Where Vapour is acting as a Data Processor as defined by the GDPR:
1. All processing performed by Vapour shall be governed by a contract that sets out the subject matter and duration of the processing. Vapour’s lawful basis for processing is a binding contract.
2. Vapour will not engage another sub-processor or process data in another country outside the UK without the prior written authorisation of the controller.
3. Vapour will ensure that only persons that are bound by a confidentiality agreement are authorised to process data.
4. Data will be encrypted where required in accordance with the contract, within the technical constraints of the available technology.
5. Vapour will ensure that the processing systems used provide an appropriate level of confidentiality, integrity, availability and resilience.
6. Vapour will provide the ability to restore data in a timely manner in the event of a physical or technical incident.
7. Vapour will operate a process for regularly testing and assessing the effectiveness of the security measures that are in place.
8. Vapour will take appropriate steps to mitigate the risks associated with processing data, in particular around accidental or unlawful destruction or loss.
9. Vapour will take steps to ensure that any person acting under its authority that has access to personal data does not process them except under the written instructions of the contracted controller or processor.
10. At the choice of the controller, Vapour will delete or return data at the end of the contracted services.
11. Vapour will ensure that backup copies of data are deleted at the end of the contracted retention period.
12. In the event that a controller requests a recovery of backup data, it is the controller’s responsibility to ensure that the recovered data does not contain any personal data that has previously been erased.