This Appendix sets out the Oxford Risk (‘we’, ‘our’, ‘Oxford Risk’) approach to data protection, which are applicable to the Services. Additional terms and details of any personal data may be specified in a Service Order that are unique to our applications are available on request. This policy is reviewed regularly to ensure that compliance with relevant regulations, such as the EU’s General Data Protection Regulation and UK data protection law including the Data Protection Act 2018 (“Data Protection Laws”).
1. Applicable Data
The data that Oxford Risks may process according to these terms are data relating to Customer staff or personnel including login details and other account management data; data relating to Customer’s clients including name, gender, date of birth, address history and financial information. Upon request all data is pseudonymized.
2. Data processing
By transferring data to Oxford Risk, the Customer authorises Oxford Risk to act as a data processor on their behalf of any personal data contained in it. The Customer also acknowledges that they have a lawful basis for collecting the data provided, and that they have obtained proper consent for us to act a data processor. By transferring data to Oxford Risk, the Customer assents to Oxford Risk processing anonymised (i.e., non-personal) data to provide and enhance the Services; for example, by aggregating questionnaire results to reveal how general patterns and differences (e.g., men vs women) emerge over time.
Personal data should only be transferred by Customer to Oxford Risk to the extent that it is required for the specific purpose of the provision of the Services. Any data that are not necessary for that purpose should not be transferred in the first place. Before transferring data to us, Oxford Risk require Customers to remove personal information as much as possible, such as by replacing names with unique identifier numbers. Oxford Risk will not attempt to de-anonymise data provided by the Customer.
3. Scope of Processing
3.1 Purpose; Duration; Data Processed.
The subject matter, nature, and purpose of the Processing of personal data is for the provision of Services. The duration of the Processing is for the term of the Agreement.
Oxford Risk is authorized to Process Personal Data only (i) as necessary to provide theServices in accordance with the Agreement, (which shall be deemed to be written instructions from Customer), and (ii) as required by Data Protection Laws. IfOxford Risk is required by Data Protection Laws to Process Personal Data for any other purpose than pursuant to the Agreement, then Oxford Risk shall informCustomer of the applicable legal requirement before Processing (unless such legal requirement prohibits such information on important grounds of public interest). Oxford Risk shall immediately inform Customer if, in the opinion ofOxford Risk, an instruction from Customer infringes Data Protection Laws.
3.3 Security Measures.
Oxford Risk shall implement and maintain all appropriate technical, physical, and organizational security and confidentiality measures (i) as required by applicable Data Protection Laws, (ii) as necessary to protect against unauthorized or unlawful processing of Personal Data, and (iii) as necessary to protect against accidental or unauthorized loss, alteration, disclosure, or destruction of, or misuse of, or damage to, Personal Data. Oxford Risk shall comply with the data security obligations and controls contained in theAgreement, for as long as Oxford Risk has Personal Data in its possession or control. If Oxford Risk Processes any special categories of data, as defined by applicable Data Protection Laws, then Oxford Risk shall provide a greater level of security to consider the special nature of such data and the harm that could result from the abuse or misuse of such data.
3.4 Disclosure of Personal Data.
Oxford Risk shall restrict access to Personal Data within its organization to personnel who(i) require access to Personal Data to perform the Services, (ii) are trained in information security and data protection, and (iii) are under binding obligations to maintain the confidentiality and security of the Personal Data.
3.5 Data Breach.
(a) Notice of Data Breach.
Oxford Risk shall inform Customer without undue delay and in accordance with applicableLaws after becoming aware of any accidental or unauthorised destruction, loss, alteration, or disclosure of, or access to, Personal Data (including anyPersonal Data Processed by a Subprocessor) (each occurrence, a “Data Breach”).The notification shall be accompanied by a written report that includes information available to Oxford Risk about the nature and surrounding circumstances of the incident, including when the incident occurred or is estimated to have occurred, the type of Personal Data accessed, lost, stolen, deleted, disclosed, or corrupted, if any, and the number of records affected and details of how the incident is being investigated.
Oxford Risk shall take appropriate measures to contain any Data Breach and correct its underlying causes. Oxford Risk shall provide reasonable information about remediation on Customer’s request and cooperate with Customer in any investigation, litigation, or provision of notices deemed necessary by Customer to protect its rights. Oxford Risk shall not respond or communicate directly with an applicable data subject or data protection authority without Customer’s prior written approval.
3.6 Return or Destruction.
Oxford Risk shall without undue delay retrieve and deliver to Customer a copy of all Personal Data processed by the Oxford Risk (i) at any time upon Customer’s request or (ii) at the expiration or termination of the Agreement. Within thirty (30) days of receiving a written request from Customer, Oxford Risk shall securely delete, and cause its Subprocessors to securely delete, all copies of Personal Data processed in connection with the Services and in OxfordRisk’s (and its Subprocessors’) possession or control.
Oxford Risk agrees to cooperate and shall take all reasonable actions deemed necessary byCustomer to permit Customer to comply with its obligations under applicableData Protection Laws, including compliance with any assessment, enquiry, notice, or investigation by a supervisory authority or other regulator. Upon request, Oxford Risk shall provide information necessary to enable Customer to comply with applicable Data Protection Laws if the requested information is inOxford Risk’s possession or control.
3.8 Requests for Disclosure.
Unless legally prohibited, Oxford Risk shall promptly notify Customer of any request for disclosure of Personal Data by law enforcement, government body, or a supervisory authority. Oxford Risk shall cooperate with Customer in relation to such requests.
3.9 Data Subject Rights.
Oxford Risk shall timely assist Customer in addressing the legal rights of data subjects and shall inform Customer within two (2) business days of receiving a request from a data subject relating to such data subject’s Personal Data and without responding to the request.
3.10 Subprocessors and Subcontractors
Oxford Risk shall ensure that all agreements with its Subprocessors are in writing and require the Subprocessor to conform to and comply with commitments the same as or substantially equivalent to those contained in this DPS and the IT security, confidentiality, certification requirements, and qualifications of Personnel). Oxford Risk is fully responsible and primarily liable for all acts and omissions of Subprocessors, Oxford Risk affiliate and subcontractors as if such action or omission was committed by Oxford Risk and shall not be relieved of any duty under this agreement by the use of any such Subprocessors, Oxford Risk affiliate and subcontractors.
Without limiting Customer’s audit rights and Oxford Risk’s obligations under theAgreement, upon request, Oxford Risk shall make available to Customer information regarding Oxford Risk’s or any Subprocessor’s compliance with the obligations set forth in this Appendix and the Agreement, In addition, if there has been a Data Breach, Customer may require the performance of an on audit by a mutually acceptable independent audit of Oxford Risk’s or any Subprocessor’s architecture, systems, and procedures relevant to the Processing of PersonalData the scope, timing, and duration of the audit shall be agreed with OxfordRisk or the applicable Subprocessor.
Oxford Risk shall inform Customer in writing if, in its opinion, an instruction given under Section 4.1 infringes a Data Protection Law requirement applying to Oxford Risk.
5. Storage of data
Unless transferred to Oxford Risk via the API, Oxford Risk will provide customers with access to a ‘bucket’ on Amazon Web Service’s S3, or a similar cloud-hosted service, where they can transfer data files to us via HTTPS. Files are stored using server-side AES-256 encryption (at rest). Customers can also elect to send us files they encrypt themselves. In this case, we will arrange with you to securely share relevant keys.
The Customer’s data are typically hosted in London but may be hosted elsewhere in the EEA (unless the customer requests a specific region). Data will not be hosted outside of the EEA without the customer’s prior consent.
Access to the client data store is controlled using Amazon Web Services Identity and Access Management module, or a similar service. Public and private keys are issued to relevant employees to allow them to access all parts of the data store, which enables employees to read and write data, and provide our services. Keys are also issued to customers that allow them access only to sections dedicated to them, which allows customers to send and receive data from us, but not to access any other customers data or have their data accessed by any unauthorised users. All keys can be revoked by the administrator, and keys are cycled regularly.
Oxford Risk’s employees may need to copy company data onto their local hard drives to perform analyses and provide the service. Company hard drives are protected with AES-256 encryption and require strong passwords to decrypt. Passwords are unique to each user and must be changed regularly to ensure confidentiality.
Employees are permitted to use their own devices for work, provided that they comply with the policy laid out for company-owned equipment.