Data Processing Agreement

Last Updated: 16 August 2024

This Data Processing Agreement ("DPA") forms part of the Proof of Concept Agreement or SaaS Agreement (as applicable) between (i) Diesta Limited ("Diesta") and (ii) Customers of Diesta (the "Customer") each being a "Party" and together the "Parties" (such agreement referred to as the "Terms").

1. Definitions

1.1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

Customer’s Personal Data: means any Personal Data processed by Diesta (i) on behalf of the Customer, or (ii) otherwise processed by Diesta, in each case pursuant to or in connection with instructions given by the Customer in writing, consistent with the Terms;

Data Protection Laws:

  1. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
  2. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of Personal Data.

EEA: the European Economic Area.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

Services: the services to be supplied by Diesta to the Customer pursuant to the Terms.

Standard Contractual Clauses (SCCs): the ICO's International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO's International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, or such alternative clauses as may be approved by the European Commission or by the UK from time to time.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.2. The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and "Supervisory Authority" have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.

1.3. Capitalized terms not otherwise defined in this DPA shall have the meanings ascribed to them in the Terms.

2. Roles of the Parties

2.1. The Parties acknowledge and agree that with regard to the Processing of the Customer’s Personal Data the Customer acts as a Controller and Diesta acts as a Processor.

2.2. The Parties expressly agree that the Customer shall be solely responsible for ensuring timely communications to the Customer’s affiliates or the relevant Controller(s) who receive or make use of the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable the Customer’s affiliates or the relevant Controller(s) to comply with such laws.

3. Description of Personal Data Processing

The Parties have mutually set out their understanding of the processing of the Customer’s Personal Data by Diesta in Annex 1.

4. Diesta’s obligations

4.1. Diesta shall comply with all applicable Data Protection Laws in the Processing of the Customer’s Personal Data.

4.2. Diesta shall process the Customer’s Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 and otherwise solely on the documented instructions of the Customer, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms.

4.3. Diesta shall immediately inform the Customer if, in Diesta’s opinion, a Customer instruction infringes applicable Data Protection Laws.

4.4. Diesta shall ensure that persons authorised to process the Customer’s Personal Data have committed themselves to confidentiality and/or are under an appropriate statutory obligation of confidentiality.

4.5. Diesta shall, to the extent required by the applicable Data Protection Laws, provide reasonable assistance to the Customer or the relevant Controller(s) with its obligations pursuant to Articles 32 to 36 of the EU or UK GDPR, taking into account the nature of the processing and information available to Diesta, and the Customer agrees, if requested, to pay Diesta for time and for out of pocket expenses incurred by Diesta in connection with any assistance provided in connection with Articles 35 and 36 of the EU or UK GDPR.

5. Customer’s obligation

5.1. The Customer shall comply with all applicable Data Protection Laws in connection with the performance of this DPA.

5.2. As between the Parties, the Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Diesta of the Customer’s Personal Data.

5.3. The Customer agrees not to provide Diesta with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the EU or UK GDPR.

6. Security

Diesta will implement and maintain the technical and organizational measures set out in Annex 3 and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of processing the Customer’s Personal Data.

7. Subprocessors

7.1. The Customer hereby expressly and generally authorises Diesta to engage another Processor(s) to process the Customer’s Personal Data ("Sub-Processor"), and specifically the Sub-Processors listed in Annex 2 hereto, subject to Diesta:

7.1.1. Notifying the Customer of any intended changes to its use of Sub-Processors listed in Annex 2, by providing reasonable notice of the intended change to the Customer via email;

7.1.2. Including data protection obligations in its contract with each Sub-Processor that are materially the same as those set out in this DPA; and

7.1.3. Remaining liable to the Customer for any failure by each Sub-Processor to fulfil its obligations in relation to the processing of the Customer’s Personal Data.

7.2. In relation to any notice received under section 7.1.1, the Customer shall have a period of 30 (thirty) days from the date of the notice to inform Diesta in writing of any reasonable objection to the use of the Sub-Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Customer's objection, work together in good faith to attempt to find a commercially reasonable solution for the Customer which avoids the use of the objected-to Sub-Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever.

8. Personal Data Breach

8.1. Upon becoming aware of a Personal Data Breach involving the Customer's Personal Data, Diesta will notify the Customer without undue delay and within 24 hours. This notification will include all information reasonably necessary for the Customer to fulfill its obligations under applicable Data Protection Laws.

8.2. Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the Parties will co-ordinate with each other to investigate the matter. Further, Diesta will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter.

9. Data Subject requests

9.1. Diesta will, to the extent legally permissible, promptly notify the Customer of any communication from a Data Subject regarding the processing of the Customer’s Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Customer’s Personal Data.

9.2. Diesta will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of EU or UK GDPR. The Customer agrees to pay Diesta, if requested, for time and for out of pocket expenses incurred by Diesta in connection with the performance of its obligations under this section 9.

10. International transfers

10.1. Diesta (and any Sub-Processor) must not transfer or otherwise process the Personal Data outside the EEA without obtaining the Customer's prior written consent.

10.2. Where such consent is granted, Diesta may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:

10.2.1. Diesta is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. Diesta must identify in Annex 2 the territory that is subject to such adequacy regulations; or

10.2.2. Diesta participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Diesta (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the EU and UK GDPR. Diesta must identify in Annex 2 the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and Diesta must immediately inform the Customer of any change to that status; or

10.2.3. The transfer otherwise complies with the Data Protection Legislation for the reasons set out in Annex 2.

10.3. If any Personal Data transfer between the Customer and Diesta requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Diesta outside the EEA), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.

11. Records and audits

11.1. Diesta will keep detailed, accurate and up-to-date written records regarding any processing of the Customer’s Personal Data.

11.2. Diesta will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by the Customer, or an auditor mandated by the Customer.

11.3. For the purposes of demonstrating compliance with this DPA, the Parties agree that once per year during the term of the Terms, Diesta will allow the Customer, on reasonable notice, to audit Diesta's compliance with this DPA (including responses to cybersecurity and other assessments). The Customer agrees to pay Diesta, if requested, for time and for out-of-pocket expenses incurred by Diesta in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.

12. Data deletion and destruction

12.1. Diesta will cease processing the Customer’s Personal Data upon the termination or expiry of the Terms, and at the option of the Customer either return or delete (including by ensuring such data is in non-readable format) all copies of the Customer’s Personal Data as processed by Diesta, unless (and solely to the extent and for such period as) country law requires storage of such Personal Data.

12.2. Diesta may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulatory obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms.

13. Precedence

The provisions of this DPA are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this DPA and the provisions of the Terms, the provisions of this DPA shall prevail.

Annex 1: Description of Processing of the Customer’s Personal Data

1. Duration of the Processing of the Personal Data

For the duration of the term of the Terms.

2. The Subject Matter of the Personal Data

The delivery of the Services pursuant to the Terms, particularly the provision of a Software as a Service platform for reconciliation of insurance premiums and associated payments.

3. The Nature and Purpose of the Processing of Personal Data

The collection, storage, disclosure (as permitted by this DPA) and deletion of Personal Data for the purposes of providing the Services.

4. The categories of Data Subject to whom the Customer's Personal Data relates

The categories of Data Subjects include:

5. The types of Personal Data to be Processed

The types of Personal Data to be processed include:

6. Special categories of Personal Data

None.

Annex 2: Authorised Sub-Processors

| Name of Sub-Processor | Description of Processing | Location of Sub-Processor | Transfer mechanism |
| --- | --- | --- | --- |
| Amazon Web Services | Hosting the Production Environment | UK | N/A |
| OpenAI | AI functionality inc. ingestion tool that provides automated field mapping | USA | Customer Data provided by Customer located in the UK in accordance with the EU SCCs as amended by the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”) |

Annex 3: Security Measures

1. Security Standards

Diesta adheres to industry-leading security standards, including ISO 27001:2022 and SOC 2 Type II, ensuring robust protection and compliance across all operations.

2. Access Control

2.1. Internal Access: We implement role-based access controls (RBAC) and single sign-on (SSO) for internal systems, enforce multi-factor authentication (MFA) for AWS access, and use unique user identifiers. Access is granted based on the principle of least privilege, with periodic audits and prompt revocation procedures.

2.2. Customer Access: Customer Data is logically separated by organisation accounts with unique user identifiers. We use RBAC for Customer access, allow granular permission management, and ensure secure access protocols with comprehensive audit trails.

3. Data Protection

3.1. Encryption: Encryption is used to protect Customer Data both in transit and at rest.

3.2. Data Minimisation: Personal Data collected and processed is limited to what is necessary for its intended purpose.

3.3. Data Retention: Data is retained for the lifetime of the Customer.

3.4. Input Controls: Diesta implements comprehensive input controls to ensure the accuracy, completeness, and authorisation of Customer Data entered into the system. These controls include validation checks, roles-based access controls and authorisation protocols for users, audit trails, edit checks, and segregation of duties to maintain data integrity and prevent unauthorised data modifications. Personal Data cannot be modified on Diesta.

4. Cloud Infrastructure Security

4.1. Environmental Management: Separate production and non-production environments, VPN-backed resource deployment, and network security policies are employed to safeguard infrastructure.

4.2. Network Security: Diesta utilises Virtual Private Cloud (VPC) segmentation to enhance network security and isolation. Regular vulnerability assessments and penetration testing (VAPTs) are conducted to identify and promptly remediate security weaknesses.

4.3. Security Measures: Regular security audits, secrets management, and service log monitoring are integral to our approach.

5. Availability Control

5.1. Resilience & Recovery: Comprehensive backup and disaster recovery plans ensure quick restoration of services. Continuous system monitoring and fault reporting, along with anti-malware and patch management, support ongoing availability.

5.2. Redundancy: Redundancy and failover mechanisms, including geographically distributed data centers in the UK, maintain service availability.

6. Incident Response & Management

6.1. Incident Handling: A comprehensive incident response plan includes proactive monitoring, coordination with stakeholders, and post-incident reviews for continual improvement.

7. Third-Party Risk Management

7.1. Due Diligence: We conduct thorough due diligence and security assessments for Sub-Processors, suppliers, and subcontractors. Contracts mandate robust security measures in line with Diesta’s commitments to its Customers, and ongoing monitoring ensures compliance.

7.2. Incident Coordination: Third parties are integrated into our incident response processes to mitigate any impacts on Customer’s Personal Data.

8. Security Governance

8.1. Regular Audits: Diesta conducts internal and external audits to ensure the effectiveness of security measures and compliance with data protection laws and industry standards (as specified above).

8.2. Policy Review: Security policies and procedures are reviewed and updated at least annually or in response to significant regulatory or threat landscape changes.

8.3. Employee Training & Onboarding: All new employees undergo thorough security checks during onboarding, including background checks where applicable. They receive mandatory training on Diesta’s security policies, procedures, and best practices to ensure they understand and adhere to our security measures.

Diesta/DPA/V03/CD Public Use