Place your products directly in front of the people that matter, at the exact time product decisions are made.

The new specification writing and consultancy service from NBS

PlatformPartnersArticlesAbout NBSContact NBS for SpecifiersNBS for ManufacturersBOOK A DEMO 1-800-610-7732

Platform

NBS Chorus Plans and Features ROI Calculator NBS Source NBS Schumann New

Platform

NBS Chorus Plans and Features ROI Calculator NBS Source NBS Schumann New

Digicon Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Terms”) entered into by and between Subscriber and Digicon, pursuant to which Subscriber has purchased a subscription to Digicon’s Services (as described in the Contract).

 

The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Information in accordance with the requirements of applicable Data Protection Legislation.

 

This DPA consists of two parts: (1) the main body of the DPA, and (2) Annex A – Personal Information Processing Purposes and Details.

 

By signing a Digicon Order Form you agree to be bound by this DPA. If you do not agree to this DPA then you must not sign the Digicon Order Form.

 

In the course of providing the Services to Subscriber pursuant to the Contract, Digicon may Process Personal Information on behalf of Subscriber and the Parties agree to comply with the following provisions with respect to any Personal Information, each acting reasonably and in good faith.

 

This DPA shall not replace any comparable or additional rights relating to Processing of Personal Information contained in the Terms.

 

1. DEFINITIONS AND INTERPRETATION

The following definitions and rules of interpretation apply in this DPA. All capitalized terms used but not defined herein shall have the meaning given to such term in the Terms.

1.1 Definitions:

Authorised Persons: the persons or categories of persons that the Subscriber authorises to give Digicon written Personal Information processing instructions and from whom Digicon agrees to accept such instructions.

Breach: theft or loss, misuse, unauthorized  access to or disclosure of Personal Information or other illegal Processing of Personal Information.

Business Purposes: the services to be provided by Digicon to the Subscriber as described in the Contract and any other purpose specifically identified in ANNEX A.

Data Subject: the identified or identifiable living individual to whom the Personal Information relates.

Term: this DPA's term, as defined in Clause 10.

 

2. PERSONAL DATA TYPES AND PROCESSING PURPOSES

2.1 The Subscriber and Digicon agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) the Subscriber retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, performing any privacy impact assessments that may be required and for the written processing instructions it gives to Digicon.

(b) Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Information categories and Data Subject types in respect of which Digicon may process the Personal Information to fulfil the Business Purposes.

 

3. PROCESSING OF SUBSCRIBER PERSONAL INFORMATION

3.1 Digicon will comply with all applicable Data Protection Legislation in the Processing of Subscriber Personal Information; and not Process Subscriber Personal Information other than on the Subscriber’s documented instructions, unless Processing is required by Applicable Laws to which Digicon is subject, in which case Digicon will, to the extent permitted by Applicable Laws, inform the Subscriber of that legal requirement before Processing.

3.2 The Subscriber represents having given the appropriate notices to Data Subjects and instructs Digicon (and authorises Digicon to instruct each Subprocessor) to Process and transfer Subscriber Personal Information to any country or territory as reasonably necessary for the provision of the Services provided Digicon participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Digicon (and, where appropriate, the Subscriber) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation.

3.3 Digicon will not act on any specific instructions given by Subscriber from time to time unless they are documented and given by an Authorised Person.

3.4 Digicon will only Process the Subscriber Personal Information in accordance with the Contract and disclose Subscriber Personal Information to:

(a) Subscriber's Users; and

(b) Subscriber's Authorised Persons.

 

4. SUBSCRIBER OBLIGATIONS

4.1 Subscriber represents and warrants that:

(a) the Processing of Subscriber Personal Information has been carried out and will at all times be carried out by the Subscriber in compliance with Data Protection Legislation;

(b) Subscriber has made all necessary disclosures and obtained all necessary consents from Data Subjects to fulfil all of its obligations under this DPA, including the ability to disclose Subscriber Personal Information to Digicon and its Subprocessors and the possibility that the Personal Information be transferred in a foreign jurisdiction;

(c) it is and will remain duly and effectively authorised to give instructions to Digicon under this DPA;

(d) all Subscriber Personal Information is necessary in relation to the purposes for which it is Processed, accurate and where necessary up-to-date; and

(e) any notification that it is required to be made to a supervisory authority has been made, and is complete and correct.

 

5. CONFIDENTIALITY

5.1 Digicon will maintain the confidentiality of the Subscriber Personal Information and will not disclose the Subscriber Personal Information to third parties unless the Subscriber, the Contract or this DPA specifically authorises the disclosure, or as required by Applicable Law, court or regulator.

5.2 Digicon will ensure that persons authorised to Process the Subscriber Personal Information have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

 

6. SECURITY

6.1 Digicon shall at all times implement appropriate technical and organisational measures designed to protect against unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Subscriber Personal Information, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Subscriber Personal Information including, but not limited to, the security measures set out in ANNEX B.

 

7. SUBPROCESSING 

7.1 The Subscriber authorises Digicon to appoint Subprocessors in accordance with this Clause 7.  Digicon may continue to use those Subprocessors identified in Annex A as at the date of this DPA. Digicon will inform Subscriber of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Subscriber the opportunity to object to such changes as set out in Annex A.

7.2 With respect to each Subprocessor, Digicon shall ensure that the arrangement between Digicon and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Subscriber Personal Information as those set out in this DPA.

 

8. ASSISTANCE

8.1 Digicon shall reasonably assist the Subscriber in ensuring compliance with the Subscriber's obligations pursuant to Data Protection Law taking into account the nature of Processing and the information available to Digicon, including as set out in Section 8.3.

8.2 To the extent permitted by Applicable Law, Digicon will promptly notify the Subscriber if it receives a request from a Data Subject under any Data Protection Legislation in respect of Subscriber Personal Information and will, taking into account the nature of the Processing, reasonably assist the Subscriber by appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of the Subscriber's obligation to respond to requests.

8.3 To the extent permitted by Applicable Law, Digicon shall promptly notify the Subscriber if it becomes aware of a Personal Information Breach or attempted Personal Information Breach affecting Subscriber Personal Information and will reasonably co-operate with the Subscriber and take such commercially reasonable steps as the Subscriber requests to assist in the investigation, mitigation and remediation of each such Personal Information Breach.

 

9. DELETION OF SUBSCRIBER PERSONAL INFORMATION

9.1 The Subscriber chooses, and Digicon agrees, that on the termination of the provision of the Services, Digicon will delete Subscriber Personal Information from Digicon's systems two years from the date of termination, unless earlier deletion is required by applicable Data Protection Legislation, except to the extent that Applicable Laws require Digicon to retain copies of such data.

9.2 Subscriber acknowledges that it bears the sole responsibility for exporting any Subscriber Personal Information it wishes to retain prior to such deletion.

 

10. TERM AND TERMINATION

10.1 This DPA will remain in full force and effect so long as:

(a) the Digicon Order Form and Terms remain in effect; or 

(b) Digicon retains any of the Personal Information related to the Digicon Order Form and Terms in its possession or control (Term).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Digicon Order Form and Terms in order to protect the Personal Information will remain in full force and effect.

 

11. INFORMATION & AUDIT RIGHTS 

11.1 Digicon will make available such information as is reasonably requested by the Subscriber to demonstrate compliance with the obligations under this DPA. The Subscriber will be entitled to conduct an audit for that same purpose, provided (a) the Subscriber gives Digicon no less than fourteen (14) days’ prior written notice, (b) the audit is conducted remotely, and (c) such audits are conducted no more than once per calendar year, excluding any audit required by any supervisory authority under applicable Data Protection Legislation.

11.2 Digicon shall promptly inform the Subscriber if, in its sole opinion, the Subscriber's instruction to Digicon infringes Data Protection Legislation or other Applicable Laws relating to data protection.

11.3 No audit under section 11.1 will provide the Subscriber with any access to Digicon’s code base, data centres, detailed network schematics or detailed records of security vulnerabilities unless such access is required by a supervisory authority under Data Protection Legislation or by Applicable Law.

11.4 Subscriber shall bear the costs of any audit under section 11.1, unless such audit reveals that Digicon is responsible for a Personal Information Breach or has otherwise materially failed to comply with its obligations under this DPA, the Terms, or the Data Protection Legislation, in which case Digicon shall bear the cost.

 

12. GENERAL 

12.1 Nothing in this DPA is intended to impose upon Digicon any obligations materially more burdensome that those required by applicable Data Protection Legislation.

12.2 In the event of conflict between the terms set out in this DPA and the Terms, the terms set out in this DPA shall prevail solely to the extent of such conflict.

12.3 No other terms or conditions of the Terms shall be amended as a result of this DPA.

12.4 The parties will cooperate in good faith to amend this DPA where required by any change in the Data Protection Legislation applicable to either party.

12.5 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by the law governing the Agreement, without regard to any conflicts of law principles that would require a different result. Each party irrevocably submits to the jurisdiction of the same courts, arbitrators, or other dispute resolution bodies as set out in the Terms, under the same terms set out in the Terms.

 

 ANNEX A Personal Information processing purposes and details

Description

Details

Subject matter of the processing

Providing a cloud-based system to Subscriber

Duration of the processing

The Term of Subscriber’s subscription under the Contract

Nature and purposes of the processing

Hosting of the specification data within the Digicon platform

Type of Personal Information

Names, email addresses and telephone numbers of Project Participants

Categories of Data Subject

Project Participants e.g., Subscriber’s Client, Engineer, Project Manager, Principal Contractor, Principal Designer, Civil Engineer, Quantity Surveyor

 

Approved Subprocessors:

 

Amazon Web Services EMEA SARL (suppliers of our data centres in the UK and Ireland)

 

Digicon will provide notice to Subscriber of its intention to engage third parties as Subprocessors by updating the above Approved Subprocessors list, such notice to be given not less than ten (10) days prior to the engagement of such Subprocessors. 

 

ANNEX B Security measures

 

Digicon has technological safeguards in place to provide the following:

 

1. Information Security Policies and Standards
Digicon’s security measures shall include, at a minimum systems, security policies and standards designed to:

 

- Prevent unauthorised persons from gaining access to Personal Information processing systems (physical access control);

- Prevent Personal Information processing systems being used without authorisation (logical access control);- Ensure that persons entitled to use a Personal Information processing system gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Information cannot be read, copied, modified or deleted without authorisation (data access control);

- Ensure that Personal Information cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage, and that the target entities for the transfer of Personal Information by means of data transmission facilities can be established and verified (data transfer control);

- Ensure the establishment of an audit trail to document whether and by whom Personal Information have been entered into, modified in, or removed from Personal Information processing (entry control);

- Ensure that Personal Information is Processed solely in accordance with the Subscriber’s instructions (control of instructions);

- Ensure that Personal Information is protected against accidental destruction or loss (availability control); and

- Ensure that Personal Information collected for different purposes can be processed separately (separation control).

 

These measures are kept up to date and revised whenever relevant changes are made to the information system that uses or stores Personal Information, or to how that system is organised.

 

Security policies and standards include:

- Access Control Policy

- Business Continuity Policy

- Data Protection Policy

- Data Retention and Destruction Policy

- Data Rights Access Policy

- Information Security Policy

- Physical Security Policy

 

2. Physical Security
Digicon and its subsidiaries shall maintain reasonable security systems at all sites at which an information system that uses or stores Personal Information is located and shall reasonably restrict access to such Personal Information appropriately.

 

3. Organisational Security
Digicon shall ensure:

- Procedures have been implemented which are designed to prevent any retrieval or use of Personal Information stored on media which has been disposed of or reused.

- All Personal Information security incidents are managed in accordance with appropriate incident response procedures.

 

4. Network Security
Digicon shall maintain network security using commercially available equipment and industry standard techniques, including anti-virus and malware protection software, firewalls, access control lists and routing protocols.

 

5. Access Control
- Only authorised Digicon employees can grant, modify or revoke access to an information system that uses or stores Personal Information.

- User administration procedures define user roles, how access is granted, changed and terminated, addresses appropriate segregation of duties, and defines the logging/monitoring requirements and mechanisms.

- Digicon implements commercially reasonable physical and electronic security to create and protect passwords.

 

6. Data Centres
Digicon uses AWS datacentres based in the UK and Ireland. Data centre physical and environmental security is managed by AWS as documented here Data Centers - Our Controls (amazon.com).


Last Updated: January 1, 2025