Universoftware logoUniversoftware
Legal

Data Processing Addendum

This Data Processing Addendum applies where Universoftware Ltd processes personal data on behalf of a customer in connection with services governed by the Platform Services Terms or another written agreement that incorporates this addendum.

Scope

This addendum applies only to processing activities for which:

  • the customer acts as a controller, business, or equivalent primary decision-maker for the relevant personal data; and
  • Universoftware Ltd acts as a processor, service provider, or equivalent data handler on the customer's behalf.

If the parties each determine the purposes and means of processing for their own separate activities, they act as independent controllers for those activities and this addendum does not convert those activities into processor relationships.

Subject Matter and Duration

The subject matter, nature, purpose, categories of personal data, categories of data subjects, and duration of processing depend on the applicable services and the customer's documented use of them.

Unless more specific information is set out in an order form, statement of work, service description, or other written instruction, processing under this addendum may include hosting, storage, transmission, organisation, retrieval, support, maintenance, security monitoring, troubleshooting, backup, migration, and deletion of customer personal data as reasonably necessary to provide the services.

Roles of the Parties

The customer:

  • determines whether the services are appropriate for its intended processing;
  • remains responsible for the lawfulness of the personal data it submits or makes available; and
  • is responsible for providing required notices and obtaining required consents or other lawful bases.

Universoftware Ltd:

  • processes customer personal data only on documented instructions from the customer, unless applicable law requires otherwise;
  • may process customer personal data as necessary to comply with law, prevent fraud, maintain security, and protect the services, provided that such processing remains consistent with applicable law; and
  • acts as an independent controller for its own business operations where applicable, including account management, billing, relationship management, legal compliance, and security logging relating to its own services.

Customer Instructions

The parties agree that the customer's configuration, use of the services, support requests, order forms, statements of work, and written directions constitute documented instructions for processing under this addendum.

If Universoftware Ltd reasonably believes an instruction breaches applicable data protection law, it may suspend the affected processing and notify the customer.

Confidentiality

Universoftware Ltd ensures that persons authorised to process customer personal data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

Security

Universoftware Ltd implements appropriate technical and organisational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature of the processing, the state of the art, implementation cost, and the risks to individuals.

Such measures may include, where appropriate:

  • access controls and least-privilege access;
  • logical separation of environments and accounts;
  • encryption in transit and, where applicable, at rest;
  • logging, monitoring, and incident response processes;
  • vulnerability management, remediation, and security review processes; and
  • backup, recovery, and resilience measures.

Subprocessors

The customer authorises Universoftware Ltd to use subprocessors to support delivery of the services.

Universoftware Ltd maintains information about its subprocessors at Subprocessors.

Universoftware Ltd remains responsible for the performance of its subprocessors' obligations to the extent required by applicable data protection law and the parties' agreement.

International Transfers

Where customer personal data is transferred outside the UK or EEA, Universoftware Ltd ensures that an appropriate transfer mechanism is used as required by applicable law, which may include adequacy decisions, the UK addendum, the UK extension or bridge to an approved framework, standard contractual clauses, or another valid transfer mechanism.

Assistance

Taking into account the nature of the processing and the information available to it, Universoftware Ltd provides reasonable assistance to the customer with:

  • responding to requests from data subjects;
  • data protection impact assessments and prior consultations where required;
  • demonstrating compliance with the processor obligations under applicable data protection law; and
  • managing personal data breach response obligations.

Security Incidents

If Universoftware Ltd becomes aware of a confirmed personal data breach affecting customer personal data processed under this addendum, it notifies the customer without undue delay and provides information reasonably available to it about the nature of the incident, likely consequences, and the measures taken or proposed.

Deletion and Return

On termination or expiry of the relevant services, Universoftware Ltd deletes or returns customer personal data covered by this addendum, unless retention is required by applicable law or is reasonably necessary for security, backup integrity, dispute resolution, fraud prevention, or legal compliance.

Audits and Information

Universoftware Ltd makes available information reasonably necessary to demonstrate compliance with this addendum and applicable processor obligations.

Where information provided is insufficient and applicable law gives the customer an audit right, the customer may request a reasonable audit or independent assessment subject to appropriate confidentiality, security, scope, timing, and cost controls.

Liability and Precedence

This addendum forms part of the agreement governing the relevant services. Liability arising under this addendum is subject to the liability framework in the applicable services agreement unless applicable data protection law requires otherwise.

If there is a conflict between this addendum and the applicable services agreement on data processing matters, this addendum prevails to the extent of that conflict.

Contact

Questions about this addendum can be sent to:

Universoftware Ltd
Company number 12780329
71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ
legal@universoftware.ai