Change Management functions, 

  • Disaster Recovery, Data Breach Incident Response Plan, 

  • Business Continuity Plans, 

  • Risk Management,  

  • Software Development Life Cycle (SDLC), 

  • Regular Penetration Tests, 

  • Vulnerability Disclosure Policy. 

Employees: 

  • Mandatory compliance training, 

  • Background checks.