Terms & Conditions
Brego Terms v1.0
1. Definitions
In this Agreement, the following words shall have the following meanings:
“Agreement” means these Terms and Conditions together with each Order
Form, the DPA and the Privacy Policy;
“Authorised Users” means employees, agents, consultants, clients, customers or
independent contractors of the Customer who have been
expressly authorised by the Customer to receive a password in
order to access the Services;
“Business Day” means 9.00 am to 6.00 pm UK local time on a Monday to Friday
(excluding any national holiday in the UK);
“Company” means Brego Limited;
“Confidential Information” means any and all information in whatsoever form relating to the
Company or the Customer, or the business, prospective
business, finances, technical processes, computer software
(both source code and object code), Intellectual Property Rights
or finances of the Company or the Customer (as the case may
be), or compilations of two or more items of such information,
whether or not each individual item is in itself confidential, which
comes into a party’s possession by virtue of its entry into this
Agreement or provision of the Services, and which the party
regards, or could reasonably be expected to regard, as
confidential and any and all information which has been or may
be derived or obtained from any such information;
“Customer Data” means all data imported into the Services for the purpose of
using the Services or facilitating the Customer’s use of the
Services;
“Customer” means the company or person named in the Order Form;
“DPA” means the data processing agreement of the Company
published at https://www.brego.io/dpa as amended from time to
time;
“Effective Date” means the date set out in the Order Form;
“Feedback” means feedback, innovations or suggestions created by the
Customer or Authorised Users regarding the attributes,
performance or features of the Services;
“Fees” means the fees set out in the Order Form payable by the
Customer during the Term for the Services, after expiry of the
Trial Period;
“Force Majeure” means anything outside the reasonable control of a party,
including but not limited to, acts of God, fire, storm, flood,
earthquake, explosion, accident, acts of the public enemy, war,
rebellion, insurrection, sabotage, epidemic, pandemic,
quarantine restriction, labour dispute, labour shortage, power
shortage, including without limitation where Company ceases to
be entitled to access the Internet for whatever reason,
transportation embargo, failure or delay in transportation, any
act or omission (including laws, regulations, disapprovals or
failures to approve) of any government or government agency;
“Intellectual Property Rights” means all copyrights, patents, utility models, trademarks,
service marks, registered designs, moral rights, design rights
(whether registered or unregistered), technical information,
know-how, database rights, semiconductor topography rights,
business names and logos, computer data, generic rights,
proprietary information rights and all other similar proprietary
rights (and all applications and rights to apply for registration or
protection of any of the foregoing) as may exist anywhere in the
world;
“Order Form” means each Company order form completed by the parties;
“Privacy Policy” means the privacy policy of the Company published at
https://www.brego.io/privacy-policy as amended from time to
time;
“Renewal Term” means the renewal period set out in the Order Form;
“Services” means the software applications services of the Company,
ordered by the Customer and set out in each Order Form which
are made available to the Customer and its Authorised Users in
accordance with the terms of this Agreement, including any
computer software programmes and, if appropriate, Updates
thereto;
“Statistical Data” means aggregated, anonymised data derived from the
Customer or an Authorised User’s use of the Services which
does not include any personal data or Customer Confidential
Information;
“Subscription Fee” means the subscription fee set out in each Order Form payable
by the Customer to the Company for the Services during the
Term;
“Term” means the Trial Period, plus any Renewal Terms together;
“Terms and Conditions” means these terms and conditions of the Company;
“Trial Period” means any free trial period included in an Order Form;
“Updates” means any new or updated applications services or tools
(including any computer software programmes) made available
by the Company as part of the Services.
2. Services
2.1 The Customer engages the Company and the Company agrees to provide the Services to the
Customer from the Effective Date for the Term in accordance with the terms of this Agreement.
2.2 The Customer and Authorised Users shall use the Services in accordance with the terms of
this Agreement.
3. Licence
3.1 The Customer is granted a non-exclusive and non-transferable licence to permit Authorised
Users to use the Services (including any associated software, Intellectual Property Rights and
Confidential Information) during the Term. Such licence shall permit the Customer to make
cache copies of software or other information as are required for the Customer to receive the
Services via the Internet. Where open source software is used as part of the Services, such
software use by the Customer will be subject to the terms of the open source licences.
3.2 No right to modify, adapt, or translate the Services or create derivative works from the Services
is granted to the Customer. Nothing in this Agreement shall be construed to mean, by inference
or otherwise, that the Customer has any right to obtain source code for the software comprised
within the Services.
3.3 Disassembly, decompilation or reverse engineering and other source code derivation of the
software comprised within the Services is prohibited. To the extent that the Customer is granted
the right by law to decompile such software in order to obtain information necessary to render
the Services interoperable with other software (and upon written request by the Customer
identifying relevant details of the Services(s) with which interoperability is sought and the nature
of the information needed), the Company will provide access to relevant source code or
information. The Company has the right to impose reasonable conditions including but not
limited to the imposition of a reasonable fee for providing such access and information.
3.4 Unless otherwise specified in this Agreement, the Services are provided and may be used
solely by the Customer as part of the Customer’s website/desktop architecture. Except as
specifically stated in this Agreement, the Customer may not: (i) lease, loan, resell or otherwise
distribute the Services save as permitted in writing by the Company; (ii) use the Services to
provide ancillary services related to the Services; or (iii) permit access to or use of the Services
by or on behalf of any third party.
3.5 The Customer warrants and represents that it shall maintain reasonable security measures (as
may change over time) covering, without limitation, confidentiality, authenticity and integrity to
ensure that the access to the Services granted under this Agreement is limited as set out under
this Agreement.
3.6 The Company may suspend access to the Services, or portion thereof, at any time, if in the
Company’s sole reasonable discretion, the integrity or security of the Services is in danger of
being compromised by acts of the Customer or Authorised Users. Where possible, the
Company shall give the Customer 24 hours written notice, before suspending access to the
Services, giving specific details of its reasons.
4. Intellectual Property Rights
4.1 All Intellectual Property Rights and title to the Services (save to the extent incorporating any
Customer Data, Customer or third party owned item) shall remain with the Company and/or its
licensors and subcontractors. No interest or ownership in the Services, the Intellectual Property
Rights or otherwise is transferred to the Customer under this Agreement.
4.2 The Customer shall retain sole ownership of all rights, title and interest in and to Customer Data
and its pre-existing Intellectual Property Rights. The Customer grants the Company a
non-exclusive licence to use Customer Data, Customer Intellectual Property Rights and any
third party owned item from the Effective Date for the Term to the extent required for the
provision of the Services.
4.3 The Customer is not allowed to remove any proprietary marks or copyright notices from the
Services.
4.4 The Customer grants the Company a non-exclusive, non-transferable, revocable licence to use
the Customer’s name, logo and trademarks, as designated and/or amended by the Customer
from time to time for the purposes of providing the Services.
4.5 The Customer assigns all rights, title and interest in any Feedback to the Company. If for any
reason such assignment is ineffective, the Customer shall grant the Company a non-exclusive,
perpetual, irrevocable, royalty free, worldwide right and licence to use, reproduce, disclose,
sub-licence, distribute, modify and exploit such Feedback without restriction.
4.6 The Customer grants the Company the perpetual right to use Statistical Data and nothing in this
Agreement shall be construed as prohibiting the Company from using the Statistical Data for
business and/or operating purposes, provided that the Company does not share with any third
party Statistical Data which reveals the identity of the Customer or Customer’s Confidential
Information.
4.7 The Company may take and maintain technical precautions to protect the Services from
improper or unauthorised use, distribution or copying.
5. Fees, Invoicing and Payments
5.1 No Subscription Fees shall be charged for use of the Services during a Trial Period.
5.2 Upon expiry of a Trial Period the Company will charge the Customer the Subscription Fees for
each Renewal Period.
5.3 The Company shall issue invoices to the Customer for the Fees as set out in the Order Form.
5.4 Fees are based upon the actual bandwidth used or API call ups as set out in each Order Form.
5.5 All Fees exclude any Value Added Tax legally payable on the date of the invoice, which shall be
paid by the Customer in addition, where applicable.
5.6 The Customer shall pay all Fees to the Company within 30 days of the date of each invoice
unless stated otherwise in the Order Form.
5.7 Where payment of any Fees is not received within 7 days of the due payment date, the
Company may, without liability to the Customer, disable the Customer’s password, account and
access to all or part of the Services or Implementation Services and the Company shall be
under no obligation to provide any or all of the Services or Implementation Services while the
invoice(s) concerned remains unpaid. The Company shall be entitled to charge interest on
overdue Fees at the applicable statutory rate.
5.8 The Company reserves the right to recover any costs and reasonable legal fees it incurs in
recovering overdue payments.
5.9 The Company is entitled to increase Fees upon giving the Customer 60 days prior written notice
of any changes. Increases shall apply from the start of the next applicable Renewal Period,
unless the Customer terminates the Agreement. The Company shall not increase prices more
than inflation unless there is a change in the services offered which are agreed by both parties
in writing prior.
6. Use of the Services
6.1 The Customer specifically agrees that it has the sole responsibility for the legality, reliability,
integrity, accuracy and quality of the Customer Data and all data created via any use of the
Services, in particular any price indications created by the Services.
6.2 All information created by the Services or used by the Customer, its Authorised Users or any
third party, in particular any price indications, are provided for guidance purposes only to assist
the Customer in evaluating market values of vehicles. All price indications are provided purely
for the purpose of assisting the Customer in making its own assessment of the actual or likely
future value of any particular vehicle.
6.3 No price indications should be relied upon or used by the Customer, without the Customer
making its own individual professional assessment of the actual or future market value of each
vehicle and the Company excludes all liability whatsoever for any reliance upon or use of the
price indications by the Customer, its Authorised Users or a third party.
6.4 For the purposes of these terms, "Mobile Homes" or “Holiday Homes” refer to prefabricated
structures that are transportable in one or more sections and designed to be used as dwellings
when connected to the required utilities. This definition specifically excludes any land, plot, site,
pitch, or any leasehold or freehold interests associated with the location where the mobile home
is situated.
6.5 The Customer acknowledges that any price indications or valuations provided by the Services
for Mobile Homes pertain solely to the mobile home asset itself. These valuations expressly
exclude any value associated with the plot of land, site, pitch, or any leasehold or freehold
interests upon which the Mobile Home is situated.
6.6 It is the sole responsibility of the Customer to assess and consider any additional factors
affecting the overall value of a Mobile Home. This includes, but is not limited to, the value of the
land or plot, site fees, ground rent, and any other associated costs, rights, or obligations.
6.7 The Company expressly disclaims any liability for any claims, losses, damages, costs, or
expenses arising from the Customer's reliance upon the price indications for Mobile Homes,
including any misunderstandings or disputes concerning the inclusion of land or plot value in
such valuations.
6.8 The Customer agrees not to misrepresent or imply to any third party that the valuations provided
include the value of the plot of land or any associated real estate interests.
6.9 The Customer shall indemnify and hold harmless the Company against any and all liabilities,
damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in
connection with any breach of this clause by the Customer or its Authorised Users.
6.10 Any downloadable materials provided to the Customer through the Services, including but not
limited to PDF reports and valuation documents, are furnished solely for the Customer’s own
internal and personal use. The Customer shall not reproduce, distribute, transmit, sell, rent,
lease, sublicense, share, or otherwise make these materials available to any third party without
the Company’s prior written consent. Save that the Customer may share material with an
individual at any of the Customer’s holiday park locations in the context of a transaction or
potential transaction between the Customer and an individual owner or potential owner at one of
its parks. The Customer must make the individual owner or potential owner aware that the
valuation is for guidance purposes only and is only for the Mobile Home or Holiday Home asset.
7. Warranties
7.1 Each party warrants and represents that: (i) it has full corporate power and authority to enter
into this Agreement and to perform the obligations required hereunder; (ii) the execution and
performance of its obligations under this Agreement does not violate or conflict with the terms of
any other agreement to which it is a party and is in accordance with any applicable laws; and
(iii) it shall respect all applicable laws and regulations, governmental orders and court orders,
which relate to this Agreement.
7.2 The Company warrants to the Customer that: (i) it has the right to license the Services; (ii) the
Services shall be performed with reasonable skill and care and in a professional manner in
accordance with good industry practice; (iii) the Services shall operate to materially provide the
facilities and functions provided by the Company; and (iv) in performing the Services the
Company will not infringe the Intellectual Property Rights of any third party or be in breach of
any obligations it may have to a third party. The foregoing warranties shall not: (a) cover
deficiencies or damages relating to any third party components not furnished by the Company;
or (b) any third party provided connectivity necessary for the provision or use of the Services.
7.3 No warranty is made regarding the results of usage of the Services or that the functionality of
the Services will meet the requirements of the Customer or that the Services will operate
uninterrupted or error free.
7.4 The Customer warrants and represents to the Company that: (i) it rightfully owns the necessary
user rights, copyrights and ancillary copyrights and permits required for it to fulfil its obligations
under this Agreement; (ii) it shall maintain reasonable security measures (as may change over
time) covering, without limitation, confidentiality, authenticity and integrity to ensure that the
access to the Services granted under this Agreement is limited as set out under this Agreement.
In particular the Customer and Authorised Users shall treat any identification, password or
username or other security device for use of the Services with due diligence and care and take
all necessary steps to ensure that they are kept confidential, secure and are used properly and
are not disclosed to unauthorised persons. Any breach of the above shall be immediately
notified to the Company in writing. The Customer shall be liable for any breach of this
Agreement by any Authorised Users; and (iii) it shall ensure that its network and systems
comply with the relevant specification provided by the Company from time to time and that it is
solely responsible for procuring and maintaining its network connections and
telecommunications links from the Customer’s systems to the Company’s data centres and all
problems, conditions, delays, delivery failures and all other loss or damage arising from or
relating to the Customer’s network connections or telecommunications links or caused by the
Internet.
7.5 All third party content or information provided by the Company via the Services, for example
price indications, is provided “as is”. The Company provides no warranties in relation to such
content or information and shall have no liability whatsoever to the Customer for its use or
reliance upon such content or information.
7.6 Except as expressly stated in this Agreement, all warranties and conditions, whether express or
implied by statute, common law or otherwise (including but not limited to satisfactory quality and
fitness for purpose), are hereby excluded to the fullest extent permitted by law.
7.7 The Customer acknowledges that Services should not be used for high risk applications where
precise locations or features on maps are essential to the Customer.
8. Liability
8.1 Neither party excludes or limits its liability to the other for fraud, death or personal injury caused
by any negligent act or omission or wilful misconduct.
8.2 In no event shall either party be liable to the other whether arising under this Agreement or in
tort (including negligence or breach of statutory duty), misrepresentation or however arising, for
any Consequential Loss. ‘Consequential Loss’ shall for the purposes of this section mean: (i)
pure economic loss; (ii) losses incurred by any client of the Customer or other third party; (iii)
loss of profits (whether categorised as direct or indirect loss); (iv) losses arising from business
interruption; (v) loss of business revenue, goodwill or anticipated savings; and (vi) losses
whether or not occurring in the normal course of business, wasted management or staff time.
8.3 Subject to clauses 8.1 and 8.2, the total liability of the Company to the Customer in aggregate
(whether in contract, tort or otherwise) under or in connection with this Agreement or based on
any claim for indemnity or contribution shall be limited to one hundred (100) per cent of the total
Fees (excluding any VAT, duty, sales or similar taxes) paid or payable by the Customer to the
Company during the twelve (12) month period prior to the date on which such claim arose. If the
duration of the Agreement has been less than twelve (12) months, such shorter period shall
apply.
8.4 The Customer shall be liable for any breaches of this Agreement caused by the acts, omissions
or negligence of any Authorised Users who access the Services as if such acts, omissions or
negligence had been committed by the Customer itself.
8.5 In no event shall the Customer raise any claim under this Agreement more than one (1) year
after: (i) the discovery of the circumstances giving rise to such claim; or (ii) the effective date of
the termination of this Agreement.
8.6 The parties acknowledge and agree that in entering into this Agreement, each had recourse to
its own skill and judgement and have not relied on any representation made by the other, their
employees or agents.
9. Indemnities
9.1 The Company shall, at its own expense: (i) defend, or at its option, settle any claim or suit
brought against the Customer by a third party on the basis of infringement of any Intellectual
Property Rights by the Services (excluding any claim or suit deriving from any Customer
provided item); and (ii) pay any final judgement entered against the Customer on such issue or
any settlement thereof, provided that: (a) the Customer notifies the Company promptly of each
such claim or suit; (b) the Company is given sole control of the defence and/or settlement; and
(c) the Customer fully co-operates and provides all reasonable assistance to the Company in
the defence or settlement.
9.2 If all or any part of the Services becomes, or in the opinion of the Company may become, the
subject of a claim or suit of infringement, the Company at its own expense and sole discretion
may: (i) procure for the Customer the right to continue to use the Services or the affected part
thereof; or (ii) replace the Services or affected part with other suitable non-infringing service(s);
or (iii) modify the Services or affected part to make the same non-infringing.
9.3 The Company shall have no obligations under this clause 9 to the extent that a claim is based
on: (i) the combination, operation or use of the Services with other services or software not
provided by the Company, if such infringement would have been avoided in the absence of such
combination, operation or use; or (ii) use of the Services in any manner inconsistent with the
terms of this Agreement; or (iii) the negligence or wilful misconduct of the Customer.
9.4 The Customer shall defend, indemnify and hold the Company and its employees,
sub-contractors or agents harmless from and against any cost, losses, fines, liabilities and
expenses, including reasonable legal costs arising from any claim relating to or resulting directly
or indirectly from: (i) any claimed infringement or breach by the Customer of any Intellectual
Property Rights with respect to the Customer’s use of the Services outside the scope of this
Agreement; (ii) any access to or use of the Services by Authorised User or a third party in
breach of the terms of this Agreement; and (iii) use by the Company of any Customer Data or
Customer or Authorised User’s provided item; and (iv) breaches of data protection law or
regulations or the terms of the DPA by the Customer; and the Company shall be entitled to take
reasonable measures to prevent the breach from continuing.
9.5 Subject to clauses 9.1 to 9.4 inclusive, each party (‘the first party’) indemnifies and undertakes
to keep indemnified the other party, its officers, servants and agents (‘the second party’) against
any costs or expenses (including the cost of any settlement) arising out of any claim, action,
proceeding or demand that may be brought, made or prosecuted against the second party
under clause 9 of this Agreement. Such indemnity extends to and includes all costs, damages
and expenses (including legal fees and expenses) reasonably incurred by the second party in
defending any such action, proceeding, claim or demand.
10. Term and Termination
10.1 This Agreement shall begin on the Effective Date and continue for the Trial Period. Upon expiry
of the Trial Period, the Agreement shall automatically renew for successive Renewal Terms until
a party terminates the Agreement in accordance with its rights set out below.
10.2 The Company may immediately terminate this Agreement or the provision of any Services
provided pursuant to this Agreement if: (i) the Customer has used or permitted the use of the
Services otherwise than in accordance with this Agreement; or (ii) the Company is prohibited,
under the laws of England or otherwise, from providing the Services.
10.3 Either party may terminate this Agreement at any time by giving at least 30 days written notice
prior to the start of any Renewal Term. Such notice shall be effective from the start date of the
next applicable Renewal Term.
10.4 Either party shall be entitled to terminate this Agreement on written notice to the other party if
the other party: (i) goes into voluntary or involuntary liquidation (otherwise than for the purpose
of a solvent reconstruction or amalgamation) or has a receiver or administrator or similar person
appointed or is unable to pay its debts within the meaning of s268 Insolvency Act 1986 or
ceases or threatens to cease to carry on business or if any event occurs which is analogous to
any of the foregoing in another jurisdiction; or (ii) commits a material breach of any term of this
Agreement which, if capable of remedy, is not remedied within 30 days of receipt of a written
notice specifying the breach and requiring it to be remedied; (iii) is prevented by Force Majeure
from fulfilling its obligations for more than 28 days.
10.5 Upon termination of this Agreement: (i) the Company shall immediately cease providing the
Services to the Customer and all licences granted hereunder shall terminate; (ii) the Customer
shall promptly pay the Company all unpaid Fees for the remainder of the Term. No Fees already
paid shall be refunded if the Agreement is terminated prior to the end of the Term; (iii) at the
option of the Customer, following receipt of a request from the Customer delete (in accordance
with the terms of the DPA) or return all Customer Data stored in the Company’s database in a
machine readable format, free of charge, provided that such request is made within 30 days of
termination. If the Customer requires any Customer Data to be returned in a different format the
Company reserves the right to charge for this additional service on time and materials basis.
10.6 Termination of this Agreement for whatever reason shall not affect the accrued rights of the
parties. All clauses which by their nature should continue after termination shall, for the
avoidance of doubt, survive the expiration or sooner termination of this Agreement and shall
remain in force and effect.
11. Confidential Information
11.1 Each party may use the Confidential Information of a disclosing party only for the purposes of
this Agreement and must keep confidential all Confidential Information of each disclosing party
except to the extent (if any) the recipient of any Confidential Information is required by law to
disclose the Confidential Information.
11.2 Either party may disclose the Confidential Information of the other party to those of its
employees and agents who have a need to know the Confidential Information for the purposes
of this Agreement but only if the employee or agent executes a confidentiality undertaking in a
form approved by the other party.
11.3 Both parties agree to return all documents and other materials containing Confidential
Information immediately upon completion of the Services.
11.4 The obligations of confidentiality under this Agreement do not extend to information that: (i)
was rightfully in the possession of the receiving party before the negotiations leading to this
Agreement; (ii) is, or after the day this Agreement is signed, becomes public knowledge
(otherwise than as a result of a breach of this Agreement); or (iii) is required by law to be
disclosed.
12. Data Protection
12.1 Each party undertakes to comply with its obligations under relevant applicable data protection
laws, principles and agreements.
12.2 To the extent that personal data is processed when the Customer or its Authorised Users use
the Services, the parties acknowledge that the Company is a data processor and the Customer
is a data controller and the parties shall comply with their respective obligations under
applicable data protection law and the terms of the DPA.
12.3 If a third party alleges infringement of its data protection rights, the Company shall be entitled to
take measures necessary to prevent the infringement of a third party’s rights from continuing.
12.4 Where the Company collects and processes personal data of the Customer, as a data controller,
when providing the Services to the Customer for example when the Customer provides an email
address upon registering to use the Services, such collection and processing shall be in
accordance with the Privacy Policy.
13. No Third Party Rights
Nothing contained in this Agreement is intended to be enforceable by a third party under the
Contracts (Rights of Third Parties) Act 1999, or any similar legislation in any applicable
jurisdiction.
14. Force Majeure
14.1 If a party is wholly or partially prevented by Force Majeure from complying with its obligations
under this Agreement, then that party’s obligation to perform in accordance with this Agreement
will be suspended.
14.2 As soon as practicable after an event of Force Majeure arises, the party affected by Force
Majeure must notify the other party of the extent to which the notifying party is unable to perform
its obligations under this Agreement. If the Force Majeure event lasts for more than 28 days the
non-defaulting party may terminate this Agreement with immediate effect without penalty.
15. Miscellaneous
15.1 Should a provision of this Agreement be invalid or become invalid then the legal effect of the
other provisions shall be unaffected. A valid provision is deemed to have been agreed which
comes closest to what the parties intended commercially and shall replace the invalid provision.
The same shall apply to any omissions.
15.2 This Agreement constitutes the whole agreement and understanding between the parties and
supersedes all prior agreements, representations, negotiations and discussions between the
parties relating to the subject matter thereof.
15.3 In the event of any inconsistency between the content of the Order Form, the Terms and
Conditions, the DPA and the Privacy Policy, the provisions of the Order Form shall prevail
followed by the Terms and Conditions, the DPA and then the Privacy Policy.
15.4 No party may assign, transfer or subcontract its rights under this Agreement without the prior
written consent of the other party, such consent shall not be unreasonably withheld, however
the Company shall be entitled to assign the Agreement to: (i) any company in the Company’s group
of companies; or (ii) any entity that purchases the shares or assets of the Company as the result
of a merger, takeover or similar event, who is not a competitor of the Customer.
15.5 The Company and the Customer are independent contractors and nothing in this Agreement will
be construed as creating an employer-employee relationship.
15.6 Amendments to, or notices to be sent under this Agreement, shall be in writing and shall be
deemed to have been duly given if: (i) sent by registered post to a party at the address given for
that party in this Agreement; or (ii) to the email address of each party usually used to
correspond within the Services for invoicing purposes. Notwithstanding the aforesaid, the
Company may change or modify the terms of this Agreement upon giving the Customer 30 days’
notice via email. All changes shall be deemed to have been accepted by the Customer unless
the Customer terminates the Agreement prior to the expiry of the 30-day period.
15.7 Neither party shall make any public statement, press release or other announcement relating to
the terms or existence of this Agreement, or the business relationship of the parties, without the
prior written consent of the other party. Notwithstanding the aforesaid the Company may use the
Customer’s name and trademarks (logo only) to list the Customer as a client of the Company on
its website and in other marketing materials and information.
15.8 This Agreement shall be governed by the laws of England and Wales. The courts of England
shall have exclusive jurisdiction for the settlement of all disputes arising under this Agreement.
Appendix 1 - DATA PROCESSING AGREEMENT
This DPA is entered into between the Controller and the Processor and is incorporated into and
governed by the terms of the Agreement.
1. Definitions
Any capitalised term not defined in this DPA shall have the meaning given to it in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or
is under common control of a party. “Control”, for purposes of this
definition, means direct or indirect ownership or control of more than
50% of the voting interests of a party;
“Agreement” means the agreement between the Controller and the Processor for
the provision of the Services;
“CCPA” means the California Consumer Privacy Act of 2018, along with its
regulations and as amended from time to time;
“Controller” means the Customer;
“Data Protection Law” means all laws and regulations, including laws and regulations of the
European Union, the European Economic Area, their member states
and the United Kingdom, any amendments, replacements or renewals
thereof, applicable to the processing of Personal Data, including
where applicable the Data Protection, Privacy and Electronic
Communications (Amendments etc.) (EU Exit) Regulations 2020, the
EU GDPR, the UK GDPR, the FDPA, the UK Data Protection Act
2018, the CCPA and any applicable national implementing laws,
regulations and secondary legislation relating to the processing of the
Personal Data and the privacy of electronic communications, as
amended, replaced or updated from time to time, including the
Privacy and Electronic Communications Directive (2002/58/EC) and
the Privacy and Electronic Communications (EC Directive)
Regulations 2003 (SI 2003/2426);
“Data Subject” shall have the same meaning as in Data Protection Law or means a
“Consumer” as that term is defined in the CCPA;
“DPA” means this data processing agreement together with Exhibits A, B
and C;
“EEA” means the European Economic Area;
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement
of such data, (General Data Protection Regulation);
“FDPA” means the Swiss Federal Act on Data Protection of 19 June 1992 (SR
235.1; FDPA) and as amended from time to time;
“Personal Data” shall have the same meaning as in Data Protection Law;
“Processor” means the Company, including as applicable any “Service Provider”
as that term is defined by the CCPA;
“Restricted Transfer” means:
(i) where the EU GDPR applies, a transfer of Personal Data via the
Services from the EEA either directly or via onward transfer, to any
country or recipient outside of the EEA not subject to an adequacy
determination by the European Commission; and
(ii) where the UK GDPR applies, a transfer of Personal Data via the
Services from the United Kingdom either directly or via onward
transfer, to any country or recipient outside of the UK not based on
adequacy regulations pursuant to Section 17A of the United Kingdom
Data Protection Act 2018; and
(iii) a transfer of Personal Data via the Services from Switzerland
either directly or via onward transfer, to any country or recipient
outside of the EEA and/or Switzerland not subject to an adequacy
determination by the European Commission;
“Services” means all services and software applications and solutions provided
to the Controller by the Processor under and as described in the
Agreement;
“SCCs” means:
(i) where the EU GDPR applies, the standard contractual clauses
annexed to the European Commission's Implementing Decision
2021/914 of 4 June 2021 on standard contractual clauses for the
transfer of personal data to third countries published at
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN/,
(“EU SCCs”); and
(ii) where the UK GDPR applies standard data protection clauses
adopted pursuant to Article 46(2)(c) of the UK GDPR as set out in
Exhibit C of this DPA, (“UK SCCs”); and
(iii) where Personal Data is transferred from Switzerland to outside of
Switzerland or the EEA, the EU SCCs as amended in accordance
with guidance from the Swiss Data Protection Authority; (“Swiss
SCCs”);
“Sub-processor” means any third party (including the Processor’s Affiliates) engaged
directly or indirectly by the Processor to process Personal Data under
this DPA in the provision of the Services to the Controller;
“Supervisory Authority” means a governmental or government chartered regulatory body
having binding legal authority over a party;
“UK GDPR” means the EU GDPR as it forms part of the law of England and
Wales, Scotland and Northern Ireland by virtue of section 3 of the
European Union (Withdrawal) Act 2018.
2. Purpose
2.1 The Processor has agreed to provide the Services to the Controller in accordance with the
terms of the Agreement. In providing the Services, the Processor shall process Customer Data
on behalf of the Controller. Customer Data may include Personal Data. The Processor will
process and protect such Personal Data in accordance with the terms of this DPA.
3. Scope
3.1 In providing the Services to the Controller pursuant to the terms of the Agreement, the
Processor shall process Personal Data only to the extent necessary to provide the Services in
accordance with the terms of the Agreement, this DPA and the Controller’s instructions
documented in the Agreement and this DPA, as updated from time to time.
3.2 The Controller and Processor shall take steps to ensure that any natural person acting under
the authority of the Controller or the Processor who has access to Personal Data does not
process them except on instructions from the Controller unless required to do so by any
Data Protection Law.
4. Processor’s Obligations
4.1 The Processor may collect, process or use Personal Data only within the scope of this DPA.
4.2 The Processor confirms that it shall process Personal Data on behalf of the Controller in
accordance with the documented instructions of the Controller.
4.3 The Processor shall promptly inform the Controller if, in the Processor’s opinion, any of the
instructions regarding the processing of Personal Data provided by the Controller breach Data
Protection Law.
4.4 The Processor shall ensure that all employees, agents, officers and contractors involved in the
handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and
are contractually bound to keep the Personal Data confidential; (ii) have received appropriate
training on their responsibilities as a data processor; and (iii) are bound by the terms of this
DPA.
4.5 The Processor shall implement appropriate technical and organisational measures to protect
Personal Data, taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons.
4.6 The Processor shall implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk, including inter alia as appropriate: (i) the
pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going
confidentiality, integrity, availability and resilience of processing systems and services; (iii) the
ability to restore the availability and access to Personal Data in a timely manner in the event of
a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating
the effectiveness of technical and organisational measures for ensuring the security of the
processing. In assessing the appropriate level of security, account shall be taken in particular
of the risks that are presented by processing, in particular from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data
transmitted, stored or otherwise processed.
4.7 The technical and organisational measures detailed in Exhibit B shall at all times be adhered
to as a minimum security standard. The Controller accepts and agrees that the technical and
organisational measures are subject to development and review and that the Processor may
use alternative suitable measures to those detailed in the attachments to this DPA, provided
such measures are at least equivalent to the technical and organisational measures set out in
Exhibit B and appropriate pursuant to the Processor’s obligations in clauses 4.5 and 4.6
above.
4.8 The Controller acknowledges and agrees that, in the course of providing the Services to the
Controller, it may be necessary for the Processor to access the Personal Data to respond to
any technical problems or Controller queries and to ensure the proper working of the Services.
All such access by the Processor will be limited to those purposes.
4.9 Taking into account the nature of the processing and the information available to the
Processor, the Processor shall assist the Controller by having in place appropriate technical
and organisational measures, insofar as this is possible, for the fulfilment of the Controller's
obligation to respond to requests for exercising the Data Subject's rights and the Controller’s
compliance with the Controller’s data protection obligations in respect of the processing of
Personal Data.
4.10 The Processor may not: (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for
commercial purposes other than providing the Services under the terms of the Agreement; or
(iii) retain, use, or disclose Personal Data outside of the Agreement.
5. Controller’s Obligations
5.1 The Controller represents and warrants that: (i) it shall comply with this DPA and its obligations
under Data Protection Law; (ii) it has obtained any, and all, necessary permissions and
authorisations necessary to permit the Processor, its Affiliates and Sub-processors, to execute
their rights or perform their obligations under this DPA; and (iii) all Affiliates of the Controller
who use the Services shall comply with the obligations of the Controller set out in this DPA.
5.2 The Controller shall implement appropriate technical and organisational measures to protect
Personal Data, taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons. The Controller shall implement
appropriate technical and organisational measures to ensure a level of security appropriate to
the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of
Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and
resilience of processing systems and services; (iii) the ability to restore the availability and
access to Personal Data in a timely manner in the event of a physical or technical incident; (iv)
a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing. In assessing the
appropriate level of security, account shall be taken in particular of the risks that are presented
by processing, in particular from accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise
processed.
5.3 The Controller acknowledges and agrees that some instructions from the Controller including
the Processor assisting with audits, inspections, DPIAs or providing any assistance under this
DPA, may result in additional fees. In such case the Processor shall notify the Controller of its
fees for providing such assistance in advance and shall be entitled to charge the Controller for
its reasonable costs and expenses in providing such assistance, unless agreed otherwise in
writing.
6. Sub-processors
6.1 The Controller acknowledges and agrees that: (i) Affiliates of the Processor may be used as
Sub-processors; and (ii) the Processor and its Affiliates respectively may engage
Sub-processors in connection with the provision of the Services.
6.2 All Sub-processors who process Personal Data in the provision of the Services to the
Controller shall comply with the obligations of the Processor set out in this DPA.
6.3 The Controller authorises the Processor to use the Sub-processors included in the list of
Sub-processors published at: https://www.brego.io/sub-processors to process the Personal
Data. During the term of this DPA, the Processor shall provide the Controller with 30 days’ prior
notification, via email, of any changes to the list of Sub-processors before authorising any new
or replacement Sub-processor to process Personal Data in connection with provision of the
Services.
6.4 The Controller may object to the use of a new or replacement Sub-processor, by notifying the
Processor promptly in writing within fifteen (15) calendar days after receipt of the Processor’s
notice. If the Controller objects to a new or replacement Sub-processor, the Controller may
terminate the Agreement with respect to those Services which cannot be provided by the
Processor without the use of the new or replacement Sub-processor. The Processor will
refund the Controller any prepaid fees covering the remainder of the term of the Agreement
following the effective date of termination with respect to such terminated Services.
6.5 All Sub-processors who process Personal Data shall comply with the obligations of the
Processor set out in this DPA. The Processor shall prior to the relevant Sub-processor carrying
out any processing activities in respect of the Personal Data: (i) appoint each Sub-processor
under a written contract containing materially the same obligations as those of the Processor in
this DPA enforceable by the Processor; and (ii) ensure each such Sub-processor complies
with all such obligations.
6.6 The Controller agrees that the Processor and its Sub-processors may make Restricted
Transfers of Personal Data for the purpose of providing the Services to the Controller in
accordance with the Agreement. The Processor confirms that such Sub-processors: (i) are
located in a third country or territory recognised by the EU Commission or a Supervisory
Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the
applicable SCCs with the Processor; or (iii) have other legally recognised appropriate
safeguards in place.
7. Restricted Transfers
7.1 The parties agree that, when the transfer of Personal Data from the Controller to the
Processor or from the Processor to a Sub-processor is a Restricted Transfer, it shall be
subject to the applicable SCCs.
7.2 The parties agree that the EU SCCs shall apply to Restricted Transfers from the EEA. The EU
SCCs shall be deemed entered into (and incorporated into this DPA by reference) and
completed as follows:
(i) Module Two (Controller to Processor) shall apply where the Customer is a Controller of
Customer Data and the Company is processing Customer Data;
(ii) Module Three (Processor to Processor) shall apply where the Company is a Processor of
Customer Data and the Company uses a Sub-processor to process the Customer Data;
(iii) In Clause 7 of the EU SCCs, the optional docking clause will not apply;
(iv) In Clause 9 of the EU SCCs Option 2 applies, and the time period for giving notice of
Sub-processor changes shall be as set out in clause 6.3 of this DPA;
(v) In Clause 11 of the EU SCCs, the optional language shall not apply;
(vi) In Clause 17 of the EU SCCs, Option 1 applies and the EU SCCs shall be governed by Irish
law;
(vii) In Clause 18(b) of the EU SCCs, disputes shall be resolved by the courts of Ireland;
(viii) Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A
of this DPA;
(ix) Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B
of this DPA.
7.3 The parties agree that the EU SCCs as amended in clause 7.2 above, shall be adjusted as set
out below where the FDPA applies to any Restricted Transfer:
(i) The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) shall be the sole
Supervisory Authority for Restricted Transfers exclusively subject to the FDPA;
(ii) Restricted Transfers subject to both the FDPA and the EU GDPR, shall be dealt with by the
EU Supervisory Authority named in Exhibit A of this DPA;
(iii) The term ’member state’ must not be interpreted in such a way as to exclude Data Subjects in
Switzerland from the possibility of suing for their rights in their place of habitual residence
(Switzerland) in accordance with Clause 18(c) of the EU SCCs;
(iv) Where Restricted Transfers are exclusively subject to the FDPA, all references to the GDPR in
the EU SCCs are to be understood to be references to the FDPA;
(v) Where Restricted Transfers are subject to both the FDPA and the EU GDPR, all references to
the GDPR in the EU SCCs are to be understood to be references to the FDPA insofar as the
Restricted Transfers are subject to the FDPA;
(vi) The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the
revised FDPA.
7.4 The parties agree that the UK SCCs shall apply to Restricted Transfers from the UK and the
UK SCCs shall be deemed entered into (and incorporated into this DPA by reference), as set
out in Exhibit C of this DPA.
7.5 In the event that any provision of this DPA contradicts directly or indirectly any SCCs, the
provisions of the applicable SCCs shall prevail over the terms of the DPA.
8. Data Subject Access Requests
8.1 The Controller may require correction, deletion, blocking and/or making available the Personal
Data during or after termination of the Agreement. The Controller acknowledges and agrees
that the Processor will process the request to the extent it is lawful and will reasonably fulfil
such request in accordance with its standard operational procedures to the extent possible.
8.2 In the event that the Processor receives a request from a Data Subject in relation to Personal
Data, the Processor will refer the Data Subject to the Controller unless otherwise prohibited by
law. The Controller shall reimburse the Processor for all costs incurred resulting from providing
reasonable assistance in dealing with a Data Subject request. In the event that the Processor
is legally required to respond to the Data Subject, the Controller will fully cooperate with the
Processor as applicable.
9. Audit
9.1 The Processor shall make available to the Controller all information reasonably necessary to
demonstrate compliance with its processing obligations and allow for and contribute to audits
and inspections.
9.2 Any audit conducted under this DPA shall consist of examination of the most recent reports,
certificates and/or extracts prepared by an independent auditor bound by confidentiality
provisions similar to those set out in the Agreement. In the event that provision of the same is
not deemed sufficient in the reasonable opinion of the Controller, the Controller may conduct a
more extensive audit which shall be: (i) at the Controller’s expense; (ii) limited in scope to
matters specific to the Controller and agreed in advance; (iii) carried out during the
Processor’s usual business hours and upon reasonable notice which shall be not less than 4
weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does
not interfere with the Processor’s day-to-day business.
9.3 This clause shall not modify or limit the rights of audit of the Controller, instead it is intended to
clarify the procedures in respect of any audit undertaken pursuant thereto.
10. Personal Data Breach
10.1 The Processor shall notify the Controller without undue delay after becoming aware of (and in
any event within 72 hours of discovering) any accidental or unlawful destruction, loss,
alteration or unauthorised disclosure or access to any Personal Data (“Personal Data
Breach”).
10.2 The Processor shall take all commercially reasonable measures to secure the Personal Data,
to limit the effects of any Personal Data Breach, and to assist the Controller in meeting the
Controller’s obligations under applicable law.
11. Compliance, Cooperation and Response
11.1 The Processor will notify the Controller promptly of any request or complaint regarding the
processing of Personal Data, which adversely impacts the Controller, unless such notification
is not permitted under applicable law or a relevant court order.
11.2 The Processor may make copies of and/or retain Personal Data in compliance with any legal
or regulatory requirement including, but not limited to, retention requirements.
11.3 The Processor shall reasonably assist the Controller in meeting the Controller’s obligation to
carry out data protection impact assessments (DPIAs), taking into account the nature of the
processing and the information available to the Processor.
11.4 The Controller shall notify the Processor within a reasonable time, of any changes to
applicable data protection laws, codes or regulations which may affect the contractual duties of
the Processor. The Processor shall respond within a reasonable timeframe in respect of any
changes that need to be made to the terms of this DPA or to the technical and organisational
measures to maintain compliance. If the Processor is unable to accommodate necessary
changes, the Controller may terminate the part or parts of the Services which give rise to the
non-compliance. To the extent that other parts of the Services provided are not affected by
such changes, the provision of those Services shall remain unaffected.
11.5 The Controller and the Processor and, where applicable, their representatives, shall
cooperate, on request, with a Supervisory Authority in the performance of their respective
obligations under this DPA and Data Protection Law.
12. Liability
12.1 The limitations on liability set out in the Agreement apply to all claims made pursuant to any
breach of the terms of this DPA.
12.2 The parties agree that the Processor shall be liable for any breaches of this DPA caused by
the acts and omissions or negligence of its Sub-processors to the same extent the Processor
would be liable if performing the services of each Sub-processor directly under the terms of
the DPA, subject to any limitations on liability set out in the terms of the Agreement.
12.3 The parties agree that the Controller shall be liable for any breaches of this DPA caused by the
acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had
been committed by the Controller itself.
12.4 The Controller shall not be entitled to recover more than once in respect of the same loss.
13. Term and Termination
13.1 The Processor will only process Personal Data for the term of the DPA. The term of this DPA
shall commence on the Effective Date of the Agreement and this DPA shall terminate
automatically together with termination or expiry of the Agreement.
14. Deletion and Return of Personal Data
14.1 The Processor shall at the choice of the Controller, upon receipt of a written request received
within 30 days of the end of the provision of the Services, delete or return Personal Data to the
Controller. The Processor shall in any event delete all copies of Personal Data in its systems
within 1 year of the effective date of termination of the Agreement or deactivation of the
Customer’s account unless applicable law or regulations require storage of the Personal Data
after termination.
15. General
15.1 This DPA sets out the entire understanding of the parties with regard to the subject matter
herein.
15.2 Should a provision of this DPA be invalid or become invalid then the legal effect of the other
provisions shall be unaffected. A valid provision is deemed to have been agreed which comes
closest to what the parties intended commercially and shall replace the invalid provision. The
same shall apply to any omissions.
15.3 Subject to any provision of the SCCs to the contrary, this DPA shall be governed by the laws of
England and Wales. The courts of England shall have exclusive jurisdiction for the settlement
of all disputes arising under this DPA.
15.4 The parties agree that this DPA is incorporated into and governed by the terms of the
Agreement.
Exhibit A
List of Parties, Description of Processing and Transfer of Personal Data, Competent
Supervisory Authority
MODULE TWO: CONTROLLER TO PROCESSOR
A. LIST OF PARTIES
The Controller:
means the Customer.
Address: As set out for the Customer in the Agreement.
Contact person’s name, position and contact details: As provided by the Customer in its account
and used for notification and invoicing purposes.
Activities relevant to the data transferred under the SCCs: Use of the Services.
Signature and date: By entering into the Agreement, the Controller is deemed to
have signed the SCCs incorporated into this DPA and including
their Annexes, as of the Effective Date of the Agreement.
Role: Data Exporter.
Name of Representative (if applicable): Any UK or EU representative named in the Controller’s
privacy policy.
The Processor:
means Brego Limited
Address: The Stable Yard Vicarage Road, Stony Stratford, Milton
Keynes, Buckinghamshire, England, MK11 1BN
Contact person’s name, position and contact details: Simon Hunt, CEO, legal@brego.io
Activities relevant to the data transferred under the SCCs: The provision of cloud computing
solutions to the Controller under which the Processor processes Personal Data upon the
instructions of the Controller in accordance with the terms of the Agreement.
Signature and date: By entering into the Agreement, the Processor is deemed to
have signed the SCCs, incorporated into this DPA, including
their Annexes, as of the Effective Date of the Agreement.
Role: Data Importer
B. DESCRIPTION OF PROCESSING AND TRANSFERS
Categories of Data Subjects: Employees, agents, advisors, consultants, freelancers of the
Controller (who are natural persons).
Affiliates and Authorised Users of the Controller who access or
use the Services in accordance with the terms of the
Agreement.
Categories of Personal Data: The Controller may submit Personal Data to the Services, the
extent of which is determined and controlled by the Controller.
The Personal Data includes but is not limited to:
● Personal details, first name, middle name and surname,
email addresses and company name of Authorised
Users of the Services.
● Unique identifiers such as username, account number
or password.
● Personal Data derived from an Authorised User’s use of
the Services such as records and business intelligence
information.
● Vehicle registration plates and VINs.
● Personal Data within email and messaging content
which identifies or may reasonably be used to identify
individuals.
● Meta data including sent, to, from, date, time, subject,
which may include Personal Data.
● Geolocation based upon IP address.
● Financial data required for invoicing.
● Data concerning education and profession.
● File attachments that may contain Personal Data.
● Feedback and assessment messages.
● Information offered by an Authorised User as part of
support enquiries.
● Other data added by the Controller from time to time.
Sensitive Data: No sensitive data or special category data will be processed or
transferred and shall not be contained in the content of, or
attachments to, emails.
The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off
or continuous basis): Continuous basis for the duration of the Agreement.
Nature of the processing: Processing operations include but are not limited to: displaying
the logged-in user’s name within the Platform, sending update
emails about Brego services and caching VRM or VINs to
specific vehicles.
Purpose(s) of the data transfer and further processing: Personal Data is transferred to
sub-contractors who need to process some of the Personal Data in order to provide their
services to the Processor as part of the Services provided by the Processor to the Controller.
The period for which the Personal Data will be retained, or, if that is not possible, the
criteria used to determine that period: Unless agreed otherwise in writing, for the duration of
the Agreement, subject to clause 14 of the DPA.
For transfers to (Sub-) processors, also specify subject matter, nature and duration of the
processing: The Sub-processor list published at: https://www.brego.io/sub-processors sets out
the Personal Data processed by each Sub-processor and the services provided by each
Sub-processor.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs):
Where the EU GDPR applies, the Irish Data Protection Authority - Data Protection Commission,
(“DPC”).
Where the UK GDPR applies, the UK Information
Commissioner's Office, (ICO).
Where the FDPA applies, the Swiss Federal Data Protection
and Information Commissioner, (FDPIC).
MODULE THREE: PROCESSOR TO PROCESSOR
A. LIST OF PARTIES
The Data Exporter: is the Company.
The Data Importers: are the Sub-processors named in the Sub-processor list set out above, which
contains the name, address, contact details and activities relevant to the data transferred to each Data
Importer.
B. DESCRIPTION OF PROCESSING AND TRANSFERS
The Sub-processor list includes the information about the processing and transfers of the Personal
Data, for each Data Importer:
● categories of Data Subjects
● categories of Personal Data
● the nature of the processing
● the purposes of the processing
Personal Data is processed by each Data Importer:
● on a continuous basis
● to the extent necessary to provide the Services in accordance with the Agreement and the
Data Exporter’s instructions.
● for the duration of the Agreement and subject to clause 14 of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
The competent Supervisory Authority of the Data Exporter shall be:
● Where the EU GDPR applies, the Irish Data Protection Authority - Data Protection
Commission, (“DPC”).
● Where the UK GDPR applies, the UK Information Commissioner's Office, (ICO).
● Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner,
(FDPIC).
Exhibit B
Technical and Organisational Security Measures
(Including Technical and Organisational Measures to Ensure the Security of Data)
Below is a description of the technical and organisational measures implemented by the Processor
(including any relevant certifications) to ensure an appropriate level of security, taking into account the
nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of
natural persons.
Where applicable this Exhibit B will serve as Annex II to the SCCs.
Measure Description
Measures of pseudonymisation and encryption of Personal Data:
For the purpose of transfer control, an encryption technology is used (e.g. remote access to the
company network via two factor VPN tunnel and full disk encryption). The suitability of an
encryption technology is measured against the protective purpose.
The Controller is assigned a unique encryption key, generated
using a FIPS 140-2 compliant crypto library, which is used to
encrypt and decrypt all of the Controller’s archived data. In
addition to the unique encryption keys, all data being written to
the storage grid includes the Controller’s unique account code.
The Processor’s systems that write data to the storage grid
retrieve the encryption key from one system and the customer
code from another, which serves as a cross check against two
independent systems. The Controller’s encryption key is further
encrypted with a Processor key stored within a centralised and
restricted key management system. In order for the Processor to
access Personal Data via the master key, the key management
system provisions individual keys following a strict process of
approval that includes multiple levels of executive authorisation.
Use of these master encryption keys is limited to senior
production engineers and all access is logged, monitored, and
configured for alerting by security via a centralised Security
Incident and Event Management (“SIEM”) system.
The Controller’s archived data is encrypted at rest using
AES256 bit encryption
Data in transit is protected by Transport Layer Security (“TLS”).
Measure: Measures for ensuring ongoing confidentiality, integrity, availability and resilience of
processing systems and services
Description: Access to data necessary for the performance of the particular task is ensured within the
systems and applications by a corresponding role and authorisation concept. In accordance with the
“least privilege” and “need-to-know” principles, each role has only those rights which are necessary for
the fulfilment of the task to be performed by the individual person.
To maintain data access control, state of the art encryption technology is applied to the Personal Data
itself where deemed appropriate to protect sensitive data based on risk.
Measure: Measures for ensuring the ability to restore the availability and access to Personal Data in a
timely manner in the event of a physical or technical incident
Description: All our applications are built stateless by using Cloud-formation templates and can be
easily recreated in different geographical regions. Data is stored in triplicate across 2 data centres,
with 2 separate cross connections. The data centres can be switched in the event of flooding,
earthquake, fire or other physical destruction or power outage, to protect Personal Data against
accidental destruction and loss.
The Processor maintains redundancy throughout its IT infrastructure in order to minimize the lack of
availability to or loss of data. Backups are maintained hourly and daily in accordance with our backup
procedures. The Processor maintains a disaster recovery policy and at least once per calendar year
practises executing the policy.
Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures in order to ensure the security of the processing
Description: The Processor conducts multiple internal audits. The Processor strives to automate audits
hence the majority of our monitoring of its infrastructure is automated and running 24/7 and based on
various frameworks (CIS, NEST etc.). The Processor obtains an external security and compliance audit
once per calendar year.
Measure: Measures for user identification and authorisation
Description: Remote access to the data processing systems is only possible through the Processor’s
secure VPN tunnel. Users first authenticate to the secure VPN tunnel; after successful authentication,
authorisation is executed by providing a unique user name and password to a centralised directory
service. All access attempts, successful and unsuccessful, are logged and monitored.
Measure: Measures for the protection of data during transmission
Description: Data in transit is protected by Transport Layer Security (“TLS”).
Measure: Measures for the protection of data during storage
Description: Personal Data is only retained internally, and on the third party data centre servers, which
are covered by AWS certifications. The Controller’s archived data is encrypted at rest using AES256 bit
encryption and data in transit is protected by Transport Layer Security (“TLS”).
Measure: Measures for ensuring physical security of locations at which Personal Data are processed
Description: Due to their respective security requirements, business premises and facilities are
subdivided into different security zones with different access authorisations. Third party data centres
are monitored by security personnel. Access for employees is only possible with an encoded ID with a
photo on it. All other persons have access only after having registered before (e.g. at the main
entrance).
Access to special security areas for remote maintenance is additionally protected by a separate access
area. The constructional and substantive security standards comply with the security requirements for
data centres.
Measure: Measures for ensuring events logging
Description: System inputs are recorded in the form of log files therefore it is possible to review
retroactively whether and by whom Personal Data was entered, altered or deleted.
Measure: Measures for ensuring system configuration, including default configuration
Description: Our system configuration is based on the Security Technical Implementation Guides
(STIG). System configuration is applied and maintained by software tools that ensure the system
configurations do not deviate from the specifications. Deviations will be fixed automatically and
reported to our SOC.
Measure: Measures for internal IT and IT security governance and management
Description: Employees are instructed to collect, process and use Personal Data only within the
framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client
capability includes separation of functions as well as appropriate separation of testing and production
systems.
The Controller’s Personal Data is stored in a way that logically separates it from other customer data.
Measure: Measures for certification/assurance of processes and products
Description: The Processor is ISO 27001 and ISO 27018 certified and will continue to maintain these
certifications for the term of the Agreement. The technical and organisational measures defined herein
are implemented on the basis of the international standard ISO 27001 and ISO 27018. The Processor
shall maintain controls materially as protective as those provided in the ISO 27001 and ISO 27018.
The Processor utilises third party data centres that maintain current ISO 27001 certifications. The
Processor will not utilise third party data centres that do not maintain the aforementioned certifications
and/or attestations, or other substantially similar or equivalent certifications and/or attestations.
Upon the Controller’s written request (no more than once in any 12 month period), the Processor shall
provide within a reasonable time, a copy of the most recently completed certification and/or attestation
reports (to the extent that to do so does not prejudice the overall security of the Services). Any audit
report submitted to the Controller shall be treated as Confidential Information and subject to the
confidentiality provisions of the Agreement between the parties.
Measure: Measures for ensuring data minimisation
Description: If Personal Data is no longer required for the purposes for which it was processed, it is
deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the
first instance and is then deleted for good with a certain delay. This is done in order to prevent
accidental deletions or possible intentional damage.
Measure: Measures for ensuring data quality
Description: All of the data that the Processor possesses is provided by the Controller. The Processor
does not assess the quality of the data provided by the Controller. The Processor provides reporting
tools within our product to help the Controller understand and validate the data that is stored.
Measure: Measures for ensuring limited data retention
Description: The Processor uses a data classification scheme for all data that it stores and our
retention policy specifies how each type of data is retained. When a record with Personal Data is
deleted then it will be permanently evicted from our active databases. The data is retained in our
backups until they are rotated out by more recent backups per the data retention policy.
Measure: Measures for ensuring accountability
Description: The Processor internally reviews its information security policies semi-annually to ensure
they are still relevant and are being followed. All employees that handle sensitive data must
acknowledge the information security policies. These employees are re-trained on information security
policies once per year. A disciplinary policy is in place for employees that do not adhere to information
security policies.
Measure: Measures for allowing data portability and ensuring erasure
Description: The Services have built-in tools that allow the Controller to export and permanently erase
data.
Measure: Measures to be taken by the (Sub-)processor to be able to provide assistance to the
Controller (and, for transfers from a Processor to a Sub-processor, to the Data Exporter).
Description: The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service
providers) is only made if a corresponding contract exists, and only for the specific purposes. If
Personal Data is transferred outside the EEA, the Processor provides that an adequate level of data
protection exists at the target location or organisation in accordance with the European Union's data
protection requirements, e.g. by employing contracts based on the EU SCCs.
Exhibit C
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted
Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for
Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date: The date set out in Annex I of the Approved EU SCCs.
The Parties: Exporter (who sends the Restricted Transfer) and Importer (who receives the Restricted
Transfer)
Parties’ details
Exporter:
Full legal name: the Customer named in the Agreement.
Main address (if a company registered address): As set out in Annex I of the Approved EU SCCs.
Official registration number (if any) (company number or similar identifier): Where set out in the
Agreement.
Importer:
Full legal name: Brego Limited.
Main address: The Stable Yard Vicarage Road, Stony Stratford, Milton Keynes, Buckinghamshire,
England, MK11 1BN
Official registration number (if any) (company number or similar identifier): 13710133.
Key Contact
Exporter:
Full Name (optional): As set out in Annex I of the Approved EU SCCs.
Job Title: As set out in Annex I in the Approved EU SCCs
Contact details including email: As set out in Annex I the Approved EU SCCs.
Importer:
Full Name (optional): Simon Hunt
Job Title: Director
Contact details including email: legal@brego.io
Signature (if required for the purposes of Section 2)
Exporter: no signature is required.
Importer: no signature is required.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: ☒ the Approved EU SCCs, including the Appendix Information and with only the
following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the
purposes of this Addendum:
Module | Module in operation | Clause 11 (Option) | Clause 9a General Authorisation | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1 | no | not used | - | - | -
2 | yes | not used | Yes | 30 days | -
3 | yes | not used | Yes | 30 days | -
4 | no | not used | - | - | no
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as
set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this
Addendum is set out in:
Annex 1A: List of Parties: for Module 2 and Module 3
Annex 1B: Description of Transfer: for Module 2 and Module 3
Annex II: Technical and organisational measures including technical and organisational measures
to ensure the security of the data: for Module 2
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum
as set out in Section 19:
Importer
Exporter
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange
for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for
the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way
that makes them legally binding on the Parties and allows data subjects to enforce their rights as
set out in this Addendum. Entering into this Addendum will have the same effect as signing the
Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall
have the same meaning as in the Approved EU SCCs. In addition, the following terms have the
following meanings:
Addendum: This International Data Transfer Addendum which is made up of this Addendum
incorporating the Addendum EU SCCs.
Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as
set out in Table 2, including the Appendix Information.
Appendix Information: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’
rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer
relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in
accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under
Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission
Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy
and/or electronic communications in force from time to time in the UK, including the UK GDPR and the
Data Protection Act 2018.
UK GDPR: As defined in section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection
Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way
which is not permitted under the Approved EU SCCs or the Approved Addendum, such
amendment(s) will not be incorporated in this Addendum and the equivalent provision of the
Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK
Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which
most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or
specific provision) as it may change over time. This includes where that legislation (or specific
provision) has been consolidated, re-enacted and/or replaced after this Addendum has been
entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all
related agreements between the parties, the parties agree that, for Restricted Transfers, the
hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum
EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except
where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides
greater protection for data subjects, in which case those terms will override the Approved
Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect
transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties
acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent
necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to
the extent that UK Data Protection Laws apply to the data exporter’s processing when
making that data transfer, and they provide Appropriate Safeguards for those data
transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by
the laws of England and Wales and (2) any dispute arising from it is resolved by the courts
of England and Wales, in each case unless the laws and/or courts of Scotland or Northern
Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section
12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12
may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors
to processors, standard contractual clauses pursuant to Article 28(7) of Regulation
(EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that
are transferred and the purpose(s) for which they are transferred) are those specified
in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing
when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the
UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to
Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data (General
Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection
Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the
equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and
“EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause
11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the
“Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data
Protection Act 2018 that cover the transfer of personal data to which these clauses
apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England
and Wales. A data subject may also bring legal proceedings against the data exporter
and/or data importer before the courts of any country in the UK. The Parties agree to
submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for
footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the
laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the
Approved Addendum, they may do so by agreeing to the change in writing, provided that the
change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including
correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved
Addendum are effective and whether the Parties need to review this Addendum including the
Appendix Information. This Addendum is automatically amended as set out in the revised
Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4
“Ending the Addendum when the Approved Addendum changes”, will as a direct result of the
changes in the Approved Addendum have a substantial, disproportionate and demonstrable
increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not
substantial and disproportionate, then that Party may end this Addendum at the end of a
reasonable notice period, by providing written notice for that period to the other Party before the
start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but
any changes must be made in accordance with its terms.
Appendix 2 - Service Level Agreement
This Brego Service Level Agreement (this “SLA”) is a policy governing the use of Brego’s
services* and applies separately to each account using Brego services. In the event of a conflict
between the terms of this SLA and the terms of Brego’s standard terms and conditions, or other
agreement with us governing your use of our Services (the “Agreement”), the terms and
conditions of this SLA apply, but only to the extent of such conflict. Capitalised terms used herein
but not defined herein shall have the meanings set forth in the Agreement.
*For purposes of this SLA, Brego services include the Brego Platform and the Brego API.
SLAs
For Brego’s API or Platform, Brego will use commercially reasonable efforts to make the services
available with a Monthly Uptime Percentage of at least 99.99%, in each case during any monthly
billing cycle. In the event Brego does not meet the SLA, you will be eligible to receive a Service
Credit as described below.
Monthly Uptime Percentage | Service Credit Percentage
Less than 99.5% but equal to or greater than 99.0% | 10%
Less than 99.0% but equal to or greater than 95.0% | 15%
Less than 95.0% | 20%
Brego will respond to any reported or detected issue within 24 hours and will aim for any
detected or reported issues to be fixed within 72 hours.
Brego will notify all customers of expected downtime, giving at least 7 days’ notice.
The Customer will have the right to terminate if Brego fails to resolve downtime within 2
working days.
SLA Credits
Service Credits are calculated as a percentage of the monthly bill. We will apply any Service
Credits only against future payments for Brego services otherwise due from you. Service Credits
will not entitle you to any refund or other payment from Brego. A Service Credit will be applicable
and issued only if the credit amount for the applicable monthly billing cycle is greater than one
pound (£1 GBP). Service Credits may not be transferred or applied to any other account.
Credit Request and Payment Procedures
To receive a Service Credit, you must submit a claim by opening a case in the Brego Dashboard.
Your credit request must be received by us by the end of the second billing cycle after which the
incident occurred and must include the information specified below.
All SLA requests must include:
1. the words “Brego SLA Request” in the subject line;
2. the dates, times, and affected Brego service of each Unavailability incident that you are
claiming;
3. your request logs that document the errors and corroborate your claimed outage**.
** Please replace any confidential or sensitive information with asterisks.
If a claim is confirmed by us as valid, we will issue you a Service Credit within one billing cycle
following the month in which your request is confirmed by us.
Your failure to provide the requested and other information as required above will disqualify you
from receiving a Service Credit. Unless otherwise provided in the Agreement, this SLA sets forth
your sole and exclusive remedies, and Brego’s sole and exclusive obligations, for any
unavailability, non-performance, or other failure by us to provide Brego services.
SLA Exclusions
Brego SLAs do not apply to any suspension or termination of Brego services, or any other Brego
performance issues, directly or indirectly: (i) caused by factors outside of our reasonable control,
including any force majeure event or Internet access or related problems beyond the demarcation
point of Brego services; (ii) that result from any actions or inactions of you; (iii) that result from
your equipment, software or other technology; or (iv) arising from our suspension or termination
of your right to use the applicable Brego services in accordance with the Agreement. If availability
is impacted by factors other than those used in our Monthly Uptime Percentage calculation, then
we may issue a Service Credit considering such factors at our discretion.
SLA Definitions
● “Monthly Uptime Percentage” is calculated by subtracting from 100% the percentage of
minutes during the month in which Brego service was in the state of Unavailability.
● A “Service Credit” is a pound credit, calculated as set forth above.
● “Unavailable” and “Unavailability” mean:
○ For the SLA, your Brego service has no external connectivity.