Juro's commitment to the UK GDPR

Compliance, Privacy | May 13, 2024 | 8 min read
Your contracts contain some of your business’ most sensitive data, including personal data.

Juro is a UK-headquartered business. We’re committed to building and maintaining a contract collaboration platform that you can use with confidence if your personal data processing is regulated by the retained EU law version of the General Data Protection Regulation (2016/679) - the UK GDPR - and the Data Protection Act 2018.

This page sets out information about how Juro enables you to comply with the UK GDPR.

Your responsibility

When choosing a contracts platform, you have a duty to use only providers who provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing of personal data meets UK GDPR requirements.

There are also other technical requirements that your provider must meet to comply with the UK GDPR.

Juro’s approach to UK GDPR compliance

Juro has a strong track record of supporting UK customers to empower their businesses using Juro’s flexible, collaborative platform for creating, agreeing and managing contracts.

At Juro, we take data protection and compliance with the UK GDPR seriously. We know that our customers entrust us with their most sensitive business information, and it is our responsibility to handle personal data within that information with care.

Our approach to UK GDPR compliance is built on a foundation of accountability, transparency, and proactive risk management.

We've implemented an extensive UK GDPR compliance programme that incorporates the UK GDPR’s principles into our:

  • Product development
  • Documentation
  • Contractual agreements
  • Security policies
  • Organizational practices

Data protection by design is at the heart of how we build, maintain and develop Juro. Keep reading to learn more about how we address key UK GDPR compliance topics, such as our Data Processing Agreement, international transfers, data subject rights, and sub-processors.

Juro’s data processing agreement

For customers whose processing of personal data using Juro is governed by the UK GDPR, Juro’s master services agreement includes a detailed data processing agreement (DPA) in a schedule that contains the mandatory clauses required by Article 28(3) of the UK GDPR.

The sections below set out each mandatory clause, along with information on how Juro meets that obligation.

UK GDPR reference: Article 28(3)(a)

DPA reference: paragraphs 3.1.1 to 3.1.3

Unless legally required to do otherwise, Juro may only process personal data on your behalf in accordance with your documented instructions. Juro may not process that personal data for any other purpose.

The DPA includes a written instruction to process that personal data in accordance with your contract with Juro (DPA paragraph 2.1), but you may issue other documented instructions through using the Juro platform or in writing to our onboarding or support teams.

We’ll tell you if we think that one of your instructions breaks data protection laws.

UK GDPR reference: Article 28(3)(b)

DPA reference: paragraph 3.1.6

Juro must ensure that people it authorizes to process personal data on your behalf are bound by obligations of confidentiality in relation to that personal data.

All of Juro’s personnel and all of Juro’s sub-processors are subject to binding obligations of confidentiality in relation to the personal data Juro processes on your behalf.

These obligations are put in place when we first engage those personnel or sub-processors, and continue to apply after our relationship with them ends.

UK GDPR reference: Article 28(3)(c)

DPA reference: paragraph 3.1.4

Juro must adopt appropriate technical and organizational measures to ensure an appropriate level of security for the personal data processed on your behalf.

You can find more information about the security measures that Juro currently has in place in this article on application security. We audit and review these measures frequently.

Juro’s security team keeps the measures described in Juro’s information security policy and in Juro’s encryption policy under constant review to ensure that we continue to adopt best practices in response to emerging threats.

UK GDPR reference: Articles 28(3)(d) and 28(4)

DPA reference: paragraph 5

Like nearly all SaaS providers, Juro relies on trusted third-party technology providers. However, Juro must respect the GDPR’s rules for engaging sub-processors to assist with processing personal data on your behalf. In short, that means:

1. Authorization. Our DPA (paragraph 5.1) contains a general authorization to appoint sub-processors. We take this approach because it isn't practical with shared infrastructure to get specific authorizations to appoint each new sub-processor when we make changes and improvements to our platform.

Instead, in accordance with the UK GDPR, we offer all customers a meaningful opportunity to object to new sub-processors - more on this in DPA paragraph 5.2.2. We’ll consider all objections fully, and also consider objections based on reasons other than UK GDPR compliance. In the case of the latter, we ask that the customer objecting covers the cost of accommodating the objection.

2. Agreement. We have written agreements with all of our sub-processors that require those sub-processors to comply with obligations equivalent to Juro’s under the DPA. Juro remains responsible to you for the performance of any obligations carried out by Juro’s sub-processors - see DPA paragraph 5.3.

You can find a current list of our sub-processors in our privacy policy - simply click “read more” in the “third parties who process your data” section.

UK GDPR reference: Article 28(3)(e)

DPA reference: paragraph 3.1.7.2

Juro must help you by appropriate technical and organisational measures to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR.

In most cases, you can use features in Juro to find, produce and delete the information you require. For any complex requests that you can’t serve using existing functionality in the platform, just email support@juro.com and we’ll be happy to help.

UK GDPR reference: Article 28(3)(f)

DPA reference: Paragraphs 3.1.4, 3.1.5, 3.1.7.1 and 3.1.7.3

Juro must help you with your own compliance obligations under Articles 32 to 36 of the UK GDPR.

These obligations relate to security of processing, notification of breaches, data protection impact assessments and prior consultation with supervisory authorities. Here’s how Juro helps with each:

1. Security. You can find information about how we keep Juro secure on our application security page. If you need further information, contact support@juro.com, your sales representative, or get in touch here.

2. Breach notifications. We are required by law to notify you without undue delay if we become aware of a personal data breach affecting personal data we process on your behalf, irrespective of the level of risk arising from the breach - see Article 33(2) UK GDPR.

We also commit in our DPA to meeting this requirement - see DPA Paragraph 3.1.5. If Juro suffers a personal data breach that affects personal data processed by Juro on your behalf, we’ll provide you with reasonable assistance, at no additional cost to you, to help you meet your notification obligations as a controller under the UK GDPR.

We won’t notify any supervisory authority or affected data subject directly, since this is your obligation as the controller, not ours as the processor.

3. Data protection impact assessments. If you decide it is necessary to conduct a data protection impact assessment (DPIA) and that requires information about the Juro platform, we’ll provide that information.

For some features (like our AI Assistant), we can provide useful DPIA templates to help you on your way. If you make repeat requests or requests that involve significant effort on our part, we may charge for our time in providing that support. We’ll tell you up front if we need to do that.

4. Prior consultation with supervisory authorities. If you need to consult with supervisory authorities about your personal data processing and you need information about the Juro platform to do so, we’ll provide that information.

If you make repeat requests or requests that involve significant effort on our part, we may charge for our time in providing that support. We’ll tell you up front if we need to do that.

UK GDPR reference: Article 28(3)(g)

DPA reference: paragraph 3.1.10

Juro must return or delete personal data it processes on your behalf at the end of the services, unless retention is required by law. Clause 2.7 of our MSA sets out exactly how this works.

When you terminate your Juro subscription, you have until 60 days after your termination date to request a copy of your data from Juro. If you request this data within this window, we’ll provide it. If we don’t receive a request from you within that window, we’ll securely destroy your data.

We don’t provide a copy of your data automatically because we need to confirm that the request for a copy is genuine before providing it. We also need to make sure we have the right information about where to send your data before sending it. This step helps keep your data secure.

UK GDPR reference: Article 28(3)(h)

DPA reference: paragraph 3.1.9

Juro must make available to you all information necessary to demonstrate Juro’s compliance with the obligations set out in Article 28 GDPR, and allow for and contribute to audits and inspections.

We meet this obligation by providing a copy of our most recent System and Organization Controls (SOC) 2 report, or other relevant documentation describing the controls implemented by Juro that replace or are substantially equivalent to SOC 2.

Any report Juro provides is confidential, and is covered by the confidentiality obligations in place under our MSA.

International transfers

At Juro, we take seriously our responsibility to put in place appropriate measures designed to protect the personal data we process on your behalf - no matter where in the world that data is processed.

Uploading personal data into Juro

Juro is hosted on AWS servers in the Europe (Ireland) (eu-west-1) region - within the European Economic Area.

The European Economic Area is designated as “adequate” for the purposes of Article 45(1) UK GDPR by virtue of paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. This means that, under Article 45 UK GDPR, transfers of personal data to Juro via the Juro platform are permitted from controllers who are subject to the UK GDPR.

Our customer support team is based in the United Kingdom. For this reason, any contact with our customer support team does not involve any transfer of personal data to a third country or organization. This means you do not need to take any additional measures required for international transfers of personal data.

Juro’s international sub-processors

Juro has selected trusted partners and technology providers to help provide the Juro platform (these are our sub-processors, since they help Juro process personal data on your behalf). For more information, check our list of current sub-processors.

To ensure we can offer best-in-class capabilities, some of our sub-processors are located in countries that are ‘third countries’ under the UK GDPR.

As the data exporter, it’s Juro’s responsibility in these cases to ensure that international transfers of personal data comply with the rules in the UK GDPR.

Where we have selected a third country sub-processor, we put in place the following measures to ensure an equivalent level of protection for personal data:

  • Supplier assessment: we conduct a detailed assessment of each sub-processor before selection to ensure that they are an appropriate partner.
  • Contract: we put in place a written contract with each sub-processor, containing obligations the same as those in our own DPA with each controller.

    We also agree the latest International Data Transfer Agreement or, alternatively, an International Data Transfer Addendum to the latest EU Standard Contractual Clauses.

    These measures impose contractual responsibilities on the sub-processor to help enhance protection of personal data subject to the UK GDPR when it is processed in the third country.
  • International transfer risk assessment: in addition to standard contractual clauses, we conduct a detailed international transfer risk assessment for each sub-processor relationship.

    We do this to ensure that standard contractual clauses are an appropriate transfer mechanism, and to ensure the transfer meets the requirements of Article 46(2)(c) GDPR in light of the judgment of the Court of Justice of the European Union in the Schrems II case (C-311/18).
  • Regular review: we keep our sub-processor relationships under periodic review, including in relation to security and data protection. If we make changes to those relationships, we will update our privacy policy.

As a controller, it’s important that you tell data subjects that their personal data will be transferred to a third country as a result of your use of Juro. This helps to demonstrate that your processing of personal data is fair. It's also a specific requirement under Article 13(1)(f) of the UK GDPR.

Data subject rights

As a controller, you need to be able to use your contract tools to find personal data and implement requests from data subjects to exercise their rights under Chapter III of the UK GDPR.

With Juro, you can use features in the platform for most routine requests. Juro’s OCR functionality allows users to find and retrieve personal data from contracts easily - an essential step in responding to a request from a data subject exercising data rights.

For more complex requests that you can’t serve using existing functionality in the platform, just contact support@juro.com and we’ll be happy to help.

Incident planning

As part of Juro’s compliance programme, we've implemented robust incident response plans to ensure we're prepared for any incidents affecting the Juro platform or our business.

We have documented procedures for quickly detecting, investigating and remediating incidents, particularly those that could impact personal data. Our procedures outline roles and responsibilities, communication protocols, containment and mitigation steps, and integration with our personal data breach notification processes.

Juro carries cyber insurance with a market-leading underwriter, which includes rapid access for the Juro team to the specialist resources and support required to respond to sophisticated cyber incidents.

Personal data breaches

We have a documented data breach response plan for detecting, investigating and mitigating the effects of any actual or suspected personal data breach. All personnel at Juro are trained to follow this plan if there is a suspected personal data breach, and that training is refreshed regularly.

If there is a personal data breach affecting personal data that Juro processes on your behalf, Juro will notify you without undue delay (as required under Article 33(2) UK GDPR). When you sign your contract with Juro, we’ll collect details of a privacy contact at your organisation so that we can communicate directly and quickly with the right person in this situation.

We’ll also support you to respond to the personal data breach in line with your own obligations under the UK GDPR, in particular by providing information to support any notification you are required to make to a supervisory authority or affected data subjects. As your processor, we won’t notify any supervisory authority or data subject ourselves.

Business continuity and disaster recovery

We have documented procedures to ensure the continuity and recoverability of our business in the event of an incident. You can find out more about the specific platform measures we have in place on our application security page.

Other incidents (including service outages)

We have an incident response plan for responding to all incidents affecting the Juro service - even the incidents that do not affect personal data. Juro’s support and engineering teams are trained to respond to this if there is an incident, and we have engineers on-call outside of business hours to respond to urgent incidents.

You can view the current operational status of the Juro platform (including historic uptime) on our status page.

We offer an uptime service level agreement to all our enterprise level customers.

Sub-processors

Juro has selected trusted partners and technology providers to help provide the Juro platform. These are our sub-processors, since they help Juro process personal data on your behalf. Here's a full list of our current sub-processors.

Before selecting any sub-processor, we carry out a detailed assessment of that sub-processor, including an assessment of the technical and organizational security measures in place to protect personal data.

All our sub-processors have written agreements with Juro that contain the minimum contractual commitments required under Article 28(3) UK GDPR.

We update our sub-processor list when we make changes to our platform that remove or add a new sub-processor. When we make changes, we inform you by updating the sub-processor list.

We need the ability to make these updates so that we can continue to improve the Juro platform, and to respond to technological developments and evolving security requirements.

For that reason, our DPA contains a general authorisation to appoint new sub-processors in accordance with Article 28(2) UK GDPR. We remain legally responsible to our customers for the processing of personal data that our sub-processors carry out on our behalf, as set out in Article 28(4) UK GDPR.

Security

We take seriously our responsibility to protect the confidentiality, availability and integrity of the personal data we process on our customers’ behalf.

We've implemented a comprehensive security programme designed to protect personal data in our custody against unauthorised or unlawful processing and against accidental loss, destruction or damage.

You can find out more about the specific measures we have in place in this article on application security.

We update these measures from time to time to reflect updated security practices and to respond to emerging threats.

This article is for general information only - it is not legal advice, so you should not rely on it.
