Skip to the main content.
Want our sockets in your home?

We’re working hard to get our plug sockets available for UK homes.

Sign up for updates

Data Processing Agreement 

Understanding your data protection responsibilities

Schedule 1: Data Processing Addendum

The purpose of this Data Processing Addendum (“DPA”) is to set out each party's obligations relating to the personal data processed by the parties pursuant to the Contract entered into between them and to which this DPA is attached and incorporated.

1. Definitions

Defined terms in this DPA shall have the same meaning as set out in the Contract unless otherwise defined below.

Appropriate

means such legally enforceable mechanism(s) for transfers of Personal Data as may.

Safeguards

permitted under Data Protection Laws from time to time.

Applicable Law

means as applicable and binding on Customer, the Supplier and/or the Services:

  1. any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject;
  2. any court order, judgment or decree; or any direction, policy, rule or order that is made or given by any regulatory body having jurisdiction over a party.

Captured Data

has the meaning given in the Contract.

Controller

means the entity which determines the purposes and means of the Processing of Personal Data.

Customer

means the party named or identified as such in the Contract being the recipient of the Services.

Customer Personal Data

any Personal Data which the Supplier processes in connection with the Contract, in the capacity of a processor on behalf of the Customer.

Data Subject

means the identified or identifiable person to whom Personal Data relates.

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws.

Data Protection Laws

as applicable and binding on Supplier and the Customer in relation to the Service:

  1. to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data;
  2. and to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier is subject, which relates to the protection of personal data.

Data Protection Losses

means all losses and liabilities, including all:

  1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, expenses, losses and damages; and
  2. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; and
  3. compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
  4. the reasonable costs of compliance with investigations by a Supervisory Authority;
  5. costs of investigation including forensic investigation;
  6. cost of breach notification including notifications to the Data Subjects; and
  7. cost of complaints handling including providing Data Subjects with credit reference checks, setting up contact centres (e.g. call centres), producing end customer communication materials, provision of insurance to end customers (e.g. identity theft), and reimbursement of costs incurred by end customers (e.g. changing locks).

Excluded Losses

means any and all of the following:

  1. Loss of reputation or goodwill;
  2. loss of profits;
  3. loss of savings;
  4. loss of opportunity;
  5. wasted expenditure (in each of (a) to (e) inclusive whether direct or indirect); and any indirect or consequential losses.

EU GDPR

means the General Data Protection Regulation (EU) 2016/679.

Personal Data

means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.

Processor

means the entity which Processes Personal Data on behalf of the Controller.

Processing

means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings).

Protected Data

means Personal Data in Captured Data collected through the Services and/or used in any Reports.

Reports

has the meaning given in the Contract.

Services

means the service provided to Customer by the Supplier pursuant to the Contract.

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

Supplier

means the party named or identified as such in the Contract being the provider of the Services.

UK GDPR

has the meaning given to it in the Data Protection Act 2018.

2. Roles and Obligations

  1. The parties agree that, for the Protected Data both Supplier and Customer shall be Controllers as they each process the Protected Data for their own purposes and deciding their own means of processing.

  2. Each party agrees to process the Protected Data in compliance with the obligations of Controllers under Data Protection Laws and the terms of this DPA.

  3. Should the determination in Clause 2.1 change, then each party shall work together in good faith to make any changes which are necessary to this addendum or the related exhibits.

  4. By entering into the Contract, the Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by the Supplier in connection with the processing of Customer Personal Data.

  5. Without prejudice to the generality of Clause 2.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier and  lawful collection of the same by the Supplier for the duration and purposes of the Contract.

  6. In relation to the Customer Personal Data, this addendum sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.

  7. The Customer hereby provides its prior, general authorisation for the Supplier to appoint processors to process the Customer Personal Data, provided that the Supplier:

    1. shall ensure that the terms on which it appoints such processors comply with applicable Data Protection Laws, and are consistent with the obligations imposed on the Supplier in this addendum;

    2. shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Supplier; and

    3. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of applicable Data Protection Law, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.

3. Processing Details

The Personal Data processed by the parties shall comprise that set out In Schedule 1, as may be updated from time to time by written agreement of the parties.

4. Technical and Organisational Measures

  1. The Supplier shall implement and maintain, at its cost and expense, the technical and organisational measures prescribed by Data Protection Laws and as described in Exhibit 2 to this DPA.

  2. The Customer shall implement and maintain, at its cost and expense, the technical and organisational measures prescribed by Data Protection Laws as well as those recommended by the Supplier as set out in Exhibit 3 to this DPA and as may be updated from time to time.

  3. Each party shall, taking into account the nature of the processing, take the technical and organisational measures necessary to assist the other party insofar as is reasonably possible and without cost in the fulfilment of the other party’s obligations to respond to Data Subject Requests (subject to Clause 6.1).

5. Sub Processors and Staff

Each party as a Controller shall be responsible for ensuring the Appropriate Safeguards are in place with all of its suppliers and staff as required by Applicable Data Protection Laws. A list of Supplier’s suppliers is set out in Exhibit 1.

6. Data subject request and assistance

  1. If legally permitted to do so, each party shall provide a copy of all Data Subject Requests it receives relating to the Protected Data to the other party within three business days of receipt of the request, provided its’ reasonably incurred internal costs and external fees for handling such requests are promptly reimbursed within 30 days of request.

  2. Provided it is legally permitted to do so and its reasonably incurred internal costs and external fees for providing such assistance are promptly reimbursed within 30 days of request, each party shall provide such assistance to the other as the other reasonably requires (taking into account the nature of processing and the information available to it ) to ensure compliance with each party’s obligations under Data Protection Laws with respect to:

    1. Data Subject Requests;

    2. security of processing;

    3. data protection impact assessments (as such term is defined in Data Protection Laws);

    4. prior consultation with a Supervisory Authority regarding high risk processing; and

    5. notifications to the Supervisory Authority and/or communications to Data Subjects in response to any Personal Data Breach.

7. Overseas Transfers

To the extent required under Data Protection Laws, each party as Controller shall ensure that any transfers (and any onward transfers) of Protected Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories, are effected by way of Appropriate Safeguards and in accordance with such Data Protection Laws.

8. Records and Audits

Each party shall maintain all records as required under Data Protection Laws including but not limited to written records of processing activities.

9. Breach Notification

In respect of any Personal Data Breach involving Protected Data, each party shall comply with its obligations as required by Data Protection Laws.  

10. Liability

  1. Subject to Clauses 10.2, 10.3 and 10.4, each party (the "indemnifying party") shall indemnify and keep indemnified the other party (the "indemnified party") in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by the indemnified party arising from or in connection with any:

    1. non-compliance by the indemnifying party with the Data Protection Laws; and

    2. breach of any of the indemnifying party’s obligations under the Contract.

  2. If a party receives a compensation claim from a person (including but not limited to a Data Subject) relating to processing of Protected Data processed by the Supplier under the Contract, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

    1. make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

    2. consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible for paying the compensation.

  3. Between the Supplier and the Customer liability for all Data Protection Losses arising out of any breach of this Data Processing Addendum, shall be subject to the exclusions and caps on liability set out in the Contract.

  4. In no circumstances shall either party be liable to the other party for:
    1. any Excluded Losses;

    2. any Losses arising as a result of combination and/or use of Protected Data with other Personal Data not provided by one party to the other pursuant to the Contract.

  5. In no circumstances shall the Supplier be liable for any Losses arising as a result of Customer’s failure to implement the recommended security measures and/or from vulnerabilities in the Customer networks.

  6. This Clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects except to the extent not permitted by Applicable Law (including Data Protection Laws).

11. Change in Law

Notwithstanding anything to the contrary in this DPA, in the event: (i) of a change in any law or regulation or (ii) a regulator issues a binding instruction, order or requirement which changes the basis on which the Protected Data can be processed, transferred or stored pursuant to this DPA, the parties agree to negotiate in good faith to agree an amendment to this DPA and the Contract (to the extent necessary) to address change in law or regulation or to comply a binding instruction, order or requirement as applicable.

Exhibit 1: Data Processing Particulars

Subject-matter of processing

Power consumption data collected via supplier provided power socket devices that are connected to the internet.

Duration of the processing:

Subject to Clause 10 of this DPA, Protected Data will be shared and processed for so long as necessary to perform the Services, unless otherwise agreed upon in writing.

Nature and purpose of the processing:

To use the Protected Data for the purpose of providing and making use of the Services and as otherwise detailed in the Contract, and as further determined by Customer in its use of the Services.

Type of Personal Data:

  • Connection data e.g. IP address

  • Localisation data

Special Category Data:  

None

Categories of Data Subjects:

Individuals located in the premises where the Hardware is installed who share an internet protocol address with the Hardware or connect to the Hardware to manage the Services.

Processing Instructions

To use the Protected Data for the purpose of providing the Services and as otherwise detailed in the Contract.

Sub-processors1

Name Location Processing Activity

Google Inc (Google Cloud)

London, United Kingdom

EU Data Centres

Cloud hosting provider (with no logical access to data)

Amazon Inc (AWS)

London, United Kingdom

EU Data Centres

Software hosting provider (with no logical access to data)

Exhibit 2: Supplier Security Measures

  • Firewall and protection of the Supplier's domain and all subdomains by Cloudflare.

  • Firewall and protection of the Supplier's servers and databases by Google Cloud Platform and Amazon Web Services.

  • Password protection for all services.

  • User management and identification for all services by the Supplier's team.

  • Hardware cryptography on Hardware for all data sent to and from the Supplier to provide the Services.

Exhibit 3: Recommended Security Measures to be Implemented by Customer

  • Secure IoT specific Wi-Fi network with specific list of devices allowed to access network using MAC addresses or similar process.

  • Change the passwords regularly and immediately when you suspect passwords have been compromised.

  • Do not save passwords within browsers.

  • Do not leave the Software open after use (i.e. close browser).

  • Do not use the Software on public access devices.

Purple background with aqua waveforms on top.

Start eliminating wasted energy

Minimise your carbon emissions and reduce your electricity costs by at least 20%.

What are you waiting for?

Get started