SalesQL Data Processing Addendum

Version 1.3 | Updated 24 May 2026 | Effective 7 May 2026

This document is only available in English.

The English version is the legally binding version. The site interface is translated as a convenience.

This Data Processing Addendum (this "DPA") forms part of the agreement between SALESQL LTD ("SalesQL", "we", "us" or the "Processor"), a private limited company registered in England and Wales under company number 11982774, and the customer ("Customer" or the "Controller") that has accepted the SalesQL Terms of Service or has otherwise entered into an agreement with SalesQL for the use of the Services (the "Agreement"). This DPA is incorporated into the Agreement by reference.

This DPA applies where SalesQL processes Customer Personal Data on behalf of the Customer in the course of providing the Services. It does not apply to Profile Data, which SalesQL processes as an independent controller; the Customer's processing of Profile Data is addressed in the SalesQL Terms of Service and the SalesQL Privacy Policy.

By accepting the Agreement (including by clicking "I agree", creating an Account, or otherwise using the Services), the Customer accepts this DPA. Where the Customer requires a counter-signed copy of this DPA, the Customer may request one by writing to legal@salesql.com; SalesQL will return a counter-signed copy reasonably promptly.

#1. Definitions

In this DPA, capitalised terms used but not defined have the meanings given in the Agreement. The following additional definitions apply:

Term: Meaning

Applicable Data Protection Law: All laws and regulations relating to the processing of personal data and privacy that apply to the parties' performance under this DPA, including: the UK General Data Protection Regulation as it forms part of UK domestic law (the "UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), Regulation (EU) 2016/679 (the "EU GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and other US state privacy laws, as applicable.

Controller, Processor, Subprocessor, Data Subject, Personal Data, Personal Data Breach, Processing, Special Category Personal Data, Supervisory Authority: Have the meanings given in the UK GDPR / EU GDPR (or the equivalent meanings under other Applicable Data Protection Law).

Customer Personal Data: Personal Data included in Customer Data and processed by SalesQL on behalf of the Customer in the course of providing the Services.

EU SCCs: The standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Permitted Affiliates: Any affiliate of the Customer that (i) is permitted to use the Services under the Agreement, (ii) has not entered into its own separate agreement with SalesQL, and (iii) is bound by terms no less protective than this DPA with respect to its use of the Services.

Profile Data: Personal data about Business Contacts that SalesQL collects, generates, verifies and maintains in the SalesQL Profiles Database, as further described in the Privacy Policy. Profile Data is processed by SalesQL as a controller.

Restricted Transfer: A transfer of Customer Personal Data from a jurisdiction in which the transfer requires an adequacy mechanism, standard contractual clauses or equivalent safeguard (including the EEA, the UK and Switzerland) to a jurisdiction that does not benefit from an adequacy decision applicable to that transfer.

Subprocessor: Any third party engaged by SalesQL to process Customer Personal Data in the course of providing the Services.

UK Addendum: The international data transfer addendum to the EU Commission Standard Contractual Clauses, version B1.0, in force 21 March 2022, issued by the UK Information Commissioner.

UK IDTA: The UK International Data Transfer Agreement, version A1.0, in force 21 March 2022, issued by the UK Information Commissioner.

#2. Roles, scope and duration of processing

#2.1 Roles

For Customer Personal Data, the Customer is the Controller and SalesQL is the Processor. The Customer's Permitted Affiliates whose Personal Data is processed under the Agreement are also Controllers of their respective Customer Personal Data; for the purposes of this DPA, they are deemed represented by, and act through, the Customer.

For Profile Data and other Personal Data SalesQL processes for its own purposes (such as for the operation of the SalesQL website, accounts, analytics, fraud prevention and Service-improvement activities), SalesQL is a Controller. Such processing is outside the scope of this DPA and is addressed in the Privacy Policy.

#2.2 Subject-matter and duration

The subject-matter of the processing under this DPA is the provision of the Services to the Customer. The duration of the processing is the duration of the Agreement and any additional period required for SalesQL to comply with its deletion or return obligations under Section 13 or Applicable Data Protection Law.

#2.3 Nature and purpose of processing

SalesQL processes Customer Personal Data for the purposes of providing the Services to the Customer in accordance with the Agreement, the Customer's documented instructions, and Applicable Data Protection Law. The nature of the processing is described in further detail in Annex 1 (Description of Processing).

#2.4 Types of Personal Data and categories of Data Subjects

The categories of Customer Personal Data and Data Subjects are set out in Annex 1.

#3. Customer instructions and Customer obligations

#3.1 Documented instructions

SalesQL will process Customer Personal Data only on documented instructions from the Customer. The Agreement (including this DPA, the Customer's use of the Services in accordance with the Documentation, and any specific written instructions provided by the Customer that SalesQL has accepted in writing) constitutes the Customer's complete and final documented instructions. Additional or alternative instructions may be agreed in writing between the parties from time to time.

#3.2 Where SalesQL is required by law to process beyond instructions

If SalesQL is required by Applicable Data Protection Law to process Customer Personal Data otherwise than on the Customer's instructions, SalesQL will (where legally permitted) inform the Customer of that legal requirement before processing.

#3.3 Customer warranties and obligations

The Customer represents, warrants and undertakes that:

  • it has all necessary rights, lawful bases, consents and notifications in place for the processing of Customer Personal Data, including for SalesQL's processing under this DPA and for any onward transfers to Subprocessors and to other recipients of Customer Personal Data described in the Agreement;
  • the Customer's instructions to SalesQL comply with Applicable Data Protection Law;
  • the Customer has provided to Data Subjects all notices required by Applicable Data Protection Law (including under Articles 13 and 14 UK/EU GDPR), in respect of the processing performed by SalesQL under this DPA;
  • the Customer's use of the Services, including with respect to outbound communications sent through Campaigns, complies with Applicable Data Protection Law and with the additional Customer compliance obligations set out in the Terms of Service.

#3.4 Notification of unlawful instructions

SalesQL will notify the Customer if, in SalesQL's opinion, an instruction infringes Applicable Data Protection Law. This is without prejudice to SalesQL's right to refuse to comply with an unlawful instruction.

#4. Personnel and confidentiality

SalesQL will:

  • ensure that personnel authorised to process Customer Personal Data are bound by appropriate written confidentiality obligations or are under a statutory duty of confidentiality;
  • limit access to Customer Personal Data to personnel who need access to perform their duties;
  • provide appropriate training to those personnel in respect of data protection.

#5. Security

#5.1 Technical and organisational measures

SalesQL will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. The current measures are described in Annex 2 (Technical and Organisational Measures).

#5.2 Updates

SalesQL may update Annex 2 from time to time, provided that the overall level of security is not materially decreased.

#6. Subprocessors

#6.1 General authorisation

The Customer grants SalesQL a general authorisation to engage Subprocessors to process Customer Personal Data, subject to the conditions in this Section 6.

#6.2 Current Subprocessors

SalesQL maintains a current list of Subprocessors at https://salesql.com/legal/subprocessors. The Customer is deemed to have approved the engagement of all Subprocessors listed at the effective date of the Agreement.

#6.3 New Subprocessors

SalesQL will give the Customer at least 30 days' notice before authorising a new Subprocessor. Notice may be provided through the Subprocessors page, by email, or by another in-Service notification mechanism. To receive Subprocessor change notifications by email, the Customer may write to legal@salesql.com with the subject line "Subscribe — Subprocessors notifications".

#6.4 Objection right

The Customer may, in good faith and with reasonable grounds relating to data protection, object in writing to a new Subprocessor within the notice period set out in Section 6.3. SalesQL will discuss the objection with the Customer in good faith. If the parties cannot agree, the Customer may terminate the affected portion of the Subscription with respect to which the new Subprocessor is engaged, and SalesQL will refund Fees pre-paid for the unused portion of the Subscription Term.

#6.5 Subprocessor obligations

SalesQL will impose on each Subprocessor data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures and to ensure that the processing meets the requirements of Applicable Data Protection Law. SalesQL remains liable to the Customer for the performance of each Subprocessor's data protection obligations.

#7. International transfers

#7.1 Locations

The Customer authorises SalesQL to transfer Customer Personal Data to the locations identified for SalesQL and its Subprocessors at https://salesql.com/legal/subprocessors and in Annex 3.

#7.2 Restricted Transfers — EU SCCs

Where SalesQL receives Customer Personal Data subject to the EU GDPR by way of a Restricted Transfer, the EU SCCs Module 2 (Controller to Processor), in the Annex to Commission Implementing Decision (EU) 2021/914, are incorporated into this DPA by reference and apply to such transfer. The parties agree that:

  • Clause 7 (Docking Clause) applies.
  • Clause 9 (Use of subprocessors) applies, with Option 2 (general written authorisation) selected, and the time period for prior notice of subprocessor changes is 30 days as set out in Section 6.3.
  • Clause 11 (Redress) optional language does not apply.
  • Clause 17 (Governing law): Irish law applies, unless the Customer is established in another EU Member State, in which case the law of that Member State applies.
  • Clause 18 (Choice of forum and jurisdiction): the courts of Ireland, unless the Customer is established in another EU Member State, in which case the courts of that Member State.
  • The Annexes to the EU SCCs are completed as set out in Annex 4 of this DPA.

Where SalesQL transfers Customer Personal Data to a Subprocessor outside the EEA in the course of providing the Services, EU SCCs Module 3 (Processor to Processor) is incorporated and applies to that onward transfer, completed mutatis mutandis.

#7.3 Restricted Transfers — UK Addendum

Where SalesQL receives Customer Personal Data subject to the UK GDPR by way of a Restricted Transfer, the UK Addendum is incorporated into this DPA by reference and applies to such transfer. The parties agree that:

  • The information for Tables 1 to 3 of the UK Addendum is as set out in Annex 4.
  • Table 4: neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

The parties may alternatively use the UK IDTA in lieu of the UK Addendum for any Restricted Transfer, where mutually agreed.

#7.4 Restricted Transfers — Swiss FADP

Where SalesQL receives Customer Personal Data subject to the Swiss FADP by way of a Restricted Transfer, the EU SCCs are deemed amended as follows:

  • references to the EU GDPR are also references to the Swiss FADP;
  • references to "EU", "Member States" and "EU Member State" are interpreted to include Switzerland;
  • references to "supervisory authority" include the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the courts of Switzerland;
  • the governing law for transfers exclusively subject to the Swiss FADP is Swiss law.

#7.5 Schrems II supplementary measures

In addition to the contractual safeguards above, SalesQL applies and contractually requires its Subprocessors to apply the supplementary technical, contractual and organisational measures set out in Annex 5 (Schrems II Supplementary Measures), which include encryption in transit and at rest where applicable, contractual challenge of disproportionate government access requests, and transparency reporting in accordance with applicable law.

#7.6 Conflict

In the event of a conflict between this DPA and the EU SCCs, UK Addendum, UK IDTA, or Swiss adaptations referenced above with respect to a Restricted Transfer, the SCCs / Addendum / IDTA / Swiss adaptations prevail with respect to that Restricted Transfer.

#8. Assistance with Data Subject rights

#8.1 Direct requests

If SalesQL receives a request from a Data Subject in respect of Customer Personal Data (such as a request for access, rectification, erasure, restriction, portability or objection), SalesQL will, without undue delay, refer the Data Subject to the Customer and inform the Customer of the request, except where SalesQL is required by Applicable Data Protection Law to respond directly.

#8.2 Functionality and assistance

Taking into account the nature of the processing, SalesQL will assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to Data Subject rights requests in respect of Customer Personal Data. Such assistance includes the functionality made available within the Services and reasonable cooperation with Customer-initiated rights-handling processes. Additional support beyond that available in the Services may be provided at SalesQL's standard rates.

#9. Personal Data Breach

#9.1 Notification

SalesQL will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent then known, the information required by Article 33(3) UK/EU GDPR.

#9.2 Cooperation

SalesQL will cooperate with the Customer and provide such information as the Customer reasonably requires to meet its breach-notification obligations under Applicable Data Protection Law. Notification of a Personal Data Breach is not, in itself, an admission of fault or liability.

#9.3 Mitigation

SalesQL will take reasonable steps to investigate, contain, mitigate and remediate the effects of the Personal Data Breach.

#10. Data Protection Impact Assessments and prior consultation

Taking into account the nature of the processing and the information available to SalesQL, SalesQL will provide reasonable assistance to the Customer in respect of any data protection impact assessment, and any prior consultation with a Supervisory Authority, that the Customer is required to carry out in connection with the Services. Additional support may be provided at SalesQL's standard rates.

#11. Audits

#11.1 Information

SalesQL will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 UK/EU GDPR and equivalent provisions in this DPA, including by providing the Customer with relevant Service Documentation, this DPA, the Privacy Policy, the AUP, the Subprocessors page, Annex 2 of this DPA, and any third-party security assessment reports, attestations or certifications that SalesQL elects to make available from time to time.

#11.2 Audit

To the extent the information made available under Section 11.1 is insufficient to demonstrate compliance, the Customer may, on no fewer than 30 days' prior written notice and not more than once per calendar year (except where required following a Personal Data Breach affecting Customer Personal Data or where required by a Supervisory Authority), conduct or have a mutually agreed independent third-party auditor conduct an audit of SalesQL's compliance with this DPA. The audit will:

  • be conducted at the Customer's expense;
  • be subject to confidentiality obligations no less protective than those in the Agreement;
  • not unreasonably interfere with SalesQL's business operations;
  • not include access to information of other customers, internal pricing or commercially sensitive information not strictly required to demonstrate compliance.

The parties will agree the scope, timing and methodology of the audit in good faith. SalesQL will use reasonable efforts to address any material findings in a timely manner.

#12. Special category data

The Services are not designed to process Special Category Personal Data. The Customer must not upload or otherwise submit Special Category Personal Data through the Services without SalesQL's prior written consent and an additional written agreement specifying the additional safeguards that will apply.

#13. Deletion or return at the end of processing

#13.1 At the Customer's choice

At the end of the provision of the Services, SalesQL will, at the Customer's choice (expressed in writing within 30 days of the end of the provision of Services):

  • delete Customer Personal Data; or
  • return Customer Personal Data in a structured, commonly used and machine-readable format and delete existing copies.

If the Customer does not express a choice within 30 days, SalesQL will delete Customer Personal Data.

#13.2 Retention permitted by law

SalesQL may retain Customer Personal Data to the extent and for the period required by Applicable Data Protection Law or other applicable law (for example, for evidence in legal proceedings, anti-money-laundering record-keeping, or tax records). During such retention, SalesQL will continue to process the retained Customer Personal Data only as required by such law and will treat it as confidential.

#13.3 Backups

SalesQL's standard backup schedule may temporarily retain copies of Customer Personal Data after deletion. Such backup copies will be overwritten in accordance with SalesQL's standard backup retention cycle (up to 90 days) and during this period will not be processed except for backup-restoration purposes if required.

#14. Liability

#14.1 Limitation

Each party's liability arising under or in connection with this DPA, regardless of the form of action, is subject to the limitations of liability set out in the Agreement.

#14.2 Carve-out

Nothing in this DPA limits or excludes any liability that cannot be lawfully limited or excluded under Applicable Data Protection Law, including the parties' direct liability to Data Subjects under Article 82 UK/EU GDPR.

#15. Term and termination

This DPA enters into effect on the effective date of the Agreement and continues in effect for the duration of the Agreement and any additional period required for SalesQL to comply with its deletion or return obligations under Section 13 or Applicable Data Protection Law.

#16. Order of precedence

In the event of a conflict between the documents that form the relationship between the parties with respect to the processing of Customer Personal Data, the order of precedence is:

  1. The EU SCCs, the UK Addendum, the UK IDTA, and Swiss adaptations referenced in Section 7, with respect to the matters they address.
  2. This DPA.
  3. The Terms of Service or other body of the Agreement.

#17. Miscellaneous

#17.1 Governing law

Subject to Section 7 (which governs the law applicable to specific Restricted Transfers), this DPA is governed by the laws of England and Wales.

#17.2 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.

#17.3 Amendments

SalesQL may update this DPA from time to time as required by changes in Applicable Data Protection Law or to reflect changes in the Services or in the safeguards described in the Annexes, with reasonable notice to the Customer. Updates that materially decrease the protections available to the Customer or to Data Subjects will be subject to the Customer's prior consent or a right of termination.

#17.4 No third-party beneficiaries

Except as expressly provided in the EU SCCs (where Data Subjects are intended third-party beneficiaries), this DPA does not create any third-party beneficiary rights.

#17.5 Counterparts and electronic signature

This DPA may be executed in counterparts and by electronic signature, each of which is deemed an original and which together constitute one and the same instrument.

Annex 1 — Description of Processing

#A. List of parties

Role: Party

Data exporter (Controller): The Customer, as identified in the Agreement.

Data importer (Processor): SALESQL LTD, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom. Contact: legal@salesql.com.

#B. Description of transfer

Categories of Data Subjects whose Personal Data is processed:

  • The Customer's End Users (employees, contractors and other personnel of the Customer who use the Services).
  • The Customer's prospects, leads, contacts, and Recipients (individuals whose data the Customer uploads to the Services for enrichment, lead management, or outbound communications).
  • Other Data Subjects whose Personal Data the Customer uploads, submits or otherwise makes available through the Services.

Categories of Personal Data processed:

  • Identification and contact data: full name, work email, direct email, work phone, direct/mobile phone, job title, employer, business address.
  • Account and authentication data of End Users.
  • CRM and lead-management data uploaded by the Customer.
  • Enrichment-request payloads submitted by the Customer through the Services (including the SalesQL REST API and the MCP Server) and the corresponding response payloads returned by SalesQL.
  • AI Assistant inputs and outputs, where the AI Assistant is enabled for the Customer: End User prompts, the conversation context the End User chooses to expose to the AI Assistant, and the responses generated by the LLM Provider that powers the AI Assistant.
  • Campaign content and metadata: recipient lists, message templates and content, sender identifiers, engagement metadata (deliveries, bounces, opens, clicks, replies, unsubscribes), mailbox-level metadata where the Customer connects its own mailbox.
  • Other categories of data uploaded or submitted by the Customer through the Services.

Sensitive Personal Data: the Services are not designed to process Special Category Personal Data; the Customer must not submit such data without SalesQL's prior written consent (Section 12).

Frequency of the transfer: continuous, for the duration of the Services.

Nature of the processing: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, transmission, dissemination, restriction, erasure or destruction, in each case as necessary for the provision of the Services.

Purpose of the transfer and further processing: the provision of the Services to the Customer in accordance with the Agreement, the Customer's documented instructions, and Applicable Data Protection Law.

Period for which Personal Data will be retained: for the duration of the Agreement plus any additional period required under Section 13 of this DPA or Applicable Data Protection Law.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: as set out in Annex 3.

#C. Competent Supervisory Authority

The competent Supervisory Authority is identified in accordance with Clause 13 of the EU SCCs and Section 7.3 of this DPA. Where the data exporter is established in the United Kingdom, the competent Supervisory Authority is the UK Information Commissioner's Office (ICO).

Annex 2 — Technical and Organisational Measures (TOMs)

This Annex describes the technical and organisational measures implemented by SalesQL to protect Customer Personal Data. Specific measures may evolve over time; SalesQL reserves the right to update this Annex provided that the overall level of security is not materially decreased.

#A. Pseudonymisation and encryption

  • Encryption of Customer Personal Data in transit using TLS 1.2 or higher.
  • Encryption of Customer Personal Data at rest using industry-standard symmetric encryption with keys managed through a managed Key Management Service.
  • Hashing and salting of credentials.
  • Pseudonymisation of identifiers in analytics and engineering datasets where applicable.

#B. Confidentiality of processing systems and services

  • Role-based access control with least-privilege principles.
  • Multi-factor authentication for personnel access to production systems.
  • Single Sign-On / Identity and Access Management for personnel, with centralised provisioning, de-provisioning and access reviews.
  • Network segmentation between production, staging and development environments.
  • Centralised logging, monitoring and alerting.
  • Workstation hardening for personnel: disk encryption, screen lock, endpoint protection, and mobile device management controls.

#C. Integrity of processing systems and services

  • Code review and pre-deployment testing for all production changes.
  • Automated CI/CD pipeline with audit logs.
  • Change-management procedures.
  • Anti-tamper and integrity-monitoring controls in production.

#D. Availability and resilience

  • Production hosting on Amazon Web Services in the eu-central-1 (Frankfurt, Germany) region, with redundant availability zones.
  • Encrypted automated backups within the European Union, with periodic restoration testing.
  • Disaster-recovery procedures and periodic tabletop exercises.
  • Capacity monitoring and auto-scaling.

#E. Process for restoring availability and access

  • Documented incident-response procedures.
  • Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets, calibrated to the criticality of the affected services.
  • Periodic restoration testing.

#F. Process for testing, assessing and evaluating effectiveness

  • Internal security review on a periodic basis.
  • Vulnerability scanning of production infrastructure.
  • Periodic penetration testing engagements with an independent third party.
  • Continuous improvement of the information-security programme.

#G. User identification and authorisation

  • Unique credentials per user.
  • Multi-factor authentication available to End Users; required where the Customer's security configuration mandates it.
  • Session management and idle-timeout controls.
  • API authentication via personal access tokens with scopes and revocation.

#H. Protection of data during transmission

  • TLS 1.2+ enforcement for all customer-facing connections.
  • HSTS, CSP and similar HTTP security headers on web properties.
  • API-level encryption.

#I. Protection of data during storage

  • Encryption at rest in primary database, file storage, backups, and analytics warehouse.
  • Key management via a managed Key Management Service provided by SalesQL's primary cloud-infrastructure provider.
  • Data minimisation principles in dataset design.

#J. Physical security

  • Cloud-provider physical-security controls (SalesQL relies on industry-standard cloud providers; details are available from those providers under their respective compliance reports).
  • SalesQL operates a remote-first workplace; corporate access to systems is enforced via SSO and MFA. Where physical office premises are used, standard physical-security controls apply (access control, visitor sign-in, secure handling of paper documents and IT assets).

#K. Logging and monitoring

  • Centralised application and security logs.
  • Alerting for anomalous events.
  • Retention of security logs in accordance with the Privacy Policy and applicable law.

#L. Procurement and Subprocessor management

  • Vendor risk assessment for all Subprocessors.
  • Contractual obligations on Subprocessors equivalent to those imposed under this DPA.
  • Periodic review of Subprocessors.

#M. Personnel

  • Background checks where lawfully permitted in the relevant jurisdiction, for personnel with access to Customer Personal Data.
  • Mandatory data protection and security training on hire and at least annually.
  • Confidentiality undertakings in employment / contractor agreements.
  • Documented offboarding procedures including credential revocation.

Annex 3 — Subprocessors

The current list of Subprocessors authorised to process Customer Personal Data is published at https://salesql.com/legal/subprocessors. The list includes, without limitation:

  • Cloud infrastructure: Amazon Web Services (AWS), with primary processing in the eu-central-1 (Frankfurt, Germany) region.
  • Payment processing: Stripe (for billing-related Customer Data such as billing address, VAT/Tax ID, and payment-method tokens).
  • LLM Provider, where the AI Assistant is enabled: the third-party large-language-model provider that powers the in-product AI Assistant (and any other AI-assisted features described in the Privacy Policy). The AI Assistant is not enabled for any Customer workspace until the production LLM Provider has been confirmed, contracted, and named on the Subprocessors page.
  • Email and notification delivery, analytics, customer support, productivity and security tooling, and affiliates and group entities of SALESQL LTD acting as Subprocessors under intra-group agreements.

Each Subprocessor entry on the published list includes:

  • Subprocessor name and corporate entity.
  • Country / region in which the Subprocessor processes Customer Personal Data.
  • Role and purpose of processing.
  • Applicable safeguards for Restricted Transfers (e.g., EU SCCs, UK Addendum, DPF, adequacy).

The Customer authorises the engagement of the Subprocessors listed at the effective date of the Agreement and may subscribe to notifications of changes to the list (Section 6.3).

Annex 4 — Completed information for the EU SCCs and UK Addendum

#A. EU SCCs

Module 2 (Controller to Processor) is incorporated as set out in Section 7.2.

Annex I.A (List of Parties): as set out in Annex 1.A above.

Annex I.B (Description of transfer): as set out in Annex 1.B above.

Annex I.C (Competent Supervisory Authority): as set out in Annex 1.C above.

Annex II (Technical and organisational measures): as set out in Annex 2 above.

Annex III (List of subprocessors): as set out in Annex 3 above and on https://salesql.com/legal/subprocessors.

#B. UK Addendum

Table 1 (Parties): as set out in Annex 1.A above.

Table 2 (Selected SCCs, Modules and Selected Clauses): EU SCCs Module 2 as completed in this DPA, with the choices specified in Section 7.2.

Table 3 (Appendix Information): as set out in Annexes 1, 2 and 3 above.

Table 4 (Ending of the Addendum): neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

Annex 5 — Schrems II supplementary measures

In addition to the contractual safeguards in Section 7, SalesQL implements the following supplementary measures with respect to Restricted Transfers, in line with the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools:

  • Encryption in transit and at rest of Customer Personal Data, including for transfers to Subprocessors.
  • Strong access controls over Customer Personal Data within SalesQL and its Subprocessors, with role-based access, multi-factor authentication, and audit logging.
  • Contractual challenge of disproportionate access requests by public authorities: SalesQL and its Subprocessors are contractually required to challenge legally invalid or disproportionate requests for Customer Personal Data and to provide only the minimum data lawfully required.
  • Transparency to the Customer: SalesQL will, where lawfully permitted, notify the Customer of binding requests by public authorities for access to Customer Personal Data, and will provide the Customer with such information as it lawfully may to permit the Customer to exercise rights of objection or other legal remedies.
  • Transfer Impact Assessment (TIA): SalesQL maintains a TIA for transfers to importing jurisdictions where SalesQL processes Customer Personal Data, and updates the TIA periodically and following relevant legal developments. A summary of the TIA is available on request to legal@salesql.com.
  • Data minimisation: SalesQL transfers only the Customer Personal Data necessary for the provision of the Services and the Subprocessor's specific function.

Annex 6 — California and US state privacy addendum

This Annex applies where SalesQL processes Customer Personal Data subject to the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") or to other comprehensive US state privacy laws (including those of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Minnesota, Maryland and Rhode Island, as those laws come into force).

#A. Roles under US state privacy laws

For Customer Personal Data subject to US state privacy laws, the parties agree that:

  • the Customer acts as the "business" (or equivalent term) under the relevant state law; and
  • SalesQL acts as the "service provider" or "processor" (or equivalent term) under the relevant state law, processing Customer Personal Data only for the business purposes described in the Agreement and this DPA, and not for any commercial purpose other than performing the Services.

#B. Restrictions

SalesQL will not:

  • sell or share Customer Personal Data within the meaning of the CCPA/CPRA or equivalent state law;
  • retain, use, or disclose Customer Personal Data outside the direct business relationship between SalesQL and the Customer and the business purposes specified in the Agreement and this DPA;
  • combine Customer Personal Data with personal information that SalesQL receives from or on behalf of another person, or collects from its own interactions with consumers, except as expressly permitted by applicable US state privacy law.

#C. Cooperation

SalesQL will provide the assistance reasonably required for the Customer to comply with consumer rights requests, including requests to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information, in accordance with applicable US state privacy law.

#D. Sensitive personal information

The Services are not designed to process "sensitive personal information" as defined under applicable US state privacy law. The Customer must not submit such information without SalesQL's prior written consent.

#E. Defined terms

Capitalised terms used in this Annex but not defined have the meanings given to them under the applicable US state privacy law.

Questions? legal@salesql.com · privacy@salesql.com


© 2020–2026 SalesQL Ltd