1. Definitions

“Agreement” means the Order Form and any Service Agreement elements contained therein, the accompanying Terms and Conditions, or any such instruction from the Client for Audiem to undertake Data Analysis Services and/or associated Professional Services work.

“Audiem”, “we” “us”, or “our” means Workplace Advantage Ltd. (trading as Audiem), with its registered office at White House Farm, West Rounton, Northallerton, DL6 2LW, with company number 10976073 and VAT number 412702635.

“Audiem Affiliates” means any person carrying out Data Analysis services for the Audiem organisation.

“Audiem Data” means any data resulting from the processing of Client data to make sense of and/or generate insights from it, or any other proprietary data that is related to any services we offer.

“Author” means a person that provides textual (Viewpoint) and numerical or categorical (metadata) content data from, or relating to, a Client organisation.

“Client” means the managing organisation commissioning Audiem to either gather data on their behalf and/or generate insights from Author content.

“Client Data” means any data generated by the Client and/or their Authors that is provided to us for processing using our tools, or that we collect using our tools on their behalf.

“Client User” means anyone authorised by the Client (or their nominated parties) to access and administer the Audiem software platform, or otherwise use our Services.

“Controller” and “Processor” have the meaning set forth in the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”) within, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Data Analysis Services” refers to the whole process of using the Audiem platform to gather viewpoints and generate insights, from the moment data comes into our remit.

“Data Subject” refers to an individual person who can be identified via an identifier such as name or unique ID etc.

“Platform” refers to the Audiem SaaS platform.

The “Policy” is this document in its entirety, including Appendix A.

“PII” means Personally Identifiable Information as set out in the UK GDPR.

2. The purpose of this policy

This Policy sets out the rights and obligations that apply to Audiem’s handling of personal data on behalf of the Client as part of their access to the Platform and the company’s provision of data analysis services (“Data Analysis Services”).

Appendix A of this Policy contains details about the security measures implemented to comply with the UK General Data Protection Regulation (UK GDPR).

3. Data protection principles

Audiem is committed to processing data in accordance with its responsibilities under the UK Data Protection Act and the UK GDPR within.

This legislation requires data to be:

• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that any inaccurate personal data, having regard to the purposes for which it is processed, is erased or rectified without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods so long as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the legislation in order to safeguard the rights and freedoms of individuals; and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4. Types of data and data subjects

This Policy covers all data, including Personally Identifiable Information (PII), processed and/or stored by Audiem, including:

• Client data
• Client User data
• Data processed by the Platform and/or Audiem for the purpose of carrying out Data Analysis Services
• New data (i.e. insights) created from the process of Data Analysis Services

Client Data

The data processed/stored by Audiem relating to the Client is only for the purposes of doing business and being able to meet the requirements of the Agreement. Examples of such data is as follows:

• Company name and name(s) of contacts within the company
• Company address(es)
• Company and contact telephone numbers
• Contact email addresses
• Information revealed under a Non-Disclosure Agreement

Client User Data

The data processed/stored pertaining to Client Users, including Personally Identifiable Information (PII), may include some or all of the following:

• Name
• Company
• Email
• Password (encrypted version only)
• IP Address

Client User activity on the Platform

We automatically collect metrics and information about how Client Users interact with and use our Services. We use this information to develop and improve our services, and to inform our sales and marketing strategies. We may share or publish this service data with third parties in an aggregate anonymous manner, but we will not include any Client data or identify Client Users. We use Client data in an anonymised manner for machine learning that supports certain product features and functionality within the Audiem platform.

When you use the Platform, we automatically collect log files. These log files contain certain information about a Client User’s IT system, a Client User’s IP address, browser type, domain names, internet service provider (ISP), the files viewed on site (e.g. HTML pages, graphics, etc.), operating system, clickstream data, access times, and referring website addresses. We use this information to ensure the optimum operation of the Platform and for security purposes. We may link log files to personal data, such as name, email address, address, and phone number for these purposes.

Content Authors

Where Audiem elicits or sources data on the Client’s behalf, all data processed by Audiem for the purpose of Client insight has been published by the content Authors via a data collection (for example survey or feedback tool), or on a public or private forum that we have legitimate access to. Where this is the case, Audiem will only process data when it is within the terms and conditions of the specific data source to do so.

Author Data

The data processed/stored pertaining to content Authors, including Personally Identifiable Information (PII), may include some or all of the following. When accessed from a publicly accessible source this data is fairly consistent in type, but can vary when data is sourced by the Client. Examples of data types are as follows:

• Name
• Company
• IP Address
• Content of a viewpoint or post, which may or may not contain Personally Identifiable Information
• Date of a viewpoint or post
• Something specific to the content Author, such as username, name, unique ID, email.
• Location, where volunteered by the content Author or discernible from IP/location tracking

New Data

The data created from the Data Analysis Services will be visualised and accessible by the Client and Audiem via the Platform.

5. Client's instructions

Audiem are solely permitted to process data when instructed to do so by the Client. For the avoidance of doubt, the Policy constitutes such instruction as sending/uploading data to analyse, agreeing to an Order Form for work and/or any other communication that implies a request for Data Analysis Services.

Data Protection Impact Assessment (DPIA)

All Client instructions pass through a DPIA phase where:

1. Audiem analyse the specific use case and need for the Data Analysis Services
2. Audiem looks at the proposed data set to be processed and may highlight items that don’t require processing and/or need anonymising at source before being uploaded to and processed by the Platform
3. Audiem identify any potential risks in relation to:

• legislation compliance (which Audiem is subject to); and
• data source provider compliance

Audiem shall inform the Client if an instruction, in the opinion of Audiem, infringes any relevant data protection laws and/or the terms of our data source providers.

Specific data processing requirements

Where the Client has specific processing requirements that go beyond or are not specified in this Policy, the Client may provide them in writing to Audiem.

Audiem will comply with all such instructions without additional charge to the extent

necessary for Audiem to comply with its obligations as a Processor under the Regulation in the performance of the Data Analysis Services.

The parties will negotiate in good faith with respect to any other change in the Data Analysis Services and/or fees resulting from any additional instructions.

6. Confidentiality

Audiem shall ensure that persons authorised to process personal data on behalf of the Client have committed themselves to confidentiality or are subject to appropriate statutory obligation of confidentiality.

Audiem ensures that only those persons who are currently authorised are able to access the personal data being processed on behalf of the Controller.

7. Control and processor of personal data and purpose of the personal data processing

The Client will at all times remain the Controller for the purposes of the Data Analysis Services, the Agreement, and this Policy. The Client is responsible for compliance with its obligations as a Controller under data protection laws, in particular for justification of any transmission of Personal Data to Audiem (including providing any required notices and obtaining any required consents and authorisations), and for its decisions and actions concerning the processing and use of the Personal Data.

The Client will also act as a Processor on behalf of the content Authors as defined in this Policy. Audiem is a Processor for the purposes of the Data Analysis Services, the Agreement, and this Policy. Audiem will process data solely for the provision of the Data Analysis Services, and will not otherwise:

1. Process or use data for purposes other than those set forth in this Policy or as instructed by the Client in accordance with the above; or
2. disclose such data to third parties other than Audiem Affiliates or third party Sub-Processors for the aforementioned purposes or as required by law. Audiem will comply with all applicable data protection laws to the extent that such laws by their terms impose obligations directly upon Audiem as a Processor in connection with the services specified in this Policy.

8. Assistance to the client

Audiem, taking into account the nature of the processing, shall, as far as possible, assist the Client by appropriate technical and organisational measures, in the fulfilment of the Client’s obligations to respond to requests for the exercise of the Data Subjects’ rights pursuant to relevant legislation.

Audiem will pass on to the Client any requests of an individual Data Subject to access, delete, correct or block Personal Data processed under this Policy. Audiem will not be responsible for responding directly to the request, unless otherwise required by Law.

Audiem shall assist the Client in ensuring compliance with the Client’s obligations pursuant to UK GDPR, taking into account Audiem’s role and the nature of the processing and the information made available to Audiem. The Client agrees to pay Audiem reasonable fees that may be associated with Audiem performance of any such assistance to the Client.

9. Transfer of data to EEA, outside of the EEA, or to international organisations

Audiem may transfer Personal Data to the EEA, outside of EEA, or international organisations on documented instructions from the Client, or where a UK GDPR compliant Sub-Processor does so as part of its service.

10. Use of sub-processors

The Client accepts that some or all of Audiem’s obligations under this Policy is performed by third party Sub-Processors. Audiem maintains a list of Audiem Sub-Processors that may process data.

Audiem uses the following Sub-Processors:

• Microsoft
• SmartSurvey

Audiem will provide reasonable notice to the Client of any planned changes with regard to additions to or replacement of other data processors.

Audiem shall ensure that Sub-Processors are subject to the same data protection obligations as those specified in this Policy on the basis of a contract or other legal document under relevant legislation, in particular providing the sufficient guarantees that the Sub-Processors will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the governing laws.

11. Security

Audiem take all the measures required pursuant to the UK GDPR which stipulates that – with consideration for the state of the art, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons - the Client and Audiem shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Audiem shall ensure that Personal Data is stored securely using modern software that is kept up-to-date. This provision includes:

• Access to Personal Data shall be limited to need access for the purposes of Data Analysis Services.
• When data is deleted, it is done safely such that the data is irrecoverable.
• Appropriate back-up and disaster-recovery solutions are in place.

Additional measures, and information concerning such measures, including the specific security measures and practices for the Platform and particular Data Analysis Services ordered by the Client, may be specified in the Agreement.

Appendix A of this Policy specifies the level of security and the measures implemented by Audiem to ensure the above.

12. Audit rights

Audiem shall make available to the Client all information necessary to demonstrate

compliance with the outlined duties of a Data Processor and this Policy, and allow for and contribute to audits, including inspections performed by the Controller or another auditor mandated by the Controller.

Any audits are at the Client’s expense. Any request for Audiem to provide assistance with an audit is considered a separate service, if such audit assistance requires the use of resources different from or in addition to those required for access to the Platform or the provision of Data Analysis Services. Audiem will seek the Client’s written approval and agreement to pay any related fees before performing such audit assistance.

13. Penetration testing

Audiem can commission penetration tests at the Client’s request. Unless otherwise agreed, the Client will pay for an external penetration test.

14. Breach notification

Audiem will notify the Client without undue delay after becoming aware of a personal data breach, which may lead to accidental or unlawful destruction, alteration, unauthorised disclosure of or access to the Client’s data.

Audiem will, taking into account the nature of the processing and information available, assist the Client in notifying the personal data breach to the supervisory authority and the data subjects.

15. Personal data upon end of data analysis services

Upon termination of the Data Analysis Services, Audiem shall be under obligation, at the

Client’s discretion, to delete or return all of the Personal Data to the Client and to delete existing copies unless governing legislation requires storage of the Personal Data.

All requests for data removal must be made in writing to notice@audiem.io and will similarly be confirmed actioned in writing.

16. Audiem staff

As part of our employee induction process, all staff are familiarised with our policies on data protection, email and internet usage, remote working and employee information security.

Audiem password policy requires all passwords for applications to be managed by the

LastPass service. Upon an employee leaving the company or changing role, their LastPass authorisation will be changed or removed accordingly. For staff requiring access to the servers via SSH, SSH keys are required for access and will be removed when necessary.

17. Legally required disclosures

Except as otherwise required by law, Audiem will promptly notify the Client of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives and which relates to the processing of Personal Data.

At the Client’s request, Audiem will provide the Client with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for the Client to respond to the Demand in a timely manner. The Client acknowledges that Audiem has no responsibility to interact directly with the entity making the Demand, unless required by law.

18. Other disclosures

Where a material or potential data breach occurs Audiem will provide the Client with reasonable information in its possession as soon as possible upon discovery of the (potential) breach.

Audiem will work with the Client to take all reasonable actions to mitigate the (potential) risks from such a breach in a fully transparent manner.

19. Service analyses

Audiem may:

1. compile statistical and other information related to the performance, operation and use of the Data Analysis Services, and
2. use data from the Data Analysis Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively “Service Analyses”)

if no Personal Data is used for the purposes mentioned in (1) or (2).

20. Processing location

Processing of the personal data under this Policy cannot be performed at other locations than the following without the Client’s prior written consent:

• Audiem: Processing is limited to the UK
• Microsoft: Processing is limited to the UK
• SmartSurvey: Processing is limited to the UK

‍

‍

APPENDIX A

Security of processing (level of security and measures)

Physical Access Control

Audiem employs physical security measures for work locations and hardware, designed to prevent unauthorised persons from gaining access to data processing systems in which Personal Data is processed.

System Access Control

All access to the Data Analysis Services is managed with authentication via password and access logs are maintained. Audiem systems used to access Client data have up-to-date malware/virus protection and are secured using unique secure passwords. All hard drives are encrypted.

Data Access Control

Personal Data is accessible and manageable only by properly authorised staff, direct database access is restricted, and application access rights are established and enforced.

Granting Access Rights – Client Superusers

During onboarding, and from time-to-time as new staff/departments use the platform, it is necessary to grant individual access to the platform for Client Users. The process for this is as follows:

1. During onboarding, and whenever subsequently necessary, Audiem will agree with the Client which members of their team are authorised to decide on access permissions for other team members.
2. These people are granted “Superuser” access and the ability to provide access/assign permissions levels (or instruct Audiem to do so on their behalf) to other named individuals.
3. Superusers should be named in the Client documentation for internal reference.
4. Audiem will automatically accept and act upon any requests for access to data or the platform from Superusers.
5. Requests from non-Superusers for access to data or the platform should be referred back to a Superuser for authorisation before any action is taken.

Transmission Control

Except as otherwise specified for the Data Analysis Services, transmissions of confidential data or special categories of data outside the Data Analysis Service environment are encrypted.

Input Control

Where the Personal Data source is under the control of the Client, Personal Data integration into the system is managed by secured transfer from the Client.

Data Backup

Client data is stored and backed-up as part the Data Analysis Services on secure Microsoft servers in the UK (via OneDrive and on Microsoft Power BI). Backups are taken on a regular basis and are secured using a combination of technical and physical controls.

For specific elements of the Data Analysis Services, Client data is also uploaded and temporarily stored and backed-up on other Sub-Processor systems which are subject to the same Data Protection obligations as Audiem.

Data Segregation

Client data being processed under the Agreement is segregated from Audiem’s other clients into their own database. These different databases may be on the same physical hardware or different hardware. This is to provide an extra layer of protection against data leakage between Clients’ databases. User credentials for different Clients (which includes PII) is kept centrally in order to resolve which platform a Client User is allowed to access.

‍

‍