Charanga Terms of Use

Print this page

Last updated: 21/11/2024

Charanga Ltd operate and manage this site on behalf of Surrey Arts.

Charanga Ltd is a UK-based music education and technology company that provides a configurable online music teaching and learning platform for curriculum programmes worldwide. Charanga is part of the WiseMusic group, which includes MusicFirst based in the US.

1. About our Terms
2. Using the Platform
3. Uploading content to the Platform and content standards
4. Ownership, use and intellectual property rights
5. Accuracy of information on the site
6. Privacy and data protection
7. Hyperlinks and third-party sites
8. Limitation on our liability
9. Events beyond our control
10. Rights of third parties
11. Variation
12. Disputes
13. Licensing requirements

Schedule to Terms of Use: Data Processing Terms

---

1. About our Terms

   1. These terms (‘Terms’) explain how you may use this teaching and learning platform (‘Platform’), which we provide to registered users (‘Users’). You should read these Terms carefully before using the Platform.
   2. By accessing or using the Platform, you confirm that you accept these Terms and that you agree to comply with them. If you do not agree with or accept any of these Terms, you should stop using the Platform.
   3. If you have any questions about the Platform, please contact us by emailing gdpr@charanga.com or calling 01273 823900. We may record calls for quality and training purposes.
   4. The Platform is operated by us. We are Charanga Limited, registered in England and Wales under company number 01693650 and have our registered office at 14-15 Berners Street, London, W1T 3LJ, UK.
   5. We reserve the right to vary these Terms from time to time. Our updated terms will be displayed on the Platform and by continuing to use and access the Platform following such changes, you agree to be bound by any variation made by us. It is your responsibility to check these Terms from time to time to verify such variations.

2. Using the Platform

   1. The Platform is for use only by registered users (‘Users’). These are teachers, students and other individuals who have been issued with login details by Charanga or by an organisation authorised by Charanga. These details enable the user to enter the Platform using a personal password-protected method for a specified, agreed-upon length of time. If you are not a registered user, you must not use this Platform and you must not grant access to the Platform to any non-registered user.

   2. You agree that:

      1. you are solely responsible for all costs and expenses you may incur in relation to your use of the Platform and
      2. you will keep your password and other account details confidential and not share them with non-registered users.
      3. if you are a teacher or an organisation, you acknowledge that you are solely responsible for the appropriate use and adaptation of the Platform and products for the use by your student users.

   3. You may not use the Platform:

      1. in any way that breaches any applicable law or regulation;
      2. in any way that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect;
      3. for the purpose of harming or attempting to harm minors in any way;
      4. to send, knowingly receive, upload, download, use or re-use any material that does not comply with our content standards as set out in these Terms;
      5. to transmit or procure the sending of any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation;
      6. to knowingly transmit any data, send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.

   4. You also agree:

      1. not to reproduce, duplicate, copy or re-sell any part of the Platform in contravention of these Terms;
      2. not to access without authority, interfere with, damage or disrupt:
         1. any part of the Platform;
         2. any equipment or network on which the Platform is stored;
         3. any software used in the provision of the Platform; or
         4. any equipment, network or software owned or used by any third party.
      3. We may prevent, terminate or suspend your access to the Platform with immediate effect if you do not comply with any part of these Terms, any terms or policies to which they refer or any applicable law. If we exercise our rights under this clause then we will have no further liability to you, including liability to refund fees.
      4. We may update and change the Platform from time to time and we do not guarantee that the Platform, or any content on it, will always be available or be uninterrupted. We may suspend, withdraw or restrict the availability of all or any part of the Platform for business and operational reasons. We will try to give you reasonable notice of any suspension or withdrawal.
      5. While we try to make sure that the Platform is secure, we cannot guarantee the security of any information that you supply to us, and therefore, we cannot guarantee that it will be kept confidential.

3. Uploading content to the Platform and content standards

   1. Whenever you make use of a feature that allows you to upload content to the Platform, or to make contact with other users of the Platform, you must comply with the content standards set out in these Terms.
   2. Only Users may upload content to the Platform.
   3. The following content standards apply to all Users of the Platform. All content:
      1. must comply with all applicable laws and regulations;
      2. must not promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age;
      3. must not infringe any copyright, database right or trademark of any other person;
      4. must not breach any legal duty owed to a third party, such as a contractual duty or a duty of confidence;
      5. must not promote any illegal activity;
      6. must not be in contempt of court;
      7. must not be threatening, abuse or invade another's privacy or cause annoyance, inconvenience or needless anxiety;
      8. must not impersonate any person or misrepresent your identity or affiliation with any person;
      9. must not advocate, promote, or incite any party to commit or assist any unlawful or criminal act;
      10. must not contain a statement which you know or believe, or have reasonable grounds for believing, that members of the public to whom the statement is, or is to be, published are likely to understand as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism;
      11. must not contain any advertising or promote any services or web links to other websites.
   4. You warrant and represent that any content you upload to the Platform will comply with our content standards. You will be liable to us and indemnify us for any breach of these warranties and representations. This means you will be responsible for any loss or damage we suffer as a result of your breach of these warranties and representations.
   5. Failure to comply with our content standards constitutes a material breach of these Terms and may result in our taking all or any of the following actions:
      1. immediate, temporary or permanent withdrawal of your right to use the Platform;
      2. immediate, temporary or permanent removal of any content uploaded by you to the Platform;
      3. issue of a warning to you;
      4. legal proceedings against you for reimbursement of all costs on an indemnity basis (including reasonable administrative and legal costs) resulting from the breach;
      5. further legal action against you;
      6. disclosure of such information to law enforcement authorities as we reasonably feel is necessary or as required by law.
   6. We exclude our liability for all actions we may take in response to breaches of our content standards. The actions we may take are not limited to those described above, and we may take any other actions we reasonably deem appropriate.
   7. We are under no obligation to oversee, monitor or moderate any uploading or interactive service we provide on the Platform, and we expressly exclude our liability for any loss or damage arising from the use of any uploading or interactive service by a User in contravention of our content standards, whether the service is moderated or not.
   8. Any content you upload to the Platform will be considered non-confidential and non-proprietary. You retain all of your ownership rights in your content, but you hereby grant us and other users of the Platform a licence to use, store and copy that content and to distribute and make it available to third parties. We also have the right to disclose your identity to any third party who is claiming that any content posted or uploaded by you to the Platform constitutes a violation of their intellectual property rights or of their right to privacy. By submitting, posting, or displaying content on the Platform, you give Charanga a perpetual, irrevocable, worldwide, royalty-free and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content which you submit, post, or display on or through, the Platform.
   9. You are solely responsible for securing and backing up your content.
   10. Student Users can only upload content to their own Yumu workspace using their own Yumu login and cannot directly share uploaded content with anyone other than the teacher/s who has/have given them access to Yumu. Students are asked to abide by straightforward Yumu rules for uploading content and to ask their teacher for advice if unsure. Teachers can view all their own students’ uploaded and saved work directly from their teacher’s My Workspace student groups section.

   Yumu does not allow user-to-user communication, sharing or networking between students.

   We advise teachers and parents who permit children to use an interactive service that it is important that they communicate with them about their safety online. Minors and young people who use any interactive service should always be made aware of the potential risks to them. Teachers, parents, carers and children can find online safety information and advice from their own schools, trusted support organisations or their national governments. An example support organisation in the UK is Childnet. In the US, the government has published guidelines for parents and guardians on the SAMSHA website here Kids Online Health & Safety Task Force.

   Please also refer to our Child Protection and Online Safety Policy Statement.

4. Ownership, use and intellectual property rights

   1. This Platform and all intellectual property rights in it are owned by us, our licensors or both (as applicable). We and our licensors reserve all of our and their rights in any intellectual property in connection with these Terms.
   2. Nothing in these Terms grants you any legal rights in the Platform other than as necessary to enable you to access and use the Platform. You agree not to adjust to try to circumvent or delete any notices contained on the Platform and in particular, in any digital rights or other security technology embedded or contained within the Platform.

5. Accuracy of information on the Platform

   1. While we try to make sure that the Platform is accurate, up-to-date and free from bugs, we cannot promise that it will be. Furthermore, we cannot promise that the Platform will be fit or suitable for any purpose. Any reliance that you may place on the information on this Platform is at your own risk.
   2. Content on the Platform does not constitute technical, financial or legal advice or any other type of advice and should not be relied on for any purposes.

6. Privacy and data protection

   Use of the Platform is subject to the provisions of the Schedule hereto and our Privacy Notice.

7. Hyperlinks and third-party sites

   The Platform may contain hyperlinks or references to third-party websites other than the Platform. Any such hyperlinks or references are provided for your convenience only. We have no control over third-party websites and accept no legal responsibility for any content, material or information contained in them. The display of any hyperlink and reference to any third party website does not mean that we endorse that third party's website, products or services. Your use of a third-party site may be governed by the terms and conditions of that third-party site.

8. Limitation on our liability

   1. Except for any legal responsibility that we cannot exclude in law (such as for death or personal injury), we are not legally responsible for any:
      1. losses that:
         1. were not foreseeable to you and us when these Terms were formed; or
         2. were not caused by any breach on our part
      2. business losses; and
      3. losses to non-consumers.

9. Events beyond our control

   We shall have no liability to you for any breach of these Terms caused by any event or circumstance beyond our reasonable control, including strikes, lock-outs or other industrial disputes; breakdown of systems or network access; or flood, fire, explosion or accident.

10. Rights of third parties

    No one other than a party to these Terms has any right to enforce any of these Terms.

11. Variation

    No changes to these Terms are valid or have any effect unless agreed by us in writing.

12. Disputes

    1. If you are unhappy with us, please contact us as soon as possible. We will try to resolve any disputes with you quickly and efficiently.
    2. If you are a consumer, please note that these Terms of Use, their subject matter and their formation are governed by the laws of England and Wales. You and we both agree that the courts of England and Wales will have exclusive jurisdiction, except that if you are a resident of Northern Ireland, you may also bring proceedings in Northern Ireland. If you are a resident of Scotland, you may also bring proceedings in Scotland.
    3. If you are a business, these Terms of Use, their subject matter and their formation (and any non-contractual disputes or claims) are governed by the laws of England and Wales. We both agree to the exclusive jurisdiction of the courts of England.

13. Licensing requirements

    Depending on the nature of your organisation and your intended use of Charanga and its content, you may be required by law to obtain certain licences. We have set out in this clause some information and links that you may find helpful in determining what licence(s) you may require and what reporting obligations may attach to those licences, but please note that this information is non-exhaustive. It is your responsibility to ensure that all necessary licences are in place before you begin using Charanga and its content and that you comply with your obligations as Account Holders and Authorised Users under those licences.

    1. Licensing bodies. Your use of Charanga and its content may require a licence from some or all of the following (or their foreign equivalent outside of the UK, where applicable):

       1. the Copyright Licensing Agency (CLA), which licenses the copying and sharing of certain content;
       2. Printed Music Licensing Limited (PMLL), which licenses the photocopying of printed music and digitally downloaded printed music;
       3. Christian Copyright Licensing International (CCLI), which provides licences to churches and schools for various uses of certain content;
       4. the Performing Right Society (PRS), which licenses performances of music in a public venue;

    2. Most schools in the UK already have the following licences in place:

       1. an Education Licence from the CLA. See more information about CLA;
       2. a Schools Printed Music Licence (SPML) from PMLL. See more information about SPML; and
       3. a Collective Worship Copyright Licence (CWCL) and a Collective Worship Music Reproduction Licence (CWMRL) from CCLI. See more information about CWCL

       These licences allow Account Holders and Authorised Users in UK schools to use the content within the school’s normal educational activities.

    3. Reporting obligations. Account Holders and Authorised Users are required to report the following to the appropriate third-party collecting society in the UK or other applicable country:

       1. all displaying of song lyrics in assemblies and collective worship;
       2. all printing and copying (including digital copying) of music scores and lyrics;
       3. all performances of content in public;
       4. any other usage is required to be reported by the applicable collecting society.

---

SCHEDULE to Terms of Use: Data Processing Terms

The terms of this Schedule shall apply to the User’s relationship with Charanga as set out in the Terms, which govern the User’s use of the Platform.

For the purposes of this Schedule, the User and Charanga are each referred to as a ‘Party’ and are referred to collectively as the ‘Parties’.

If you are a Registered User, including any individual or organisation that has either entered into a financial agreement with Charanga or completed a booking form to access its products and services, this may require Charanga to process personal data on your behalf.

The terms of this Schedule (the Data Processing Terms) set out the additional terms, requirements and conditions on which Charanga will process Customer Personal Data when providing services to Registered Users. These Data Processing Terms contain the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between Controllers and Processors and the General Data Protection Regulation ((EU) 2016/679)

1. Definitions and Interpretation
2. Personal data types and processing purposes
3. Charanga’s obligations
4. Charanga’s employees
5. Security
6. Personal data breach
7. Cross-border transfers of Personal Data
8. Subcontractors
9. Complaints, data subject requests and third-party rights
10. Term and termination
11. Data return and destruction
12. Records
13. Audit
14. Warranties
15. Indemnification
16. Conflict of laws
17. Notice

Annex A: Personal data processing purposes and details

Annex B: Security measures

---

1. Definitions and Interpretation

   1. The following definitions and rules of interpretation apply to these Data Processing Terms.

      Adequacy Decision: a finding by the Personal Data exporting country’s privacy regulator that a third country, territory, specific sector in a third country or an international organisation offers levels of data protection that are essentially equivalent to that within the originating country. Any reference to an Adequacy Decision in these Data Processing Terms shall mean an Adequacy Decision made by the applicable exporting country’s privacy regime.

      Authorised Persons: the persons or categories of persons that the Customer authorises to give Charanga written instructions for the Processing of Customer Personal Data and from whom Charanga agrees solely to accept such instructions.

      Business Purposes: the services to be provided by Charanga to the Customer as described in the Terms of Use and any other purpose specifically identified in Annex A.

      Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018).

      Controller, Processor, Data Subject, Personal Data Breach and Processing: have the meanings given to them in the applicable Data Protection Legislation.

      Customer: [you] individuals who have entered into an agreement with Charanga, financial or otherwise, on behalf of an organisation or otherwise, to enable you or your members and/or employees to become Users of the Charanga platform and its products and services for a specific, agreed-upon length of time and for a specific number or limited number of Users per the agreement, subject to the Terms and Conditions of use (‘The Agreement’).

      Customer Personal Data: Personal Data that Charanga processes on behalf of the Customer as a result of, or in connection with, the provision of the services to the Customer on the basis of being a User or in a financial billing arrangement between Customer and Charanga.

      Data Protection Legislation: means the applicable legislation protecting the fundamental rights and freedoms of individuals and, where required by law, legal entities, and in particular, their right to privacy with respect to the Processing of Personal Data and which contains restrictions on the cross-border transfer of Personal Data including, but not limited to, the EU GDPR, any national legislation supplementing the EU GDPR in member states of the EEA and the UK GDPR.

      EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

      EEA: the European Economic Area.

      Personal Data: has the meaning ascribed to it under applicable Data Protection Legislation and shall be construed to have the same meaning as the term ‘Personal Information’ where such latter term is used under and for the purposes of applicable Data Protection Legislation.

      Records: has the meaning given to it in Clause 12 of these Data Processing Terms.

      Term: the term of these Data Processing Terms as defined in Clause 10 of these Data Processing Terms.

      UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

   2. These Data Processing Terms are subject to and incorporated into the terms of the Agreement between the Customer and Charanga. The interpretations and defined terms outlined in the Agreement and the Terms of Use apply to the interpretation of these Data Processing Terms.
   3. The Annexes form part of these Data Processing Terms and will have effect as if set out in full in the body of these Data Processing Terms. Any reference to these Data Processing Terms includes the Annexes.
   4. A reference to writing or written includes email.
   5. A reference to any English and Welsh action, remedy, method of judicial proceeding, court, official, legal document, legal status, legal doctrine, legal concept, or thing shall, in respect of any jurisdiction other than England and Wales, be deemed to include a reference to that which most nearly approximates to the English and Welsh equivalent in that jurisdiction.
   6. A reference to a term defined or described in the EU GDPR shall, in respect of the application of any other applicable Data Protection Legislation, be deemed to reference that term which most nearly approximates the EU GDPR equivalent under that other Data Protection Legislation.
   7. In the case of conflict or ambiguity between:
   1. any provision contained in the body of these Data Processing Terms and any provision contained in the Annexes, the provision in the body of these Data Processing Terms will prevail;
   2. the terms of any accompanying invoice or other documents annexed to these Data Processing Terms and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
   3. any of the provisions of these Data Processing Terms and the provisions of the Customer, the provisions of these Data Processing Terms will prevail.

2. Personal data types and Processing purposes

   1. The Customer and Charanga agree and acknowledge that for the purpose of the Data Protection Legislation:

      1. The Customer is the Controller, and Charanga is the Processor.
      2. The Customer retains control of the Customer's Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents and for the written Processing instructions it gives to Charanga.
      3. Annex A describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which Charanga may Process the Customer Personal Data to fulfil the Business Purposes.

3. Charanga’s obligations

   1. Charanga will only Process the Customer Personal Data to the extent, and in such a manner, as is necessary for Business Purposes in accordance with the Customer's written instructions from Authorised Persons. Charanga will not Process the Customer Personal Data for any other purpose or in a way that does not comply with these Data Processing Terms or the Data Protection Legislation. Charanga must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
   2. Charanga must promptly comply with any Customer written instructions requiring Charanga to amend, transfer, delete or otherwise Process the Customer's Personal Data or to stop, mitigate or remedy any unauthorised Processing.
   3. Charanga will maintain the confidentiality of the Customer Personal Data and will not disclose the Customer Personal Data to third parties unless the Customer or these Data Processing Terms specifically authorises the disclosure or as required by applicable law, competent courts or a competent regulator (including but not limited to, the Commissioner). If applicable law, a competent court or a competent regulator (including, but not limited to, the Commissioner) requires Charanga to Process or disclose the Customer Personal Data to a third party, Charanga must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the applicable law prohibits the giving of such notice.
   4. Charanga will reasonably assist the Customer, at no additional cost to Charanga, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of Charanga’s Processing and the information available to Charanga, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under applicable Data Protection Legislation.
   5. Charanga must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting Charanga’s performance of its obligations under the agreement or these Data Processing Terms.
   6. Charanga will only collect Customer Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer's identity, the purpose or purposes for which their Personal Data will be Processed, and any other information that, having regard to the specific circumstances of the collection and expected Processing, is required to enable fair Processing. Charanga will not modify or alter the notice in any way without the Customer's written consent.

4. Charanga’s employees

   1. Charanga will ensure that all of its employees:
   1. are informed of the confidential nature of the Customer Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Customer Personal Data;
   2. have undertaken training on the Data Protection Legislation and how it relates to their handling of the Customer Personal Data and how it applies to their particular duties; and
   3. are aware of Charanga’s duties and their personal duties and obligations under the Data Protection Legislation and these Data Processing Terms.

5. Security

   1. Charanga must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data including, but not limited to, the security measures set out in Annex B. Charanga must document those measures in writing and periodically review them at least annually to ensure they remain current and complete.
   2. Charanga must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
   1. the pseudonymisation and encryption of Personal Data;
   2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
   3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
   4. a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

6. Personal data breach

   1. Charanga will, within 48 hours and in any event without undue delay, notify the Customer in writing if it becomes aware of:
      1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Customer Personal Data. Charanga will restore such Customer Personal Data at its own expense as soon as possible.
      2. any accidental, unauthorised or unlawful processing of the Customer Personal Data; or
      3. any Personal Data Breach affecting the Customer Personal Data.
   2. Where Charanga becomes aware of (6.a.i), (6.a.ii) and/or (6.a.iii) above, it will, without undue delay, also provide the Customer with the following written information:
      1. a description of the nature of (6.a.i), (6.a.ii) and/or (6.a.iii), including the categories of in-scope Customer Personal Data and the approximate number of both Data Subjects and the Customer Personal Data records concerned;
      2. the likely consequences; and
      3. a description of the measures taken or proposed to be taken to address (6.a.i), (6.a.ii) and/or (6.a.iii), including measures to mitigate its possible adverse effects.
   3. Immediately following any accidental, unauthorised or unlawful Customer Personal Data Processing or Personal Data Breach affecting the Customer Personal Data, the parties will cooperate in investigating the matter. Further, Charanga will reasonably cooperate with the Customer at no additional cost to the Customer in the Customer's handling of the matter, including but not limited to:
      1. assisting with any investigation;
      2. providing the Customer with physical access to any facilities and operations affected;
      3. facilitating interviews with Charanga’s employees, former employees and others involved in the matter, including, but not limited to, its officers and directors;
      4. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
      5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the relevant Personal Data Breach or accidental, unauthorised or unlawful Customer Personal Data Processing.
   4. Charanga will not inform any third party of any accidental, unauthorised, or unlawful Processing of all or part of the Customer Personal Data and/or a Personal Data Breach affecting the Customer Personal Data without first obtaining the Customer's written consent except when required to do so by applicable law.
   5. Charanga agrees that the Customer has the sole right to determine:
      1. whether to provide notice of the accidental, unauthorised or unlawful Processing and/or the Personal Data Breach affecting the Customer Personal Data to any affected Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by applicable law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
      2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
   6. Charanga will cover all reasonable expenses associated with the performance of the obligations under 6.a to 6.c of these Data Processing Terms unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of these Data Processing Terms, in which case the Customer will cover all reasonable expenses.
   7. Charanga will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful Processing and/or a Personal Data Breach affecting the Customer Personal Data to the extent that Charanga caused such, including all costs of notice and any remedy as set out in 6.e.

7. Cross-border transfers of Personal Data

   1. Charanga (and any subcontractor) must not transfer or otherwise Process the Customer Personal Data outside the UK, the EEA [or any other third country which is subject to an EU Adequacy Decision] without obtaining the Customer's prior written consent.

8. Subcontractors

   1. Charanga may only authorise a third party (subcontractor) to process the Customer Personal Data if:
      1. the Customer is provided with an opportunity to object to the appointment of each such subcontractor within five working days after Charanga supplies the Customer with full details in writing regarding such subcontractor;
      2. Charanga enters into a written contract with the subcontractor that contains terms substantially the same as those set out in these Data Processing Terms, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts;
      3. Charanga maintains control over all of the Customer Personal Data it entrusts to the subcontractor; and
      4. the subcontractor's contract (insofar as it relates to the processing of Customer Personal Data) terminates automatically on termination of these Data Processing Terms for any reason.
   2. Those subcontractors approved as at the commencement of these Data Processing Terms are as set out in Annex A. Charanga must list all approved subcontractors in Annex A and include any subcontractor's name and location and the contact information for the person responsible for privacy and data protection compliance.
   3. Where the subcontractor fails to fulfil its obligations under the written agreement with Charanga which contains terms substantially the same as those set out in these Data Processing Terms, Charanga remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.
   4. The Parties agree that Charanga will be deemed by them to control legally any Customer Personal Data controlled practically by or in the possession of its subcontractors.

9. Complaints, data subject requests and third-party rights

   1. Charanga must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate and promptly provide such information to the Customer as the Customer may reasonably require to enable the Customer to comply with:
      1. the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase Personal Data, object to the Processing and automated processing of Personal Data, and restrict the Processing of Personal Data; and
      2. information or assessment notices served on the Customer by the Commissioner or other relevant regulator under applicable Data Protection Legislation.
   2. Charanga must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Customer Personal Data or to either Party's compliance with the Data Protection Legislation.
   3. Charanga must notify the Customer within five working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
   4. Charanga will give the Customer, at no additional cost to the Customer, its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.
   5. Charanga must not disclose the Customer Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions or as required by applicable law.

10. Term and Termination

    1. These Data Processing Terms will remain in full force and effect so long as:
       1. The Agreement between the Customer and Charanga remains in effect; or
       2. Charanga retains any of the Customer Personal Data related to The Agreement in its possession or control.
    2. Any provision of these Data Processing Terms that expressly or by implication should come into or continue in force on or after termination of The Agreement between the Customer and Charanga in order to protect the Customer Personal Data will remain in full force and effect.
    3. Charanga’s failure to comply with the terms of these Data Processing Terms is a material breach of The Agreement between the Customer and Charanga. In such event, the Customer may terminate The Agreement between the Customer and Charanga effective immediately on written notice to Charanga without further liability or obligation of the Customer.
    4. If a change in any Data Protection Legislation prevents either Party from fulfilling all or part of its Agreement obligations, the Parties shall suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of the Personal Data into compliance with the Data Protection Legislation within 2 (two) months, a Party may terminate the Master Agreement on written notice to the other Party.

11. Data return and destruction

    1. At the Customer's request, Charanga will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
    2. On termination of The Agreement between the Customer and Charanga for any reason or expiry of its term, Charanga will retain data and anonymised / pseudonymised data for specified periods and for business purposes, including renewal of agreements as outlined in Charanga’s Data Retention and Destruction policy and then securely delete or destroy or, if directed in writing by the Customer, return and/or not retain, all or any of the Customer Personal Data related to these Data Processing Terms in its possession or control.
    3. If any law, regulation, or government or regulatory body requires Charanga to retain any documents, materials or Customer Personal Data that Charanga would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

12. Records

    1. Charanga will keep detailed, accurate and up-to-date written records regarding any Processing of the Customer Personal Data, including but not limited to, the access, control and security of the Customer Personal Data, approved subcontractors, the Processing purposes, categories of Processing, and a general description of the technical and organisational security measures referred to in 5. (Security).
    2. Charanga will ensure that the Records are sufficient to enable the Customer to verify Charanga’s compliance with its obligations under these Data Processing Terms and the Data Protection Legislation, and Charanga will provide the Customer with copies of the Records upon request.
    3. The Customer and Charanga must review the information listed in the Annexes to these Data Processing Terms at least once a year to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

    1. At least once a year, Charanga will conduct site audits of its Personal Data Processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under these Data Processing Terms, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
    2. On the Customer's written request, Charanga will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as Charanga’s confidential information on the basis of the Agreement.
    3. Charanga will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Charanga’s management.

14. Warranties

    1. Charanga warrants and represents that:
       1. its employees, subcontractors, agents and any other person or persons accessing the Customer Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
       2. it and anyone operating on its behalf will Process the Customer Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
       3. it has no reason to believe that the Data Protection Legislation prevents it from providing any of the contracted services under The Agreement; and
       4. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful Processing of Customer Personal Data and the loss or damage to the Customer Personal Data and ensure a level of security appropriate to:
       • the harm that might result from such accidental, unauthorised or unlawful Processing and loss or damage;
       • the nature of the Customer Personal Data protected; and
       • comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in 5. Security
    2. The Customer warrants and represents that Charanga’s expected use of the Customer Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15. Indemnification

    1. Charanga agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by Charanga or its employees, subcontractors or agents to comply with any of its obligations under these Data Processing Terms and/or the Data Protection Legislation.
    2. Any limitation of liability set forth in The Agreement will not apply to the indemnity or reimbursement obligations under these Data Processing Terms.

16. Conflict of Laws

    1. When a Party is subject to more than one data protection legislative regime, it shall, as far as possible, meet all its obligations under all applicable Data Protection Legislation. Where there is a conflict of requirements under applicable data protection legislative regimes, a Party shall adhere to the data protection legislative elements of each regime, which applies the strictest level of data protection and data subject rights to a relevant Data Subject's Personal Data.

17. Notice

    1. Any notice or other communication given to a Party under or in connection with these Data Processing Terms must be communicated in writing.

    2. 17.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

       The application of these Data Processing Terms shall coincide with the application of the Terms of Use.

Annex A: Personal Data Processing purposes and details

Subject matter of Processing: Processing of Provider Data in connection with the Services

Duration of Processing: Processing activities shall continue for the duration of the Services

Nature of Processing: Collection, recording, structuring, storage, disclosure by transmission or otherwise making available, erasure or distribution (whether or not by automated means) of Provider Data

Business Purposes: Performance of the Services to our Providers

Personal Data Categories: Provider Data (as defined by our Privacy Notice)

Data Subject Types: Customers/Registered Users

Authorised Persons: Charanga employees and Approved Subcontractors

Third-Party Data Processors

Like most companies, we rely on third-party providers to support the provision of our products and services, such as online file storage and communications. Some of these service providers will, by necessity, have access to or be directly involved in processing or storing a subset of the personal information you share with us.

All our third-party data processors have been carefully selected as responsible service suppliers who also practise responsible data handling. We believe that each has appropriate protections to ensure the security of the data we store or process with them and clear policies for how they treat that data. But if in doubt, you should review their individual Privacy Policies.

Google (Website analytics and email services): https://support.google.com/analytics/answer/6004245?hl=en

Stripe (customer payments): https://stripe.com/gb/privacy

37 Signals / Highrise (customer relationship management): https://37signals.com/policies/privacy

Campaign Monitor (email marketing): https://www.campaignmonitor.com/trust/privacy-hub/

Survey Monkey (surveys/event feedback): https://www.surveymonkey.com/mp/legal/privacy/

Annex B: Security measures

Charanga takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including:

• Charanga hosts its websites on Amazon Web Service’s (AWS) European data centres in Ireland. The Charanga servers in AWS are in a locked-down VPC (virtual private cloud), where access to those machines in the VPC is logically isolated from any other AWS instances.
• Charanga uses AWS’ geographic controls to ensure that no data leaves the EU data centres in Ireland. This ensures we are in compliance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
• The VPC acts like an isolated LAN. Network access is strictly controlled by security groups. Traffic in and out of the VPC from specific machines (ie the web server and only the web server) to the wider internet is further limited by firewall rules which only permit a limited set of protocols; HTTP, HTTPS, SMTP and SSH.
• SSH access into the VPC is only allowed from a set of whitelisted IP addresses. Password access is not permitted, nor is root access. Access is solely from SSH keypairs, which are reviewed on a regular basis.
• Data is stored on an AWS RDS (Relational Database Service) instance, which is a managed MySQL database. Backups are automatically maintained and securely stored on Amazon’s S3 infrastructure. The AWS VPC, RDS and S3 services all comply with ISO 27001.
• Access to personal data is strictly controlled internally within Charanga with a multi-tiered access hierarchy. Strict care of personal data is part of updated employment contracts for all staff. Employees are also periodically trained on the nature and importance of GDPR compliance.
• Charanga’s internal systems are Cyber Essentials self-certified.