Amos Data Processing Addendum (DPA)
Last updated: 26 May 2025
This Data Processing Addendum (“DPA”) forms part of the agreement between Amos IT Ltd (“Amos”) and the Client (“Client”) governing the provision of services (“Services”) by Amos. This DPA outlines the terms and conditions applicable when Amos processes Personal Data on behalf of the Client.
1. Definitions
- Applicable Laws: All data protection laws and regulations applicable to the Processing of Personal Data under this DPA, including GDPR and UK GDPR.
- Controller: The entity that determines the purposes and means of processing Personal Data.
- Processor: The entity that processes Personal Data on behalf of the Controller.
- Client Personal Data: Any Personal Data processed by Amos on behalf of the Client.
- Personal Data: Any information relating to an identified or identifiable natural person.
- GDPR: General Data Protection Regulation (EU) 2016/679.
- UK GDPR: The GDPR as it applies in the United Kingdom.
- Restricted Transfer: Transfer of Personal Data where such transfers would be prohibited by Applicable Laws without appropriate safeguards.
- Security Incident: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
- Subprocessor: Any third party appointed by Amos to process Client Personal Data.
2. Purpose and Scope of Processing
Amos shall process Client Personal Data only for the purpose of providing Services as set out in the agreement. This DPA applies where Amos acts as a Processor processing Personal Data on behalf of the Client, who acts as Controller.
Data Processing Locations
Amos solutions are hosted and delivered in the cloud using Amazon Web Services (AWS). Client Personal Data is processed exclusively within the European Union. The primary hosting region is AWS EU West (Dublin, Ireland), with failover capabilities in AWS EU Central (Frankfurt, Germany). This infrastructure ensures high availability and compliance with EU data residency and protection requirements.
3. Duration of Processing
Processing shall continue for the duration of the Services or until deletion of Personal Data as instructed by the Client or required by law.
4. Documented Instructions
Amos shall process Personal Data only on the documented instructions of the Client unless required by law. Amos shall immediately inform the Client if any instruction is believed to be in violation of Applicable Laws.
5. Confidentiality and Personnel Access
Amos ensures that all persons authorised to process Personal Data on its behalf:
- Are subject to strict confidentiality obligations, including having signed formal confidentiality and non-disclosure agreements;
- Access Client Personal Data only on a need-to-know basis, limiting exposure to only those personnel necessary to perform their job functions;
- Use secure access mechanisms, including multi-factor authentication and encrypted connections, to access systems hosting or processing Client Personal Data;
- Receive regular training and are made aware of their responsibilities under Applicable Laws and this DPA.
These confidentiality and access controls survive termination of their engagement with Amos.
6. Security Measures
Amos implements appropriate technical and organisational measures including:
- Encryption of data in transit and at rest
- Multi-factor authentication for access
- Access control and segregation
- Incident response and disaster recovery plans
- Regular testing and monitoring of systems
Amos reviews and updates its security measures regularly.
7. Subprocessing
Client provides a general authorisation for Amos to engage subprocessors. Amos shall:
- Enter into written agreements with subprocessors that reflect the obligations in this DPA
- Notify Client of any intended changes to subprocessors
- Remain liable for subprocessors’ acts and omissions
Current subprocessors and links to their DPAs can be accessed here.
8. Data Subject Rights
Amos shall assist the Client, to the extent possible, in fulfilling obligations to respond to requests by Data Subjects, including:
- Access
- Rectification
- Erasure
- Portability
- Objection to processing
Amos shall not respond to such requests directly unless required to do so by law.
9. Data Transfers
Amos shall not transfer Personal Data to a third country or international organisation without implementing safeguards in compliance with Article 44 of the GDPR. These may include:
- EU Standard Contractual Clauses (SCCs)
- UK Addendum to SCCs
- Adequacy decisions
Data Location Compliance
Amos confirms that all Client Personal Data is processed and stored within AWS cloud infrastructure located in Dublin, Ireland (primary region), and Frankfurt, Germany (failover region). No data is transferred outside of the EU/EEA unless such transfer is explicitly authorised by the Client and protected by lawful safeguards.
10. Impact Assessments and Cooperation
Amos shall assist the Client with Data Protection Impact Assessments (DPIAs) and consultations with regulatory authorities when required by law.
11. Security Incidents and Breach Notification
In the event of a Security Incident, Amos shall:
- Notify the Client without undue delay (and in any case within 24 hours)
- Provide details of the breach, including type, scope, and affected data
- Cooperate with the Client to mitigate and remediate the incident
12. Deletion and Return of Data
Upon termination or request, Amos shall:
- Delete or return all Personal Data to the Client
- Confirm completion of deletion in writing
- Retain data only where legally required and only for the specified retention period
13. Audit Rights
Amos shall:
- Provide documentation and certifications upon request
- Allow audits once annually or more frequently if required by law or a regulator
- Cooperate with audits subject to reasonable notice, confidentiality, and non-disruption of operations
14. Client Obligations
The Client shall:
- Ensure lawful basis for processing
- Provide accurate and complete Personal Data
- Comply with its obligations under Applicable Laws
- Maintain security of access credentials and systems
15. Liability and Indemnity
Each party shall be liable for breaches of this DPA and Applicable Laws in accordance with the liability provisions of the underlying agreement. Neither party excludes liability for:
- Death or personal injury
- Fraud or fraudulent misrepresentation
16. Governing Law
This DPA shall be governed by and construed in accordance with the law specified in the agreement between the parties.
17. Termination and Survival
This DPA shall remain in force until:
- Termination of the Services
- Deletion of all Personal Data
Provisions concerning confidentiality, liability, and data protection obligations shall survive.
18. Entire Agreement
This DPA supersedes any previous agreements relating to data protection between the parties.