Governance360 Data Processing Addendum

This is the Data Processing Agreement of the service provided by Board Secure Ltd t/a Governance360 Group.

Background

This Data Processing Addendum (the Addendum) forms part of the Terms of Use (and any additional or related documentation), as updated or amended from time to time (the Agreement), between you, the Customer (as defined below) and Board Secure Ltd t/a Governance360 Group.

All capitalised terms not defined in this Addendum have the meaning set out in the Agreement.

This Addendum only applies if and to the extent Board Secure Ltd processes personal data on behalf of a Customer that qualifies as a controller with respect to that personal data under Applicable Data Protection Law (as defined below). If the Customer entered into earlier data processing terms with Board Secure Ltd, this Addendum replaces those terms.

This Addendum was last updated on 4th February 2025.

 

1. Data protection

 

1.1 Definitions

In this Addendum, the following terms have the following meanings:

a) controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law

b) Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and/or the UK General Data Protection Regulation (the UK GDPR) and any EU Member State and/or UK laws made under or pursuant to the GDPR and/or UK GDPR

c) Customer has the same meaning as 'Business Customer' in clause 4 of the Terms of Sale

 

1.2 Relationship of the parties

The Customer (the controller) appoints Board Secure Ltd as a processor to process the personal data described in Appendix B (the Data) only on the controller’s documented instructions (and as per the terms set out in this Addendum) for the purposes described in the Agreement or as otherwise agreed in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that apply to it under Applicable Data Protection Law.

 

1.3 Prohibited data

Unless explicitly requested by Board Secure Ltd to do so, the Customer will not disclose (and will not permit any data subject to disclose) any special categories of personal data to Board Secure Ltd for processing.  See clause 6 (Member Content) of the Terms of Use for more.

 

1.4 International transfers

This topic is covered in more detail in Clause 9 of the GDPR statement here, which is regularly updated.

 

1.5 Confidentiality of processing

Board Secure Ltd will ensure that any person it authorises to process the Data (an Authorised Person) will protect the Data in accordance with Board Secure Ltd’s confidentiality obligations under the Agreement.

 

1.6 Security

Board Secure Ltd will implement technical and organisational measures, as set out in Appendix A, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a Security Incident). These are also covered in more detail here - Security Measures.

 

1.7 Subcontracting

The Customer consents to Board Secure Ltd engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:

(i) Board Secure Ltd maintains an up-to-date list of its subprocessors, which is available on its website here - Sub Processors;

(ii) Board Secure Ltd imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and

(iii) Board Secure Ltd remains liable for any breach of this Addendum that is caused by an act, error or omission by its subprocessor. The Customer may object to Board Secure Ltd’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Board Secure Ltd will either not appoint or replace the subprocessor or, if Board Secure Ltd determines at its sole discretion that this is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).

 

1.8 Cooperation and data subjects’ rights

Board Secure Ltd will provide reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to:

(i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and

(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to Board Secure Ltd, Board Secure Ltd will promptly inform the Customer, providing full details.

 

1.9 Data protection impact assessment

If Board Secure Ltd believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it will inform the Customer and provide reasonable cooperation to the Customer in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

 

1.10 Security incidents

If it becomes aware of a confirmed Security Incident, Board Secure Ltd will inform the Customer without undue delay and will provide reasonable information and cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Board Secure Ltd will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident.

 

1.11 Deletion or return of data

This is covered in detail, and regularly updated, within our GDPR notice, clause 8, which can be found here.

 

1.12 Audit

Board Secure Ltd will make available to the Customer, any Regulator or their representatives any information required to demonstrate compliance with its obligations under this Addendum and allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer at the Customer's cost.

 

Appendix A – Security measures

Information regarding the technical and organisational measures in place to protect Data in accordance with clause 1.6 of this Addendum is available on Board Secure Ltd's security page - Security Measures.

 

Appendix B – Data processing schedule

1. Subject matter and duration of processing of personal data

The subject matter of personal data to be processed is that entered by the Customer into the Governance360 platform.  This is covered in more detail in Clause 7 of the GDPR statement.

 

2. Nature and purpose of processing personal data

The nature and purpose of processing personal data is to enable the functionality of the Governance360 Platform as set out in the Agreement and related documentation.

 

3. Types of personal data processed

The types of personal data processed are outlined in Clause 6 of our GDPR statement.

 

4. Categories of data subjects

The categories of data subjects are outlined in our GDPR statement.

 

Appendix C – Data Breach notification procedure form

Data Security Breach notifications will be made electronically and contain at least the following minimum details regarding the Data Security Breach:

1. Nature of the Breach

[Board Secure Ltd will include details of the breach which will include categories of the breach and approximate numbers of affected data subjects]

2. Potential consequences

[Board Secure Ltd will describe the likely consequences of the breach, for example media coverage]

3. Mitigation measures

[Board Secure Ltd will outline the measures it will take to address and mitigate the breach]