Effective Date: 24 February 2025
This Data Processing Agreement ("Agreement") is a legally binding contract between Nuworks Ltd, a company incorporated and registered in England, trading as BrokerCentral ("BrokerCentral", "Provider", "we", "our", or "us"), and the individual or entity ("Customer", "you", or "your") that accesses, installs, or uses the BrokerCentral software and related services (the "Services"). This Agreement governs the Provider's processing of Personal Data on behalf of the Customer in connection with the provision of the Services as detailed in the Agreement. In the context of this Agreement, the Customer shall be the "Data Controller" and the Provider shall be the "Data Processor."
Taking into account the nature of the processing and the information available to the Provider, the Provider shall provide reasonable assistance to the Customer in relation to:
The Provider shall ensure that persons authorised to process Personal Data:
The Provider shall promptly inform the Customer if, in the Provider’s opinion, an instruction infringes applicable Data Protection Laws, unless prohibited from doing so by law.
The Provider shall implement appropriate technical and organisational measures to protect Personal Data from unauthorised access, loss, alteration, or disclosure. These measures include, but are not limited to:
The Provider shall make available to the Customer information reasonably necessary to demonstrate compliance with this Agreement and applicable Data Protection Laws. The parties shall initially seek to satisfy audit and assurance requests through:
The Provider shall assist the Customer in responding to Data Subject requests, including:
The Provider shall notify the Customer without undue delay if it receives:
In the event of a Personal Data Breach, the Provider shall notify the Customer without undue delay after becoming aware of the breach. Such notification shall, to the extent reasonably available at the time, include:
Upon receiving notification of a Personal Data Breach, the Customer shall take reasonable steps to mitigate potential harm, including notifying affected data subjects and relevant authorities where required under Applicable Data Protection Laws. The Provider shall assist the Customer in fulfilling these obligations.
The Provider shall not transfer, access, process, store, or otherwise make available Personal Data outside the United Kingdom or any other jurisdiction subject to applicable transfer restrictions unless such transfer complies with applicable Data Protection Laws and this DPA.
Where a Restricted Transfer occurs, the Provider shall implement lawful transfer mechanisms and appropriate safeguards recognised under applicable Data Protection Laws, which may include:
Where reasonably required under applicable Data Protection Laws, the Provider may implement supplementary technical, organisational, or contractual safeguards relating to Restricted Transfers, including:
The Provider may update, replace, adopt, or transition to alternative transfer mechanisms or safeguards where reasonably necessary to:
The Customer acknowledges that Sub-Processors, including AI service providers, cloud infrastructure providers, support providers, analytics providers, and integration providers, may process Personal Data in jurisdictions outside the United Kingdom where lawful transfer mechanisms and safeguards are maintained in accordance with this DPA.
The Provider may maintain transfer governance documentation, including transfer risk assessments, Sub-Processor records, transfer registers, security assessments, and supporting compliance materials relating to Restricted Transfers.
Upon reasonable written request and subject to confidentiality, security, legal, and operational limitations, the Provider may make available information reasonably necessary to demonstrate compliance with this Clause 6.
The Provider shall maintain an up-to-date list of Sub-Processors used in connection with the Services and make such list available to Customers through a website, customer portal, or upon written request.
The Provider remains responsible for the acts and omissions of its Sub-Processors in relation to their processing of Customer Personal Data to the same extent that the Provider would be responsible if it performed the relevant processing itself. The Provider shall ensure that Sub-Processors are subject to written data protection obligations that are no less protective than those set out in this Agreement, to the extent applicable to the relevant Sub-Processor’s processing activities. For the avoidance of doubt, the Provider’s responsibility for Sub-Processors under this Clause 7.3 is subject to the exclusions, limitations, and liability caps set out in the Agreement, including the Terms of Service, except to the extent such exclusions, limitations, or caps are prohibited by applicable law. Where a Sub-Processor causes or contributes to a breach, the Provider may seek recovery, indemnity, contribution, damages, or other contractual remedies from that Sub-Processor, but this shall not affect the Customer’s rights against the Provider under this Agreement, subject to the exclusions, limitations, and liability caps referred to above.
AI Functionality is live and forms part of the Services. The Customer acknowledges that, unless expressly agreed otherwise in writing by Provider, the Customer’s documented instructions include the processing of Customer Data, prompts, inputs, outputs, metadata, operational data, telemetry data, and Personal Data through AI Functionality to the extent such processing is necessary to provide, operate, secure, support, maintain, monitor, and improve the Services in accordance with this DPA and the Agreement. AI Functionality is not a separately disableable processing feature at Customer level unless Provider agrees otherwise in writing. The Customer remains responsible for ensuring that its use of the Services, including AI Functionality, is lawful and that relevant individuals receive appropriate transparency information where required under applicable Data Protection Laws. AI Functionality provides AI-assisted workflow support, including functionality designed to assist with drafting, summarisation, recommendations, operational workflows, and other user-support activities made available within the Services from time to time. Where the Provider uses artificial intelligence, machine-learning, generative AI, large language model, automated recommendation, prediction, ranking, classification, summarisation, conversational, or similar AI-enabled service providers in connection with the Services or AI Functionality, such providers shall be treated as Sub-Processors where they process Personal Data on behalf of the Customer. AI Functionality may process Customer Data, prompts, inputs, outputs, metadata, operational data, and Personal Data where such information is submitted to, generated by, or processed through the AI-enabled features of the Services. AI Functionality is intended to support, and not replace, human decision-making. AI-generated outputs may be inaccurate, incomplete, unreliable, outdated, biased, unexpected, or unsuitable for the Customer’s intended use. The Customer must ensure that appropriately qualified personnel apply meaningful human review, verification, and professional judgment before using or relying on AI-generated outputs. AI-generated outputs must not be used as the sole basis for regulated, legal, financial, insurance, employment, customer-facing, compliance, or similarly significant decisions. The Provider shall use commercially reasonable efforts to ensure that AI-related Sub-Processors are subject to appropriate contractual, technical, organisational, confidentiality, security, and data protection obligations consistent with this DPA and applicable Data Protection Laws. The Provider shall use commercially reasonable efforts to ensure that AI Sub-Processors are contractually restricted from unauthorised disclosure, retention, or use of Customer Personal Data or Customer Data outside the provision of the Services. The Provider does not use Customer Data, Customer Personal Data, prompts or outputs to train public or shared AI models, and contractually restricts relevant AI providers from doing so, unless expressly agreed in writing. Where applicable, the Provider may implement governance measures relating to AI-enabled processing activities, including:
AI-enabled Sub-Processors may process prompts, inputs, outputs, metadata, telemetry, analytics data, operational information, communications metadata, or related Personal Data in connection with AI Functionality;
AI-enabled processing activities may involve international transfers of Personal Data;
AI-generated outputs may be probabilistic in nature and may contain inaccuracies, incomplete information, unintended results, or biased outcomes;
AI Functionality is intended to support human decision-making and is not designed to operate as a solely automated decision-making system unless expressly agreed otherwise in writing;
Customers remain responsible for applying meaningful human review and oversight where AI-generated outputs may materially affect individuals, insurance decisions, financial outcomes, regulatory obligations, legal rights, or similarly significant outcomes; and
the Customer remains responsible for ensuring that its use of AI Functionality complies with applicable laws and regulatory requirements relating to automated decision-making, profiling, discrimination, insurance regulation, financial services, consumer protection, and Data Protection Laws.
The Provider may update, replace, suspend, restrict, or discontinue AI-enabled Sub-Processors or AI Functionality where reasonably necessary for legal, regulatory, security, operational, technical, ethical, or third-party dependency reasons.
Data Retention and Deletion
Upon termination or expiry of the Services, the Provider shall, at the Customer’s choice and subject to applicable law, delete or return Personal Data processed on behalf of the Customer within a reasonable period. The Provider may retain Personal Data where retention is required or permitted for legal, regulatory, security, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, business continuity, backup, archive, or legitimate operational purposes. Where Personal Data is deleted or returned following termination or expiry of the Services, residual copies may remain in routine operational backups, disaster recovery copies, restricted archive snapshots, logs, or archival systems until those copies expire or are overwritten in accordance with the Provider’s standard backup, archive, and retention procedures, unless longer retention is required or permitted under this Agreement, applicable law, or applicable legal, regulatory, security, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, or operational requirements.
Upon the Customer's written request prior to termination, the Provider shall provide a copy of the Customer’s data in a commonly used, structured, and machine-readable format, including but not limited to CSV or JSON. Such data migration assistance will be provided at the Provider’s standard professional service rates.
The Provider may retain different categories of Personal Data for different periods depending on the nature of the Personal Data, the purpose of processing, the Customer’s instructions, the Services used, applicable legal and regulatory requirements, and the Provider’s security, audit, backup, archive, and operational requirements. The table below summarises the Provider’s standard retention approach for Personal Data processed in connection with the Services. Category Retention Approach Customer Data processed through the Platform Retained for the duration of the Services and any applicable post-termination retrieval, deletion, backup, archive, legal, regulatory, security, or operational period described in this Agreement, the Terms of Service, or the Customer’s documented instructions. Account, user administration, and access management records Retained for as long as necessary to administer user access, support the Services, maintain security, investigate misuse, comply with legal or regulatory obligations, and support audit or dispute-resolution requirements. Billing, invoicing, subscription, contract, and payment-related records Retained for as long as necessary for contract administration, tax, accounting, audit, legal, insurance, regulatory, and dispute-resolution purposes. Customer support records, service communications, complaints, and correspondence Retained for as long as reasonably necessary to provide support, manage the customer relationship, investigate issues, resolve complaints, evidence communications, and comply with legal, regulatory, audit, or dispute-resolution requirements. OAuth tokens, authentication tokens, integration tokens, and connected account credentials Retained only for as long as necessary to provide the relevant integration, authentication, account connection, or security function, unless earlier revoked, disconnected, expired, or deleted. Audit logs, access logs, security logs, operational telemetry, diagnostics, and monitoring records Retained for a reasonable period for security, fraud prevention, abuse detection, incident response, troubleshooting, operational resilience, audit, legal, regulatory, and compliance purposes. Routine operational backups Retained for up to ninety (90) days. Monthly archive snapshots May be retained for up to twelve (12) months where reasonably necessary for regulatory compliance, FCA-related record keeping, complaint handling, audit, tax/accounting, insurance, professional indemnity, dispute resolution, security investigation, legal preservation, or business continuity purposes. Annual archive snapshots May be retained for up to seven (7) years where reasonably necessary for regulatory compliance, FCA-related record keeping, complaint handling, audit, tax/accounting, insurance, professional indemnity, dispute resolution, security investigation, legal preservation, or business continuity purposes. Legal, regulatory, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, or litigation-hold records Retained for as long as reasonably necessary to comply with applicable legal, regulatory, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, legal preservation, or enforcement requirements. Personal Data retained in backups, archive snapshots, logs, or restricted archival systems shall remain subject to appropriate technical and organisational measures. Such Personal Data shall not be actively accessed, restored, searched, or otherwise processed except where reasonably necessary for disaster recovery, service restoration, security investigation, incident response, legal or regulatory compliance, audit, complaint handling, dispute preservation, insurance, professional indemnity, business continuity, or other legitimate operational purposes.
The Customer shall indemnify the Provider against third-party claims, regulatory claims, losses, damages, liabilities, fines, penalties, costs, and reasonable legal expenses arising directly from:
The Provider shall indemnify the Customer against third-party claims and regulatory claims arising directly from the Provider’s material breach of this Agreement or Applicable Data Protection Laws to the extent caused by the Provider’s negligence, wilful misconduct, or unlawful processing of Personal Data.
Neither party shall be liable under this Clause to the extent the relevant claim arises from:
The indemnities in this Clause are subject to the limitations and exclusions of liability set out in the Terms of Service unless otherwise prohibited by applicable law.
This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising out of or in connection with this Agreement, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Disputes under this Agreement shall be governed by the dispute resolution provisions of the Terms of Service.
In the event of any conflict between this Agreement and the main Agreement, this Agreement shall prevail with respect to data protection matters.
If any provision of this Agreement is deemed invalid or unenforceable, the remaining provisions shall remain in full force and effect.
This Agreement shall be interpreted in a manner intended to satisfy the requirements of Article 28 of the UK GDPR and applicable Data Protection Laws. ANNEX 1 - Technical and Organisational Measures The Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Personal Data. These measures are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. The following outlines the key technical and organisational measures that the Provider has in place:
The Provider maintains operational monitoring, telemetry, alerting, logging, and incident response procedures designed to support the security, availability, reliability, and integrity of the Services. The Provider may use infrastructure, security, logging, monitoring, and operational telemetry tools where appropriate for service security, incident detection, troubleshooting, abuse prevention, and platform reliability.
The Provider maintains backup procedures designed to support the availability and recoverability of Personal Data processed through the Services. The Provider performs regular backups and conducts daily backup restoration/load checks designed to confirm that backups load correctly. Routine operational backups are retained for up to ninety (90) days. The Provider may also retain restricted monthly and annual archive snapshots in accordance with Clause 8.1. Restoration timing depends on the nature, severity, and scope of the relevant incident, the affected systems or data, and any applicable operational, legal, security, or regulatory constraints. Formal Recovery Time Objective (RTO) and Recovery Point Objective (RPO) commitments are not provided unless expressly agreed in an Order Form or applicable service schedule.
The Provider maintains operational recovery procedures designed to support service continuity and recovery following material disruption. Formal disaster recovery testing commitments, RTOs, and RPOs are not provided unless expressly agreed in an Order Form or applicable service schedule.
The Provider processes Personal Data for the purpose of providing the BrokerCentral software platform, related support services, hosting, maintenance, integrations, analytics, security, and associated operational services under the Agreement.
Personal Data shall be processed for the duration of the Agreement and any applicable post-termination retention, backup, transition, legal, regulatory, security, or disaster recovery periods described in the Agreement and this Data Processing Agreement.
the Customer’s employees, contractors, and authorised users;
the Customer’s clients, customers, policyholders, claimants, prospects, and brokers;
third parties whose information is submitted by the Customer through the Platform;
suppliers, advisers, and business contacts; and
Website or Platform users.
Special Category Data, Criminal Offence Data, and Sensitive Processing
The parties acknowledge that the Services are used in connection with insurance broking, insurance administration, compliance, customer onboarding, claims, underwriting support, fraud prevention, and related workflow activities. Depending on the Customer’s use of the Services and the Personal Data submitted by or on behalf of the Customer, Personal Data processed through the Services may include Special Category Data and/or criminal offence data where such data is uploaded, submitted, generated, stored, or otherwise processed through the Platform by or on behalf of the Customer. Special Category Data may include, for example, health information, medical information, vulnerability information, disability information, or other sensitive information relevant to insurance broking, claims, underwriting, compliance, or customer support activities. Criminal offence data may include information relating to criminal convictions, offences, allegations, fraud indicators, sanctions, adverse checks, or related information where submitted by or on behalf of the Customer. The Customer is responsible for determining whether Special Category Data and/or criminal offence data is processed through the Services and for ensuring that:
(a) an appropriate lawful basis under Article 6 UK GDPR has been identified and documented;
(b) where Special Category Data is processed, an appropriate condition under Article 9 UK GDPR and any applicable condition under the Data Protection Act 2018 has been identified and documented;
(c) where criminal offence data is processed, an appropriate condition under Article 10 UK GDPR and Schedule 1 of the Data Protection Act 2018 has been identified and documented;
(d) all necessary notices, consents, permissions, authorisations, transparency information, policy documents, appropriate policy documents where required, and regulatory requirements have been satisfied;
(e) the processing instructions provided to the Provider are lawful, fair, transparent, proportionate, and compliant with applicable Data Protection Laws;
(f) the Special Category Data and/or criminal offence data submitted to the Services is relevant, adequate, limited to what is necessary, and not excessive for the Customer’s processing purposes; and
(g) appropriate Customer-side safeguards, access controls, retention controls, staff training, and governance measures are implemented.
The Provider shall process Special Category Data and/or criminal offence data solely:
in accordance with the Customer’s documented instructions;
as necessary to provide, secure, support, maintain, or improve the Services;
in accordance with this DPA and the Agreement; and
subject to appropriate technical and organisational measures.
Where applicable, the parties acknowledge that processing of Special Category Data and/or criminal offence data may require additional safeguards, security measures, transfer mechanisms, access restrictions, retention controls, appropriate policy documents, regulatory assessments, or data protection impact assessments under applicable Data Protection Laws. The Customer remains responsible for ensuring that its use of the Services in connection with insurance, claims, underwriting, compliance, fraud prevention, customer onboarding, vulnerability assessment, or other regulated activities complies with applicable Data Protection Laws and any applicable insurance, financial services, consumer protection, anti-discrimination, or regulatory requirements.
International transfers of Personal Data shall be governed by Clause 6 of this Agreement and applicable lawful transfer mechanisms.
The Provider may engage Sub-Processors in accordance with Clause 7 of this Agreement.
Processing shall occur on a continuous and ongoing basis as necessary to provide the Services during the Term of the Agreement.