Data Processing Addendum

Last Updated: October 2025

This Personal Data Processing Addendum (“Addendum”) supplements the agreement between Service Provider and Client ("Agreement") and will apply to the extent that Service Provider processes Personal Data on Client’s behalf pursuant to the Agreement.  In the event of a conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will prevail. 

  1. Definitions. Any capitalized terms used in this Addendum that are not defined below have the meanings set forth in the Agreement.  
    1. “Applicable Data Protection Law” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule, requirement or other binding restriction that applies to the Processing of Personal Data to which a party to the Agreement is subject, including without limitation GDPR and the California Consumer Privacy Act of 2018 (“CCPA”) and other laws of the United States and its states, as well as any other data protection, privacy, and information security laws and regulations that may from time to time apply to Personal Data.
    2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
    3. “EEA” means the Member States of the European Union, as well as Iceland, Liechtenstein, and Norway.
    4. "EEA Restricted Transfer” means (i) a transfer to a Third Country by Client of Personal Data from the EEA or Switzerland, or (ii) the onward transfer by Client to Service Provider of Personal Data that originated in the EEA or Switzerland, or is otherwise subject to the GDPR or the Swiss Federal Act on Data Protection, and for which Client is contractually obligated to impose safeguards that are equivalent to those safeguards required by Applicable Data Protection Law in the EEA or Switzerland on any third party with whom they share the Personal Data.
    5. “EU 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause)” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament of the Council. 
    6. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of Such Data, repealing Directive 95/46/EC, otherwise known as the General Data Protection Regulation, and for the purpose of this Addendum includes the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
    7. “Personal Data” means any and all information relating to an identified or identifiable natural person (“Data Subject”) or will have the meaning assigned to it in the Applicable Data Protection Law, including without limitation “personal information” as such term is defined in the CCPA, and refers to any such data that Client transfers or otherwise discloses to Service Provider or is Processed by Service Provider on Client’s behalf in connection with the Agreement.
    8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    9. “Processing Services” means any and all services provided by Service Provider under the Agreement that involve Processing of Personal Data.
    10. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable a “service provider” as that term is defined under Applicable Data Protection Law.
    11. “Security Breach” means any act or omission that compromises either the security, confidentiality or integrity of Personal Data or the physical, technical, administrative or organisational safeguards put in place by Service Provider, or by Client should Service Provider have access to Client’s systems, that relate to the protection of the security, confidentiality or integrity of Personal Data and/or may potentially or actually have resulted in the unauthorized access, acquisition, disclosure or use of Personal Data.  Without limiting the foregoing, a material compromise includes unauthorized access to or disclosure or acquisition of Personal Data.
    12. “Third Country” means any country, organisation, or territory not acknowledged by the European Commission or the UK government, as applicable, to ensure an adequate level of protection for Personal Data in accordance with Article 45 of GDPR.
    13. “UK Restricted Transfer” means (i) a transfer to a Third Country by Client of Personal Data from the United Kingdom, or (ii) the onward transfer by Client to Service Provider of Personal Data that originated in the United Kingdom, subject to the Data Protection Act 2018, and for which Client is contractually obligated to impose safeguards that are equivalent to those safeguards required by Applicable Data Protection Law in the United Kingdom on any third party with whom they share the Personal Data.
    14. “UK Addendum” means the International Data Transfer Addendum to the EU Commission 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause), version B1.0, issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 and in force as of 21 March 2022, as revised by the UK Information Commissioner’s Office from time to time.
  2. Roles of the Parties; Description of Processing.
    1. Roles of the Parties.  The parties acknowledge that with respect to the Personal Data transferred by Client to Service Provider hereunder, Client is acting as the “Controller” or as a “Processor” of such Personal Data and Service Provider is acting as a “Processor.”  Service Provider will Process Personal Data only as necessary to perform the Processing Services and as specifically permitted by this Addendum, or as otherwise instructed in writing from time to time by Client.  Service Provider will promptly inform Client if, in the opinion of the Service Provider, an instruction from Client infringes any Applicable Data Protection Law.
    2. Description of the Processing.  Except as otherwise agreed upon in writing, the Processing Services will be as described in Schedule 1 hereto.
  3. General Obligations as Processor.
    1. Service Provider shall Process Personal Data only for limited and specified purposes as set forth in the Agreement and this Addendum, and shall not otherwise:
      1. “sell” or “share” Personal Data, as those terms are defined in Applicable Data Protection Law;
      2. retain, use, or disclose Personal Data outside of the direct business relationship between Service Provider and Client; or
      3. combine Personal Data that Service Provider receives from, or on behalf of, Client with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject.
    2. Service Provider shall comply with Applicable Data Protection Laws and will provide a level of privacy protection for Personal Data consistent with the requirements of Applicable Data Protection Law.
    3. Service Provider will promptly inform Client in writing if it makes a determination that it cannot comply with Applicable Data Protection Law or any material term of the Agreement or this Addendum regarding the Processing Services.  If this occurs or if Client notifies Service Provider of material gaps or weaknesses in Service Provider’s information security program under Section 6.2 hereof, (i) Service Provider will use reasonable efforts to remedy the non-compliance; (ii) Client will be entitled to only the affected Processing Services. Client’s sole remedy for non-compliance shall be suspension or termination of the impacted Processing Services, provided Service Provider is given at least sixty (60) days to cure, and if such non-compliance is remedied, upon resumption of the Processing Services, offset recoverable damages actually incurred by Client as a result of such non-compliance.  If Service Provider commits a material breach of the Agreement or this Addendum regarding the services, which is not cured within sixty (60) days after Service Provider provides notice in accordance with this Section 3.3 or Client notifies Service Provider of such breach, then Client may, by giving written notice to Service Provider, terminate the Agreement without charge or liability except for payment to Service Provider for Processing Services satisfactorily completed and performed by Service Provider on or before the date of termination that have not been previously paid by Client, subject to offset by recoverable damages actually incurred by Client as a result of such breach.  Any termination by Client for breach will not constitute an election of remedies and will be without prejudice as to Client’s other rights in law or equity resulting therefrom. 
    4. Service Provider will immediately inform Client in writing in the event it receives (i) any request for access to any Personal Data received from an individual who is (or claims to be) the subject of the data; (ii) any request for access to any Personal Data received by Service Provider from any government official (including any data protection agency or law enforcement agency); or (iii) any other requests with respect to Personal Data received from Client’s employees or other third parties, other than those set forth in the Agreement. Service Provider understands that it is not authorized to respond to these requests, unless explicitly authorized by Client or the response is legally required under a subpoena or similar legal document issued by a government agency that compels disclosure by Service Provider.
    5. If the Processing Services involve the collection of Personal Data directly from individuals, Service Provider will provide the individuals with a clear and conspicuous privacy notice that complies with Applicable Data Protection Law, and which notice shall be approved in advance by Client.
    6. Service Provider will cooperate with Client and representatives in responding to inquiries, claims, and complaints regarding the Processing of the Personal Data, including without limitation any exercise of Data Subject rights pursuant to GDPR Chapter 3 or other Applicable Data Protection Law.
    7. Service Provider will promptly correct any errors or inaccuracies in Personal Data to the extent they are caused by Service Provider.  At Client’s request and cost, Service Provider will promptly correct any other errors in Personal Data that Client identifies to Service Provider.
  4. Subprocessors.   
    1. General Authorization. Service Provider may engage subcontractors for the Processing of Personal Data, unless otherwise provided in the Agreement, and subject to the requirements of this Section 4.  Subcontracting of the Processing of Personal Data will be allowed pursuant to a subcontracting agreement between Service Provider and the subcontractor that imposes upon the subcontractor obligations no less protective than those set forth in this Addendum. Service Provider remains responsible and liable for its subcontractors’ compliance with the terms of the Agreement and this Addendum.
    2. Addition or Replacement of Subprocessors.  Service Provider has provided Client with a list of all subcontractors that may be used in connection with the Processing of Personal Data and their locations.  If, during the Term, Service Provider intends to add or replace subcontractor(s) involved in the Processing of Personal Data, Service Provider will inform Client in writing.
  5. Confidentiality; Data Access and Disclosure.
    1. Personal Data is considered Confidential Information of Client and Service Provider must maintain all Personal Data in strict confidence.
    2. Service Provider may disclose Personal Data to its employees and workers, but only to the extent such individuals: (i) require access to the Personal Data to perform the Processing Services; (ii) have been subject to and passed an appropriate background screening where legally permissible and appropriate; (iii) have been trained on the privacy, confidentiality and security requirements set forth in this Addendum related to the Personal Data; and (iv) are subject to an appropriate confidentiality agreement.
    3. Service Provider will not disclose, transmit, or otherwise make the Personal Data available to other third parties (including subcontractors) unless such Processing is required to perform the Processing Services and such third parties or subcontractors have been engaged in accordance with Section 4 (Subprocessors) or as otherwise explicitly authorized by Client in writing.
  6. Information Security Requirements.
    1. Technical and Organisational Measures. Service Provider will have implemented and documented appropriate operational, technical and organisational measures to protect Personal Data against accidental or unlawful destruction, alteration, unauthorized disclosure or access in light of the risks posed by the Processing.  Such measures will at least be sufficient to satisfy Article 32 of GDPR, and will include the measures set forth in Schedule 2 hereto.
    2. Information and Audits.  Subject to the terms of this Section, Client may audit Service Provider’s compliance with this Addendum. Such audit right shall be limited to once in any twelve (12) month period, unless required more frequently by a competent supervisory authority or applicable law. Client must provide at least sixty (60) days’ prior written notice. Any audit shall be conducted during normal business hours, in a manner that minimizes disruption to Service Provider’s operations, and shall be limited in scope to facilities, systems, and documentation relevant to the Processing of Personal Data under this Addendum and the Processing Services; it shall not include access to Service Provider’s trade secrets, proprietary information, or other clients’ data, and shall be subject to Service Provider’s reasonable security, confidentiality, and safety requirements. Service Provider may satisfy audit obligations by providing recent third-party certifications or audit summaries (e.g., ISO 27001, SOC 2). Client shall bear all costs of the audit, including Service Provider’s reasonable internal costs.
    3. Taking into account the nature of the Processing and the information available to the Service Provider, Service Provider will assist Client in ensuring compliance with Client’s obligations pursuant to Articles 32-36 of GDPR or other Applicable Data Protection Law.
  7. Security Breach Procedures.
    1. In the event of a suspected or actual Security Breach, Service Provider will notify Client without undue delay after Service Provider becomes aware of and has confirmed the Personal Data Breach.
    2. Immediately following Service Provider’s notification to Client of a Security Breach, the parties will coordinate with each other to investigate the Security Breach. Service Provider will provide commercially reasonable cooperation and information necessary for Client to meet its legal obligations.
    3. Service Provider will use commercially reasonable efforts to contain and remedy any Security Breach caused by its material failure to comply with this Addendum, at its cost. Client bears its own costs in all other cases.
    4. Notwithstanding anything to the contrary herein or in the Agreement, Service Provider will reimburse Client only to the extent such Security Breach results from Service Provider’s material failure to comply with this Addendum. Client shall otherwise bear its own costs, including all costs of notice and/or remediation.
    5. Service Provider agrees that unless required by Applicable Data Protection Law it will not inform any third party of any Security Breach without first obtaining Client’s prior written consent.
    6. Service Provider agrees to maintain and preserve all documents, records and other data related to the Security Breach.
  8. Data Destruction and Return.  At any time during the term of this Agreement at Client’s request or upon the termination or expiration of this Addendum for any reason, Service Provider will promptly return to Client all copies, whether in written, electronic or other form or media, of Personal Data in its possession or the possession of its subcontractors, or securely dispose of all such copies, and certify in writing to Client that such Personal Data has been returned to Client or disposed of securely. Service Provider will comply with reasonable directions provided by Client with respect to the return or disposal of the Data, subject to Service Provider’s standard backup/retention cycles. Irreversible anonymization shall constitute deletion.


  9. International Data Transfers.
    1. EEA Restricted Transfers.  If and to the extent Service Provider’s performance of the Services involves an EEA Restricted Transfer, the following terms will apply with respect to such EEA Restricted Transfer provided that no Alternative Transfer Solution, as defined below, applies.
    2. Alternative Transfer Solutions. Service Provider may adopt any solution, other than the EU 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause) and/or the UK Addendum, that enables the transfer of Personal Data in connection with an EEA Restricted Transfer or UK Restricted Transfer in accordance with GDPR, such as binding corporate rules or another approved international data transfer framework (such solution, an “Alternative Transfer Solution”). The Alternative Transfer Solution shall apply in lieu of the EU 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause) and/or the UK Addendum, as applicable, to any EEA Restricted Transfers or UK Restricted Transfers, as applicable, that take place following such written approval.
    3. Supplemental Steps.  Where Applicable Data Protection Law and/or a responsible supervisory authority impose upon Client specific obligations with respect to the transfer or Processing of Personal Data that are not addressed by this Addendum, Service Provider agrees to execute supplemental data processing agreement(s) with Client or take other appropriate steps, including supplemental security and privacy measures required by such Applicable Data Protection Law or responsible supervisory authority that Client concludes, as mutually agreed by the parties in good faith, to the extent required by Applicable Data Protection Laws.  In particular, if requested, Service Provider will promptly execute the EU 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause) and UK Addendum, populated as reasonably required by Client.
    4. No Other Transfers.  Except as expressly provided in the Agreement, Service Provider will not transfer the Personal Data across any national borders or permit remote access to the Personal Data by any affiliate, contractor, or other third party unless Service Provider has obtained the prior written consent of Client for such transfer or access. Service Provider shall strictly comply with the requirements of Applicable Data Protection Law pertaining to the cross-border transfer of Personal Data with respect to any transfers of Personal Data made by Service Provider under the Agreement and this Addendum. 
  10. Indemnification.  Each party will indemnify the other for third-party claims arising from its own failure to comply with this Addendum. Service Provider shall not indemnify Client for claims arising from Client’s unlawful instructions, failure to obtain consents, or provision of prohibited data. Each party’s indemnification obligations under this Section 10 are subject to, and shall not exceed, the limitations of liability set forth in the Agreement. In no event shall either party’s aggregate liability under this Addendum exceed the liability cap agreed between the parties in the Agreement.
  11. Term; Modifications.   Service Provider may make changes to this Addendum from time to time (a) when the changes are required to comply with Applicable Data Protection Law, or (b) when the changes are commercially reasonable. When Service Provider makes changes to the Addendum under this Section 11.3, Service Provider will post the updated version of the Addendum on its website and such changes will be effective upon Service Provider’s posting of such updated version.  No other change to this Addendum will be effective unless it is in writing and signed by an authorized representative of each party.


 SCHEDULE 1


DETAILS OF THE PROCESSING 


  A. List of Parties:


Data Exporter

Name: Client that permitted Service Provider to perform the Services for Client under the Agreement between Client and Service Provider.

Contact Details: the email and mailing address(es) of Client’s primary contact person(s) as set out in the Agreement.

Activities relevant to the data transferred: Receipt and/or use of the software and/or services provided by Service Provider pursuant to the Agreement.

Role: Controller

Data Importer

Name: Service Provider that is permitted to perform the Services for Client under the Agreement between Client and Service Provider.

Contact Details: the email and mailing address(es) of Service Provider’s primary contact person(s) as set out in the Agreement.

Activities relevant to the data transferred: Provision of the software and/or services provided by Service Provider pursuant to the Agreement.

Role: Processor


  B. Description of Transfer:

Categories of Data Subjects whose Personal Data is transferred 

The Categories of Data Subjects may include the following:

  • Employees and contact persons of Client.
  • Prospects, customers, vendors, suppliers, and business partners of Client (who are natural persons).
  • Such other Personal Data that Client makes available to Service Provider for Processing on Client’s behalf in connection with Service Provider’s performance of the Services, as determined and controlled by Client and set forth in the Agreement and any data classification forms completed by Client pursuant to the Agreement.


Categories of Personal Data transferred

The Personal Data may include the following categories of data:


  • Business contact details
  • Personal contact details
  • Human Resources Data
  • System Access / Usage / Authorization Data
  • Contract and Invoice Data
  • Such other Personal Data that Client makes available to Service Provider for Processing on Client’s behalf in connection with Service Provider’s performance of the Services, as determined and controlled by Client and set forth in the Agreement and any data classification forms completed by Client pursuant to the Agreement.


Subject Matter, Nature, and Purposes of Processing

The subject matter of the Processing is Service Provider’s provision of the software and/or services described in the Agreement. The nature and purpose of the Processing is Service Provider’s provision of the software and/or services described in the Agreement.

Period for which Personal Data Will be Processed and Retained

Personal Data will be Processed and retained for the duration of the Agreement and subject to Section 8 (Data Destruction and Return) of the Addendum.

Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Transfers will be made on a continuous basis.

For transfers to Subprocessors, the subject matter, nature, and duration of the processing

The subject matter, nature, and duration of processing undertaken by Subprocessors will be the same as set forth in the Addendum and this Schedule 1 with respect to Service Provider and shall be in accordance with Section 4 (Subprocessors) of the Addendum.

C. Competent Supervisory Authority

Under the 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause) entered into by the parties pursuant to Section 9.1 of the Addendum under Module 2 (Transfer Controller to Processor) and Module 3 (Transfer Processor to Processor), the supervisory authority will be the competent supervisory authority that has supervision over Client located in the EEA in accordance with Section 9.1.2.7 of the Addendum and Clause 13 of the 2021 EU Standard Contractual Clauses (Modules 2 and 3, with docking clause), provided that where Section 9.1.2.7(c) of the Addendum applies, the competent supervisory authority will be the Data Protection Commission of Ireland.


 SCHEDULE 2


MANDATORY OPERATIONAL, TECHNICAL AND ORGANISATIONAL MEASURES


Service Provider must implement an Information Security Management System that has policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction and has at least the following controls:


1. Access Controls – policies, procedures, and physical and technical controls: (i) to limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Personal Data where appropriate.

2. Security Awareness and Training – a security awareness and training program that includes the processing/handling of personal data for all members of Service Provider’s workforce (including management), which includes training on how to implement and comply with its information security program.

3. Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.

4. Contingency Planning – policies and procedures including a data backup plan and a disaster recovery plan for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic, and natural disaster) that prevents access to or damages Personal Data or systems that contain Personal Data.

5. Device and Media Controls – policies and procedures that govern the receipt and removal of paper, hardware and electronic media that contain Personal Data into and out of a Service Provider facility and the movement of these items within a Service Provider facility, including policies and procedures to address the final disposition of Personal Data, and/or the paper, hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.  Devices shall use encryption consistent with industry standards and Article 32 GDPR.

6. Systems Monitoring and Logging – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

7. Network Security – Policies and procedures to maintain physical and technical controls to monitor and protect its network and systems against external intrusion including, but not limited to: implement secure gateways of the Service Provider’s network, utilize firewall technology at both ingress and egress points, system patches and security updates with regular reviews, approvals, and installations, restricted secure access connections for external networks, encryption protocols for network data transfers, and digital certificates to maintain integrity and non-repudiation for externally facing assets.

8. Storage and Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over electronic communications, including a mechanism to encrypt Personal Data in electronic form while in transit and in storage on networks or systems.

9. Assigned Security Responsibility – Service Provider will designate a security official responsible for the development, implementation, and maintenance of its information security program. Service Provider will inform Client as to the person responsible for security.

10. Vulnerability Management – Service Provider will regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. Service Provider will periodically identify reasonably foreseeable internal and external risks to the security, confidentiality, availability and integrity of the Personal Data, and ensure that these risks are addressed, including, but not limited to, system patches and security updates with regular reviews, approvals, and installations. Service Provider will conduct vulnerability management appropriate to risk; tests may be conducted internally or by qualified independent reviewers, at Service Provider’s discretion.

11. Adjust the Program – Service Provider will monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Service Provider or the Personal Data, and Service Provider’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.  
Annex – U.S. State Law Addendum

For purposes of the California Consumer Privacy Act as amended by the CPRA, and similar U.S. state privacy laws (including but not limited to the Colorado Privacy Act, Virginia Consumer Data Protection Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, and Oregon Consumer Privacy Act), Service Provider acts as a 'service provider' or 'processor' on behalf of Client. Service Provider will not 'sell' or 'share' Personal Data, use it for cross-context behavioral advertising, or combine it with other data except as permitted under applicable law and this Addendum. Any assistance provided to Client under these laws shall be limited to available tools and provided at Client’s cost.
Annex – Global Data Privacy Addendum

For purposes of other global data privacy laws, including Brazil’s LGPD, South Africa’s POPIA, and China’s PIPL, Service Provider will comply only to the extent legally required, using commercially reasonable efforts. Any additional measures, filings, or contractual commitments required under such laws will be implemented only if mutually agreed in writing, and all associated costs shall be borne by Client. Nothing in this Annex expands Service Provider’s liability beyond that set forth in the Agreement or this Addendum.