CourtCorrect Terms & policies
CourtCorrect takes the privacy and security of your business data and personal information extremely seriously. This data processing agreement sets out how we, our partners and suppliers process and store your business data and personal information. If you have any questions at all about how we handle your data, please don’t hesitate to contact us at:
By email: hello@courtcorrect.com
By telephone: +44 20 7867 3925
By post: 33 Percy St, W1T 2DF, London, UK
Our governance framework incorporates industry and regulatory best practices to reduce ethical concerns, eliminate ambiguity and promote accountability of our AI systems. By embedding our core ethical principles across the organisation, CourtCorrect aims to continue driving innovation while adhering to the highest standards of safety and reliability.
Important Information and Who We Are
CourtCorrect Ltd, a company registered in England and Wales with company number 12117945 and its registered address at 33 Percy Street, W1T 2DF, London, is the data processor and is responsible for your business data and personal information (collectively referred to as “CourtCorrect”, "we", "us" or "our" in this data processing agreement).
CourtCorrect is registered with the ICO with reference number C1356101.
This data processing agreement aims to give you information on how CourtCorrect collects and processes your business data and personal information, including any data you may provide through our platform, when you sign up via our website, book or enquire about CourtCorrect.
CourtCorrect is not intended for children, and we do not knowingly collect data relating to children.
It is important that you read this data processing agreement together with any other terms we may provide on specific occasions when we are collecting or processing business data or personal information, so that you are fully aware of how and why we are using your data. Should there be any conflict between any supplementary terms and this data processing agreement, this data processing agreement shall prevail. Decisions influenced by AI systems are documented and made comprehensible for auditing and review, ensuring adherence to FCA guidance on transparency and consumer protection.
Background
The Customer and the Provider are in discussions regarding an agreement under which the Provider will make available to the Customer a technology platform to assist in responding to customer complaints. In order for the Provider to make the Services available, it is necessary for the Customer to share certain Personal Data with the Provider.
This Personal Data Processing Agreement (Agreement) sets out the terms, requirements and conditions on which the Provider will process Personal Data when providing the Services to the Customer as set out in recital A. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
Agreed Terms
The following definitions and rules of interpretation apply in this Agreement:
Business Purposes means the services to be provided by the Provider to the Customer and any other purpose specifically identified;
Commissioner means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018);
Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;
EEA means the European Economic Area;
Records has the meaning given to it in Clause 12;
Term means this Agreement's term as defined in Clause 10;
UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018;
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
A reference to writing or written includes email but not fax.
The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:
the Customer is the Controller, and the Provider is the Processor.
the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.
this agreement describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.
Provider's Obligations
The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation. The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object to or challenge the requirement, unless the domestic law prohibits the giving of such notice. The Provider will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.
The Provider must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider's performance of the Master Agreement or this Agreement.
Provider's Employees
The Provider will ensure that all of its employees:
are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
are aware both of the Provider's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
Security
The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in this agreement.
The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
Personal Data Breach
The Provider will immediately and in any event without undue delay notify the Customer in writing if it becomes aware of:
the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible;
any accidental, unauthorised or unlawful processing of the Personal Data; or
any Personal Data Breach.
Where the Provider becomes aware of any of the above, it will, without undue delay, also provide the Customer with the following written information:
description of the nature of the breach, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
the likely consequences; and
a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
assisting with any investigation;
providing the Customer with physical access to any facilities and operations affected;
facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
The Provider agrees that the Customer has the sole right to determine:
whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
The Provider will cover all reasonable expenses associated with the performance of these obligations unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy.
Cross-border transfers of personal data
The Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK without obtaining the Customer's prior written consent.
Subcontractors
The Provider may not authorise any third party or subcontractor to process the Personal Data.
The Provider may only authorise a third-party (subcontractor) to process the Personal Data if:
the Customer provides written consent prior to the appointment of each subcontractor;
the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts;
the Provider maintains control over all of the Personal Data it entrusts to the subcontractor; and
the subcontractor's contract terminates automatically on termination of this Agreement for any reason.
Those subcontractors approved as at the commencement of this Agreement are as set out in this Agreement. The Provider must list all approved subcontractors in Annex A and include any subcontractor's name and location and the contact information for the person responsible for privacy and data protection compliance.
Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this Agreement, the Provider remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.
The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
Complaints, data subject requests and third-party rights
The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.
The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
The Provider must notify the Customer within five working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by domestic law.
Term and termination
This Agreement will remain in full force and effect so long as the Provider retains any of the Personal Data related to the Terms and Conditions in its possession or control.
Data return and Destruction
At the Customer's request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
On termination of this Agreement, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends. The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 5 working days after it completes the deletion or destruction.
Records
The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in this agreement. The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider's compliance with its obligations under this Agreement and the Data Protection Legislation, and the Provider will provide the Customer with copies of the Records upon request.
The Customer and the Provider must review the information listed in the Annexes to this Agreement at least once a year to confirm its current accuracy and update it when required to reflect current practices.
Warranties
The Provider warrants and represents that:
its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Services; and
considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss of or damage to the Personal Data, and ensure a level of security appropriate to:
the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage;
the nature of the Personal Data protected; and
comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in this agreement.
The Customer warrants and represents that the Provider's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
Indemnification
The Provider agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.
Notice
Any notice given to a party under or in connection with this Agreement must be in writing and delivered to:
For the Customer: any email address associated with an administrator account used by the Customer
For the Provider: Ludwig Konrad Bull, CEO & Founder – ludwig@courtcorrect.com
ANNEX A - PERSONAL DATA PROCESSING PURPOSES AND DETAILS
PROCESSING BY PROVIDER
SCOPE
The Provider's employees, its systems and all Client and Complainant personal data in whatever form it is held.
NATURE
The Provider is permitted to collect, sort, save, transfer, restrict and delete data only to the extent necessary to demonstrate its capability in complaint handling.
PURPOSE OF PROCESSING
The Provider is to process the personal data on the basis that the Customer has a legitimate interest in processing its “customers” data for the reasons of complaint handling and to bring a resolution to the Customer’s “customers”. This purpose is to ensure the Customer can fulfil its obligations under this Agreement with each “customer”.
DURATION OF THE PROCESSING
The processing will last no longer than required by the Provider in order to fulfil its obligations of the complaint resolution, or for such a period of time that is reasonably needed to provide the Customer with information with regards to its services executed in the overall complaint resolution service being provided.
TYPES OF PERSONAL DATA
The Supplier will process the following types of data on behalf of the Client:
Names
Personal contact details (customer and third party)
Details of the complaint
Date of birth
Vulnerabilities
Other evidence that may form part of the complaint
CATEGORIES OF DATA SUBJECT
Customers, family members, and third-party suppliers.
SUBPROCESSORS
OVHCloud
All data transferred under this agreement will be stored exclusively on OVHCloud, our cloud computing provider. We use their relevant S3 Buckets, PostgreSQL DB and Mongo DB services to store data and documents. The physical infrastructure behind our server instances is located in two separate sites in Frankfurt am Main, Germany. OVHCloud is a leading European compliance and privacy-focused cloud provider with ~€1bn in revenue and its HQ in Paris, France. In addition to being able to offer OVHCloud’s redundancy, security and accreditations (e.g. ISO 27001 / 27017 / 27018 / 27701 / 50001, SOC 1 / 2 / 3 and more) to our customers, we also benefit from OVHCloud’s Data Sovereignty Guarantee, which ensures a higher level of compliance than American cloud providers and future-proofs the deployment of the CourtCorrect Platform with respect to European and UK data protection regulations. You can learn more about OVH’s security protocols and redundancy measures here: https://www.ovhcloud.com/en-gb/cloud-security
We agreed a formal partnership with OVHCloud in October 2023, which gives us access to priority support and dedicated account management, among other benefits: https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-uk-courtcorrect/
Data held by OVHCloud can be deleted directly by authorized frontend users of the CourtCorrect system. Backup databases will hold the relevant data for another 3 months, unless early deletion is requested in writing.
OpenAI
OpenAI is a provider of large language models. We use OpenAI’s business API to provide large-language-model-based services. Some data under this agreement will be processed by OpenAI. We have contractual assurances that such data will not be used for further model training or similar at OpenAI and is deleted permanently from OpenAI databases within 30 days of processing. You can learn more about OpenAI’s data retention and privacy protocols here: https://openai.com/enterprise-privacy
Elasticsearch B.V.
Elastic NV is an American-Dutch company that was founded in 2012 in Amsterdam, the Netherlands, and was previously known as Elasticsearch. It is a search company that builds self-managed and software as a service (SaaS) offerings for search, logging, security, observability, and analytics use cases.
Some personal data processed under this agreement may be replicated temporarily into our Elasticsearch clusters to provide search services. While this data is anonymised before being temporarily stored with this service, we cannot exclude the possibility that some personally-identifying information will be preserved.
Data will be deleted automatically from Elasticsearch within 30 days of this data being deleted in the OVHCloud service.
You can learn more about Elasticsearch’s privacy policy here:
https://www.elastic.co/legal/privacy-statement
Amazon Web Services – Hosting
We use Amazon Web Services (“AWS”) as a hosting provider for our custom and fine-tuned large language models and also to host a variety of frontend and backend applications. Data processed under this agreement may also be processed by one of our applications built on AWS. However, data will never be stored with AWS and will only be transferred in an encrypted format, such that there is no permanent record of the data stored anywhere. You can learn more about AWS’ Privacy and Security framework here: https://aws.amazon.com/compliance/data-privacy-faq/
ANNEX B - SECURITY MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES
The Customer is committed to maintaining the confidentiality, integrity and availability of all data it accesses, processes or stores. Where services have been contracted to a third party to access Personal Data, the Provider must ensure that Personal Data is subject to the standards laid out in this Agreement.
Right of Inspection
Customer may, upon giving at least 1 month’s written notice, conduct a security review or audit of any site or component being used by or required to be used by the Provider or its sub-processors or third parties. Customer shall carry out any inspection in such a way to cause as little disruption as reasonably possible to the Provider.
The Provider shall provide all assistance reasonably requested by Customer in relation to any review and shall ensure that arrangements with any third-party service providers or sub-contractors contain provisions for such an inspection. The Provider will remediate any points that are identified in the review or audit by Customer as being a risk to Personal Data shared under this Agreement.
Information Security Policy and Governance
The Provider shall ensure that the subject of information security and its importance to the Provider’s business is represented at a senior level within the Provider’s organisation and that a formal strategy for information security management has been approved by management.
A documented and approved information security policy will be maintained. This policy must be communicated to the Provider’s personnel, contractors and all their third parties with access to Personal Data or the Provider’s information systems. The information security policy must be enforced across the organisation and reviewed on at least an annual basis, or when a significant change has occurred that necessitates the modification of the policy. The Provider shall ensure that there is a formal disciplinary process for breaches of this policy.
The Provider shall develop, implement, operate, maintain and continuously improve an Information Security Management System (“ISMS”) which is in alignment to Good Industry Practice and is tested and audited in accordance with ISO 27001.
The Provider will obtain certification of the ISMS to ISO 27001 within 6 months of this agreement and will maintain such certification for the duration of the agreement. This certification will be independently verified and issued by a body formally accredited by the UK Accreditation Service or other such member of the International Accreditation Forum.
Awareness and Training
The Provider shall provide all employees who have access to Personal Data with clear roles and responsibilities pertaining to information security and data protection.
The Provider will provide employees with specific information security training detailing good security practices on at least an annual basis. This training will reflect current, best industry practices and make employees aware of current threat trends.
Access Control
The Provider will ensure that access control to information systems that host, access or process Personal Data is maintained to only those who need access.
Each user should authenticate using a unique username and strong password before being granted access to applications, computers and network devices. The account provided to employees must have permissions that are appropriate to the role they carry out.
The access that has been provided to employees must be reviewed on a regular basis to ensure that access granted is required.
Access provided must be cancelled immediately after an employee leaves the organisation or no longer has a requirement to access the information system.
Secure Configuration
All external connections to the Provider’s networks and applications shall be individually identified, verified, and approved by the Provider in accordance with the Provider’s information security policy.
All network traffic from external sources must be routed through a firewall before being allowed access to the Provider’s network. Firewalls must ensure secure connections between internal and external systems and shall be configured so that only required traffic is allowed to pass through.
Wireless access to the Provider information systems must be subject to authorisation, authentication, and encryption protocols consistent with security industry best practice, and shall only be permitted from locations approved by the Provider.
The Provider will ensure that its computers and network devices are securely configured, in particular that:
Unnecessary user accounts will be removed or disabled;
Any default password for a user account must be changed to a unique, strong password;
Unnecessary software will be removed or disabled;
A personal firewall (or equivalent) must be enabled on desktop PCs and laptops, and configured to disable unapproved connections by default.
Patch Management
The Provider shall ensure that software running on computers and network devices is kept up-to-date and has the latest security patches installed.
All software running on computers and network devices that are connected to the internet must be licensed and supported to ensure that security patches for known vulnerabilities are made available.
Updates to software running on computers and network devices that are connected to or capable of connecting to the internet should be installed within thirty days of being made available from vendors.
Out-of-date software should be removed from computer and network devices that are connected to or capable of connecting to the internet.
All security patches for software running on computers and network devices that are connected to or capable of connecting to the internet should be installed within 14 days of release or automatically when they become available from vendors.
Malware Protection
The Provider shall ensure that information, applications and computers within the organisation’s internal networks are protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.
The organisation should implement robust malware protection on exposed computers. The Provider will ensure that:
Malware protection software should be installed on all computers that are connected to or capable of connecting to the internet;
Malware protection software should be kept up-to-date;
Malware protection software should prevent connections to malicious websites on the internet.
Networks shall be designed and implemented so as to be able to cope with current and predicted levels of traffic and shall be protected using security best practice controls.
All email communications with the Customer or emails concerning Customer systems are encrypted and are supported and protected by a combination of usage policy, training, awareness and documented procedural and technical security controls.
Monitoring
The Provider shall deploy intrusion detection tools in the Provider IT systems to identify suspected or actual attacks and respond in accordance with its security incident management process.
Logs of all security events will be maintained, such as those that have the potential to impact the service provided to the Customer and that may assist in the identification or investigation of security incidents and breaches of access in relation to the Provider’s systems.
Removable Media
Where the Provider has a requirement to use removable drives, this must be done within a controlled environment. Removable drives must be:
Only used with approval from management and for a justified business reason;
Encrypted with Advanced Encryption Standard (AES) with 256-bit keys.
Information System Development
Activities must be carried out in accordance with a documented system development methodology which shall be shared with Customer upon request. Information security requirements shall be considered from the outset of systems design.
Quality assurance checks and reviews shall be included in the development lifecycle. The Provider shall ensure that all elements of the Provider systems are tested at all stages of the systems development lifecycle before the system is promoted to the live environment.
Changes to information processing systems must be controlled by the use of a formal change control procedure. This procedure will ensure that:
A formal process of documentation is maintained;
Testing is conducted;
Quality control is ensured;
Any change is introduced into service in a controlled manner;
The ability to regress is enabled.
Where the Provider outsources development to a third party, the Provider must ensure that the standards set out in this Agreement are adhered to. The Provider's third party must also be subject to the Provider’s third-party assurance process.
System development activities shall be performed in an IT environment isolated and separate from the production environment.
The Provider shall ensure that live Customer data (including Personally Identifiable Data) will not be used within the test environment.
CourtCorrect Ltd.
33 Percy Street, W1T 2DF, London
hello@courtcorrect.com
+442078673925