Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") applies where you subscribe to a "cloud-hosted" edition of MIDAS and personal data is stored or processed within your hosted MIDAS system. It forms part of, and should be read alongside, our Cloud Hosted Terms & Conditions, our Software Privacy Policy, our Data Retention Policy, and our GDPR Statement.

This DPA reflects the requirements of Article 28 of the UK GDPR. Terms such as "controller", "processor", "sub-processor", "data subject", "personal data", "processing", and "personal data breach" have the meanings given to them in the UK GDPR and the Data Protection Act 2018.

1. Roles of the parties

• In respect of any personal data contained within your hosted MIDAS system, you (the customer) are the controller and we are the processor. You determine the purposes and means of processing that data; we process it only on your behalf.

• You confirm that you have a lawful basis for the processing of any personal data you place within your hosted MIDAS system, that the data has been collected lawfully, and that you are entitled to provide it to us for processing under this DPA.

2. Subject matter and details of processing

• Subject matter: the provision of the cloud-hosted MIDAS room booking and resource scheduling service.

• Duration: for the duration of your active cloud-hosted subscription, followed by the retention periods set out in our Data Retention Policy.

• Nature and purpose: the hosting, storage, and processing of data necessary to operate your room booking and resource scheduling system.

• Types of personal data: typically the names and contact details of your MIDAS users and of persons associated with bookings, together with any other personal data you or your users choose to enter into your MIDAS system.

• Categories of data subjects: typically your staff, your MIDAS users, and individuals associated with bookings made within your system.

3. Our obligations as processor

We shall:

• process the personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case we will inform you of that legal requirement before processing, unless the law prohibits us from doing so). Your instructions are constituted by this DPA and your use of the features and configuration options within your MIDAS system;

• ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality;

• implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;

• taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under the UK GDPR;

• assist you in ensuring compliance with your obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with the Information Commissioner's Office, taking into account the nature of processing and the information available to us;

• notify you without undue delay after becoming aware of a personal data breach affecting your data;

• at your choice, delete or return all the personal data to you after the end of the provision of services relating to processing, and delete existing copies unless we are required by law to retain a copy. The applicable timescales for deletion and the availability of data export are set out in our Data Retention Policy; and

• make available to you all information necessary to demonstrate compliance with the obligations in Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, subject to reasonable notice, confidentiality undertakings, and our reasonable security and operational requirements.

4. Sub-processors

• You provide general written authorisation for us to engage sub-processors to assist in providing the hosted service. We currently engage the following categories of sub-processor: our hosting and data center provider; our content delivery and security provider (Cloudflare); our transactional email delivery provider (SMTP2GO); and, where you enable online or invoice payments, the relevant payment processor (Stripe or PayPal). Further detail is set out in our Software Privacy Policy.

• We will impose on each sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA. We remain responsible to you for the performance of each sub-processor's obligations.

• We will inform you of any intended changes concerning the addition or replacement of sub-processors, thereby giving you the opportunity to object to such changes.

5. International transfers

• We offer a choice of data center locations for your live MIDAS database. Where personal data is transferred outside the UK, such transfers will be protected by an appropriate safeguard recognised under the UK GDPR, such as the standard data protection clauses adopted or approved for use in the UK.

6. Liability

• The limitations and exclusions of liability set out in our Cloud Hosted Terms & Conditions apply equally to this DPA, save to the extent that any liability cannot lawfully be limited or excluded.

7. Governing law

• This DPA is governed by the law of England and Wales, and is subject to the exclusive jurisdiction of the courts of England and Wales.