DATA PROTECTION ADDENDUM

In this Data Protection Addendum (“DPA”) defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition in this DPA the following definitions have the meanings given below:

1. Introduction & Definitions

“Applicable Law” means applicable laws in the United Kingdom from time to time.

 

“Appropriate Safeguards” means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time.

 

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

“Customer Account Data” means personal data that relates to Customer’s relationship with Salesfire, including the names or contact information of individuals authorised by Customer to access Customer’s account, in addition to billing information. Customer Account Data also includes any personal data Salesfire may need to collect for the purpose of identity verification.

 

“Customer Content” means (a) personal data exchanged as a result of using the Services (as defined below), such as text message bodies, voice and video media, images, email bodies, email recipients, sound, and, where applicable, details the Customer submits to the Services from its designated software applications and services and (b) data stored on Customer’s behalf such as communication logs within the Services or marketing campaign data that Customer has uploaded to the Services (as defined below).

 

“Customer Data” means data and other information made available by you to Salesfire in connection with your use of the Services under our Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content, End User and Protected Data, each as defined in this Addendum.

 

“Customer Usage Data” means data processed by Salesfire for the purposes of transmitting or exchanging Customer Content utilising phone numbers either through the public switched telephone network or by way of other communication networks. Customer Usage Data includes data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimise and maintain performance of the Services, and investigate and prevent system abuse.

 

“Data Protection Law” means all laws and regulations applicable to Salesfire’s processing of personal data under the Agreement including but not limited to the Data Protection Act 2018, which incorporates General Data Protection Regulations (“GDPR”), and any statutes or regulations which implement those laws.

 

“Data Protection Losses” means all liabilities including all:

 

(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage) and;

(b) to the extent permitted by Applicable Law; 

(c) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

(d) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and

(e) the reasonable costs of compliance with investigations of a Supervisory Authority.

 

“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

“Data Subject Request” means a request made by a Data Subject to exercise any right of a Data Subject under Data Protection Laws.

 

“End User” means a Data Subject who has requested or consented to receive marketing communications from the Customer.

 

“Personal Data” means any information relating to a Data Subject.

 

“Processor” means the entity which processes personal data on behalf of the controller.

 

“Processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

 

“Protected Data” means the Personal Data in the Customer Data. 

 

“Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.

 

“Services” means the products and services provided by Salesfire or its affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an Order Form.

 

“Service Usage Data” means any data that is derived from the use of the Services that does not directly or indirectly identify the Customer or an End User, or any natural person and includes (a) data such as volumes, frequencies, bounce rates, and Service performance data and (b) subject to any restrictions under applicable law or regulation, data that is anonymized, de-identified, and/or aggregated such that it could no longer directly or indirectly identify you, or any natural person. 

 

“Salesfire Privacy Policy” means the privacy policy for the Services, the current version of which is available at https://www.salesfire.co.uk/legal/privacy-policy/.

 

“Sub-processor” means another Processor engaged by Salesfire for carrying out processing activities in respect of the Sensitive Data on behalf of the Customer in order to provide the Services to the Customer. 

 

“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws. 

 

“Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.

 

“Transfer” has the meaning set out in Article 4 of the UK GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly.

 

Any capitalised term not defined in this section will have the meaning provided in this Addendum or the Agreement.

2. Controller and Processor

2.1 Salesfire and the Customer agree that, for the Protected Data, the Customer shall be the Controller and Salesfire shall be the Processor. Nothing in this Agreement relieves the Customer of its responsibilities or liabilities under any Data Protection Laws.

 

2.2 Salesfire shall process Protected Data in compliance with the obligations under Data Protection Laws in respect of its performance of its and the responsibilities under our Agreement, and the terms of our Agreement.

 

2.3 The Customer shall ensure that it, and each Authorised User shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data, the use of the Services and the exercise and performance of its respective rights and obligations under our Agreement, including all relevant regulatory registrations and notifications as required under the Data Protection Laws, as well as the terms of our Agreement.

 

2.4 The Customer warrants, represents and undertakes, that at all times:

 

(a) all Protected Data (if to be processed in accordance with our Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;

(b) fair processing and other information notices have been provided to the Data Subjects of the Protected Data ( and all such consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by Salesfire and its Sub-Processors in accordance with our Agreement;

(c) the Protected Data is accurate and up to date;

(d) it shall maintain complete and accurate back-ups of all Protected Data provided to Salesfire so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption if such Protected Data by Salesfire or any other person; and

(e) all instructions given to Salesfire in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

3. Instructions and Details of Processing

3.1 In respect of Salesfire processing of Protected Data on behalf of the Customer, it shall:

 

(a) unless required to do so by Applicable Law, (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions (Processing Instructions);

(b) If Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, Salesfire shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest);

(c) shall promptly inform the Customer if it becomes aware of a Processing Instruction that, in it’s reasonable opinion, infringes Data Protection Laws, and to the maximum extent permitted by mandatory law, Salesfire shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information.

 

3.2 The Customer shall be responsible for ensuring that all Authorised User’s read and understand the Privacy Policy (as may be updated from time to time).

 

3.3 The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Services by an Authorised User will be a Processing Instruction. The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledge that if any Protected Data is deleted pursuant to any such command Salesfire is under no obligation to seek to restore it.

 

3.4 Subject to the Order, the processing of the Protected Data by Salesfire under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Schedule 1.

4. Technical & Security Measures

4.1 Reflecting the nature of the processing, Salesfire shall implement and maintain appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Protected Data and against accidental loss or destruction of, or damage to, Protected Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Protected Data to be protected, having regard to the state of technological development.

5. Staff & Sub-processors

5.1 The Customer provides a general authorisation for Salesfire to appoint the Sub-Processors listed at www.salesfire.com/legal/approved-sub-processors. Salesfire may update this list from time to time and will inform the Customer by email of any update, provided the Customer has subscribed for the notification service on the above website address. The Customer may object to Salesfire's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection, within 30 days of any change being made. In the event of such an objection, Salesfire shall be entitled to terminate the Agreement if the Services become commercially unreasonable without the addition or replacement of the relevant Sub-Processor.

 

5.2 Salesfire shall:

 

(a) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Addendum that is enforceable by Salesfire (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);

(b) ensure each such Sub-Processor complies with all such obligations; and

(c) remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

 

5.3 Salesfire shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case it shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

6. Assistance with Compliance and Data Subject Rights

6.1 Salesfire shall refer all Data Subject Requests it receives to the Customer without undue delay, and shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Salesfire) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:

 

(a) security of processing;

(b) data protection impact assessments (as such term is defined in Data Protection Laws);

(c) prior consultation with a Supervisory Authority regarding high risk processing; and

(d) notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.

7. International Provisions

7.1 Salesfire shall not Transfer any Protected Data to any country outside of the UK or EEA unless:

 

(a) such Transfer is solely for the purpose set out in Annex 1;

(b) an adequacy decision has been made in relation to the relevant country or Appropriate Safeguards are in place;

(c) the Data Subject has enforceable rights and effective legal remedies; and

(d) such Transfer is in accordance with Data Protection Laws and our Agreement and the provisions of our Agreement shall constitute the Customer’s instructions with respect to Transfers in accordance with the provisions of section 3.

8. Information & Audit

8.1 Salesfire shall maintain, in accordance with Data Protection Laws, written records of all categories of processing activities carried out on behalf of the Customer.

 

8.2 Salesfire shall, on request by the Customer, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate it’s compliance with its obligations under this Data Protection Addendum and Article 28 of the UK GDPR and allow for audits, including inspections, by the Customer for this purpose provided:

 

(a) such audit, inspection or information request is reasonable, limited to information in Salesfire’s (or any Sub-Processor’s) possession or control and is subject to the Customer giving Salesfire reasonable prior notice of such audit, inspection or information request;

(b) the Customer pays Salesfire’s reasonable costs in allowing any audit or inspection (unless such audit or inspection is required by a Supervisory Authority or due to a breach by Salesfire of this Data Protection Addendum);

(c) the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Customer shall comply (including to protect the security and confidentiality of other customers, to ensure Salesfire is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this clause 8.2);

(d) the Customer’s rights under this paragraph 8.2 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if the Customer (acting reasonably) believes that Salesfire is in breach of this Data Protection Addendum;

(e) the Customer shall promptly report any non-compliance identified by the audit, inspection or release of information to Salesfire;

(f) the Customer shall ensure that all information obtained or generated by the Customer in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure required by Applicable Law);

(g) the Customer shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of Salesfire and each Sub-Processor; and

(h) the Customer shall ensure that each person acting on its behalf in connection with such audit or inspection shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of Salesfire or any Sub-Processor whilst conducting any such audit or inspection.

9. Security Incident notification

9.1 In respect of any Security Incident involving Protected Data, Salesfire shall, without undue delay notify the Customer of the Security Incident and provide details of the Security Incident.

10. Deletion of Protected Data and copies

10.1 Following the end of the provision of the Services (or part) relating to the processing of Protected Data the Salesfire shall dispose of Protected Data in accordance with its obligations under this Agreement.

 

10.2 Salesfire shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.

11. Compensation and claims

11.1 Subject always to the provisions of clause 7 of the Terms and Conditions, Salesfire shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:

 

(a) only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from Salesfire’s breach of that Agreement; and

(b) in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer.

 

11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

 

(c) make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and 

(d) consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under our Agreement for paying the compensation.

 

11.3 This clause 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

 

(a) to the extent not permitted by Applicable Law (including Data Protection Laws); and

(b) that it does not affect the liability of either party to any Data Subject.

12. Survival

12.1 This Data Protection Addendum shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of Salesfire or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely

SCHEDULE 1

Subject Matter of Processing:

The provision of conversion rate optimisation services including the transmission of business marketing communications to end users.

Duration of the Processing:

Until the earlier of final termination or final expiry of our Agreement, except as otherwise expressly stated in our Agreement.

Nature and Purpose of the Processing:

Processing in accordance with the rights and obligations of the parties under our Agreement;

 

Processing as reasonably required to provide the Services;

 

Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with our Agreement.

Type of Personal Data:

Name;

Address;

Mobile Number; 

Email address; and 

any additional data described in an Order Form.

Categories of Data Subjects:

Customers, and/or employees of the Customer, and such End Users of the Customer who have elected to receive marketing communications from the Customer.

 

Last Updated 5/03/2024