Terms of Use

Effective date: July 01, 2025

These Terms of Use ("Agreement") constitute a legally binding agreement between Clearcue (“Clearcue,” “we,” “us,” or “our”) and you, whether personally or on behalf of an entity ("Customer," “you,” or “your”). This Agreement governs your access to and use of our website, services, and related features (collectively, the “Services”).

By accessing or using our Services, you explicitly accept and agree to comply with all terms set forth herein. If you do not agree with any part of this Agreement, you are expressly prohibited from using the Services.

We reserve the right to modify this Agreement at any time. Changes become effective immediately upon posting on our website. Your continued use after modifications constitutes your acceptance of the revised terms.

1. Definitions

The terms used in this Agreement have the meanings set forth below unless otherwise clearly indicated in the context of this Agreement.

  • Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means the possession or direct ownership of more than 50% of the voting interests of such entity.


  • Beta features: Services or functionality provided in an experimental or pre-release form, clearly identified as beta, early-access, preview, or similar designation.


  • Code: Any software development kits (SDKs), JavaScript snippets, or other proprietary code made available by Clearcue for installation or use within Customer’s digital properties.


  • Contractor: Any independent consultant or third-party service provider engaged by the Customer who is not a competitor of Clearcue.


  • Customer data: Any data or content submitted to or processed through the Clearcue platform by or on behalf of the Customer, including information uploaded from third-party platforms integrated with Clearcue.


  • Customer properties: Digital properties including websites, apps, servers, or other digital environments owned, controlled, or operated by or on behalf of the Customer where Clearcue Services are used or integrated.


  • Dashboard: The secure online user interface provided by Clearcue that enables Customers to access, manage, and analyze insights and data derived from the Services.


  • Data processing addendum (DPA): The addendum attached as Exhibit A to this Agreement outlining specific data processing terms and obligations in compliance with applicable privacy laws.


  • Documentation: User guides, manuals, and online help resources provided by Clearcue to facilitate Customer’s use and understanding of the Services.


  • Feedback: Any suggestions, ideas, comments, enhancements, feature requests, or recommendations provided by Customer regarding the functionality, usability, or improvement of the Services, excluding Customer Data.


  • Initial term: The initial subscription period specified in the Order Form, beginning upon the effective date of the Order Form, during which Clearcue will provide access to the Services.


  • Intellectual property rights: All intellectual property rights and protections globally recognized, including but not limited to copyrights, trademarks, patents, trade secrets, moral rights, Feedback, proprietary algorithms, and all derivative or improved forms thereof.


  • Laws: Any applicable international, national, state, regional, or local laws, regulations, guidelines, or standards relevant to the performance of obligations under this Agreement.


  • Order form: Any written or electronic agreement specifying the particular Services ordered by the Customer, referencing and subject to the terms of this Agreement, executed or approved by authorized representatives of both parties.


  • Party/Parties: “Party” refers individually to either Clearcue or the Customer; “Parties” refers collectively to both Clearcue and the Customer.


  • Permitted user: Any individual who is either an employee or authorized Contractor of the Customer or Customer’s Affiliate granted the right to access and utilize the Services.


  • Renewal term: Subsequent subscription periods, each equal in length to the Initial Term, that commence automatically upon the conclusion of the current Subscription Term unless otherwise terminated in accordance with this Agreement.


  • Sensitive personal information: Data defined by applicable law as sensitive or specially protected, including without limitation: (i) financial or payment information subject to PCI DSS; (ii) protected health information governed by HIPAA or similar regulations; or (iii) personal data classified under the GDPR or comparable privacy laws as "special category" data (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, or data concerning health or sexual orientation).


  • Services: Clearcue’s proprietary software-as-a-service platform, including all associated software, tools, products, analytics, support, and related services provided to the Customer.


  • Subscription term: Collectively refers to the Initial Term and any subsequent Renewal Terms during which the Customer maintains active, paid access to the Services.


  • Support: Standard technical support and service-level commitments provided by Clearcue as further described in the Service Level Agreement attached to or referenced by the Order Form.


  • Taxes: Any applicable taxes, duties, or levies, including sales tax, VAT, GST, use tax, withholding tax, or similar governmental charges, excluding taxes based solely on Clearcue’s net income.

  • Third-party platform: External software, SaaS applications, APIs, data providers, or other third-party products integrated with or accessible through Clearcue’s Services but not provided or controlled by Clearcue.

2. Services

2.1. Services Provided

Clearcue provides its Services on a subscription basis for a defined Subscription Term. Clearcue agrees to deliver, and the Customer agrees to use the specific Services outlined in each executed Order Form.

2.2. Access and Use of Services

Clearcue grants the Customer the right to access and use the Services solely for the Customer's own internal business purposes, in compliance with this Agreement, the Documentation, and any limitations specified in the applicable Order Form. Only Permitted Users may access the Services. Any access credentials, including API keys or passwords provided by Clearcue, must be kept confidential and secure by the Customer and its Permitted Users. User accounts are personal and non-transferable, assigned exclusively to named individuals, and must never be shared. If third-party credentials (e.g., Google login) are used, the Customer agrees to adhere strictly to all applicable third-party terms. The Customer assumes full responsibility for activities under its user accounts. Upon termination or expiration of a Permitted User’s relationship with the Customer (as employee or Contractor), the Customer must immediately disable their access to the Services.

2.3. Affiliates and Contractors

The Customer may authorize its Affiliates and Contractors to access the Services as Permitted Users. The Customer is solely responsible for ensuring such Permitted Users comply with all obligations set forth in this Agreement, and that their use is exclusively for the benefit of the Customer.

2.4. General Restrictions

The Customer may not, and will not allow any third party to:

  • Rent, lease, sublicense, distribute, or provide third-party access to the Services;

  • Use or incorporate Clearcue’s Services into any commercial product or service intended for third-party resale or distribution;

  • Attempt to reverse-engineer, decompile, disassemble, or derive source code or underlying algorithms of the Services or APIs, unless explicitly permitted under applicable law and only after prior notification to Clearcue;

  • Modify, reproduce, copy, or create derivative works based on the Services or Documentation;

  • Remove, conceal, or alter any proprietary notices or branding within the Services or on reports generated by the Services;

  • Publicly disclose any performance metrics or benchmarking data relating to Clearcue’s Services.

2.5. API Usage

If Clearcue provides API access as part of the Services, Clearcue reserves the right to monitor Customer API usage and impose reasonable usage limits. Clearcue may restrict or suspend API access if the Customer’s use is found to violate this Agreement or is likely to negatively affect the security, reliability, or performance of Clearcue’s platform.

2.6. Applications (“Apps”)

Clearcue may provide additional software applications (“Apps”) as part of the Services. Clearcue grants the Customer a non-exclusive, non-transferable, non-sublicensable, limited license to use these Apps during the Subscription Term solely in connection with the Services, according to the Documentation and this Agreement.

2.7. Deployment of Code

Clearcue grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable license during the Subscription Term to install Clearcue-provided Code onto Customer Properties strictly as directed by Clearcue’s Documentation. The Customer agrees to correctly implement the Code to ensure full functionality of the Services. Clearcue will not be liable for any failure or malfunction of the Services resulting from modifications to Customer Properties after the Code’s initial deployment.

2.8. Trial Subscriptions

Clearcue may offer a free trial subscription or evaluation period (“Trial”) to allow Customers to test the Services. Unless otherwise specified, Trials are limited to fourteen (14) days or as otherwise stated by Clearcue (the “Trial Period”). Trials are solely for Customer’s internal evaluation purposes to assess whether to purchase a paid subscription. Certain features may not be available during Trials. Upon expiration of the Trial Period, Customer’s access to Services will cease unless Customer initiates a paid Subscription Term. Clearcue may terminate any Trial at any time, at its discretion. TRIAL SERVICES ARE PROVIDED “AS-IS” WITHOUT WARRANTIES, SUPPORT, LIABILITY, OR INDEMNITY OF ANY KIND.

2.9. Beta Features

Clearcue may periodically provide Customers access to Beta Features at no charge, solely at Clearcue’s discretion. Customer’s participation in Beta Features is optional and intended for internal testing and evaluation purposes only, not for production use. Beta Features are not supported and may be accompanied by additional terms and conditions. These features are explicitly excluded from Clearcue’s definition of “Services” under this Agreement; however, all Customer obligations and restrictions concerning use remain fully applicable. Clearcue may discontinue Beta Features at any time without notice, may modify them freely, and provides no guarantee that Beta Features will achieve general availability. Customer acknowledges that Beta Features may not meet Clearcue’s standard performance, reliability, security standards, or other policies.


3. Customer Data

3.1. Data Processing

All data processing performed through the Services is subject to and governed by the terms outlined in the DPA (Data Processing Addendum).


3.2. Rights to Customer Data

The Customer retains full ownership rights and Intellectual Property Rights in all Customer Data provided. The Customer grants the Provider a limited, non-exclusive, worldwide, royalty-free license solely to access, use, copy, store, transmit, modify, and display the Customer Data as necessary to deliver the Services under this Agreement.


3.3. Storage of Customer Data

The Provider does not offer archiving or backup services beyond the standard Service functionality. The Provider will not intentionally delete Customer Data during the active Subscription Term but explicitly disclaims responsibility or liability related to data storage beyond this commitment.


3.4. Customer Responsibilities

a) Customer Obligations

The Customer is solely responsible for the accuracy, legality, and appropriateness of all Customer Data. The Customer warrants that it has obtained all necessary permissions, rights, and consents required for submitting and using Customer Data in connection with the Services and granting the rights stated in Section 3.2. Additionally, the Customer guarantees that the Customer Data will not:

  • Infringe or violate third-party Intellectual Property Rights, privacy rights, or other legal rights;

  • Violate applicable Laws; or

  • Breach terms of service, privacy policies, or agreements related to Third-Party Platforms.


The Customer is fully responsible for all Customer Data entered into or used within the Services, including data submitted by its Permitted Users.


b) Restriction on Sensitive Personal Information

Unless explicitly agreed otherwise in writing, the Customer agrees not to use the Services to collect, store, process, or transmit Sensitive Personal Information. The Provider is neither a payment card processor nor PCI DSS compliant. If the Customer inadvertently submits Sensitive Personal Information, the Customer bears sole responsibility, and the Provider shall treat this data solely as standard Customer Data without additional compliance obligations.


c) Legal Compliance

The Customer agrees to use the Services in compliance with all applicable Laws. Specifically, the Customer must not use the Services to conduct unsolicited advertising, marketing, or activities violating applicable Laws.


3.5. Indemnification by Customer

The Customer agrees to defend, indemnify, and hold the Provider harmless from and against any claims arising out of or related to:

  • Customer data;

  • Use of any third-party platform; or

  • The Customer's violation of applicable laws through use of the Services.

The Customer’s indemnification obligation includes covering damages, liabilities, and reasonable legal fees resulting from such claims. The Provider will:

  • Promptly notify the Customer of any such claims;

  • Allow the Customer control over the defense and settlement negotiations (subject to the Provider’s right to participate with its own counsel at its expense);

  • Provide reasonable cooperation, at the Customer’s expense.

The Customer must obtain the Provider's written approval before settling any claim that does not fully release the Provider from liability or that imposes obligations upon the Provider.


3.6. Anonymized Data

The Provider may aggregate non-personally identifiable data derived from the Customer’s use of the Services ("Anonymized Data"). The Provider is entitled to use Anonymized Data for purposes including analysis, product improvement, operational support, and the creation of industry benchmarks and best practices, both during and after the term of this Agreement. However, the Provider may not publicly identify the Customer as the source of such Anonymized Data.

4. Security

The Provider will implement and maintain commercially reasonable technical and organizational safeguards to protect the Services and Customer Data from unauthorized access, use, alteration, or disclosure. These safeguards are further detailed in the Technical and Organizational Measures outlined in Schedule B of the DPA (the “Security Policy”).


While the Provider is committed to maintaining a high standard of security, it is not responsible for any issues caused by transmission errors, unauthorized access by third parties, or other events outside its reasonable control.

5. Third-Party Integrations

The Services may offer integrations with certain Third-Party Platforms. To enable these integrations, the Customer may need to provide credentials or authorize access to its accounts on such platforms. By enabling integration, the Customer grants the Provider permission to access and process data from those accounts as necessary to deliver the Services under this Agreement.


The Customer is solely responsible for complying with the terms and policies of any Third-Party Platform it uses in connection with the Services and must ensure its accounts remain active and in good standing. The Provider assumes no responsibility or liability for any Third-Party Platform, including how such platforms handle or process Customer Data once it is transferred outside of the Services.


The Provider does not guarantee continued compatibility or integration with any Third-Party Platform and reserves the right to modify or discontinue integrations at any time, with or without notice.


If the Customer uses features of the Services that rely on beta or pre-release functionality offered by a Third-Party Platform (“Third-Party Beta Releases”), the Provider disclaims all liability arising from or related to participation in or use of those features.

6. Ownership

6.1. Provider Technology

This Agreement grants the Customer a limited right to access and use the Services on a subscription basis. Regardless of any terminology such as "purchase" or "sale" used in this Agreement or related materials, no ownership rights are transferred to the Customer. All rights, title, and interest in and to the Services—including all related software, documentation, deliverables from any professional services, underlying technologies, enhancements, modifications, derivative works, and Feedback (collectively, the “Provider Technology”)—remain exclusively with the Provider and its licensors.

The Services are provided as a hosted, online solution; as such, the Customer has no right to obtain a copy of the Services, except for any Code or Apps made available for implementation as described in this Agreement. Unless explicitly stated otherwise, no other rights to the Provider Technology are granted.


6.2. Feedback

The Customer may provide Feedback to the Provider at its discretion. The Provider may use, modify, and incorporate this Feedback into the Services or other offerings without restriction or obligation to the Customer. While the Provider may share or utilize such Feedback publicly or with third parties, it will not attribute the Feedback to the Customer by name without prior written consent.

7. Subscription Term, Fees & Payment

The duration of the initial Subscription Term and any Renewal Terms will be defined in the applicable Order Form. Unless stated otherwise, each Subscription Term will automatically renew for successive Renewal Terms of equal length unless either party notifies the other in writing of its intention not to renew at least thirty (30) days before the current term ends.


7.2. Fees and Payment

Fees for the Services are outlined in the applicable Order Form and must be paid according to the terms specified therein. Except where explicitly stated in Section 9 (Limited Warranty), Section 13 (Indemnification), or Section 16.7 (Changes to the Agreement), all fees are non-refundable.


Fees do not include any applicable Taxes, which are the Customer’s responsibility. If any Taxes are required to be withheld by Law, the Customer must increase the payment so that the full amount due to the Provider is received net of such withholdings.

Late payments may incur a service charge of 1.5% per month on the overdue balance, or the highest amount permitted by law, whichever is lower.


7.3. Suspension of Service

The Provider may suspend access to the Services, including any related support or professional services, without liability if:
(i) the Customer's account is thirty (30) days or more past due,
(ii) the Customer violates any provision in Section 2.4 (General Restrictions) or Section 3.4 (Customer Obligations), or
(iii) suspension is required to protect the integrity, availability, or security of the Services or prevent harm to other users.

Access will be promptly restored once the issue prompting suspension is resolved, provided this Agreement has not been terminated.

8. Term and Termination

8.1. Term

This Agreement begins on the Effective Date and remains in effect until all Subscription Terms have expired or been terminated in accordance with this Agreement.


8.2. Termination for Cause

Either party may terminate this Agreement, including all active Order Forms, if the other party:

  • materially breaches this Agreement and fails to cure the breach within thirty (30) days of receiving written notice, including failure by the Customer to address any issues described in Section 7.3 (Suspension of Service);

  • discontinues its operations without a successor; 

  • files for bankruptcy, becomes subject to insolvency proceedings, or is placed under a comparable legal process that is not dismissed within sixty (60) days.


8.3. Effect of Termination

Upon expiration or termination of this Agreement:

  • The Customer must immediately stop using the Services and any related Provider Technology.

  • All Documentation, passwords, access credentials, and other Provider Confidential Information in the Customer’s possession must be deleted or, if requested, returned to the Provider.

  • Access to Customer Data stored in the Services will be disabled thirty (30) days after termination. The Provider may permanently delete such data at any time thereafter.

Termination or expiration of this Agreement does not affect any other legal remedies either party may pursue.


8.4. Survival

The following provisions will survive termination or expiration of this Agreement: Sections 2.4 (General Restrictions), 2.8 (Trial Subscriptions), 3.3 (Storage of Customer Data), 3.5 (Indemnification by Customer), 3.6 (Anonymized Data), 6 (Ownership), 7.2 (Fees and Payment), 8 (Term and Termination), 9.1 (Warranty Disclaimer), 12 (Limitation of Remedies and Damages), 13 (Indemnification), 14 (Confidential Information), and 16 (General Terms).

9. Limited Warranty

9.1. Limited Warranty 

The Provider warrants to the Customer that the Services will function in substantial accordance with the Documentation and comply with applicable law. If the Services do not meet this standard, the Provider will, at no additional cost to the Customer, make commercially reasonable efforts to correct the issue. If the Provider determines that a fix is not feasible, either party may terminate the affected Subscription Term. In such case, the Customer will receive a pro-rata refund of any pre-paid fees covering the remainder of the terminated Subscription Term.


This warranty does not apply if:
(i) the Customer does not report the issue within thirty (30) days of first noticing it;
(ii) the issue was caused by misuse, unauthorized modifications, or use with third-party systems, hardware, or services not provided by the Provider; or
(iii) the Services were accessed through a trial, beta, or evaluation license.


9.2. Warranty Disclaimer

EXCEPT AS EXPRESSLY PROVIDED IN SECTION 9.1, THE SERVICES (INCLUDING SUPPORT AND PROFESSIONAL SERVICES) ARE PROVIDED “AS IS” AND “AS AVAILABLE.” SUBJECT TO ANY COMMITMENTS IN A SERVICE LEVEL AGREEMENT, THE PROVIDER AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE—INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, OR ACCURACY.

The Provider does not guarantee that the Services will be uninterrupted, error-free, or meet the Customer’s specific requirements. The Provider is not responsible for delays, disruptions, or failures caused by the internet, third-party platforms, or other systems beyond its control. This Agreement also expressly excludes the application of any implied business practices or commercial customs.

10. Availability, Service Levels, and Support

The Provider will use commercially reasonable efforts to maintain the availability of the Services and to minimize downtime or disruptions. While no system can guarantee 100% uptime, the Provider strives to ensure the Services are reliable and performant. Any applicable service levels and support obligations will be detailed in a Service Level Agreement (if included as part of the Order Form or a separate agreement). Unless otherwise specified, support will be provided during standard business hours and in accordance with the Provider’s standard support policies.

11. Professional Services

From time to time, the Provider may offer optional consulting or implementation support (“Professional Services”) to help the Customer maximize the value of the subscription. These services, if purchased, will be described in an Order Form and further detailed in a Statement of Work (“SOW”) agreed to by both parties. Each SOW will outline the specific scope, deliverables, timelines, and applicable fees.


Unless otherwise stated in the Order Form, Professional Services are provided on a time-and-materials basis at the Provider’s then-current rates. The Customer agrees to reimburse any pre-approved, reasonable travel and accommodation expenses incurred in connection with the delivery of such services.


All outputs, materials, or deliverables provided as part of the Professional Services may be used by the Customer solely in connection with their active subscription to the Services, and are subject to the same usage terms and limitations outlined in Section 2 (Provider Services). The Provider retains all rights, title, and interest in and to any such materials, including any custom code, documentation, enhancements, or derivatives.


For clarity, the availability or performance of Professional Services does not impact or alter the functionality, availability, or service level commitments of the core subscription product. Any Professional Services provided at no cost are offered “as is” without any warranties or performance guarantees.

12. Limitation of Remedies and Damages

12.1. Consequential Damages Waiver

Except for Excluded Claims (as defined below), neither party nor its Affiliates will be liable under this Agreement for any indirect, incidental, special, punitive, or consequential damages, or for any loss of use, data, business, or profits, or interruption of business, whether based on contract, tort, strict liability, or any other legal theory, even if the party knew or should have known such damages were possible.


If the Customer is located in the European Economic Area, this waiver also includes:
(a) losses or damages that were not reasonably foreseeable by both parties at the time of Agreement;
(b) losses known to the Customer but not to the Provider; or
(c) losses that could have been avoided by the Customer, including damages caused by viruses, malware, or the Customer’s use of third-party platforms.


The Provider is not responsible for actions taken by third-party platforms as a result of the Customer’s use of the Services.


12.2. Liability Cap

Except for Excluded Claims, each party’s total aggregate liability arising out of or relating to this Agreement will not exceed the total amount paid or payable by the Customer to the Provider under this Agreement during the twelve (12) months prior to the event giving rise to the claim.


12.3. Limitations to Exclusions

Nothing in this section limits a party’s liability for death or personal injury, gross negligence, or willful misconduct. Some jurisdictions may not allow certain exclusions or limitations in this section, in which case those provisions will apply to the maximum extent permitted under applicable law.


12.4. Excluded Claims

“Excluded Claims” means any claims arising out of or relating to:
(a) a breach of the use restrictions set forth in Section 2.4 (General Restrictions);
(b) Customer obligations and indemnities under Sections 3.4 (Customer Obligations) and 3.5 (Indemnification by Customer);
(c) a breach of either party’s obligations under Section 14 (Confidential Information), excluding claims relating solely to Customer Data.


12.5. Nature of Claims and Failure of Essential Purpose

The limitations and exclusions in this section apply regardless of the theory of liability—whether in contract, tort, strict liability, or otherwise—and even if any remedy fails of its essential purpose.

13. Indemnification

The Provider will defend the Customer against any third-party claim alleging that the Customer’s use of the Services, as provided by the Provider and in accordance with this Agreement, infringes such third party’s Intellectual Property Rights. The Provider will indemnify the Customer from any damages and costs (including reasonable legal fees) finally awarded against the Customer or agreed upon in a settlement by the Provider, provided that:

(i) the Customer promptly notifies the Provider in writing of the claim (with sufficient time to avoid prejudice);
(ii) the Provider has sole control over the defense and any settlement of the claim;
(iii) the Customer provides all necessary cooperation, at the Provider’s expense.


The Customer may, at its own cost, participate in the defense using counsel of its choosing. The Provider will not settle any claim without the Customer’s prior written consent, unless the settlement includes a full and unconditional release of the Customer and does not require the Customer to admit fault or take action.


If the Services are found or believed by the Provider to infringe, or if use of the Services is enjoined, the Provider may, at its sole discretion and expense:

(a) replace the Services with a substantially similar, non-infringing alternative;
(b) secure the right for the Customer to continue using the Services;
(c) if neither (a) nor (b) is commercially reasonable, terminate the Agreement and refund any prepaid fees for the remaining portion of the current Subscription Term.


The Provider’s obligations under this Section will not apply to claims arising from:

  • modifications to the Services not made by the Provider;

  • use of the Services in combination with products, services, or processes not provided by the Provider;

  • unauthorized use of the Services;

  • Customer Data;

  • integrations or use with a Third-Party Platform; 

  • any settlement or admission made by the Customer without the Provider’s prior written approval.


This Section 13 states the Provider’s entire liability, and the Customer’s sole and exclusive remedy, for claims of intellectual property infringement.

14. Confidential Information

Each party (the “Receiving Party”) agrees to protect all non-public business, technical, financial, or other proprietary information received from the other party (the “Disclosing Party”) that is either identified as confidential at the time of disclosure or should reasonably be understood to be confidential given the nature of the information and the context of the disclosure (“Confidential Information”).


Confidential Information includes, without limitation:

  • For the Provider: all Provider Technology, performance data related to the Services, and the terms of this Agreement (including pricing), without the need for any marking or further designation;

  • For the Customer: all non-public data and internal materials submitted in connection with the Services.

Except as expressly permitted by this Agreement, the Receiving Party agrees to:

  • Maintain the confidentiality of the Disclosing Party’s Confidential Information using at least the same level of care it uses to protect its own confidential materials, but no less than reasonable care;

  • Use the Confidential Information solely for purposes of fulfilling its obligations or exercising its rights under this Agreement; 

  • Not disclose the Confidential Information to any third party except to its employees, contractors, Affiliates, or service providers who have a legitimate need to know and are bound by confidentiality obligations no less protective than those in this Section.


The obligations in this Section do not apply to information that the Receiving Party can demonstrate:

  • was already lawfully known to it without restriction at the time of disclosure;

  • becomes public through no breach of this Agreement;

  • was lawfully received from a third party without confidentiality obligations;

  • was independently developed without use of or reference to the Disclosing Party’s Confidential Information.


If required by law, subpoena, or court order, the Receiving Party may disclose confidential information provided it gives prompt written notice (where legally permitted) and reasonably cooperates with the Disclosing Party to seek confidential treatment or other protective measures.


The Receiving Party acknowledges that unauthorized disclosure of Confidential Information may cause substantial harm that cannot be remedied by monetary damages alone. Accordingly, the Disclosing Party may seek injunctive or equitable relief in addition to legal remedies.

These confidentiality obligations will remain in effect for a period of three (3) years following the expiration or termination of all Subscription Terms under this Agreement.

15. Publicity

Upon request by the Provider, the Customer agrees to collaborate on a joint press release (the “Press Release”) to be issued on a mutually agreed date, or no later than ninety (90) days after the Effective Date, whichever comes first. Each party will have the right to review and approve the Press Release in advance, and such approval will not be unreasonably delayed or withheld.


The Customer also agrees to participate in reasonable marketing efforts that highlight the benefits of the Services, including but not limited to the use of the Customer’s name and logo on the Provider’s website, in case studies, and in promotional materials. The Customer grants the Provider a limited, non-exclusive, royalty-free license to use its name, logo, and brand assets solely for these marketing purposes, subject to any written brand usage guidelines provided in advance by the Customer.


This publicity does not constitute or imply any endorsement of the Services by the Customer.

16. General Terms

16.1. Assignment

This Agreement will be binding upon and inure to the benefit of each party and its permitted successors and assigns. Neither party may assign or transfer this Agreement without the prior written consent of the other party, except in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Any unauthorized assignment will be null and void.


16.2. Severability

If any provision of this Agreement is found to be invalid or unenforceable, that provision will be limited to the minimum extent necessary so that the remainder of the Agreement remains in full force and effect.


16.3. Governing Law and Dispute Resolution

(a) Governing Law

This Agreement will be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles.

(b) Direct Dispute Resolution

Before initiating legal action, the parties agree to make a good-faith effort to resolve any dispute arising from or related to this Agreement (a “Dispute”). The party initiating the Dispute must send a written notice titled “Initial Notice of Dispute,” detailing the nature of the issue. If sent to the Provider, this notice must be emailed to contact@heyreach.io. The parties will then engage in discussions for at least thirty (30) days following receipt of the notice to resolve the matter informally.

(c) Litigation

If the Dispute cannot be resolved through informal discussions, it will be submitted to the courts located in Wilmington, Delaware. Both parties agree to the exclusive jurisdiction and venue of these courts.

(d) Construction and Joinder

This Agreement will be construed as if drafted jointly. Each party agrees that all claims will be brought in its individual capacity only and not as a plaintiff or class member in any class or representative proceeding. Claims under this Agreement may not be joined with any claims involving other customers or users.

(e) Injunctive Relief

Nothing in this section limits the right of either party to seek injunctive or other equitable relief in any court of competent jurisdiction.


16.4. Notices

Notices must be in writing and delivered to the contact addresses specified in the Order Form or such other address as a party may provide. Notices are deemed received: (i) immediately if delivered by hand; (ii) the next business day if sent by overnight courier; (iii) two business days after mailing if sent by certified or registered mail; or (iv) the next business day if sent by email.


16.5. Amendments and Waivers

Except as provided in Section 16.7, this Agreement may only be modified by a written agreement signed by both parties. No waiver of any term will be effective unless in writing and signed by the waiving party. No failure or delay in exercising any right will constitute a waiver.


16.6. Entire Agreement

This Agreement, including any referenced Order Forms and attachments, constitutes the entire agreement between the parties and supersedes all prior discussions, understandings, or agreements.


16.7. Modifications to this Agreement

The Provider may modify this Agreement from time to time. Changes will take effect at the start of the Customer’s next Subscription Term, unless the Provider specifies an earlier effective date. Continued use of the Services after changes take effect constitutes acceptance of the revised terms. If changes are required earlier (e.g., for legal reasons) and the Customer objects within 10 calendar days, the Provider may delay the effective date or terminate the subscription and refund the pro-rata unused portion of the fees. The Provider may also update the Services or Documentation as needed, including updates to any referenced support, security, or service level documentation.


16.8. Force Majeure

Neither party will be liable for any failure or delay in performance due to causes beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, labor disputes, or failures in telecommunications or data networks.


16.9. Hardship

If performance becomes excessively burdensome due to unforeseen events outside a party’s control, the parties will work together in good faith to renegotiate terms. Courts will not have authority to alter the Agreement due to hardship; the risk is expressly assumed by the parties.


16.10. Subcontractors

The Provider may engage subcontractors to deliver the Services, provided that the Provider remains responsible for their compliance with the terms of this Agreement and any obligations in the DPA.


16.11. Court Orders

The Provider may disclose Customer Data if required by law, court order, or subpoena, but will use reasonable efforts to notify the Customer unless legally prohibited.


16.12. Independent Contractors

The parties are independent contractors. This Agreement does not create any partnership, agency, joint venture, or employment relationship.


16.13. Export Control

The Customer agrees to comply with all applicable export and import laws and regulations. The Customer represents that it is not located in or associated with any country or entity restricted under U.S., U.K., or EU law and will not use the Services in violation of such laws.


16.14. Counterparts

This Agreement may be executed in counterparts, each of which will be deemed an original, and all of which together will constitute one and the same agreement.

Exhibit A - Data Processing Addendum

1. Initial Provisions


1.1. Agreement

This Data Processing Addendum (the "DPA"), including its annexes and the Standard Contractual Clauses (as applicable), forms part of and is incorporated by reference into the Agreement between the Provider and the Customer governing the use of the Services.

1.2. Acceptance

By entering into the Agreement, the Customer acknowledges that it has read and understood this DPA and agrees to be bound by its terms.


2. Definitions

Capitalized terms not defined in this DPA will have the meaning assigned to them in the Agreement.

“Account Data” means Personal Data related to the Customer’s relationship with the Provider, including data used to access the Customer’s account, billing details, identity verification, support, service optimization, and legal compliance.

“Applicable Data Protection Legislation” means all applicable privacy and data protection laws governing the processing of Personal Data under the Agreement, including but not limited to:
(a) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”);
(b) the UK GDPR and Data Protection Act 2018 (“UK Data Protection Laws”);
(c) the Swiss Federal Data Protection Act and related regulations (“Swiss DPA”);
(d) the California Consumer Privacy Act and California Privacy Rights Act (collectively, “CCPA and CPRA”);
(e) the Australian Privacy Act 1988 and the Australian Privacy Principles;

in each case, as amended or replaced.


“CCPA and CPRA” means the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, and all applicable implementing regulations, as amended.

“Controller” means the entity that determines the purposes and means of processing Personal Data. This includes equivalents under relevant law, such as “Business” under the CCPA.

“Customer Personal Data” means any Personal Data processed by the Provider as a Processor on behalf of the Customer in the course of providing the Services.

“Europe” means the European Economic Area (EEA), the United Kingdom (UK), Switzerland, and any country recognized as providing adequate protection for personal data by the relevant regulatory body.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and Council.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Legislation.

“Processor” means an entity that processes Personal Data on behalf of a Controller, including equivalent terms under local legislation (e.g., “Service Provider” under the CCPA).

“Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, recording, use, disclosure, storage, alteration, and destruction.

“Restricted Transfer” means:
(i) under the GDPR, a transfer of Personal Data from the EEA to a country without an adequacy decision;
(ii) under UK GDPR, a transfer from the UK to a non-adequate country;
(iii) under the Swiss DPA, a transfer to a country not deemed adequate by the Swiss FDPIC.

“Security Breach” means any accidental, unauthorized, or unlawful access to, disclosure of, or destruction of Customer Personal Data. This excludes unsuccessful attempts that do not compromise data security (e.g., failed login attempts or port scans).

“Standard Contractual Clauses” or “SCCs” means:
(i) for the GDPR, the clauses adopted by the European Commission in Implementing Decision (EU) 2021/914;
(ii) for UK transfers, the UK Addendum or other approved clauses;
(iii) for Swiss transfers, the clauses approved by the Swiss Federal Data Protection and Information Commissioner.

These may be updated, replaced, or superseded from time to time.

“Sub-processor” means any Processor engaged by the Provider (or by a Provider affiliate) to process Customer Personal Data on its behalf. Sub-processors do not include Provider employees or contractors.

“Third Party Request” means any request from a data subject, supervisory authority, or other third party related to the processing of Customer Personal Data.

“UK Addendum” means the UK’s International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018.


3. Applicability and Scope

3.1. Applicability 

This DPA applies solely to the extent that the Provider processes Personal Data on behalf of the Customer and such processing is subject to Applicable Data Protection Legislation.

3.2. Scope 

The subject matter of the processing is the provision of the Services as described in the Agreement. The processing will continue for the duration of the Agreement. Details regarding the nature and purpose of the processing, types of Personal Data, and categories of data subjects are set forth in Schedule A (Details of Processing).

3.3. Provider as a Processor

The parties acknowledge that, with respect to Customer Personal Data, the Customer may act either as a controller or a processor, and the Provider will act solely as a processor. The Provider will process such data in accordance with the Customer’s documented instructions, as further described in this DPA.

3.4. Provider as a Controller of Account Data

The parties acknowledge that with respect to Account Data, the Customer is a controller and the Provider is an independent controller. The Provider will process Account Data:
(a) to manage its business relationship with the Customer;
(b) to carry out internal administrative and business operations;
(c) to detect, prevent, or investigate security incidents, fraud, or abuse of the Services;
(d) to perform identity verification;
(e) to comply with legal and regulatory obligations; and
(f) as otherwise permitted under Applicable Data Protection Legislation, this DPA, the Agreement, and the Provider’s Privacy Policy.


4. Provider as a Processor

4.1. Customer Instructions

The Customer appoints the Provider as a Processor to process Customer Personal Data on its behalf, solely as necessary:
(a) as set forth in the Agreement and this DPA;
(b) to provide the Services, including detecting and preventing exploits, abuse, or security incidents;
(c) to comply with applicable law, including Applicable Data Protection Legislation;
(d) as otherwise agreed in writing by the parties (together, the “Permitted Purposes”).

4.2. Lawfulness of Instructions 

The Customer shall ensure that its instructions to the Provider comply with all Applicable Data Protection Legislation. The Customer acknowledges that the Provider is not responsible for determining which laws apply to the Customer’s business or whether the Services meet those legal requirements. If the Provider believes that any instruction violates applicable law, it will notify the Customer without undue delay.

4.3. Additional Instructions

Any processing instructions not expressly authorized by this DPA or the Agreement must be agreed to in writing by both parties in advance.

4.4. Purpose Limitation

The Provider will process Customer Personal Data solely for the Permitted Purposes. Additional details, including the nature and purpose of the processing, categories of data subjects, and types of Personal Data, are set forth in Schedule A (Details of Processing).

4.5. Responding to Third Party Requests 

If the Provider receives a Third Party Request directly related to Customer Personal Data, it shall notify the Customer without undue delay and provide all relevant details, unless legally prohibited. The Provider will not respond to such requests without the Customer’s prior written consent, unless required by law or to confirm that the request pertains to the Customer.


5. Compliance

The Customer is solely responsible for ensuring the legality of the processing of Customer Personal Data under the Agreement. In particular, the Customer represents and warrants that:

(a) all necessary notices have been provided to, and all required consents and authorizations have been obtained from, data subjects as required by Applicable Data Protection Legislation to permit the Provider (and its affiliates and Sub-processors) to process Customer Personal Data as described in the Agreement and this DPA;
(b) it has complied, and will continue to comply, with all applicable laws, rules, and regulations relating to data protection and privacy, including Applicable Data Protection Legislation;
(c) it has, and will continue to have, the legal right to transfer (or provide access to) Customer Personal Data to the Provider for processing in accordance with the terms of this DPA and the Agreement.


6. Sub-processors

6.1. Authorization for Sub-processing

The Customer authorizes the Provider to engage Sub-processors, including its affiliates and third parties, to process Customer Personal Data on the Provider’s behalf as necessary to provide the Services. The current list of Sub-processors is available on the Provider’s Sub-processor Page, which may be updated from time to time. This authorization is subject to the following conditions:
(a) The Provider will ensure that any Sub-processor only accesses Customer Personal Data as necessary to perform its obligations and is prohibited from using such data for any other purpose.
(b) The Provider will impose data protection terms on each Sub-processor that are no less protective than those set out in this DPA, including obligations regarding appropriate technical and organizational measures.
(c) The Provider will remain fully liable for any breach of this DPA caused by the acts or omissions of its Sub-processors.

6.2. Current Sub-processors

The Customer acknowledges that the provision of the Services may require the processing of Customer Personal Data by Provider affiliates and Sub-processors located outside Europe, including in the United States. The Customer hereby authorizes such transfers, subject to the Provider’s compliance with the terms of this DPA, including Schedule C (List of Sub-processors).

6.3. Notification of Sub-processor Changes

The Provider will notify the Customer of any intended additions or replacements to the Sub-processor Page at least ten (10) days in advance, either through the Services or via email. If the Customer has a reasonable objection to the proposed change based on data protection concerns, it must notify the Provider in writing within thirty (30) calendar days of the notice. The Provider will then work in good faith to address the Customer’s concerns. If no resolution is reached, the Customer may terminate the Agreement without penalty.


7. Impact Assessments and Consultations

To the extent required by Applicable Data Protection Legislation, the Provider will provide the Customer with reasonable assistance—at the Customer’s cost and expense—for the performance of data protection impact assessments or prior consultations with supervisory authorities, in each case solely in relation to the Provider’s processing of Customer Personal Data under the Agreement and this DPA.


8. Security

8.1. Security Measures

The Provider will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Breaches. These measures will, at a minimum, comply with applicable law and include those described in Schedule B (Technical and Organizational Security Measures). The Customer acknowledges that such measures may evolve over time due to technical progress, and the Provider may update them as necessary—provided that any updates do not materially reduce the overall level of protection for Customer Personal Data.

8.2. Personnel Confidentiality

The Provider will ensure that any individual authorized to process Customer Personal Data (including employees, agents, and subcontractors) is subject to a binding duty of confidentiality with respect to that data.

8.3. Security Breach Notification

In the event of a Security Breach involving Customer Personal Data, the Provider will notify the Customer without undue delay after becoming aware of the breach. The Provider will provide the Customer with reasonable information related to the breach to assist in meeting any legal or regulatory reporting obligations. Notification of or response to a Security Breach by the Provider does not constitute an admission of fault or liability.

8.4. Customer Responsibilities

The Customer is solely responsible for:
(a) configuring and using the Services in a manner that ensures an appropriate level of security based on the nature of the Customer Personal Data;
(b) securing all credentials, systems, and devices used to access the Services;
(c) backing up Customer Personal Data where appropriate.


9. Return or Deletion of Customer Personal Data

Upon termination or expiration of the Agreement, the Provider will, at the Customer’s election, either delete or return all Customer Personal Data (including any copies) in its possession or control as soon as reasonably practicable, and in any event within thirty (30) days. This obligation will not apply to the extent the Provider is required by applicable law to retain some or all of the Customer Personal Data, or to data archived on back-up systems. In such cases, the Provider will securely isolate and protect such data from further processing, except as required by applicable law.


10. Audits

10.1. Acknowledgment

The parties acknowledge that, where the Provider is acting as a Processor on behalf of the Customer, the Customer must be able to assess the Provider’s compliance with its obligations under Applicable Data Protection Legislation and this DPA.

10.2. Audit Reports and Certifications

Upon written request and at no additional cost to the Customer, the Provider will make available to the Customer (or the Customer’s designated, appropriately qualified third-party representative) documentation reasonably necessary to demonstrate compliance with this DPA. This may include summaries of relevant audit reports or industry-standard certifications, to the extent such information is available and applicable.

10.3. Customer-Initiated Audit

If the Customer requires a direct audit of the Provider’s data processing practices, the Provider will allow such audit subject to the following terms:
(a) The audit must be requested in writing and conducted at the Customer’s cost, including any internal costs incurred by the Provider.
(b) The scope, duration, and timing of the audit must be mutually agreed upon in advance, and the audit must be conducted in a manner that minimizes disruption to the Provider’s business.
(c) Any audit must be limited to one occurrence per twelve (12) month period, unless otherwise required by a competent supervisory authority or in the event of a Security Breach.
(d) The audit may only access information relevant to the Customer.
(e) The Customer may use a third-party auditor, provided such auditor is not a direct competitor of the Provider and is subject to confidentiality obligations. The Provider may reject an auditor on reasonable grounds and require the Customer to appoint another.

For clarity, the exercise of audit rights under the Standard Contractual Clauses will be carried out in accordance with this Section 10.3.


11. Transfers

11.1. Location of Processing

The Customer acknowledges that the Provider and its Sub-processors may process and transfer Customer Personal Data to the United States and other jurisdictions in which the Provider, its affiliates, or Sub-processors operate, as further detailed on the Sub-processor Page. The Provider will ensure that such transfers comply with Applicable Data Protection Legislation and this DPA.

11.2. Transfer Mechanism

When a transfer of Customer Personal Data from the Customer (as “data exporter”) to the Provider (as “data importer”) constitutes a Restricted Transfer, the parties agree that such transfer will be subject to an appropriate safeguard as required under Applicable Data Protection Legislation. Unless otherwise agreed, the parties will rely on:

  • The Provider’s certification under the EU-U.S. Data Privacy Framework, the UK-U.S. Data Bridge, and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”) administered by the U.S. Department of Commerce.

  • If the DPF is invalidated or deemed insufficient, the parties will use the applicable Standard Contractual Clauses (SCCs), incorporated into and forming part of this DPA.

The SCCs shall apply as follows:

(a) Transfers under the GDPR (Customer Personal Data):

  • Module Two or Three (as applicable) of the EU SCCs will apply.

  • Clause 7: The optional docking clause applies.

  • Clause 9: Option 2 applies, with the notice period for changes to Sub-processors set out in Section 6.3 of this DPA.

  • Clause 11: The optional language does not apply.

  • Clause 17: Option 1 applies; Irish law governs if no Member State law applies.

  • Clause 18(b): Disputes shall be resolved in the EU Member State of the data exporter, or Ireland by default.

  • Annexes I and II of the SCCs are completed as set out in Schedules A and B of this DPA.

(b) Transfers under the GDPR (Account Data under Section 3.4):

  • Module One of the EU SCCs will apply.

  • Clause 7: Optional docking clause applies.

  • Clause 11: Optional language does not apply.

  • Clause 17: Irish law applies.

  • Clause 18(b): Disputes shall be resolved in Ireland.

  • Annexes I and II are completed as set out in Schedules A and B.

(c) Transfers under the UK GDPR and Swiss DPA:

  • References to GDPR are interpreted under UK Privacy Laws or the Swiss DPA.

  • References to the EU, Union, or Member States are interpreted as UK or Switzerland.

  • Clause 13(a) and Annex I.C do not apply.

  • Supervisory authorities and courts are the UK Information Commissioner or Swiss FDPIC and the courts of England and Wales or Switzerland, as applicable.

  • Clause 17: Governed by English law or Swiss law.

  • Clause 18: Adjusted per UK or Swiss law as outlined above.

(d) UK Addendum (where applicable):

Where SCCs under paragraph (a) cannot lawfully be used for UK Restricted Transfers, the UK SCCs shall apply, completed using the information in Schedules A and B. Table 4 of the UK Addendum shall indicate "neither party" may make changes unilaterally.

11.3. SCC Conflict

If any provision in this DPA or the Agreement conflicts with the Standard Contractual Clauses, the SCCs shall prevail.

11.4. Alternative Transfer Mechanism

If the Provider adopts another lawful transfer mechanism (e.g. an updated version of the SCCs or DPF), such mechanism will apply in place of those specified above upon notice to the Customer, provided the mechanism complies with applicable data transfer requirements.


12. Cooperation and Data Subject Rights

12.1. Data Subject Rights

The Provider offers the Customer self-service tools within the Services to assist in meeting obligations under Applicable Data Protection Legislation. These features may include, without limitation, tools to delete, access, or restrict the use of Customer Personal Data. The Customer may use such features at no additional cost to respond to Third Party Requests, such as data subject access or deletion requests.

Upon written request from the Customer, and to the extent the Customer cannot reasonably fulfill its obligations using the available tools, the Provider will provide reasonable assistance—taking into account the nature of the processing and the information available to the Provider—to support the Customer in responding to data subject rights requests under Applicable Data Protection Legislation. Such assistance may be subject to a reasonable, documented fee.

If the Provider receives a data subject request directly and can reasonably identify the Customer as the Controller, the Provider will notify the Customer without undue delay and will not respond to the request except to confirm receipt and refer the requestor to the Customer, unless otherwise required by law. The Customer will be solely responsible for responding to and fulfilling such requests.


12.2. Cooperation

If either party receives (a) a request from a data subject to exercise any rights under Applicable Data Protection Legislation, or (b) a Third Party Request relating to the other party’s data processing activities under this DPA, that party will promptly notify the other in writing (to the extent legally permitted). Both parties will cooperate in good faith to respond to and resolve such requests in a timely and compliant manner.


13. No Sale or Sharing

To the extent the processing of Customer Personal Data is subject to U.S. data protection laws (including but not limited to the CCPA and CPRA), the Provider certifies and agrees that it shall not:

  • Sell Customer Personal Data or otherwise make it available to any third party for monetary or other valuable consideration;

  • Share Customer Personal Data with any third party for purposes of cross-context behavioral advertising or targeted advertising;

  • Retain, use, or disclose Customer Personal Data for any purpose other than as necessary to perform the business purposes specified in this DPA or as otherwise permitted under applicable U.S. data protection laws;

  • Retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Customer and the Provider; or

  • Combine Customer Personal Data with personal data that the Provider receives from or on behalf of another person or entity, or collects independently, except as permitted under applicable U.S. data protection laws.

The Provider will promptly notify the Customer if it determines that it can no longer meet its obligations under applicable U.S. data protection laws.


14. Miscellaneous

14.1. Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail. The order of precedence shall be: (a) this DPA; (b) the Agreement; and (c) the Provider’s Privacy Policy. In the event of a conflict between the Standard Contractual Clauses and any other terms in this DPA, the Agreement, or the Privacy Policy, the Standard Contractual Clauses shall control to the extent of the conflict.

14.2. Replacement

This DPA supersedes and replaces any prior data processing agreements or addenda previously entered into between the parties in connection with the Services.

14.3. Claims

Any claims arising in connection with this DPA shall be subject to the terms, conditions, limitations, and exclusions of liability set forth in the Agreement.

14.4. Data Subject Rights

Nothing in this DPA shall be construed to restrict or limit the rights of any data subject or any competent supervisory authority under Applicable Data Protection Legislation.

14.5. Compliance with Higher Standards 

In the event of an actual or perceived conflict among Applicable Data Protection Legislation, the parties agree to comply with the more stringent standard, which shall be determined solely by the Provider in the event of a dispute.

14.6. Updates

Notwithstanding anything to the contrary in the Agreement, the Provider reserves the right to modify this DPA as necessary to comply with changes to Applicable Data Protection Legislation. The Provider will notify the Customer of any material updates.

14.7. No Consideration

The parties acknowledge that access to Customer Personal Data by the Provider does not form part of the consideration under the Agreement or any related order form.

14.8. No Third-Party Rights

This DPA does not confer any rights or remedies upon any third party, including any Third-Party Controller, except as expressly provided under Data Protection Laws (including rights for Data Subjects under the DPF or SCCs).


Schedule A

Schedule A(1) List of Parties:

Data Exporter

  • Name: Customer, as identified in the Order Form

  • Address: As identified in the Order Form

  • Contact details: As identified in the Order Form

  • Activities relevant to the transfer: See Schedule A(2) below

  • Role: Controller

Data Importer

  • Name: Provider, as identified in the Agreement

  • Address: As identified in the Agreement

  • Contact details: As identified in the Agreement

  • Activities relevant to the transfer: See Schedule A(2) below

  • Role: Processor



Schedule A(2): Description of Transfer

Categories of data subjects:

  • Permitted Users – any of Customer's employees or other personnel, suppliers, and other third parties authorized under the Agreement to use the Services.

  • Third Parties – employees, contractors, business partners, customers, or other individuals whose Personal Data is stored, transmitted to, made available to, accessed, or otherwise processed by Provider.

Categories of personal data:

  • Permitted Users – contact data.

  • Third Parties – contact data.

Sensitive data (special categories of personal data):

The Provider does not require any special categories of data to provide the Services and does not intentionally collect or process such data in connection with the provision of the Services.


Frequency of the transfer: Continuous

Nature and subject matter of the processing:

The Personal Data may be subject to the following processing activities:

  • Storage (hosting) and other processing necessary to provide, maintain, and improve the Services provided to the Customer under the Agreement;

  • Technical support provided to the Customer on a case-by-case basis;

  • Disclosures in accordance with the Agreement and this DPA, as compelled by law;

  • Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.


Duration of the processing:

Processing Term (i.e., for the duration of the Agreement unless otherwise required by law)

Purpose(s) of the data transfer and further processing:

(i) To provide, maintain, support, and improve the Services provided to the Customer in accordance with the Agreement;
(ii) Processing initiated by Permitted Users in their use of the Services;
(iii) Processing to comply with other documented, reasonable instructions provided by the Customer (e.g., via email), where such instructions are consistent with the terms of the Agreement (including this DPA).

Retention period (or criteria used to determine it):

Processing Term, unless otherwise required by applicable law

Schedule A(3): Competent Supervisory Authority

With respect to EU Data, the competent supervisory authority is:
The Office of the Information Commissioner of Ireland (the “Supervisory Authority”)

Schedule B

Technical and Organizational Measures

The technical and organizational measures implemented by the Provider to ensure an appropriate level of security, taking into account the nature, scope, context, and purposes of the processing, and the risks to the rights and freedoms of natural persons, include the following:

  • Infrastructure: Provider’s platform is built and hosted on Amazon Web Services (AWS), benefiting from the robust security infrastructure and protocols maintained by AWS.

  • Security certifications: AWS maintains industry-recognized certifications such as ISO 27001, SOC 1/2/3, and PCI-DSS, which extend to the underlying infrastructure used by the Provider.

  • Best practices: Provider follows AWS-recommended security best practices for secure configuration, access control, encryption, and monitoring.

  • Access controls: Role-based access controls (RBAC), least privilege principles, and multi-factor authentication are enforced internally to limit access to Customer Personal Data.

  • Data protection: Customer Personal Data is encrypted both in transit (TLS 1.2 or higher) and at rest (AES-256).

  • Monitoring & incident response: The Provider maintains automated monitoring and alerting systems. In the event of a suspected security incident, the Provider follows a documented incident response procedure to mitigate, respond to, and notify affected parties in accordance with this DPA.

  • Employee training & confidentiality: Employees with access to Customer Personal Data undergo regular security awareness training and are bound by confidentiality agreements.

  • Vendor & sub-processor controls: All sub-processors and service providers are subject to due diligence and contractual obligations consistent with the security commitments outlined in this Schedule B.

More details on the security and compliance standards applicable to AWS infrastructure can be found at: https://aws.amazon.com/compliance

Schedule C

Approved Sub-processors

As of the Effective Date, the following Sub-processor is authorized by the Customer for use by the Provider in accordance with Section 6 (Subprocessors) of this DPA:

  • Sub-processor: Amazon Web Services, Inc.

  • Address: 410 Terry Avenue North, Seattle, WA 98109-5210, United States

  • Purpose: Hosting services for the Provider’s Platform

  • Location of Processing: United States (primary region)

The Provider may update this list in accordance with the notification and objection procedures set forth in Section 6.3 of this DPA. An up-to-date list of Sub-processors is maintained by the Provider and made available to the Customer upon request or through the Provider’s Platform.

Schedule D

UK Addendum to the EU Commission Standard Contractual Clauses

Effective Date

This Addendum becomes effective on the same date as the Data Processing Addendum (DPA).

Background

The UK Information Commissioner considers this Addendum to provide appropriate safeguards under Article 46 of the UK GDPR for transfers of personal data to third countries or international organizations, including transfers from controllers to processors or between processors.

Definitions

For purposes of this Addendum:

  • “This Addendum” refers to the UK Addendum to the Clauses.

  • “The Annex” refers to the Standard Contractual Clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021.

  • “UK Data Protection Laws” refers to all data protection, privacy, and electronic communications laws in force in the UK from time to time, including the UK GDPR and the Data Protection Act 2018.

  • “UK GDPR” means the General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

  • “UK” means the United Kingdom of Great Britain and Northern Ireland.


Interpretation

This Addendum shall be interpreted:

  • In accordance with UK Data Protection Laws.

  • To ensure it provides the appropriate safeguards required by Article 46 of the UK GDPR.

  • To avoid conflict with the rights and obligations set forth in UK Data Protection Laws.

  • To account for legislative changes over time, including any re-enactments or replacements of cited laws.

Hierarchy

In the event of conflict between this Addendum and the Clauses or any related agreements, the provision offering the greatest protection to data subjects will prevail.

Incorporation and Application of the Clauses

This Addendum incorporates the Clauses, which are deemed amended as necessary to operate under UK Data Protection Laws and to provide appropriate safeguards, including:

  • Transfers from the data exporter to the data importer, where UK Data Protection Laws apply.

  • Transfers requiring appropriate safeguards under Article 46 of the UK GDPR.

Required Amendments to the Clauses

The Clauses are amended as follows:

  • References to “the Clauses” shall be interpreted to mean this Addendum including the incorporated Clauses.

  • Clause 6 is replaced with: “The details of the transfer(s) are those specified in Annex I.B where UK Data Protection Laws apply.”

  • References to “Regulation (EU) 2016/679” are replaced with “UK Data Protection Laws”; specific articles are adjusted accordingly.

  • References to Regulation (EU) 2018/1725 are removed.

  • “Union”, “EU”, and “EU Member State” are replaced with “UK”.

  • Clause 13(a) and Part C of Annex II are not used; the competent supervisory authority is the UK Information Commissioner.

  • Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”

  • Clause 18 is replaced with: “Any dispute shall be resolved by the courts of England and Wales. A data subject may also bring proceedings in any UK jurisdiction. The parties agree to submit to the jurisdiction of such courts.”

  • All footnotes to the Clauses are excluded from this Addendum.


Amendments to this Addendum

The parties may:

  • Modify Clauses 17 and 18 to refer to the laws and courts of Scotland or Northern Ireland.

  • Agree to amendments to this Addendum that maintain appropriate safeguards under Article 46 of the UK GDPR.

Execution of the Addendum

The Addendum may be executed in any legally binding manner, including:

  • Attaching this Addendum as a schedule to the DPA.

  • Incorporating signature language in Annex 1A such as:

    • “By signing, we agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses dated [insert date].”

  • Executing the Clauses as amended in accordance with this Addendum.