Updated: 21 October 2025
This Salable Data Processing Addendum dated 21 October 2025 (the “Addendum” or “DPA”) is between you and Salable Limited (a UK limited company with company number 12742248) (“Salable”). This Addendum, together with the Annex’s thereto attached, amends and forms part of the Salable End User License Agreement (the “Agreement”) and the Salable Website Terms and Conditions (the “Terms.”). This Addendum shall apply to all Personal Data processed by Salable.
2.1 The terms below shall have the following meanings:
2.1.1 “CCPA” means the California Consumer Privacy Act, as may be amended from time to time, and any rules or regulations implementing the foregoing.
2.1.2 “Controller” shall have the meaning as the context provides (i) as given in the GDPR; and additionally (ii) any "business” as defined under the CCPA.
2.1.2.1 "Data Controller" shall have the same meaning as Controller.
2.1.3 “Customer”, “you/You”, “your/Your” means, depending on the context, either (a) the entity or individual entering into the Agreement; or (b) the entity or individual using the Salable Website.
2.1.4 "Data Protection Law" means European Data Protection Law including UK GDPR and U.S. Data Protection Law that are applicable to the processing of Personal Data under this Addendum.
2.1.5 "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "appropriate technical and organisational measures” as used in this Addendum shall be defined as per the GDPR irrespective of whether GDPR, UK GDPR, or U.S. Data Protection Law applies.
2.1.6 "Data Subject Request" means a request from a Data Subject to exercise their rights under the applicable Data Protection Law(s) including right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to Processing, or the right not to be subject to an automated individual decision making.
2.1.7 "Europe" means, for the purposes of this Addendum, the member states of the European Economic Area, Switzerland and the United Kingdom.
2.1.8 "European Data Protection Law" means any data protection and privacy laws of Europe applicable to the Personal Data in question, including where applicable
2.1.8.1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom, the Data Protection Act 2018, UK GDPR and any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time;
2.1.8.2 “U.S. Data Protection Law” means data protection or privacy laws applicable to Personal Data in force within the United States, including the CCPA.
2.1.9 “Hosted Services” includes products and services which are commercially available via a cloud-based platform (or SaaS mechanism). Within the Atlassian context, this includes Cloud variants of Salable products available via Atlassian Cloud platforms. This also includes Slack and Trello apps, which are made available via cloud-based SaaS platforms available from those vendors.
2.1.10 “Processor” means, as the context provides, (i) a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller as defined by the GDPR ; and additionally (ii) “service provider” as defined by the CCPA.
2.1.10.1 "Data Processor" shall have the same meaning as Processor.
2.1.11 “Product” means Salable’s software as well as hosted services which are commercially available via a Cloud based platform.
2.1.12 “Sensitive Personal Data” means any (i) special categories of personal data enumerated in European Union Regulation 2016/679, Article 9(1) or any successor legislation; (ii) patient, medical or other protected health information regulated by HIPAA; (iii) credit, debit or other payment card data subject to PCI DSS; (iv) other personal information subject to regulation or protection under specific laws such as the Gramm-Leach-Bliley Act (or related rules or regulations); (v) social security numbers, driver’s license numbers or other government ID numbers; or (vi) any data similar to the foregoing that is protected under foreign or domestic laws or regulations.
2.1.13 "Standard Contractual Clauses" means (i) the standard contractual clauses approved pursuant to the European Commission’s decision (C/2021/3972 of 4 June 2021, at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), as amended, superseded or replaced from time to time in accordance with this Agreement (“EU SCCs”); or (ii) the standard contractual data protection clauses issued, adopted or permitted under Article 46 of the UK GDPR (“UK SCCs”); as amended, superseded or replaced from time to time in accordance with this Agreement.
2.1.14 “Sub-Processor” means a third party data processor engaged by a Data Processor to Process Personal Data.
2.1.15 "UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the ICO in force as of 21 March 2022
3.1 Salable shall implement and maintain appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure in accordance with the provisions of Annex - Security detailed below.
3.2 Salable undertakes analysis of the risks presented by our processing and implements security measures and policies commensurate with the level of risk that is established. These measures and policies are periodically reviewed and may be updated from time to time.
3.3 Where a Personal Data Breach has occurred, Salable shall inform the Customer and, in accordance with relevant Data Protection Law, any other affected parties, without undue delay and take all reasonable measures to mitigate its possible adverse effects.
4.1 Salable shall Process Personal Data on behalf of,with the consent of and upon instruction from the Controller, in compliance with Article 6 of the GDPR. By entering into the Agreement (that this DPA is part of), You agree to the processing of Customer Personal Data in accordance with the terms thereof.
4.2 Customer Personal Data provided is used for the purposes of technical administration of the website, customer management in accordance with the Salable Terms and Conditions and Privacy Policy, the provision of Products to You in accordance with the Agreement, and to understand Customer needs and personalise content on the website.
4.3 Salable does not knowingly Process any Sensitive Personal Data.
4.4 Subject to the Clause “Deletion” of the Annex - Security of this Addendum, Personal Data shall be Processed for the duration of the Agreement unless otherwise agreed to in writing.
4.5 Personal Data shall be Processed as set out in the table below, which describes the Sub-Processors, the Personal Data being Processed (by category) and the Purpose (in terms of whether the purpose of using that Sub-Processor for Processing the Personal Data is for our website including marketing, our Hosted Services, on-premises Products or commercial or payment related, or other reason):
| Sub-Processor | Personal Data being processed | Purpose of the processing | ||||||
|---|---|---|---|---|---|---|---|---|
| Product General Data | Product Administrative Data | Product Personal Profile Data | Transactional and Commerce Data | In-product analytics data | Cookies | Interaction Data | ||
| Elastic.co | Yes | (On-premises) Products Hosted Services |
||||||
| AWS | Yes | Yes | Yes | Yes | Yes | (On-premises) Products Hosted Services |
||
| Vercel | Yes | Yes | Yes | Yes | Yes | Hosted Services | ||
| PlanetScale | Yes | Yes | Yes | Yes | Yes | Hosted Services | ||
| Clerk | Yes | Yes | Hosted Services | |||||
| Stripe | Yes | 3rd Party Payment providers | ||||||
| Paddle | Yes | 3rd Party Payment providers | ||||||
| Segment | Yes | (On-premises) Products Hosted Services |
||||||
| Yes | (On-premises) Products Hosted Services |
|||||||
| Hotjar | Yes | (On-premises) Products Hosted Services |
||||||
| Sentry | Yes | (On-premises) Products Hosted Services |
||||||
| Webflow | Yes | (On-premises) Products Hosted Services Website |
||||||
| Open.ai (API) | Yes | Hosted Services | ||||||
| Intercom | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 3rd Party Support platform |
| Atlassian (JSM) | Yes | Yes | Yes | Yes | Yes | No | Yes | 3rd Party Support platform |
Where the definitions of the different categories of Personal Data and examples are in the table below:
| Data Category | Definition of the Data Category | Personal Data |
|---|---|---|
| (Product) General Data | User generated or configured content or data such as scripts or configuration of cloud based products. | Such data may contain Personal Data depending on whether users configure products to include Personal Data, though it is not necessary by design. |
| (Product) Administrative Data | Automatically generated log files, account configuration, license management or similar data. | Depending on configuration: administrative login details. |
| (Product) Personal Profile Data | Data which relates to an individual user account; data held in a specific set of database tables and for a narrow purpose of logically identifying users. | This Personal Profile Data may include user names, display names and email depending on how the user configures the products. |
| Transactional and Commerce Data | Data related to specific purchases or transactions of products either via a 3rd party marketplace or Salable resource. | This may include Personal Data such as name, address or contact information depending on requirements for processing. |
| (Product) In-Product Analytics Data | This data includes user behaviour information, including but not limited to buttons clicked, pages viewed and actions taken while using one of our apps or browsing one of the connected websites. | This may include IP address. |
| Cookies | This type of data is used across the website, our hosted services and for multiple purposes including analytics, accounts - see the Privacy Policy for fuller details of different cookies. | Personal information to provide our services including: accounts creation & access for hosted services; the website. |
| Interaction Data | Includes information you provide us through website (potentially including support websites), communications with us in various, or through any social media platform. | Data which may include name, email, billing or shipping addresses, telephone numbers, screen names, user IDs (potentially with password) or similar depending on the nature of interaction. |
4.5.1 Notwithstanding other terms of this Addendum, and for the avoidance of doubt, the parties acknowledge and agree that:
4.5.1.1 Salable acts as a Controller in respect of the order management, sales relationship and invoicing process (i.e., for Transactional and Commerce Data within that scope) for all Products which are ordered under the terms of the Agreement.
4.5.1.2 The scope of this Addendum is for Data Processing for Salable’s Products only; in respect of Atlassian or other third party products:
i. Salable does not, by design and by default (see "Data Types: General Data" section in the Privacy Policy at https://www.salable.app/privacy-policy), process any personal data on Your behalf in respect of those Atlassian (or other third party) products,
ii. the Processor is Atlassian (or other third party) with whom You enter a separate and independent product or service agreement(s) and data processing agreement(s).
4.6 Categories for Data Subjects, Personal Data and lawful basis
The categories for Data Subjects and Personal Data are:
| Categories of Personal Data | Product Data Transactional and Commerce Data Interaction Data Cookies and Pixels , all as defined here: https://www.salable.app/privacy-policy |
|---|---|
| Categories of Data Subjects | Prospects, customers, business partners, employees, contractors and vendors of Customer (who are natural persons) Customer’s end users authorized by Customer to use the Products |
The lawful basis for collecting & processing your personal data is:
| Scope | Lawful Basis |
|---|---|
| In relation to Products | Contract performance |
5.1 You agree that this Clause, “Data Transfers” shall apply only to data that is protected by European Data Protection Law and subsequently transferred outside of Europe or any such territory which is subject to a current finding by the European Commission or by a competent United Kingdom authority under the applicable European Data Protection Law that the territory provides adequate protection for the privacy rights of individuals.
5.2 You acknowledge that Salable is a multinational company, with offices located in Europe, North America, Asia and Australia and that from time to time Personal Data may be transferred from one Salable entity, as listed in Annex - Salable Entities, to another Salable entity, in order to provide Customers with the best possible service, subject to the conditions under Clause 5.4.
5.3 You acknowledge that Salable may engage the Sub-Processors listed in Annex – Salable Entities to provide services to You, and that such Sub-Processors that have access to Personal Data may be located outside of Europe or any territory which has an adequacy decision in place, subject to the conditions under Clause 5.4.
5.4 Salable shall only process Personal Data outside of Europe or the UK under the following conditions:
5.4.1 The processing occurs in a territory which is subject to a finding by the European Commission or by a competent United Kingdom authority under the Data Protection Law which states that the territory provides adequate protection for the privacy rights of Data Subjects.
5.4.2 Salable has entered into a valid cross-border transfer mechanism under European Data Protection Law with the entity that will receive such information, either the EU SCCs or the UK SCCs (or UK Addendum). For the purposes of this Addendum, the EU SCCs shall be deemed completed as detailed in the DPA Annex - EU SCCs details, and the UK Addendum shall be deemed completed as detailed in the DPA Annex - UK Addendum, respectively.
6.1 Salable shall use commercially reasonable endeavours to promptly notify Customer, where appropriate, if it receives a Data Subject Request.
6.2 The Customer is responsible for ensuring all Data Subject Requests are handled in accordance with the applicable Data Protection Laws.
6.3 Taking into account the scope and nature of the Processing, Salable shall, by employing appropriate technical and organisational measures, where possible, assist Customer in view of fulfilling Customer’s obligations to respond to a Data Subject Request under the applicable Data Protection Law(s).
6.4 Salable shall, upon Customer’s request, use commercially reasonable efforts to assist Customer to respond to a Data Subject Request, to the extent Salable is legally permitted to do so, and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Salable’s provision of such assistance.
7.1 The Data Controller shall;
7.1.1 Comply with and demonstrate compliance with all applicable Data Protection Laws.
7.1.2 Maintain internal documentation which states how and why Personal Data is processed, to the extent required by applicable Data Protection Laws.
7.1.3 Comply with the ICO or any other relevant supervisory body, including notifying the relevant supervisory body of any Personal Data Breach within 72 hours of becoming aware of such a Breach unless the Breach does not risk the rights and freedoms of the Data Subject.
7.1.4 Notify the Data Subject of any Personal Data Breach which is likely to risk their rights and freedoms without undue delay.
7.1.5 Carry out a data protection impact assessment where the Processing of Personal Data is highly likely to risk the rights and freedoms of the Data Subject, consulting the relevant supervisory body where necessary.
7.1.6 Ensure that its instructions for the Processing of Personal Data shall comply with applicable Data Protection Law(s).
7.2 Controller shall have sole responsibility for the accuracy, quality, acquisition and legality of Personal Data.
7.3 You agree not to use Hosted Services for Processing of Sensitive Personal Data and that Salable has no liability under this Addendum for Processing for Sensitive Personal Data.
8.1 The Data Processor shall;
8.1.1 Process the Personal Data only in accordance with the written instructions of the Data Controller.
8.1.1.1 Customer agrees that this Addendum and the Agreement into which this Addendum is incorporated are Customer’s complete instructions to Salable for the processing of Personal Data.
8.1.2 Obtain authorisation from the Data Controller with regards to engaging a Sub-Processor and shall be responsible for the compliance of the Sub-Processor with all applicable Data Protection Law, as further set out in the terms of Clause “Sub-Processors” below.
8.1.3 Enable and contribute to compliance audits conducted by the Data Controller in accordance with Clause "Audits" of this Addendum.
8.1.4 Notify the Data Controller of any suspected Personal Data Breach without undue delay.
8.1.5 Keep detailed, accurate and up-to-date written records regarding any processing of the Customer Personal Data in accordance with European Data Protection Law(s) and shall provide them to You promptly upon request.
8.1.6 Notify promptly the Data Controller if, in its opinion, the Data Controller’s instructions do not comply with the Data Protection Laws.
8.1.7 Maintain the confidentiality of the Personal Data; the Data Processor will ensure that all of its employees and other persons who process Personal Data are informed of the confidential nature of the Personal Data and are bound by written or statutory confidentiality obligations and use restrictions in respect of the Personal Data.
9.1 Consent to Sub-Processors:
91.1 Customer acknowledges and agrees that Salable may engage as Sub-Processors its Affiliates and third party companies worldwide in connection with the provision of the Hosted Services.
9.2 Engagement of Sub-Processors:
9.2.1 Salable shall enter into a written agreement with each Sub-Processor containing data protection obligations no less protective than those in this Data Processing Addendum or as may otherwise be required by applicable Data Protection Laws. Salable shall remain fully liable to Customer for the performance of any Sub-Processor’s data protection obligations in relation to the provision of the Hosted Services.
9.2.1.1 Customer acknowledges and agrees that Salable may continue to use Sub-Processors who are already engaged by Salable as at the date of this Agreement.
9.3 Use of Sub-Processors:
9.3.1 Upon Customer’s request or as otherwise required by the applicable Data Protection Laws, Salable shall make available information about Sub-Processors that, to Salable’s actual knowledge, will process Personal Data, including their functions relevant to the provision of Salable Hosted Services and locations. This information may be made available by Salable online at a URL provided by Salable to Customer and may be updated by Salable from time to time.
9.4 New Sub-Processors and opportunity to object:
9.4.1 Salable will use commercially reasonable endeavours to inform You in a timely manner of recent and/or upcoming changes of Sub-Processors by periodically updating this Addendum or Customer portal or account information to provide details of Sub-Processors involved in the processing of Personal Data and who are engaged during the term of the Agreement.
9.4.2 If Customer can reasonably show that the use of a specific Sub-Processor will have a material adverse effect on Salable’s ability to comply with applicable Data Protection Laws, then Customer must promptly notify Salable in writing of its reasonable basis for objection to the use of a specific Sub-Processor.
9.4.3 Upon receipt of Customer’s written objection, if the following conditions apply: a) Customer has a termination right under applicable Data Protection Laws, and b) Customer has provided prompt written notice under this Clause, then Customer may terminate the Agreement only with respect to those Hosted Services that cannot be provided by Salable without the use of the specific Sub-Processor.
9.4.3.1 Unless prohibited by applicable Data Protection Laws, in the event of such early termination by Customer, Salable can retain or require payment for Hosted Services through the end of Customer’s current contract term for the terminated Hosted Services.
10.1 Where required in compliance with Article 28(3)(h) of the GDPR, You, acting as Controller, may be permitted to mandate a mutually agreed upon independent third party auditor to carry out audits and inspections on your behalf of the relevant systems and processes used directly in the processing of Your data to ensure compliance with the terms of this Addendum.
10.2 Such audits or inspections shall occur no more frequently than once a year. In addition to this, audits shall be (i) subject to defined scopes and mutually agreed timeframes, (ii) conducted during business hours and (iii) subject to reasonable notice in advance to Salable.
10.3 At no point shall any audit require Salable to disclose to You or any third-party representative of Yours any access to:
10.3.1 Salable client confidential information, or require Salable to breach any confidentiality obligations it has in place;
10.3.2 Salable trade secrets or confidential intellectual property (such as confidential algorithms, code, data, or business information);
10.3.3 Internal financial information, other than that which is already in the public domain;
10.3.4 Any information which may in our reasonable opinion be deemed to compromise the security of our premises or systems.
11.1 In the event that Customer requests Processor to provide assistance which goes beyond the Agreement terms relating to the Hosted Services or terms agreed in this Addendum, then the parties agree that Salable may charge Customer for any costs beyond the agreed upon fees in the Agreement to the extent it is not commercially reasonable for Salable to provide such assistance without charge (considering relevant factors such as volume of requests, complexity of Customer’s request or instructions, and timescale requested). This shall include, without limitation, costs incurred by Salable in executing Customer’s Instructions relating to the erasure, additional storage and/or retention of Customer’s Personal Data, compliance with any subject access request received by Customer, and audits.
12.1 This Addendum shall be in force until the latter of either the termination of the Agreement and/or the Terms, or until such point as the cessation of the processing of Your Personal Data has occurred.
12.2 Upon termination of the Addendum, Salable shall return or erase all Personal Data from their systems, retaining only such data as may be necessary to demonstrate compliance with any applicable laws and regulations or as reasonably may be required for archiving purposes. Any such retained data shall be subject to provisions no less onerous than those of this Addendum.
12.3 From time to time and at our sole discretion, Salable may publish updates or amendments or additions to this Addendum on its website with or without notice to you (the “Published DPA Updates”). “Necessary Published DPA Updates” means those Published DPA Updates which (1) do not materially reduce the level of data privacy protection set out in this Addendum, and (2) are: (i) necessary or required for continued effective execution of Salable’s obligations under this Addendum, commercial operation or provision of the applicable Products, including to reflect changes over time for underlying technical architecture, design and operational decisions relating to the Products; or (ii) mandatorily required under Data Protection Law, including notifying company structure changes.
12.3.1 You hereby give your written consent that through your continued use of the Products under the terms of the Agreement, you agree to the terms of Necessary Published DPA Updates, and that these shall supersede terms of this Addendum.
13.1 Order of Precedence: This Addendum is incorporated into and forms part of the Agreement. For matters not addressed by this Addendum, the terms of the Agreement will apply. In the event of a conflict or inconsistency between the terms of the Agreement and this Addendum, the terms of this Addendum will prevail.
Salable is committed to working with You to ensure compliance with all applicable laws and regulations concerning the protection of Personal Data. Should you wish to exercise any of the rights outlined in this Addendum, or have further queries with regards to this Addendum, please contact us at contractuals@adaptavist.com.
IN WITNESS WHEREOF, the parties have authorised the entering into this Addendum in their applicable roles of Controller and/or Processor as stated below, as of the Effective Date which is defined below and by the signatories set out below.
| Effective Date of this Addendum | |
|---|---|
| Signed for and on behalf of Salable | Signed for and on behalf of the Customer |
| Role of the party for this Addendum (select or specify as applicable) - Processor: Yes |
Role of the party for this Addendum (select or specify as applicable) - Controller: Yes |
| Salable Ltd Adaptavist, 25 Wilton Road, Victoria, London, United Kingdom, SW1V 1LW |
Customer company name and address: |
| Name: | Name: |
| Title: | Title: |
| Signature: |
Signature: |
| Date of Signature: | Date of Signature: |
DPA Annex- Adaptavist Entities
| Entity | Location |
|---|---|
| Adaptavist (Bilisim) Teknolojileri Limited Sirketi | Sisli, Turkey |
| Adaptavist (Switzerland) GmbH | Zug, Switzerland |
| Adaptavist B.V | Amsterdam, Netherlands |
| Adaptavist Canada Limited | Ontario, Canada |
| Adaptavist Cyprus Limited | Cyprus |
| Adaptavist d.o.o. | Zagreb, Croatia |
| Adaptavist Germany GmbH | Cologne, Germany |
| Adaptavist HK Ltd | Hong Kong |
| Adaptavist Inc. | California, USA |
| Adaptavist Italy S.r.l | Milan, Italy |
| Adaptavist Limited Greek Branch | Athens, Greece |
| Adaptavist OÜ | Tallin, Estonia |
| Adaptavist Pty Ltd | Sydney, Australia |
| Adaptavist Sendirian Berhad | KL, Malaysia |
| Adaptavist Singapore PTE Ltd | Singapore |
| Adaptavist South Africa (Pty) Ltd | South Africa |
| Adaptavist Spain SL | Madrid, Spain |
| Adaptavist UA LLC | Kyiv, Ukraine |
| Adaptavist UK Services Limited | United Kingdom |
| ARUK Global Limited | United Kingdom |
| Clever Consultants Limited | United Kingdom |
| Adaptavist FZE | Dubai, UAE |
DPA Annex- Security
Annex- Security
DPA Annex - SCCs for EU GDPR
The terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply as follows:
Applicable Module(s):
Only MODULE TWO: Transfer controller to processor shall apply.
Details for Module II – Controller to Processor
| Clause 7 - Docking Clause | Shall not apply. |
|---|---|
| Clause 9(a) - Use of Sub-Processors | Option 1 under Clause 9 shall apply. The data importer shall notify the data exporter 30 days in advance of any intended changes (via addition or replacement) to the list of sub- processors. |
| Clause 11 – Redress | The optional language shall not apply. |
| Clause 13 | The data exporter’s competent Supervisory Authority will be determined in accordance with the GDPR and/or the SCCs. |
| Clause 17 – Governing law | TOption 1 shall apply; the Parties agree that the SCCs shall be governed by the laws of the Republic of Ireland. |
| Clause 18(b) - Jurisdiction | Disputes will be resolved before the courts of the Republic of Ireland. |
Details for the Annexes of the EU SCCs:
Annex I.A – List of Parties
| Customer | Salable | |
|---|---|---|
| Role | Controller | Processor |
| Relevant activities | Use of the Product | Provision of the Product as set out in the Agreement and/or the applicable purchase order. |
| Name, address, and contact details | As detailed in the Agreement or the applicable purchase order. | |
| Signature and date | By entering into the Agreement and/or DPA, the parties are deemed to have signed these SCCs incorporated herein in this Addendum, as of the Effective Date of the Agreement. | |
Annex I.B – Description of Transfer: As detailed in clauses 4 and 5 of this Addendum, as applicable.
Annex I.C – Competent Supervisory Authority (in accordance with Clause 13):
The competent supervisory authority shall be that of the Republic of Ireland, unless otherwise determined in accordance with the GDPR and/or the SCCs.
Annex II –Technical and Organizational Measures: As detailed in the DPA Annex - Security.
Annex III – List of Sub-Processors: As detailed in clause 4.5 of this Addendum as well as the DPA Annex - Salable Entities.
DPA Annex - UK Addendum (for data processing/GDPR)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018:
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| Start date | The Effective Date of the Agreement and/or the applicable purchase order. | |
|---|---|---|
| The Parties | Exporter (who sends the Restricted Transfer). | Importer (who receives the Restricted Transfer). |
| Parties’ details | Customer entering into the Agreement and/or as set out on a purchase order or order form for Products | Salable Ltd |
| Key Contact | Full Name (optional): Job Title: Contact details including email: |
Full Name (optional): Job Title: Contact details including email: |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | ☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Reference (if any): Other identifier (if any): Or ☑ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) |
Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
|---|---|---|---|---|---|---|
| 2 | 2 | Not applicable | Not applicable | General Written Authorisation | 30 days | No |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: Salable Ltd and Customer entering into the Agreement and/or as set out on a purchase order or order form for Products |
|---|
| Annex 1B: Description of Transfer: As set out in clauses 4 and 5 of this DPA |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in DPA ANnex Security of this DPA. |
| Annex III: List of Sub processors (Modules 2 and 3 only): s set out in clause 4.5 of this DPA.. |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☑ Importer ☑ Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1) Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2) Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3) Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
|---|---|
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4) This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5) If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6) If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7) If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9) Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10) Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11) Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12) This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b) Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c) this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13) Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14) No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15) The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a) References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b) In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c) Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d) Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e) Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g) References to Regulation (EU) 2018/1725 are removed;
h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j) Clause 13(a) and Part C of Annex I are not used;
k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l) In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m) Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n) Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o) The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16) The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17) If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18) From time to time, the ICO may issue a revised Approved Addendum which:
a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b) reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19) If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a) its direct costs of performing its obligations under the Addendum; and/or
b) its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20) The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
By entering into the Agreement, the parties are deemed to have signed this UK Addendum incorporated herein, as of the Effective Date of the Agreement.