Last updated in May 2019
1. Appointment and role of AskMeWhy
1.1 You appoint AskMeWhy to Process Your Personal Data on your behalf as is necessary for AskMeWhy to provide the Service to you.
1.2 AskMeWhy and you agree that for the purposes of these Terms and AskMeWhy’s Processing of Your Personal Data in connection with the Service, you are the Data Controller and AskMeWhy (and each permitted subcontractor or third party under these Terms) is a Data Processor.
2. Details of Processing
2.1 Processing of Your Personal Data by AskMeWhy under these Terms shall be for the subject-matter, duration, nature and purpose, and the type of Personal Data and categories of Data Subjects, set out in these Terms.
2.2 Your obligations and rights as Data Controller are as set out in these Terms.
3. Complying with Data Protection Laws
3.1 You authorize AskMeWhy to access Your Personal Data (including your directory of users held within the Office 365 environment) for the purpose of providing the Service to you.
3.2 AskMeWhy shall in all cases Process Your Personal Data in compliance with Data Protection Laws.
3.3 AskMeWhy shall not cause itself, nor shall it cause another Data Processor, to breach Data Protection Laws.
3.4 AskMeWhy shall procure that any other Data Processor that it engages which has access to or otherwise Processes Your Personal Data shall comply with AskMeWhy’s obligations under these Terms.
4. Acting on controller’s documented instructions
AskMeWhy shall Process Your Personal Data only on your documented instructions or, following AskMeWhy’s prior notification to you, except where mandatory applicable law prohibits such notification on important public interest grounds, otherwise as necessary to perform its obligations under these Terms or as required by law applicable to AskMeWhy.
AskMeWhy shall promptly notify you if in AskMeWhy’s reasonable opinion any of your instructions infringes Data Protection Law, with such notification to include an explanation of why AskMeWhy has formed such an opinion.
5. Ensuring employee confidentiality
5.1 AskMeWhy shall ensure:
- the reliability of any person acting under its authority who may have access to, or who processes, Your Personal Data;
- that any such person is subject to appropriate binding obligations of confidentiality and at all times acts in compliance with Data Protection Law and the data protection obligations under these Terms; and
- that such a person receives regular and appropriate training on the same.
6. Implementation of appropriate technical and organizational measures
6.1 AskMeWhy shall implement all appropriate technical and organizational measures:
- such that any Processing shall meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects; and
- to ensure the security of Your Personal Data, including protection against unauthorized or unlawful Processing (including without limitation unauthorized or unlawful disclosure of, access to, or alteration of Your Personal Data) and against accidental loss or destruction of, or damage to, it.
6.2 AskMeWhy shall ensure that the Security Measures are the minimum-security standards (or materially similar security standards) governing AskMeWhy’s Processing of Your Personal Data as further outlined in the Schedule.
7. Data breach notification and assistance
7.1 AskMeWhy shall notify you in writing without delay if it becomes aware of or suspects any unauthorized or unlawful Processing, disclosure of, or access to, Your Personal Data or any accidental or unlawful destruction of, loss of, alteration to, or corruption of, Your Personal Data («Data Breach»), and provide you, as soon as possible, with such information relating to the Data Breach as you require to report the Data Breach to the competent Supervisory Authority or to communicate the Data Breach to affected Data Subjects. Such information shall include, without limitation, the nature of the Data Breach, the nature of the Personal Data affected, the categories and number of Data Subjects concerned, the number of Personal Data records concerned, measures taken to address the Data Breach and the possible consequences and adverse effect of the Data Breach.
7.2 AskMeWhy shall maintain a log of Data Breaches, including facts, effects and remedial action taken.
7.3 AskMeWhy, at its own cost, shall take all steps to restore, re-constitute or reconstruct any of Your Personal Data which is lost, damaged, destroyed, altered or corrupted as a result of a Data Breach, with all possible speed and as if it were AskMeWhy’s own data, and shall provide you with all reasonable assistance in respect of any such Data Breach.
AskMeWhy shall also provide all reasonable assistance to you in this regard in relation to your compliance with applicable Data Protection Law.
8. Assisting controller with Privacy Impact Assessments and prior consultations
AskMeWhy shall notify you prior to adopting a new or updated type of Processing (including, without limitation, the use of new technology to continue current Processing) in respect of Your Personal Data, and at your request AskMeWhy shall participate in a data protection impact assessment in respect of the new or updated type of Processing which is being proposed by AskMeWhy or you. To the extent applicable, AskMeWhy shall provide assistance to you in consulting with Supervisory Authorities in relation to any high-risk Processing, as reasonably required from time to time by you.
9.1 You authorize AskMeWhy to engage another Data Processor to perform Processing activities in respect of Your Personal Data on your behalf («AskMeWhy Data Processor»), or transfer or disclose any of Your Personal Data to any other party, only as is necessary for the provision of the Service. In such circumstances AskMeWhy shall:
- request consent from you in writing in advance should this be a party outside of AskMeWhy’s group and at the conclusion of such engagement, transfer or disclosure; and
- comply with these Terms in connection with the engagement of the AskMeWhy Data Processor.
9.2 For the purpose of clause 9.1 of this Appendix, you give your consent to Microsoft Corporation performing Processing activities in respect of Your Personal Data on your behalf in order for us to provide the Service to you, and accordingly you acknowledge and agree that Microsoft Corporation is an AskMeWhy Data Processor under this Appendix (to the extent applicable).
9.3 In any case where AskMeWhy is authorized to act pursuant to Clause 9.1 of this Appendix, AskMeWhy shall enter into a written agreement («Processor Contract») with such AskMeWhy Data Processor containing obligations that are equivalent to and no less onerous than those set out in these Terms (including the obligations in relation to engaging another Data Processor).
9.4 AskMeWhy shall remain fully liable to Subscriber for any non-compliance with the terms of these Terms by any AskMeWhy Data Processor.
10. Transferring data outside the EEA
10.1 This clause 10 applies to the extent that any of Your Personal Data is accessed by AskMeWhy in any country or territory within the European Economic Area.
10.2 Subject to clause 10.1 of this Appendix, AskMeWhy shall not, and shall procure that any AskMeWhy Data Processor shall not, transfer any of Your Personal Data to any country or territory (except within the Microsoft Azure environment, and within its datacenter regions detailed at https://azure.microsoft.com/en-us/global-infrastructure/regions/) outside the European Economic Area or to any international organizations («International Recipient») without first obtaining your express written consent and, if you consent to the transfer of Your Personal Data to an International Recipient, AskMeWhy shall ensure that such transfer and any onward transfer to any recipient thereafter:
- is under a written contract including equivalent obligations relating to security and confidentiality of Your Personal Data;
- is effected by way of a legally enforceable mechanism for transfers of Personal Data as may be permitted under Data Protection Laws from time to time (the form and content of which shall be subject to your prior written approval);
- complies with Clause 4 of this Appendix; and
- otherwise complies with Data Protection Laws.
10.3 For the purpose of Clause 10.2 of this Appendix, you approve the use of Standard Contractual Clauses as a legally enforceable mechanism for transfers of Personal Data and provide a power of attorney for AskMeWhy to enter into any such Standard Contractual Clauses with an International Recipient in the name and on behalf of you as the Data Exporter provided that AskMeWhy shall not modify, vary, supplement or disapply any of the Standard Contractual Clauses or its Appendices without your prior written approval.
11. Assisting controller with handling Data Subject rights requests
AskMeWhy shall, insofar as is possible, implement appropriate technical and organizational measures to provide you with prompt co-operation and assistance in responding to any request to exercise Data Subject rights under Data Protection Laws (including access requests) received by, or on behalf of, or in connection with you or these Terms, including to ensure that all such requests it receives are recorded and then referred to you.
12. Deleting or returning of Your Personal Data
12.1 AskMeWhy shall promptly:
- on termination of these Terms, for whatever reason;
- after the end of the provision of the relevant Service related to Processing; or
- if earlier, as soon as Processing by AskMeWhy of any of Your Personal Data is no longer required for AskMeWhy’s performance of its obligations under these Terms, cease all use of such Personal Data and shall either securely destroy all such Personal Data or securely transfer all such Personal Data to you or a nominated third party, and securely delete existing copies (unless storage of any data is required by applicable law, and if so AskMeWhy shall notify you of this).
13. Providing records, information and assistance
13.1 AskMeWhy shall maintain complete, accurate and up to date written records of all categories of Processing activities containing such information as is required under Data Protection Laws and any other information that you reasonably require («Processing Records»), and shall make available to you on request in a timely manner such information, including the Processing Records, as is reasonably required by you to demonstrate compliance by you with your obligations under Data Protection Laws and these Terms, which you may disclose to the Supervisory Authority or any other relevant regulatory authority.
13.2 AskMeWhy shall permit you, or a third-party reputable auditor acting under your direction, to conduct, at your cost, data privacy and security audits, assessments and inspections concerning AskMeWhy’s data security and privacy procedures relating to the Processing of Your Personal Data, and its compliance with these Terms and Data Protection Laws.
13.3 AskMeWhy shall provide you with such assistance and co-operation as you may reasonably request to enable you to comply with any obligations imposed on you by Data Protection Laws, including, but not limited to:
- on your request, promptly providing written information regarding the technical and organizational measures which AskMeWhy has implemented to safeguard Your Personal Data and the security of processing;
- promptly providing such information and cooperation as you may reasonably require for the purpose of assisting you to carry out a Privacy Impact Assessment;
- disclosing full and relevant details in respect of any and all government, law enforcement or other access protocols or controls which it has implemented; and
- notifying you as soon as possible and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Your Personal Data (or any part thereof) by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction. For the avoidance of doubt and as far as it is legally permitted to do so, AskMeWhy shall not disclose or release any of Your Personal Data in response to such request served on it without first consulting with and obtaining your written consent.
14. Informing controller of complaints and enquiries
AskMeWhy shall inform you as soon as reasonably possible of any enquiry, complaint, notice or other communication in connection with the Service or your or AskMeWhy’s compliance with Data Protection Laws from any Supervisory Authority or any Data Subject, which AskMeWhy or the third parties appointed by AskMeWhy receives. AskMeWhy shall provide all necessary assistance to you to enable you to promptly respond to such enquiries, complaints, notices or other communications and to comply with Data Protection Laws. For the avoidance of doubt, AskMeWhy shall not respond to any such enquiry, complaint, notice or other communication relating to the Service or your compliance with Data Protection Laws without your prior written consent.
15. Definitions and interpretation
For the purpose of this Appendix, the following words and phrases shall have the following meaning unless the context otherwise requires:
«Data Controller» (or «controller»), «Data Processor» (or «processor»), «Data Subject», «Personal Data», «Processing» and «Sensitive Personal Data» (or «special categories of personal data») all have the meanings given to those terms in Data Protection Laws (and related terms such as «Process» have corresponding meanings).
«Data Exporter» has the meaning set out in the Standard Contractual Clauses.
«Data Protection Laws» means all laws, regulations, legislative and regulatory requirements and codes of practice applicable to the Processing, privacy, and use of Personal Data, as applicable to you, AskMeWhy or the Service (including, to the extent applicable and without limitation, Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 and any successor legislation (including the General Data Protection Regulation (EU) 2016/679), the guidance, directions, determinations, codes of practice, circulars, orders, notices or demands issued by any Supervisory Authority, and any applicable national, international, regional, municipal or other data privacy and data protection laws, standards or regulations in any territory in which the Service is provided or which are otherwise applicable).
«Standard Contractual Clauses» means the standard contractual clauses set forth in EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, as may be amended or superseded from time to time.
«Security Measures» means your security policies and measures (including IT policies and measures) for the protection of Personal Data issued to AskMeWhy by you from time to time which as at the date of these Terms are as specified in the Schedule.
«Supervisory Authority» means any competent data protection or privacy authority in any jurisdiction in which you or AskMeWhy is established, AskMeWhy provides the Service, or in which AskMeWhy Processes Your Personal Data.
«Your Personal Data» or «Personal Data» means all Personal Data, in whatever form or medium which is:
- supplied, or in respect of which access is granted to AskMeWhy (or any approved third party) whether by you or otherwise in connection with these Terms, or
- produced or generated by or on behalf of AskMeWhy (or any approved third party) in connection with these Terms, including as set out in the Schedule.
Schedule: Technical and Organizational Security Measures
1. Technical and organizational security measures
1.1 AskMeWhy shall adhere to or exceed the following standard or a materially similar standard:
- Encryption of data in transit with HTTPS.
- Segregation of Personal Data from other networks.
- Access control and multi-factor user authentication with access rights being subject to an internal audit at least quarterly. All system access is role based and follows the principle of least privilege.
- Employee training on information security. This includes new starter induction training, annual information security refresher courses and ad-hoc information security notifications when new threats emerge.
- Documented information security policies and procedures. These are reviewed at least annually or when new threats emerge.
- Vulnerability tests are performed quarterly (this may be an internal function). External penetration tests are performed at least annually and are performed by an accredited external Penetration Test company.
- Perimeter firewalls. The development, staging and production environments are both physically and virtually separated, ensuring that code cannot be deployed to the production environment in error.
- Backing up of data. All data follows a regular backup process and data is recoverable in a timely manner following any system issues.
- Commercial grade anti-virus protection on all computers. All computers are protected by commercial grade anti-virus. Virus definitions are updated at least daily and full scans occur at least once per week.
- All staff under duty of confidence. All staff are subject to both a confidentiality clause in their employment contract or services contract and a confidentiality policy.
Please also feel free to contact us if you have any questions about this DPA. You may also write to us at the following address: