Data Processing Agreement

In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below:

• "Controller" means the entity that determines the purposes and means of processing personal data.
• "Processor" means CISO Assurance Ltd (trading as Reputation Scorecard), which processes personal data on behalf of the Controller.
• "Data Subject" means any identified or identifiable natural person whose personal data is processed.
• "Personal Data" has the meaning given in Article 4(1) GDPR.
• "Processing" has the meaning given in Article 4(2) GDPR.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
• "Services" means the reputation scoring, monitoring, and intelligence services provided by the Processor.
• "Sub-processor" means any third party engaged by the Processor to assist in processing personal data.

This DPA applies where you use Reputation Scorecard for business purposes, for example to assess the reputation of individuals in connection with your professional activities, or where you are a corporate subscriber submitting data about third parties.

This DPA forms part of, and is subject to, the Terms of Service. In the event of conflict between this DPA and the Terms of Service with respect to data processing matters, this DPA shall take precedence.

Individuals assessing their own reputation are governed by the Privacy Policy rather than this DPA.

The Processor processes personal data on behalf of the Controller as follows:

Subject Matter

Reputation assessment and scoring services, including the collection and analysis of publicly available information to generate reputation scores and insights.

Duration

For the term of the Service agreement, plus any retention period required by law.

Nature of Processing

Collection, storage, analysis, structuring, use, and erasure of personal data for the purpose of reputation scoring.

Purpose of Processing

Generating reputation scores and reports as requested by the Controller.

Categories of Data Subjects

Individuals whose reputation is being assessed, either the Controller itself or third parties with respect to whom the Controller has a lawful basis for processing.

Categories of Personal Data

• Identity data (name, aliases, date of birth)
• Professional data (employment history, qualifications)
• Publicly available online data (news, social media, professional directories)
• Legal and regulatory records (public court records, regulatory filings)

The Processor shall implement and maintain the following technical and organisational measures in accordance with Article 32 GDPR:

Technical Measures

• AES-256 encryption at rest for all stored personal data
• TLS 1.3 encryption in transit for all data transmissions
• Multi-factor authentication for all administrative access
• Role-based access control with principle of least privilege
• Regular automated vulnerability scanning and penetration testing
• Intrusion detection and security monitoring systems
• Automated backup with tested recovery procedures

Organisational Measures

• Documented data protection policies and procedures
• Staff training on data protection obligations
• Data protection by design and by default
• Incident response and data breach notification procedures
• Regular internal data protection audits

The Processor shall only engage sub-processors with appropriate data protection guarantees in place. The Controller grants general authorisation for the Processor to engage sub-processors from the approved list, subject to the following conditions:

• Sub-processors are bound by written agreements no less protective than this DPA
• Sub-processors are located within the EEA or in countries with an EU adequacy decision
• The Processor remains liable for sub-processor compliance

Current sub-processor categories include: cloud infrastructure (EU), payment processing (PCI DSS compliant), and anonymised analytics (EU-hosted).

The Processor will provide at least 14 days advance notice of any intended new sub-processor or changes to existing sub-processors. The Controller may object on reasonable grounds within this period.

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests under Articles 15–22 GDPR.

Where a data subject submits a rights request directly to the Processor:

• The Processor will notify the Controller within 5 business days
• The Processor will not respond to the data subject without the Controller's prior instruction, unless legally required
• The Processor will provide all information reasonably necessary to enable the Controller to respond

The Processor shall implement privacy by design features to enable data subject access, rectification, and erasure requests to be fulfilled efficiently.

In the event of a personal data breach affecting data processed under this DPA:

• The Processor will notify the Controller without undue delay and within 48 hours of becoming aware
• Notification will include: nature of the breach, categories and approximate numbers of data subjects affected, contact details for the DPO, likely consequences, and measures taken or proposed
• Where not all information is available at the time of notification, the Processor will provide it in phases as it becomes available
• The Processor will cooperate fully with the Controller in meeting its own notification obligations to supervisory authorities and data subjects

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

• Audits shall be conducted no more than once per calendar year (except following a security incident)
• At least 30 days advance written notice must be provided
• Audits shall be conducted during normal business hours with minimal disruption
• The Controller shall bear the costs of any audit it initiates

The Processor may satisfy audit obligations by providing its most recent third-party security certification or audit report in lieu of a direct audit, where this covers the scope of the Controller's enquiry.

This DPA takes effect on the date you first access the Service and remains in force for the duration of the Service agreement.

Upon termination of the Service agreement, the Processor shall, at the Controller's option:

• Delete: Securely delete all personal data processed under this DPA within 30 days of termination
• Return: Return all personal data in a portable format (JSON or CSV) within 30 days

The Processor shall provide written confirmation of deletion upon request. Retention of data beyond this period is only permitted where required by applicable law.

For DPA-related enquiries, including requests to sign a custom DPA for enterprise deployments:

Data Protection Officer
Email: dpo@reputationscorecard.ai
Enterprise enquiries: Contact our enterprise team