Published using Google Docs
MASTER Texthelp - DPA to reference in contracts or terms (9 August 2022).docx
Updated automatically every 5 minutes

Data Protection Addendum

This Data Protection Addendum (DPA) forms part of any agreement in which the URL to this DPA is referenced, including, where applicable, our standard Terms of Business (each such agreement, the Agreement) and is entered into by and between Texthelp Ltd., a company incorporated in Northern Ireland with company number NI031186 whose registered office is at Lucas Exchange, 1 Orchard Way, Antrim, Antrim, BT41 2RU (we, us or our, as applicable) and the client entity (you or your, as applicable) that are the parties to the Agreement (each a Party and together, the Parties).

  1. We process personal data in the course of providing the services under the Agreement.  Data protection laws apply to the processing of that data which require that specific provisions are included in the Agreement in respect of processing for which we are a Processor (as defined below).
  2. This DPA, as amended by us from time to time by written notice to you, forms part of and shall be deemed incorporated into the Agreement.
  3. If there is any conflict or inconsistency between the terms of this DPA and the Agreement, the terms of the DPA shall prevail to the extent necessary to resolve the conflict or inconsistency.
  1. Expressions defined in the Agreement shall have the same meanings when used in this DPA.
  2. In this DPA, the following expressions shall have the following meanings:

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process and Processing

shall have the respective meanings given to them (and terms used for similar concepts) in Data Protection Laws, and Customer Personal Data means the Personal Data set out in the Description of Processing where such data is Processed by us as a Processor on your behalf;

Data Protection Laws

any applicable legislation in force from time to time relating to the protection of personal data of individuals including the GDPR and the Data Protection Act 2018 (or any successor legislation);

Description of Processing

the description of our Processing of the Customer Personal Data attached to this DPA;


the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, supplemented by section 205(4) of the Data Protection Act 2018) and, to the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679;


all losses, reasonable costs, charges, expenses, legal and other professional costs awarded against, suffered, incurred or paid by us or you, as applicable (and Liability shall be construed accordingly); and


the services provided by us to you under the Agreement.

  1. You acknowledge and agree that: (i) you are a Controller and that we are a Processor for the purposes of Processing Customer Personal Data; and (ii) we are a Controller in relation to any Processing described in our privacy and cookie policies located at
  2. In respect of any Customer Personal Data Processed by us, we shall:
  1. only Process Customer Personal Data in accordance with your documented instructions from time to time unless we are required by the laws applicable in the UK, any member state of the European Union or the European Union to Process that data otherwise than in accordance with those instructions (in which case we shall notify you unless the law prohibits us from doing so on public interest grounds);
  2. ensure that those of our staff who have access to and/or Process Customer Personal Data are committed to keeping that data confidential;
  3. implement appropriate technical and organisational measures to protect against accidental, unlawful or unauthorised destruction, loss, alteration or disclosure of, or access to, Customer Personal Data in accordance with our obligations under Data Protection Laws;
  4. with your general authorisation (which you hereby provide) engage other Processors to Process the Customer Personal Data (Sub-Processor) provided we notify you of any intended changes concerning the addition or replacement of Sub-Processor(s) and provide you with the opportunity to object to such changes.  Any objections must be notified to us in writing within 14 days of the date of our notice to you.  If we do not receive an objection from you within such period, you shall be deemed to have agreed to our use of such Sub-Processor. If you object within such period or after we notify you in writing that a Sub-Processor we propose does not accept some or all of the obligations set out above in this DPA (or after we notify you in writing that an existing Sub-Processor is no longer bound by some or all of those obligations), then we and you shall, acting in good faith, discuss, and each of us use reasonable (but commercially prudent) endeavours to resolve your objections. If we are unable to resolve these within fourteen (14) days of your objection, we or you may terminate the Agreement without liability on giving seven (7) days’ written notice to the other Party. A list of Sub-Processors used by us is available on request;
  5. not transfer any Customer Personal Data outside of the United Kingdom and European Economic Area (EEA) if such transfer would directly cause you to breach your obligations under Article 44 of the GDPR. Subject to the foregoing provisions of this paragraph 3.2.5, you hereby consent to us and any of our Sub-Processors transferring Customer Personal Data outside the UK and EEA.  You shall promptly enter into any standard contractual clauses issued by the UK Secretary of State, European Commission or other competent body relating to the transfer of Personal Data to third countries (as defined by Data Protection Law) as we require to comply with this DPA and/or Data Protection Laws.  Any such standard clauses entered into between you and us pursuant to this paragraph 3.2.5 shall, once executed, be incorporated into and form part of this DPA and such standard contractual clauses shall take precedence over any other terms of this DPA in the event of any conflict or inconsistency;
  6. provide such assistance (at your cost and to such extent permitted by Data Protection Laws) as you may reasonably require in responding to any request from a Data Subject and in ensuring compliance with your obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments and consultations with any data protection regulators. In no event shall we be obliged to respond directly to any such request or correspondence unless specifically required to do so by law;
  7. without undue delay after becoming aware of a Personal Data Breach, notify you of that breach including, to the extent the information is available, the nature of the breach, the impacted categories of Customer Personal Data; any material consequences of the breach and the measures we have taken to mitigate the consequences of the breach. Any notification made by us under this paragraph 3.2.7 shall be made without any admission of liability and we shall not be liable for any decisions made (or not made) by you based on such notification; and
  8. for the sole purpose of demonstrating our compliance with this DPA, provide such information as you reasonably require, or where, in our reasonable opinion, the provision of information alone is not reasonably sufficient for that purpose, allow for and contribute to an audit (including inspection) of the relevant parts of our business by up to two (2) of your representatives (in each case, at your cost, including any auditors’ or administrative fees).  You shall give not less than one (1) month’s prior written notice prior to the date you wish to conduct the audit and shall conduct any such audit no more than once per calendar year at such time and date that is convenient for us (except where required otherwise by a data protection regulator having competent jurisdiction).  You shall promptly notify us in writing of any non-compliance discovered by such audit. You shall not disclose to any third party (other than, where applicable, the external auditor performing the audit) any information or reports obtained or produced in connection with any such audit and shall use such information and reports solely for the purposes of meeting your regulatory audit requirements and/or confirming our compliance with the requirements of this DPA. You shall provide us a copy of any reports produced in connection with any such audits promptly following completion.  You shall ensure that you take reasonable steps and any steps we request to minimise any interruption to our business when exercising your rights under this paragraph 3.2.8.  If a third party conducts the audit, we may object to the auditor if the auditor is, in our reasonable opinion, not suitably qualified or independent, our competitor or a competitor of our shareholders, or otherwise manifestly unsuitable. If we do object, we may require you to appoint another auditor or to conduct the audit yourself.  
  1. You shall: (i) ensure that all documented instructions you issue to us comply with Data Protection Laws; (ii) be and remain solely responsible for the content of the Description of Processing, for determining the lawful basis and conditions for the Processing of all Customer Personal Data in connection with the Agreement and for the accuracy, quality, and legality of all Customer Personal Data and the means by which you acquired that data; and (iii) not seek our assistance in respect of any activities or tasks that can reasonably be performed by you. You shall immediately notify us in writing if the Description of Processing is inaccurate or incomplete at any time together with full details.
  2. To the extent permitted by law, we accept no liability for any: (i) inaccurate data (including Personal Data) provided to you as part of the Services to the extent that such inaccuracy arises from incorrect data provided by you, any Data Subjects or any sources that are not Sub-Processors; or (ii) representations, guarantees or conditions that the Services or the Customer Personal Data are fit for a particular purpose or shall meet your requirements.
  3. We shall not be liable for any Liabilities in connection with this DPA or the Services to the extent that we are not in any way responsible for the event giving rise to the Liabilities or you are responsible for the Liabilities, in each case, in accordance with Article 82 of the GDPR.
  4. Notwithstanding paragraph 3.2.1, we shall have no obligation to comply (nor any Liability for non-compliance) with your or your authorised users’ use of the Services or any of your instructions which in our opinion shall or are likely to: (i) vary the provisions of the Agreement; (ii) be inconsistent with the Description of Processing; or (iii) breach any Data Protection Laws.
  5. We shall immediately notify you if, in our opinion, any documented instructions you provide to us breach Data Protection Laws. You shall not rely on such notice, which you acknowledge and agree does not constitute legal advice. You shall seek independent legal advice if you wish to determine whether any instruction received by us and which we believe breaches Data Protection Laws, is in fact a breach or likely to be a breach of those laws.
  6. Following expiry or termination of the Agreement (at your option and sole cost) we shall either return to you or delete any Customer Personal Data Processed by us solely as a Processor, in each case, in accordance with the Agreement, except where we are required to store it pursuant to applicable law.
  7. We and you acknowledge and agree that the following shall be determined by your authorised users using the Service in their sole discretion: the type of Customer Personal Data uploaded or posted using the Services and the categories of Data Subject to whom those data relate.

Description of processing

Processing of Customer Personal Data

Subject matter: Processing in connection with the provision of the Services to your authorised users.

Nature: Collection, conversion, making available, storage, retrieval, alteration, restriction, deletion and destruction.

Duration: The term of the Agreement (unless deleted sooner by the authorised user using the tools provided within the Services) or, in the case of any Personal Data that is used for text-to-speech related Services, for the period of the user session.

Purposes of the Processing

The Processing is necessary for the following purposes:

To provide the applicable Services under the Agreement (including the features and functionality as described at to authorised users.

Categories of Data Subjects

The Customer Personal Data relates to the following categories of Data Subjects:

Authorised users of the Services, including teachers and students, as applicable.

Categories of Personal Data

The Customer Personal Data Processed falls within the following categories:

Names and contact details, profile pictures, scores, written feedback and comments on assignments, voice recordings and any Personal Data contained in those recordings or in text selected by Data Subjects for use with the Services.

Special categories of Personal Data and/or criminal offence/conviction data 

The Customer Personal Data Processed falls within the following special categories of Personal Data/criminal offence/conviction data:

None. You agree to ensure that you and your authorised users do not upload any special categories of Personal Data or criminal offence/conviction data to the Services.

Rights and obligations of the Controller

Your rights and obligations as a Controller in relation to the Customer Personal Data shall be as set out in this DPA and Data Protection Laws.