Data Processing Addendum


To complete this DPA, please email Upon receipt of a validly completed DPA by, such DPA shall become legally binding.




This Data Protection Addendum (“DPA”) forms part of the Agreement (defined below) between and Customer for to provide Services to Customer. Unless otherwise defined herein, all capitalized terms have the meaning given to them in the applicable Agreement. may, in the course of providing Services to Customer pursuant to the Agreement, Process Customer Personal Data that is subject to the European Union’s General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”) and the EU GDPR as it forms part of United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) (collectively, the “GDPR”) or other Data Protection Laws. This DPA sets forth the obligations of the parties with regard to the Processing of Personal Data pursuant to the Agreement.

In consideration of the mutual obligations set out herein, the parties agree to comply with the following provisions, each acting reasonably and in good faith.




“Affiliates” means any person or entity which directly or indirectly owns, controls, or is controlled by, or is under common control with a party, where control is defined as owning or directing more than 50% of the voting equity securities or similar ownership interest in the controlled entity.


“Agreement” means all current and future agreements between and Customer in connection with which provides Services involving the Processing of Personal Data on behalf of Customer, such as a Master Subscription Agreement (“MSA”) and all Orders applicable to the Services. This DPA is incorporated into such Agreement(s) by this reference.


“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.


“Data Protection Laws” means all data protection laws applicable to protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data under the Agreement, including local, state, national and/or foreign laws and regulations, the GDPR and implementations of the GDPR into national law, as amended, replaced or superseded from time to time.


“Personal Data” means any Customer Data (as defined under the Agreement) that relates to an identified or identifiable natural person (“Data Subject”), which is protected under Data Protection Law.


“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed, and for which a Controller is required under Data Protection Law to provide notice to competent data protection authorities or Data Subjects.


“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


"Processor" means the entity which Processes Personal Data on behalf of the Controller.


“Services” means the provision of maintenance and support services and/or the provision of software as a service (“SaaS”) and/or any other services, hosted, managed or otherwise, which are provided under the Agreement and for the purposes of which Processes Personal Data on behalf of Customer.


“Standard Contractual Clauses” means (i) where the EU GDPR applies, the clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as officially published at  (“2021 SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, as officially published at (“2010 SCCs”).


“Subprocessor” means a Affiliate or third party engaged by in connection with the Services and which Processes Personal Data in accordance with this DPA.


“Supervisory Authority” means an independent public authority which is established under applicable Data Protection Laws.




2.1. Role of the Parties. This DPA applies to the Processing of Personal Data by and its Subprocessors in connection with its provision of the Services. For the purposes of this DPA, is the Processor and Customer is the Controller.


2.2. Scope of Processing. The subject matter and duration of the Processing of Personal Data are set out in the Agreement, which describes the provision of the Services to Customer. The nature and purposes of Processing for which Personal Data is Processed on behalf of the Customer, the types of Personal Data and categories of Data Subjects are set forth in Annex 1 to this DPA.


2.3. Instructions. shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions. The Agreement (including this DPA) constitutes such documented initial instructions to Process Customer Personal Data and each use of the Services then constitutes further instructions. will use reasonable efforts to comply with other reasonable Customer instructions, provided such are consistent with the terms of the Agreements, required by Data Protection Law and technically feasible. will inform Customer if it cannot comply with an instruction or in’s opinion, any Customer instruction(s) infringe applicable Data Protection Laws.


2.4. Compliance with Laws. The parties agree to comply with all applicable Data Protection Laws, as further detailed below:


2.4.1. shall comply with all Data Protection Laws applicable to in its role as a Processor with respect to Personal Data. When providing the Services, shall Process Personal Data in compliance with Customer’s documented instructions, including with regard to transfers of Personal Data to a third country or international organization (as described in Section 7). may also Process Personal Data where required to do so by applicable Data Protection Laws, in which case shall inform Customer of that legal requirement before Processing unless the law prohibits such notice on important public-interest grounds.


2.4.2. Customer shall comply with all Data Protection Laws applicable to Customer in its role as a Controller and shall obtain all necessary consents, and provide all necessary notifications, to Data Subjects to enable to carry out lawfully the Processing contemplated by this DPA. Customer is responsible for the accuracy and quality of the Personal Data, and the means by which Customer acquired the Personal Data.




3.1. Data Subject Requests. will, in a manner consistent with the functionality of the Services and’s role as a Processor, provide reasonable support to Customer to enable Customer to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).


3.2. Responding to Data Subject Requests. Customer is responsible for responding to Data Subject Requests. If receives a Data Subject Request or other complaint from a Data Subject regarding the Processing of Personal Data, will, to the extent legally permitted, promptly notify Customer, provided the Data Subject has given sufficient information to identify Customer.  Unless required by applicable law, shall not respond to any such Data Subject Request without Customer’s prior written authorization or instruction, except to confirm such request relates to Customer.




4.1. Personal Data Retention. Upon termination of the parties’ Agreement and/or after the end of provision of the Services to which this DPA applies, shall delete or return any Customer Personal Data in accordance with Data Protection Laws and/or consistent with the terms of the Agreement as soon as reasonably practicable, unless applicable law requires further storage.




5.1. Security Measures. will implement and maintain appropriate technical and organizational measures, as specified in Annex II to this DPA, to protect Personal Data against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to, Personal Data in accordance with applicable Data Protection Laws.  Customer is responsible for making an independent determination as to whether the technical and organizational measures for the Services meet Customer’s requirements, including any of its security obligations under applicable Data Protection Laws.


5.2. Personnel. To Process Personal Data, and its Subprocessors shall only grant access to authorized personnel who have committed themselves to confidentiality requirements at least as protective as those of this DPA or the Agreement. Such personnel shall be required to Process Personal Data in accordance with Customer’s instructions as set forth in the Agreement and only to the extent necessary for performance of the Services.




6.1. Use of Subprocessors. Customer authorizes to engage Subprocessors in accordance with this DPA, provided that shall enter into a written agreement with such Subprocessors that is consistent with the terms hereof. shall be liable for the acts and omissions of any Subprocessor to the same extent as if performed by


6.2. Subprocessor List. The list of Subprocessors used by to provide the Services, as of the effective date of this DPA is attached hereto as Annex III and is published at:  (“Subprocessor List”). shall notify Customer of any intended additions or replacements to the Subprocessor List by updating the published Subprocessor List at least thirty (30) days prior to authorizing any new Subprocessor to Process Personal Data.


6.3. Objection Rights. This Section 6.3 shall apply to the extent Customer is established within the European Economic Area (“EEA”), the United Kingdom (“UK”) and/or Switzerland or where otherwise required by Data Protection Laws applicable to Customer. In such event, if Customer objects on reasonable grounds relating to data protection to’s use of a new Subprocessor then Customer shall promptly, and within fifteen (15) days following’s notification pursuant to Section 6.2 above, provide with written notice of such objection. In the event of such objection, will take commercially reasonable steps to address the objections raised by Customer and provide Customer with reasonable written explanation of the steps taken to address such objection.




7.1. Transfers. Customer authorizes and its Subprocessors to Process Personal Data for the purposes of providing the Services, which Processing may include making necessary transfers of Personal Data, in accordance with the terms of this DPA.


7.2. Restricted Transfers. All transfers of Personal Data under this DPA out of the EEA, the UK and/or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws of the foregoing territories (“Restricted Countries”) shall be governed by the relevant Standard Contractual Clauses, which are incorporated into this DPA.  The transfer safeguards, as set forth in this Section 7, shall apply to: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA or Switzerland to a Restricted Country; and (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a Restricted Country; (“Restricted Transfers”).


7.3. Controller-to-Processor SCCs: The Standard Contractual Clauses will apply to any Restricted Transfers of Personal Data from Customer (as “data exporter”) to (as “data importer”), as follows:


7.3.1. EU Personal Data. With respect to Personal Data that is protected by the EU GDPR, the 2021 SCCs will apply completed as follows: (i) Module Two (Controller to Processor) shall apply and Modules One, Three, and Four shall be deleted in their entirety; (ii) Clause 7 shall be deleted in its entirety and the parties may add additional entities to this DPA by entering into an additional DPA (as made available here); (iii) in Clause 9, Option 2 shall apply, as detailed in Section 6 of this DPA; (v) in Clause 17, Option 1 shall apply and the 2021 SCCs shall be governed by Dutch law; (vi) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; and (vii) Annex I and Annex II of the 2021 SCCs shall be populated with the information set out in Annex I and II attached to this DPA.


7.3.2. Swiss Personal Data. For the purposes of the 2021 SCCs, the term ’member state’ shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c). Until December 31, 2022, and for any longer period required by applicable Swiss law, the 2021 SCCs shall also protect the data of legal entities in the scope of the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1; “FADP”).


7.3.3. UK Personal Data. With respect to Personal Data that is protected by the UK GDPR, the 2010 SCCs will apply as they pertain to transfers of Personal Data from the UK. Any future changes, updates, or amended versions to the 2010 SCCs introduced by the UK Data Protection Authority for the purpose of complying with the international data transfer provisions of the UK Data Protection Act 2018 shall be incorporated into and shall form a part of the agreement between Customer and Appendix 1 and Appendix 2 of the 2010 SCCs shall be populated with the information set out in Annex I and II attached to this DPA.


7.4. Clarifications. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. In no event does this DPA restrict or limit the rights of any data subject or competent Supervisory Authority. Nothing in this DPA shall be construed to prevail over any conflicting clause of the 2010 SCCs or the 2021 SCCs.  Where this DPA further specifies audit and Subprocessor rules, such specifications also apply in relation to the 2010 SCCs and the 2021 SCCs.


7.5. Alternative Data Transfer Mechanism. For the avoidance of doubt, should the transfer mechanism identified in this Section 7 be deemed invalid by a Supervisory Authority or court with applicable authority, the Parties shall endeavor in good faith to negotiate an alternative mechanism (if available and required) to permit the continued transfer of Personal Data.




8.1. Notification of Personal Data Breach. will notify Customer promptly without undue delay after becoming aware of any Personal Data Breach involving Customer Personal Data Processed by and provide reasonable information in its possession to assist Customer in meeting its obligations to report a Personal Data Breach as required under Data Protection Laws. will use reasonable efforts to identify the cause of such Personal Data Breach and shall take appropriate measures to mitigate the effects and to minimize any damage resulting from the Personal Data Breach to the extent such remediation is within’s reasonable control. Notification will be delivered to Customer in accordance with Section 8.2. Such notification shall not be interpreted or construed as an admission of fault or liability by


8.2. Notice Delivery. Notifications of Personal Data Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by means selects, including via email. Customer is responsible for ensuring it provides and maintains accurate contact information at all times.




9.1. Information Requests. shall make available to Customer, upon reasonable written request, information related to the Processing of Personal Data of Customer as necessary to demonstrate’s compliance with the obligations under this DPA.


9.2. Customer Audit. shall allow for inspection requests by Customer (or its independent auditor) related to Personal Data Processed by in order to verify’s compliance with this DPA, if: (a) has not provided sufficient written evidence of its compliance with the technical and organizational measures, e.g. a certification of compliance with ISO 27001 or other standards; (b) a Personal Data Breach has occurred; (c) an audit is formally requested by Customer’s Supervisory Authority; or (d) Data Protection Law provides Customer with a mandatory on-site inspection right; and provided that Customer shall not exercise this right more than once per year unless mandatory Data Protection Law requires more frequent inspections. Any information provided by pursuant to this Section 9 is subject to the confidentiality obligations of the Agreement. Such inspections will be conducted in a manner that does not impact the security, confidentiality, integrity, availability and continuity of the inspected facilities, networks and systems, nor compromise any confidential data Processed therein.


9.3. Cost of Audit. Customer is responsible for the costs of any audit, unless such audit reveals a material breach by of this DPA, then shall bear its own expenses of the audit. If an audit determines that has breached its obligations under this DPA, will promptly remedy the breach at its own cost.





10.1. If Customer is required by applicable Data Protection Law to perform a data protection impact assessment or prior consultation with a Supervisory Authority related to Customer’s use of the Services, will, upon Customer’s reasonable request, provide such documents as are generally available for the Services; for example, any then-current Service Organizational Control (SOC) SOC 2 reports, ISO/IEC 27001:2013 certifications and/or comparable industry-standard successor reports, as may be applicable to the Services.


10.2. Any additional assistance in the cooperation or prior consultation with a Supervisory Authority in the performance of its tasks relating to this Section 10, to the extent required under Data Protection Law, shall be mutually agreed between the Parties taking into account the nature of the Processing and information available to To the extent legally permitted, Customer shall be responsible for any costs arising from’s provision of such assistance




11.1. Customer Affiliates. Customer is responsible for coordinating all communication with on behalf of its Affiliates regarding this DPA. Customer represents that it is authorized to enter into this DPA and any Standard Contractual Clauses incorporated herein or entered into under this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of its Affiliates.


11.2. Conflict. The applicable law and competent courts for this DPA are those of the main Agreement which this DPA attaches to. If there is any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent that conflict or inconsistency relates to Personal Data.


11.3. Termination. The Term of this DPA will end in accordance with the terms of the Agreement.


11.4. Miscellaneous. Each reference to the DPA herein means this DPA including its Annexes and/or Appendices. The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.


IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement(s) between Customer and, as of Customer’s Signature Date below. If this document has been electronically signed by either party, such signature will have the same legal effect as a hand-written signature.




Description of Processing

This Annex 1 applies to describe the Processing of Customer’s Personal Data for the purposes of the 2010 Standard Contractual Clauses, 2021 Standard Contractual Clauses and applicable Data Protection Law.


Data exporter(s):


1. Name: Customer Name as indicated on the governing Agreement


Address: Customer Address as indicated on the governing Agreement


Contact person’s name, position and contact details: authorized signatory for governing Agreement


Relevant activities: Use of’s products and services pursuant to the Agreement.


Signature and date: By entering into the DPA, data exporter is deemed to have signed the Standard Contractual Clauses incorporated herein as of the effective date of the DPA.


Role (controller/processor):   Controller


Data importer(s):


Name: Software, Inc.


Address: 555 Fayetteville Street, Suite #210, Raleigh, North Carolina 27601


Contact person’s name, position and contact details:


Relevant activities: Provision of’s products and services pursuant to the Agreement.


Signature and date: By entering into the DPA, data importer is deemed to have signed the Standard Contractual Clauses incorporated herein as of the effective date of the DPA.


Role (controller/processor): Processor




Categories of data subjects whose personal data is transferred:


The categories of data subjects include Customer’s Users (as defined under the Agreement) of products and services.


Categories of personal data transferred:


Identification information (name, title, email address); log-in information (username and password); log-in data (time and date of logs); data related to users' support requests.


Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:


No Sensitive Information is processed by


Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):


Transfers will be made on a continuous basis for cloud products and services, and on a one-off basis for support requests.


Nature of the processing: acts as a Processor for the Personal Data submitted by Customer in the course of using’s products and services; the nature of processing includes  transfer, storage and such other processing activities that are specified pursuant to the terms of the Agreement.


Purpose(s) of the data transfer and further processing:


To provide and support’s products and services to Customer as agreed upon in the Agreement (including this DPA).


The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the duration of the Agreement in place with, except where otherwise specified in the Agreement, or otherwise permitted or required by law.


For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: (Data Importer) uses the sub-processors identified in the Subprocessor List set forth in Annex III, to support in providing its products and services to Customer (Data Exporter). The subject matter and duration of processing is outlined above within this Annex. The nature of the specific sub-processing services are further particularized within the Subprocessor List identified in Annex III.





Identify the competent supervisory authority/ies in accordance with Clause 13:


The competent supervisory authority determined in accordance with Clause 13 of the Standard Contractual Clauses.

• 2021 Standard Contractual Clauses: the governing law of the 2021 SCCs shall be the law of the Netherlands.

• 2010 Standard Contractual Clauses: the 2010 SCCs shall be governed by the laws of the Member State in which the data exporter is established, namely the United Kingdom.



Technical and Organizational Security Measures

This Annex II applies to describe the applicable technical and organizational measures for the purposes of the 2010 Standard Contractual Clauses, 2021 Standard Contractual Clauses and applicable Data Protection Law.

The technical and organizational measures set forth in Annex II have been implemented by data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Description of Technical and Organizational measures, including technical and organizational measures to ensure the security of the data:

Information Security Policy, Procedures, and Standards. will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to help secure personal data against accidental or unlawful loss, access or disclosure. A review of all information security policies, procedures and technical standards is conducted at least once annually. Where applicable, backup copies of personal data can be made available and tested periodically to confirm integrity and demonstrate resiliency. A vulnerability assessment is performed on critical systems periodically, and penetration testing is performed at least once annually.

Encryption. utilizes encryption methods which are considered secure according to industry best practices to secure data both at rest and while in transit. The encryption methods used meet or exceed the Transport Layer Security (TLS) 1.2 or Advanced Encryption Standard (AES) 256.

Audits. Where applicable, will use external auditors and/or perform internal audits to verify the adequacy of its security measures according to ISO 27001, SOC 2 or ISO 13485 standards.

Access Controls. User Identification and Authorization. will maintain access controls and policies to manage what access is allowed to the network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls.

Physical Security. Physical barrier controls are used to prevent unauthorized entrance to facilities where personal data is processed either by or on behalf of The controls exist both at the perimeter and at building access points. Entry typically requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the facilities, and are continually escorted by authorized employees or contractors while visiting the facilities.

Event logging.’s network and systems are configured so that system errors and security events are logged, and the log files are protected from alteration by users.

System Configuration. will develop, document, and maintain a current baseline configuration for all in-scope systems. Baseline must be reviewed and updated annually and as needed due to system upgrades, patches, or other significant changes. Previous configurations to support rollback must be retained. Minimum baseline configuration must be established for information systems or computers with elevated security controls.


Additional information about’s security certifications and practices is located here.

ANNEX III

List of sub-processors

  • Amazon Web Services (“AWS”)
    • Description: Cloud service provider
  • Rackspace Technology
    • Description: Cloud service provider

Other subprocessors

  • ServiceRocket, Inc.
    • Description: Cloud based customer support and implementation services
  •, Inc.
    • Description: Cloud based software support and analytics
  • Snowflake, Inc.
    • Description: Database as a service provider
  • Zendesk
    • Description: Customer service software
  • Sumo Logic, Inc.
    • Description: Cloud based software security and log analytics




Service Provider CCPA Addendum

This CCPA Supplemental Addendum (“Addendum”) forms part of the DPA between (for purposes of this Addendum, referred to as the “Service Provider”) and Customer as indicated in the governing Agreement.


In the course of providing Services to Customer pursuant to the Agreement, may process Company Personal Information that is subject to the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”). The following terms are incorporated into the Agreement for the purpose of ensuring compliance with the CCPA.

For the purposes of this Addendum, the following definitions shall apply in addition to the definitions contained in the DPA and Agreement, including all addenda that may complement it.


1. Definitions.

1.1 In this Addendum, the following terms shall have the meanings set out below:

1.1.1 “Company Personal Information” means any personal information, as defined under the CCPA, Processed by Service Provider on behalf of Company or its affiliates pursuant to or in connection with the Agreement;

1.1.2 “Processed” or “Processing” means any operation or set of operations performed on Company Personal Information;

2. Processing of Company Personal Information. To the extent that Service Provider’s performance of its obligations under the Agreement involves Processing Company Personal Information, Service Provider agrees that it will not retain, use, or disclose Company Personal Information for any purpose, including for any commercial purpose, other than for the specific purpose of performing the services specified in the Agreement for Company, or as otherwise permitted by the CCPA or by the regulations promulgated by the California Attorney General pursuant to Cal. Civ. Code § 1798.185.