Data Processing Addendum - ID Verification
This Data Processing Schedule forms part of the IDV Agreement. It is in addition to, and does not relieve, remove, modify, or replace, each party's obligations under Data Protection Legislation.
1. Definitions
1.1. In addition to the definitions and rules of interpretation in the IDV Agreement, the following definitions will apply in this Schedule:
Data Protection Legislation means the Data Protection Act 2018, the UK GDPR, and any other applicable data privacy or data protection laws, as introduced or amended from time to time.
2. Relationship
2.1. We act as data processor for any personal data collected in connection with ID Verifications, and you act as data controller.
2.2. You agree that you will only share personal data with us where you have appropriate authority and legal basis to do so, and that there will be no prohibition or restriction which prevents us (or any sub-processor appointed) from conducting the processing permitted by this Agreement.
2.3. Both parties agree to provide reasonable cooperation and information to the other in order to assist in the other’s compliance with their own obligations under Data Protection Legislation.
3. Scope
3.1. The scope and purpose of processing by us, the duration of the processing and the types of personal data and categories of data subject are set out below:
(a) Scope: personal data required by Companies House in order to complete ID Verifications and such additional personal data that is reasonably required to manage the IDV Services;
(b) Purpose of processing: to perform the IDV Services, to contact Clients and Users, to manage invoices due under the IDV Agreement, to exercise rights and perform obligations under the IDV Agreement, to monitor, review and improve the delivery of the IDV Services;
(c) Duration of the processing: the duration of the IDV Services and, following termination of the Services, such period as we may require in order to comply with all applicable legal and regulatory requirements, and/or with our bona fide data retention policy;
(d) Types of personal data: names, residential addresses (including historical addresses), dates of birth, email addresses, identification numbers, professional titles, biometric data; and
(e) Categories of data subjects: your employees, directors, shareholders, company officers, and other stakeholders involved in the IDV Services.
4. Sub-contractors
4.1. We may appoint sub-processors as required to assist in our provision of the IDV Services from time to time, provided that we comply with the requirements for doing so under Data Protection Legislation. This shall include entering into a written agreement with the sub-processor that includes data protection and security measures which are no less stringent than those set out in this Data Protection Addendum. We will remain responsible to you for the obligations in the IDV Agreement.
4.2. Our right to appoint sub-processors under paragraph 4.1 is limited to the following categories:
(a) Professional services providers;
(b) Providers of digital ID verification tools;
(c) IT service providers (such as but not limited to billing and payment, consulting, customer support, infrastructure, security, staffing etc.); and
(d) Couriers and other providers of logistics services.
4.3. If we make any changes to the types of sub-processors that we may appoint, we will notify you in writing. If you wish to object to any changes, you must do so within 30 days of receipt of such notice to your usual LawDeb contact and legal@lawdeb.com. Please note that objections may have an impact on our ability to continue to provide the IDV Services.
5. Processor requirements (Article 28 requirements)
5.1. We will, in respect of personal data processed pursuant to the IDV Agreement:
(i) only process personal data in accordance with this Data Protection Addendum and your additional written instructions, if any;
(ii) ensure that we have appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk involved (including via confidentiality obligations on our personnel);
(iii) provide reasonable assistance in relation to your compliance with Data Protection Legislation;
(iv) ensure an adequate level of protection for any personal data transferred to or shared with a sub-processor;
(v) notify you of any data breaches we become aware of without undue delay;
(vi) promptly notify you of any complaints or notices (including any data subject access requests) received which relate to the processing of personal data in connection with this Agreement, and co-operate with you in relation to the same;
(vii) on written request, provide you with such information as is reasonably necessary to evidence our compliance with this Data Protection Addendum (including third party security reports, if applicable); and
(viii) on termination of the IDV Agreement, destroy (or if you request, return) your personal data, unless we are otherwise required to retain it.
6. Technical and organisational measures
For more details about the technical and organisational measures we have implemented to ensure an appropriate level of security and to prevent a personal data breach, please see our Information Security Standard available here: https://media.umbraco.io/lawdebenture/oa2lyy4h/information-security-standard-v12-2024.pdf.
7. International Transfers
7.1. Our IDV Services do not typically involve a transfer of personal data to third countries or international organisations. We will have no responsibility to make any such transfer (or liability resulting from not making such a transfer) until the parties have supplemented this Data Processing Addendum with such additional provisions that we reasonably require.
Appendix – Current list of sub-processors
- Yoti Ltd, a company incorporated in England & Wales with company number 08998951 whose registered office is at 6th Floor, 107 Leadenhall Street, London EC3A 4AF.
- Microsoft Ireland Operations Ltd, a company registered in Ireland under the number 256 796, with its main office at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, S18P521, Ireland.
- Mimecast Services Ltd, a company registered in England & Wales with company number 04901524 whose registered office is at Floor 4, 1 Finsbury Avenue, London, England, EC2M 2PF.
- CrowdStrike UK Ltd, a company registered in England & Wales with company number 09625468 whose registered office is at 6th Floor, One London Wall, London, England, EC2Y 5EB.