Controller: The Representative (and their organisation) using the Platform.
Processor: Philoware Limited, PhilHQ, Foxford, Co. Mayo, F26 PP40, Ireland.
1.1 Processing of personal data contained in Cases and user accounts for the purpose of providing the Platform.
1.2 Duration: for the term of the Representative’s subscription and thirty (30) days thereafter for export/closure.
2.1 Hosting, storage, transmission, display, indexing, analytics (aggregated/anonymised), support and security monitoring necessary to operate the Platform.
3.1 Personal data may include names, contact details, location, case descriptions, attachments and communication logs.
3.2 Data subjects include Citizens, Representatives and authorised staff.
4.1 Process personal data only on documented instructions of the Controller (including these Terms and in-product settings).
4.2 Ensure personnel confidentiality; provide regular training.
4.3 Implement appropriate technical and organisational measures including: encryption in transit (TLS 1.3) and at rest (AES-256), 2FA, role-based access control, secure development life-cycle, logging and monitoring, regular vulnerability management and annual penetration testing.
4.4 Assist the Controller with data-subject requests, DPIAs, and consultations.
4.5 Breach notification: notify the Controller without undue delay and within 24 hours of becoming aware of a personal data breach affecting the Controller’s data, with details and mitigation updates.
4.6 Deletion/return: at the end of the engagement, delete or return personal data at the Controller’s choice within 30 days, subject to legal retention requirements.
4.7 Make available information necessary to demonstrate compliance and allow audits (on reasonable notice, subject to confidentiality, security and frequency limits).
5.1 Controller authorises Processor to use sub-processors necessary to deliver the Service, including:
5.2 Processor shall maintain a public list at /subprocessors and provide notice of changes. Controller may object on reasonable grounds; if unresolved, Controller may terminate affected services.
6.1 Primary hosting is in Ireland. Any transfers outside the EEA will rely on lawful mechanisms (e.g., Standard Contractual Clauses) with supplementary measures.
7.1 Each party remains liable for its own compliance with GDPR. Processor’s aggregate liability under this DPA is limited as set out in the Representative Terms.
8.1 Irish law and the courts of Ireland.
