Data Processing Addendum

(Last Updated: January 2023)

As a responsible, forward-looking business, DealHub Ltd., which operates and develops a platform for sales engagements (“DealHub”), recognizes the need to comply with applicable privacy regulations and ensure that effective measures are in place to protect the Personal Data of its customers. The term “Applicable Law” shall mean whichever legal regime is applicable to the Processing of Personal Data under this DPA, as follows: Regulation (EU) 2016/679 of the European Parliament (General Data Protection Regulation – “GDPR”), the GDPR as amended and adopted into UK law in accordance with the European Union (Withdrawal) Act 2018 and the UK’s Data Protection Act, 2018 (collectively, “UK GDPR”), the Swiss Data Protection Act (“FADP”) and the California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5, as amended by the California Consumer Privacy Rights Act of 2020, and the regulations thereunder (collectively, “CCPA”).

This Data Processing Addendum (“DPA”) forms part of any other agreement by and between DealHub and the undersigned customer of DealHub (“Customer”) for the provision of certain services by DealHub, including the DealHub platform which serves as a sales engagements management system and related maintenance and support services (the “Services” and the “Main Agreement”, respectively).

In the course of providing the Services to Customer pursuant to the Main Agreement, DealHub may Process Personal Data on behalf of the Customer. DealHub agrees to comply with the following provisions with respect to any Personal Data submitted by or for the Customer to DealHub or the DealHub platform, or data which is collected and processed by or for the Customer using DealHub’s Services and systems.

1. Definitions

The following definitions are used in this DPA:

1.1 “Personal Data” means Personal Data as defined under the GDPR or analogous terms in other Applicable Law (including ‘Personal Information’ as defined under the CCPA).

1.2 “Data Subject” shall mean the natural person whose Personal Data is Processed and shall include “Consumer” as defined under the CCPA. 

1.3 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as storage, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.4 “EEA” means the European Economic Area.

1.5 “Standard Contractual Clauses” means the standard contractual clauses which were set for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in Commission Implementing Decision (EU) 2021/914 and available at:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2021.199.01.0031.01.ENG&toc=OJ%3AL%3A2021%3A199%3AFULL

1.6 “UK Addendum” shall mean the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as issued by the UK Information Commissioner under S119A (1) Data Protection Act 2018.

1.7 “Controller”, “Processor”, “Personal Data Breach” and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.

1.8 The terms “Business”, “Sell”, “Share”, and “Service Provider” shall have the meanings ascribed to them in the CCPA.

2. Status of the parties

2.1 The type of Personal Data which may be processed pursuant to this DPA, the subject matter, duration, nature and purpose of the processing, and the categories of Data Subjects, are as described in Schedule 1.

2.2 With respect to Processing subject to the GDPR, UK GDPR, and/or the FADP: when Personal Data is subject to the GDPR, UK GDPR, and/or the FADP, Customer serves as a Controller of such Personal Data and DealHub serves as a Processor on its behalf.

2.3 For Processing subject to the CCPA: When Personal Data is subject to the CCPA, Customer serves as a Business with respect to such Personal Data and DealHub serves as a Service Provider on its behalf.

2.4 Each party warrants in relation to Personal Data that it will comply (and will procure that any of its personnel comply), with the provisions of the Applicable Law. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired the Personal Data, including any respective consent required. 

2.5 This DPA does not address or limit the processing of anonymous data which can no longer be identified or associated with a natural person, even if such anonymized data is aggregated and/or statistical and was produced using Personal Data (e.g. aggregative data which was derived from raw Personal Data).

3. DealHub’s Undertakings

With respect to all Personal Data processing which shall occur during the provision of the Services, DealHub warrants and undertakes:

3.1 Process Personal Data only in order to provide the Services, and shall strictly act only in accordance with: (i) this DPA; (ii) the Customer’s written instructions as represented by the Main Agreement and this DPA; and (iii) as required by applicable laws;

3.2 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data during the provision of the Services. Those measures will include but will not be limited to: security-related policies and procedures, standards and practices designated for the protection of Personal Data, implement data protection measures by default and by design, and use of technological and organizational tools for preventing access, use, modification or disclosure of Personal Data by DealHub’s personnel, except where otherwise ascribed in this DPA;

3.3 Ensure that DealHub’s personnel who are authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.4 Take commercially reasonable steps to ensure that DealHub’s personnel will comply with the terms of this DPA;

3.5 Comply with the provisions set forth in the Applicable Law for engaging another sub-processor, such as the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR. The Customer grants a general authorization to DealHub to appoint any sub-processor or use any outsourced service, as long as DealHub will ensure that any such sub-processor is subject to contractual terms substantially no less protective than those imposed on DealHub in this DPA;

3.6 For Processing subject to the CCPA: DealHub undertakes that it shall not Sell or Share Personal Data when Processing Personal Data as a Service Provider and shall not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services to Customer and as otherwise permitted under the Main Agreement.

3.7 DealHub shall give Customer a notice of the appointment of any new sub-processor, including relevant details of the Processing to be undertaken by the sub-processor. If, within thirty (30) days of receipt of that notice, Controller notifies Processor in writing of any objections to the proposed appointment, DealHub shall not appoint (or disclose any Personal Data to) that proposed sub-processor until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer’s reasonable objections then Customer may by written notice to DealHub with immediate effect terminate the Main Agreement to the extent that it relates to the Services which require the use of the proposed sub-processor. In case of termination according to this section, Customer shall receive a pro-rata refund of any paid or unused fees. Failure to object to such new sub-processor in writing within thirty (30) business days following DealHub’s notice shall be deemed as acceptance of the new sub-processor. Additionally, if DealHub’s engagement with a sub-processor involves a cross-border data transfer, DealHub shall comply with relevant cross-border transfer requirements under Applicable Law, including the implementation of appropriate contractual and technical safeguards to ensure compliance with such requirements. 

3.8 Assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations to respond to requests for exercising the Data Subject’s rights under the Applicable Law, and notify the Customer if it receives any such request from any Data Subject on behalf of the Customer;

3.9 Upon Customer request, and taking into account the nature of processing and the available data, DealHub shall provide reasonable assistance to the Customer under Articles 32 to 36 of each of the GDPR and/or the UK GDPR, as applicable, with respect to: (a) data protection impact assessments carried out by the Customer; (b) breach notifications to the supervisory authority and/or any data subject; (c) Customer’s ability to demonstrate its compliance with the provisions of the GDPR and/or UK GDPR, as applicable. Customer shall cover all costs incurred by DealHub in connection with such assistance;

3.10 Other than to the extent required to comply with applicable laws, and at Customer’s choice, DealHub shall delete or (where possible) return all the Personal Data to the Customer after the end of the provision of Services as stipulated by the Main Agreement, and delete existing copies unless otherwise required by applicable laws;

3.11 Upon becoming aware of any Personal Data Breach, notify the Customer without undue delay, and provide the Customer with information relating to the breach as reasonably requested by the Customer. DealHub will use reasonable endeavors to assist the Customer in mitigating, where possible, the adverse effects of any such Personal Data Breach; 

3.12 Give the Customer access to all available information which is necessary to demonstrate compliance with DealHub’s obligations laid down in this DPA, and reasonably contribute to audits conducted by the Customer or another auditor mandated by the Customer.

4. Data Transfers

4.1 To the extent any processing of Personal Data by DealHub that is subject to the GDPR takes place in any jurisdiction outside the EEA, the Customer agrees and DealHub undertakes that any such processing shall be subject to the provisions of chapter 5 of the GDPR, including processing:

a. in a country which is recognized and approved by an adequacy decision under Article 45 of the GDPR; or

b. subject to the Standard Contractual Clauses, which are incorporated herein by reference, if and as applicable. Annexes 1 and 2 attached hereto shall apply as Annexes 1 and 2 of the Standard Contractual Clauses, if and as applicable to processing of any Personal Data hereunder. DealHub agrees to reasonably cooperate with Customer for the implementation of any technical measures as may be deemed necessary to permit the transfer of Personal Data to countries outside of the European Economic Area on the basis of the Standard Contractual Clauses.

4.2 To the extent that DealHub Processes Customer’s Personal Data that is subject to the UK GDPR and DealHub Processes such data in a country other than the United Kingdom whose data protection laws were deemed inadequate by the United Kingdom, the UK Addendum attached hereto as Schedule 2 shall apply and shall be incorporated herein upon execution of the Main Agreement by the parties. DealHub agrees to cooperate with Customer for the implementation of any technical measures as may be deemed necessary to permit the transfer of Personal Data to countries outside of the United Kingdom on the basis of the UK Addendum and agrees to provide information as needed in order to allow Customer to conduct a transfer impact assessment.

4.3 To the extent a data transfer which is subject to the Standard Contractual Clauses originated in Switzerland and such data transfer is subject to the FADP, Data Subjects from Switzerland shall have the right to conduct legal proceedings relating to the International Transfer in Switzerland. Until the revised Swiss Data Protection Act enters into force, the Standard Contractual Clauses shall apply to DealHub as a legal entity, to the extent similar provisions apply to legal entities under FADP.

5. Miscellaneous

5.1 Except as amended by this DPA, the Main Agreement shall remain in full force and effect. 

5.2 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. In the event of any conflict between the terms of this DPA and the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. None of the sections herein are intended to conflict with the Standard Contractual Clauses, if and to the extent applicable. If a conflict arises between the terms of this DPA and the Standard Contractual Clauses or UK SCCs (to the extent either applies), where they apply, the Standard Contractual Clauses or UK Addendum, as applicable, shall prevail.

5.3 DealHub’s liability under this DPA is subject to the limitations on liability contained in the Main Agreement.


Schedule 1

Details of the personal data and processing activity

The Personal Data – the Personal Data which shall be processed by DealHub during the provision of the services may contain:

  • Full Name;
  • User name and password to DealHub’s system – DealHub;
  • User phone number (optional) and email address;
  • Time of using the system;

Sub-Processor

Sub-processor Name | Activity | Location
DealHub Inc. | A wholly owned DealHub subsidiary | United States
Microsoft Corporation | Hosting, Databases | United States/EU
Sendgrid, Inc. | Emails Distribution | United States
The Rocket Science Group LLC d/b/a Mailchimp | Emails Distribution | United States
Mezmo, Inc. | Logs collection | United States
Twilio, Inc. | SMS – 2FA for DealRoom | United States
Slack Technologies, Inc. | Notifications | United States/EU
Freshworks, Inc. | Customer Support Tools | United States/EU

Data Subjects – the DPA may concern the following categories of Data Subjects:

  • Customer’s clients and business affiliates;
  • Customer’s employees and/or external contractors. 

Processing activities and operations – as required and necessary for the provision of the Services under the Main Agreement – mainly contact details for sales engagements management; 

Purpose of processing – for the provision of the Services under the Main Agreement, in accordance with Customer requests – sales engagements management; 

Duration of processing – until the earliest of (a) termination of the provision of the Services under the Main Agreement, or (b) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable);


Annex 1

ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES

The following Annexes form part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in the following Annexes.

Description of Transfer

Categories of data subjects whose personal data is transferred

DealHub processes the following personal data: Name, Phone, Job Title, eMail and Work Address, Customers, Employees.

Categories of personal data transferred

DealHub processes the following categories: personal data, professional data, buyer data, customer data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

DealHub does not process Special/Sensitive categories of data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis based on the customer business needs

Nature of the processing

DealHub’s unique collaborative sales engagement platform makes quoting easier and faster, with real-time insights on customer’s prospects engagements and level of interest. DealHub’s sales engagement platform provides a rich & personalized buying experience throughout the sales process – from prospect to close. In order to utilize DealHub’s platform, generate quotes, engage buyers etc., Data Exporter will have to feed the platform with the relevant data to process.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Data will be saved as long as the customer is using the system. Data will be deleted based on customer request.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Data will be processed as long as the customer is using the system.

Competent Supervisory Authority

The competent supervisory authority regarding this transfer is the Malta Information and Data Protection Commissioner in accordance with the laws of Malta, in accordance with Clause 13. 


Annex 2 

ANNEX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organizational security measures implemented by the data importer in accordance with Clause 8.6 (or document/legislation attached):

In addition to GDPR, DealHub has ISO 27001 and SOC-2 certification and is committed to the following:

Physical Access Controls:

DealHub takes reasonable measures to prevent physical access, such as security personnel and secured buildings and factory premises, to prevent unauthorized persons from gaining access to personal data.

System Access Controls:

DealHub takes reasonable measures to prevent personal data from being used without authorization. These controls are based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.

Data Access Controls:

DealHub takes reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. In addition, DealHub implements an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.

Transmission Controls:

DealHub takes reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

Input Controls:

DealHub takes reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed. DealHub also takes reasonable measures to ensure that (i) the personal data source is under the control of data exporter; and (ii) personal data integrated into DealHub’s systems is managed by secured file transfer from the platform and data subject.

Data Backup:

DealHub’s back-ups are taken on a regular basis, are secured, and encrypted when storing personal data to protect against accidental destruction or loss when hosted by DealHub.

Logical Separation:

DealHub ensures that data from the data exporter is logically segregated on DealHub’s systems to ensure that personal data that is collected for different purposes may be processed separately.