top of page

DPA Policy

Gyre: Data Processing Addendum - (Users)
Last Update: January 2024

In order to provide the Services to its users (“User” or “you”), The Developing Leaders Partnership Limited (T/A Gyre) processes data of customers or visitors of the Users’ site or services (herein: “Users-of-Users”). The processing of such data by Gyre is hereinafter referred to as “Processing”. The following Data Processing Addendum (“DPA”) sets forth the terms of such Processing by Gyre.

This DPA forms part of the Gyre Privacy Policy (the “Privacy Policy”) and any other applicable Gyre terms or agreement governing the use of the Services (collectively, the “Agreement”). The terms of the Agreement shall apply to this DPA as applicable. In any event of contradiction between this DPA and the Agreement, the provisions of this DPA shall govern solely with respect to the Processing of Users-of-Users Information. Any capitalised term not defined herein, shall have the meaning ascribed to it in the Gyre Policies.

To the extent Users-of-Users Information is Processed by Gyre on your behalf you acknowledge and agree that Gyre will process Users-of-Users Information as necessary to provide you with the Services and as further detailed herein, and by using the Gyre Services, you instruct Gyre to process such Users-of-Users Information on your behalf pursuant to this DPA.

 

A. DEFINITIONS

​For the purpose of this DPA, the following terms have the following meaning

  • ​“Adequate Country” means, as applicable (i) with respect to the EEA, a country outside the EEA that is designated as a country that is deemed to ensure an adequate level of protection by the European Commission in accordance with Article 45 of the GDPR. For the purpose of this DPA, “EEA” means the member states of the European Union as well as Iceland, Liechtenstein and Norway; and (ii) with respect to the UK and/or Switzerland, a third country outside the UK or Switzerland (as applicable) that offers an adequate level of protection to data pursuant to an adequacy decision published by the relevant data protection authority

  • “Data Protection Laws” means all privacy and data protection laws and regulations applicable to Processing of Personal Data of natural persons under this DPA in connection with the Gyre Services, including the European Union Regulation 2016/679 (the “GDPR”) and the national law of the applicable EEA member state that implements the GDPR, and California Civil Code Section 1798.100-1798.199 (the “CCPA”), the UK General Data Protection Regulation (the “UK GDPR”) (as applicable), and any laws or regulations ratifying, implementing, adopting, or supplementing such laws; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.

  • “Data Subject” means the identified or identifiable person to whom the Personal Data relates.

  • The terms “Controller”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor”, as used in these DPA, shall have the meanings given to them in the GDPR and shall be meant to include any different but similar term used in any other Data Protection Laws.

  • “Jurisdiction Specific Terms” means terms and conditions that apply to Users who are subject to certain additional jurisdiction-specific data protection laws, as specified in Schedule 1 of this DPA.

  • “Standard Contractual Clauses” or the “Standard Clauses” means the EU Standard Contractual Clauses as approved by the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en) (in each case, as applicable while taking into consideration the nature and roles of the data exporter and data importer).

  • “Users-of-Users Information” means Personal Data of Users-of-Users (as such terms is defined in the Privacy Policy) that you submit to Gyre or may otherwise be Processed by Gyre on your behalf.

  • "Gyre Security Documentation" means the technical and organisational measures Gyre deploys and maintains to protect Users-of-Users Information, as detailed in the https://www.gyreteams.com/data-security-summary (or as otherwise made reasonably available by Gyre), all as may be updated from time to time.

 

​B. PROCESSING OF USERS-OF-USERS INFORMATION BY GYRE

​1. Roles of the Parties. You acknowledge and agree that with regard to the Processing of Users-of-Users Information performed on your behalf, (i) you are the Controller and Gyre is the Processor of such of such Users-of-Users Information; and (ii) for the purposes of the CCPA (if applicable), you are the “Business” and Gyre is the “Service Provider” (as such terms are defined in the CCPA).

2. Details of the Processing by Gyre. Gyre will process Users-of-Users Information in order to provide the Services in accordance with the Agreement and this DPA. The nature and purposes of the Processing, its duration, the types of Personal Data Processed and categories of Data Subjects are further specified in Schedule 2 (Details of the Processing) to this DPA.

3. Processing by Gyre. When Gyre Processes Users-of-Users Information on your behalf in the course of providing the Service, Gyre shall:

a. Process Users-of-Users Information only for the following purposes: (i) provisioning the Services to you in accordance with the Agreement and this DPA (including any applicable Jurisdiction Specific Terms), (ii) in accordance with your reasonable documented instructions in this DPA and as may subsequently be instructed by you, to the extent your instructions are compatible with the Services and this DPA; and (iii) as required under the laws applicable to Gyre or subject to a competent authority's requirement, provided that if Gyre is required by law to Process your Users-of-Users Information for any other purpose, Gyre will provide you with prior notice of this requirement, unless Gyre is prohibited by law from providing such notice.

 

b. Ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and have committed themselves to confidentiality.

 

c. Implement reasonable technical and organisational measures to enable you to comply with Data Subject Requests (as defined below) that you are obligated to fulfil

4. Processing by you. When using the Gyre Service, you shall:

 

a. Ensure that your submission of Personal Data to Gyre, your instructions for the Processing of Users-of-Users Information by Gyre, and your processing of Users-of-Users Information in your use of the Services will comply with Data Protection Laws.

b. Establish and have any and all required consents, legal bases and authorizations in order to collect, use and otherwise process and transfer to Gyre the Users-of-Users Information, and to authorise the Processing by Gyre, and for Gyre’s Processing activities on your behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.

c. In some instances (and when relevant) flag specific data as Personal Data in order for Gyre to treat it as such. You have sole responsibility for the accuracy, quality, and legality of Users-of-Users Information and the means by which it was obtained.

d. Be solely responsible for any transfer of Users-of-Users Information by you (or any other person operating on your behalf) to any platform other than Gyre, or any other third party.

C. SUB-PROCESSORS

General Authorization for use of Sub-processers. You hereby grant Gyre a general authorization to engage sub-processors to Process your Users-of-Users Information in order to provide the Gyre Services without obtaining any further written, specific authorization from you, subject to the following conditions:

1. Gyre will restrict the sub-processor’s access to Users-of-Users Information only to what is necessary to provide the Services, and will prohibit sub-processors from processing Users-of-Users Information for any other purpose.

a. Gyre’s use of any specific sub-processor to process Users-of-Users Information shall comply with applicable Data Protection Laws and Jurisdiction Specific Terms (if any) and will be governed by a contract between Gyre and such sub-processor that sets forth a level of protection and security to Users-of-Users Information comparable to this DPA.

b. Gyre shall remain liable to you under applicable Data Protection Laws and Jurisdiction Specific Terms for any breach of this DPA that is caused by an act, error, or omission of its sub-processors.

c. Current Sub-processors and Notification of Sub-processor Changes. A current list of sub-processors engaged by Gyre that may Process Users-of-Users Information is available at Gyre Sub Processors List (https://www.gyreteams.com/sub-processors). Upon your first use of the Services, you acknowledge and deem authorized the Gyre Sub-Processor List effective as of the date of such first use.

 

2. Objection Right for new Sub-processors. You may reasonably object to the appointment or replacement of a sub-processor by Gyre on documented reasonable grounds relating to data protection, by submitting a written and reasoned objection to Gyre at  support@gyreteams.com.

In such an event, Gyre may, in its sole discretion, choose to use commercial reasonable efforts (but is not required to) make available to you an alternative solution to avoid the Processing of your Users-of-Users Information by the new Sub-processor you objected to. Until Gyre makes a decision concerning your objection, Gyre may be required to temporarily suspend the Processing of the related Users-of-Users Information, including, if required for this matter, suspend or limit access to your User Account or suspend or limit certain features of the Services offered to you.

If Gyre finds that it is unable to resolve your objection or to provide you with such alternative solution, within thirty (30) days from receipt of your valid reasoned objection, as determined in Gyre’s full and sole discretion (with no obligation to provide any reasoning), you may, as a sole remedy, discontinue the use of the affected Service(s) by providing written notice to Gyre. Such discontinuation will be without prejudice to any fees incurred by you prior to the discontinuation of the affected Services and you will have no further claims against Gyre in connection with the discontinuation of the affected Service(s). If no objection has been raised to the replacement or appointing a new sub-processor within the above mentioned time frame, Gyre will deem you to have authorised the new sub-processor.

D. SECURITY AND SECURITY NOTIFICATIONS

1. Security Measures. Gyre has implemented and will maintain industry-standard technical and organisational security measures as required to appropriately ensure the protection of Users-of-Users Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Users-of-Users Information, and the confidentiality and integrity of Users-of-Users Information, including those measures set forth in the Gyre Security Documentation.
These measures shall be appropriate to the harm which might result from any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Users-of-Users Information, and the nature and scope of the Users-of-Users Information which is to be protected.

2. Your responsibility. You are responsible for reviewing the information Gyre makes available regarding its data security, and making an independent determination as to whether the Gyre Services meet your needs, requirements and legal obligations, including your obligations under applicable Data Protection Laws to ensure the appropriate level of security when using the Gyre Services, taking into consideration any risks with respect to Users-of-Users Information.
You are further responsible for properly configuring the Gyre Services and using features and functionalities made available by Gyre to maintain appropriate security in light of the nature of the data processed by your use of the Gyre Services. By using any of Gyre’s Services, you agree to the adequacy of the organisational, technical and security measures implemented by Gyre to protect the Users-of-Users Information. Some of those measures are referred to in the Gyre Security Documentation.

3. Security Notifications. Gyre will, to the extent permitted by applicable law, notify you without undue delay, after becoming aware of any Personal Data Breach that affects your Users-of-Users Information, as required under applicable Data Protection Laws. Gyre shall use reasonable efforts to include in such notifications relevant information concerning: the nature of the related breach, the scope and type of affected records and affected Data Subjects, anticipated consequences and details about any remediation and other measures that Gyre has taken and/or intends to take to mitigate any potential negative effects of such breach.
You acknowledge that Gyre’s notification concerning a Personal Data Breach shall not be deemed or construed as an acknowledgement by Gyre of any fault or liability with respect to such incident.
You also acknowledge that in the event of a Personal Data Breach, you may also be obligated to take measures required under applicable Data Protection Laws in connection with your Users-of-Users Information.

E. DATA SUBJECT REQUESTS AND RELATED ASSISTANCE

1. Data Subject Requests. Gyre shall promptly notify you if Gyre receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), unless Gyre is legally prohibited from doing so. Gyre shall assist you, in a timely manner, to the extent you, in your use of the Service, do not have the ability to address a Data Subject Request, by the appropriate measures and, as reasonably possible (considering the nature of the relevant Processing), in the fulfilment of your obligation to respond to a Data Subject Request under applicable Data Protection Laws, unless Gyre is legally prohibited from doing so.

 

2. Records. Gyre will keep records of its Processing in compliance with applicable Data Protection Laws and provide you with necessary records to demonstrate compliance upon reasonable request.

3. Data Protection Impact Assessment Upon your request, Gyre will provide you with reasonable cooperation and assistance needed to fulfil your obligation under the GDPR to carry out data protection impact assessments and consultations with the competent supervisory authority in relation to your use of the Service, where, in your reasonable judgement, the Processing performed by Gyre is likely to result in a high risk to the rights and freedoms of natural persons, and to the extent you do not otherwise have access to the relevant information, and to the extent such information is available to Gyre.

4. Further Assistance. Upon your reasonable written request, at reasonable intervals (no more than once every 12 months) and subject to confidentiality (if applicable) undertakings by you, Gyre will

a. Make available to you: (a) reports, certifications or extracts thereof where available from a source charged with auditing Gyre’s data protection practices to enable you to assess Gyre’s compliance with the terms of this DPA; (b) Information necessary to demonstrate your compliance with your obligations under this DPA and applicable Data Protection Laws; and/or (c) a copy of Gyre most recent third-party certifications that Gyre has attained, as set forth in the Gyre Security Documentation.

b. Allow for and contribute to audits, including inspections, conducted by you or by an independent auditor mandated by you (at your cost); provided, that: (a) access will take place only during business hours; (b) findings shall be restricted only to data relevant to you; (c) such audits, inspections and the results therefrom, (i) shall only be used by you to assess compliance with this DPA, and not for any other purpose, and (ii) shall not be disclosed to any third party without Gyre’s prior written approval; and (c) Upon Gyre’s request, you will return to Gyre all records or documentation in your possession or control provided by Gyre in the context of the audit and/or the inspection. In the event of such an audit or inspection, you shall be responsible to ensure that you (and each of your mandated auditors) will not cause any damage, injury or disruption to Gyre’s premises, equipment, personnel, services and business, as applicable, while conducting such audit or inspection.

5. Costs. Subject to applicable Data Protection Laws, to the extent any assistance described in this Section E entails material costs or expenses to Gyre, the parties shall first come to agreement on your reimbursement to Gyre of such costs and expenses.

 

6. Deletion of Users-of-Users Information. Upon termination of your use of the Services or your written request submitted through one of the methods detailed in the Privacy Policy, Gyre shall delete your Personal Data and related Users-of-Users Information as soon as reasonably practicable and according to the Agreement and applicable laws.
Notwithstanding the forgoing, Gyre may retain Users-of-Users Information (or a portion of it), if required under the Agreement or by applicable law or regulation (including applicable Data Protection Laws); provided such Users-of-Users Information remains protected in accordance with the terms of this DPA and applicable Data Protection Laws.

 

F. INTERNATIONAL TRANSFERS

 

1. General. You acknowledge that Gyre may Process Users-of-Users Information anywhere in the world so long as it complies with applicable Data Protection Laws, applicable Jurisdiction Specific Terms and this DPA.

2. Appropriate Safeguards for Cross Border Data Transfers from the EEA, Switzerland and the United Kingdom. Gyre shall only transfer Users-of-Users Information from the EEA, Switzerland and the United Kingdom (“UK”), using the applicable mechanisms required to ensure that the relevant cross-border transfer is in compliance with applicable Data Protection Laws, as follows:

a. Transfers to gyreteams.com. Users-of-Users Information that Gyre receives and Processes is initially transferred by you and/or the applicable Data Subject to gyreteams.com in Ireland under the European Commission’s adequacy decision 211/61/EU.

b. Onward Transfers to Adequate Countries. Onward transfers of Users-of-Users Information by Gyre to a recipient operating on Gyre’s behalf that is located in an Adequate Country will be conducted under the applicable adequacy decision published by the relevant data protection authority (with no need for any other safeguard).

c. Onward Transfers to Gyre Sub-contractors in Other Countries. Any onward transfer of Users-of-Users Information by Gyre to a recipient operating on Gyre’s behalf that is located in a third country outside the EEA, the UK, and Switzerland shall be conducted by either: (i) entering into the Standard Clauses or any similar mechanism approved by the competent authority in the EU, UK or Switzerland; or (ii) ensuring that other appropriate safeguards pursuant to Article 46 of the GDPR or any equivalent provision in the applicable Data Protection Law are in place.

d. Onward Transfers at Your Instructions.  In case of a transfer to a third party that is not a sub-processor of Gyre, which is conducted by Gyre at your instructions, or by you in accordance with an agreement between you and such third-party (which Gyre is not a party to), you shall be solely responsible for the transfer of Users-of-Users Information and its compliance with applicable laws.

e. If the applicable transfer mechanism is amended, replaced, or otherwise invalidated, Gyre shall enter into any updated version of such mechanism or any alternative mechanism endorsed by the applicable competent authority.

G. MISCELLANEOUS

1. This DPA shall be in effect for as long as you use any of the Gyre Services; provided, however, that in the event Gyre is obligated, according to the terms of this DPA or the Agreement, to keep Users-of-Users Information following the termination of the Services, this DPA shall remain in effect for as long as Gyre holds Users-of-Users Information.

2. For avoidance of doubt and to the extent allowed by applicable law, all liability under this DPA, including limitations thereof, will be governed by the relevant provisions of the Gyre Terms of Use.

3. You acknowledge and agree that Gyre may amend this DPA as may be required from time-to-time, by posting the relevant amended and DPA on Gyre’s website https://www.gyreteams.com  and any amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted constitutes your agreement to, and acceptance of, the amended DPA.

4. If any provision of this DPA is deemed by a court of competent jurisdiction to be invalid, unlawful, void, or for any reason unenforceable, then such provision shall be deemed severable and will not affect the validity and enforceability of the remaining provisions.

5. Any questions regarding this DPA should be addressed to the Gyre Data Protection Officer at support@gyreteams.com. Gyre will attempt to resolve any complaints regarding the use of your Users-of-Users Information in accordance with this DPA and the Agreement.

6. This DPA was written in English and may be translated into other languages for your convenience. If a translated (non-English) version of this DPA conflicts in any way with its English version, the provisions of the English version shall prevail.

​Schedule 1 – Data Protection Laws

1. California. Applicable Data Protection Laws and Jurisdiction Specific Terms for California Residents:

a. The definition of “Data Protection Law” includes the CCPA.

b. The definitions of “Personal Data”, “Data Subject”, “Controller” and “Processor” includes the definitions “Personal Information”, “Consumer”, “Business”, and “Service Provider”, respectively, all as defined under CCPA.

c. Gyre will process, retain, use, and disclose personal information only as necessary to provide its Services, which constitutes a business purpose.

d. Gyre agrees not to: (i) sell (as such terms is defined under the CCPA) Personal Data (including Users-of-Users Information); (ii) retain, use, or disclose Personal Data (including Users-of-Users Information) for any commercial purpose (as defined by the CCPA) other than providing the Services; or (iii) retain, use, or disclose Users-of-Users Information outside of the scope of the Agreement.

 

e. Gyre certifies that its sub-processors, as described in Article C of the DPA, are Service Providers under CCPA, with whom Gyre has entered into a written contract that includes terms ensuring at least the same level of protection and security as those set out in this DPA. 

 

f. Gyre will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Article D of this DPA.

 Schedule 2 – Details of User-of-User Information Processing

1. Nature and Purpose of Processing. We may use your User-of-User Information for the following purposes (and tasks related to such purposes), all in accordance with the Agreement and in a way that is proportionate and that respects your and your Users-of-Users privacy rights:

a. Providing you with the Services;

b. Acting upon your instructions, including providing you with professional assistance, only upon your request; provided your instructions are consistent with the terms of this DPA and the Services;

c. Performing and enforcing the Agreement and this DPA and other contracts executed by and between us (if any)), and defending Gyre’s rights;

d. Preventing, investigating and mitigating data security risks and incidents, fraud, errors and/or illegal or prohibited activities;

e. Complying with applicable laws and regulations;

2. Duration of Processing. Prior to the termination of your use of the Services, Gyre will process your User-of-User Information in accordance with this DPA and the Agreement until you elect to delete such User-of-User Information (or part thereof) on your own, directly through our Services, as you are the solely responsible for deleting your User-of-User Information via the Services. Upon such termination, deletion of your Users-of-Users Information will be handled by Gyre in accordance with Section 16 (Deletion of Users-of-Users Information) of this DPA.

3. Type of Personal Data. Subject to your content restriction obligations under this DPA and the Agreement, you may submit Users-of-Users Information to the Service, in scope and nature that is controlled and determined solely by you.

4. Categories of Data Subjects. Subject to your content restriction obligations under this DPA and the Agreement, you may submit Users-of-Users Information to the Service, which may include (but is not limited to), Personal Data relating to the following categories of Data Subjects, all as controlled and determined solely by you: Your existing and prospective employees, candidates, agents, consultants, freelancers, business partners and/or sub-contractors (and their respective employees, contact persons, agents, etc.), who are natural persons;(ii) your existing and prospect customers and end users (and their respective employees, contact persons and agents), who are natural persons; and (iii) any other third party individual with whom you decide to engage through the Service.

bottom of page