Our Privacy Policy

‍

1. Preamble

This Data Processing Agreement ("DPA") supplements and forms part of the SaaS and Services Agreement between the Client and SalesAPE ("Agreement") to the extent applicable Privacy Laws apply to SalesAPE’s processing of Client Personal Data (defined below) in provision of the Services under the Agreement. 

‍

2. Obligations of the Parties

‍

1. This DPA applies when Client Personal Data is processed by SalesAPE      on behalf of the Client under applicable Privacy Laws. 
2. For the purposes of applicable Privacy Laws, the Client is the Controller of the Client Personal Data and SalesAPE is a Processor processing Client Personal Data on Client’s behalf.
3. The Client shall at all times provide documented instructions to SalesAPE for the processing of Client Personal Data, in compliance with applicable Privacy Laws.  
4. Details of the processing activities carried out by SalesAPE are set forth at Schedule 1 to this DPA. Schedule 1 and the terms of this DPA constitute the Client’s documented, written instructions for the purposes of applicable Privacy Laws. 
5. SalesAPE will process Client Personal Data in accordance with the Client’s documented instructions. Any additional instructions outside the scope of this DPA and Schedule 1 (if any) shall be subject to prior written agreement between the parties.
6. Each party will comply with all laws, rules and regulations applicable to it in the performance of this DPA, including applicable Privacy Laws.
7. Client is solely responsible for the accuracy, quality, and legality of (a) the Client Personal Data provided to SalesAPE by or on behalf of the Client; (b) how the Client acquired any such Client Personal Data (e.g., appropriate notices and/or consent); and (c) the instructions it provides to SalesAPE regarding the processing of Client Personal Data. 
8. The Client shall not provide or submit to the Services any Personal Data in breach of the Agreement, this DPA or applicable Privacy Laws or any Personal Data which would be inappropriate for the nature of the Services.

‍

3. Confidentiality of Client Personal Data

‍

1. SalesAPE will not access or use, or disclose to any third party, any Client Personal Data, except: 

‍

1. as necessary to maintain or provide the Services (such as in order to transmit such Client Personal Data to an approved Sub-processor); or
2. as necessary to comply with the law, a Valid Government Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). 

‍

2. If a governmental body sends SalesAPE a Valid Government Request for access to Client Personal Data, SalesAPE will use commercially      reasonable      efforts to attempt to redirect the governmental body to request that data directly from the Client. SalesAPE may provide the Client’s basic contact information to the governmental body. 

‍

3. If SalesAPE is legally required to disclose Client Personal Data to a governmental body pursuant to a valid court order, then SalesAPE will use commercially reasonable efforts to provide the Client with prior notice of the request to allow the Client to take action as it sees fit, unless SalesAPE is legally prevented from giving such notice due to the terms of the order or request.

‍

4. Use of Sub-processors

‍

1. The Client hereby generally authorises SalesAPE to engage Sub-processors in accordance with this Article 4. 

‍

2. The Client hereby provides its written consent for the appointment of the Sub-processors listed at Schedule 2.

‍

3. The Client acknowledges that SalesAPE may remove, replace, or appoint new or replacement Sub-processors to support the provision of the Services. SalesAPE will provide the Client with an opportunity to object to any change in its Sub-processors where required under applicable Privacy Laws. Any objections or enquiries in this regard may be directed to SalesAPE at support@salesape.ai. 

‍

4. If the Client reasonably objects to the engagement of a new or replacement Sub-processor (such objection necessarily relating to objective and documented concerns of the proposed Sub-processor’s compliance with applicable Privacy Laws), SalesAPE, at its sole discretion, will use commercially reasonable efforts to: (a) make available to the Client a change in the Services; or (b) recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid processing of Client Personal Data by the objected-to replacement or new Sub-Processor. If SalesAPE does not, or is unable to make available, such change within a reasonable timeframe, then the Client may terminate the applicable part of the Services which cannot be provided by SalesAPE without the use of the objected-to replacement or new Sub-Processor, by providing no less than thirty (30) business days written notice to SalesAPE. Such termination will be for Client’s convenience and shall not be for breach by SalesAPE. Client’s termination under this Article 4(4) will not relieve the Client of its payment obligations under the Agreement, provided, however, that the Client shall be entitled to reimbursement of pro-rated amounts for any unused portion of the Services already paid for, excluding the notice period, if applicable.

‍

5. If the Client does not object to a proposed Sub-processor's appointment within ten (10) days of notice by SalesAPE, that new Sub-processor shall be deemed accepted by the Client. 

‍

6. Where SalesAPE appoints a Sub-processor pursuant to this Article 4:

‍

1. SalesAPE will restrict the Sub-processor’s access to Client Personal Data only to what is necessary to provide or maintain the Services;
2. Prior to the relevant Sub-processor carrying out any processing activities in respect of Client Personal Data, SalesAPE shall ensure that each Sub-processor is bound by a written contract (which may include standard terms of service or data processing agreements offered by Sub-processors) containing substantially similar obligations as those set out under this DPA. 
3. SalesAPE shall: (a) remain fully liable to the Client under this DPA for all the acts and omissions of each Sub-processor as if they were committed by SalesAPE (but not to a greater extent than that); and (b) ensure that all persons authorised by SalesAPE (including SalesAPE’s personnel) or any Sub-processor to process Client Personal Data are subject to a binding written contractual obligation to keep the Client Personal Data confidential. 

‍

5. Security

‍

To protect Client Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, SalesAPE shall implement and maintain the technical and organisational measures in accordance with SalesAPE’s security commitment set out at Schedule 3 to this DPA. 

‍

6. Assistance and Personal Data Breach

‍

1. SalesAPE shall (at the Client’s cost) assist the Client in ensuring compliance with Client’s obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under the applicable Privacy Laws) taking into account the nature of the processing and the information available to SalesAPE. SalesAPE shall (at the Client’s cost) taking into account the nature of the processing, assist the Client (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Client’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Privacy Laws) in respect of any Client Personal Data. 

‍

2. SalesAPE shall notify the Client without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Client Personal Data.  

‍

7. Audits

‍

During the term of this DPA, SalesAPE shall, in accordance with applicable Privacy Laws, make available to the Client such information that is in its possession or control as is necessary to demonstrate SalesAPE’s compliance with the obligations placed on it under this DPA and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent applicable Privacy Laws), and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose (subject to a maximum of one (1) audit request in any twelve (12) month period, and provided that such audit is conducted on reasonable notice, during normal business hours,  and results in minimal disruption to SalesAPE’s business, except where the audit relates to or follows a Personal Data Breach).  

‍

8. International Transfers of Personal Data

‍

1. The Client acknowledges and agrees that SalesAPE may transfer and process Client Personal Data to and in the United States and anywhere else in the world where SalesAPE or its Sub-processors maintain data processing operations. SalesAPE shall ensure that such transfers are made in compliance with applicable Privacy Laws and this DPA.

‍

2. Subject to Article 8(3), where SalesAPE transfers Client Personal Data from Europe to Sub-processors located in the United States, SalesAPE will rely on the respective Sub-processor’s certification to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK-US Data Bridge Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (together the “DPF Certification”), where available, to effect such transfer. 

3. Where a DPF Certification is not available or applicable, the parties hereby agree to apply one of the following, to the extent that a GDPR (Chapter V) data transfer mechanism or equivalent is legally required in descending order of preference, such that the item higher in the list that is applicable and available will automatically apply during the term of this DPA and for as long as Client Personal Data is retained by SalesAPE in its capacity as processor: (i) a suitable framework or other legally adequate transfer mechanism recognized by the European Commission or United Kingdom Government or Swiss Government (or other relevant authority or court as applicable) providing an adequate level of protection for personal data, including the DPF Certification; (ii) any mechanism, derogation, exemption, or exception that a party is able to invoke, such as the consent of the relevant Data Subjects, or a derogation under Article 49 of the GDPR or its equivalent under applicable Privacy Laws; or (iii) the applicable Standard Contractual Clauses completed and incorporated herein pursuant to Schedule 5 (or variations of those Standard Contractual Clauses made under Article 8(5) of this DPA or as otherwise proposed by a party or a Sub-processor (as long as such variations are compliant with applicable Privacy Laws)). The Client agrees to the international transfer of Client Personal Data, provided that SalesAPE ensures that one of the foregoing mechanisms in descending order of preference is implemented. 

‍

4. Insofar as the Agreement involves the transfer of Client Personal Data from any other jurisdiction where applicable Privacy Laws require that additional steps, or safeguards, be imposed before Client Personal Data can be transferred to a second jurisdiction, SalesAPE agrees to cooperate with the Client to take appropriate steps to comply with applicable Privacy Laws.

‍

5. The parties agree that, to the extent required under applicable Privacy Laws, such as due to legislative changes, court decisions, and/or to reflect measures or guidance from supervisory authorities, including, without limitation and only where applicable, the adoption of standards for contracts with processors according to Article 28(7) or (8) of the GDPR (or equivalent) or the invalidation, amendment, replacement or repeal of a decision adopted by the EU Commission or UK Government in relation to international transfers on the basis of Article 45(3) or Article 46(2) GDPR (or equivalent), such as, in particular, with respect to the Standard Contractual Clauses or similar transfer mechanisms, either party may request reasonable changes or additions to this DPA to reflect applicable requirements. If a party makes a request to change or supplement this DPA pursuant to this Article 8(5), the parties will in good faith negotiate such changes and additions (including, where applicable, providing for reimbursement of SalesAPE’s costs and expenses for undertaking additional obligations) and neither party will unreasonably withhold or delay agreement to any variations to this DPA.

‍

9. Effect of Termination.

‍

1. Upon termination of provision of the Services under the Agreement for any reason, at the Client’s cost and at the Client’s option, SalesAPE shall either return all Client Personal Data to the Client in a common machine-readable format or securely dispose of Client Personal Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires SalesAPE: (a) to retain such Client Personal Data; or (b) SalesAPE is required to retain such data for the establishment, exercise or defenc     e of legal claims.

‍

2. If Client does not exercise its return option under this Article 9 within thirty (30) calendar days following termination or expiry of the Agreement for whatever reason, SalesAPE shall have no obligation to keep any Client Personal Data and will proceed to automatic deletion of such Client Personal Data. The deletion/return requirement shall not apply to SalesAPE to the extent that: (a) SalesAPE is the controller of any Personal Data (in such case, such Personal Data shall be retained in accordance with SalesAPE’s Privacy Policy); (b) any Client Personal Data  has been anonymised or aggregated so that Data Subjects and the Client cannot be personally and individually identified (“Anonymised Data” and/or “Aggregated Data”, as applicable). Such Anonymised or Aggregated Data is not Personal Data for the purposes of applicable Privacy Laws and the Client expressly acknowledges that SalesAPE may process such Anonymised or Aggregated Data as it sees fit, including for its own business and product improvement.  

‍

10. General Provisions
    
    1. SalesAPE’s liability arising out of or in connection with this DPA or the applicable Privacy Laws shall not exceed the total, aggregate amount of (i) 200% of the fees paid or payable by the Client to SalesAPE under the Agreement for the 12-month period immediately preceding the breach,or (ii)       one million pounds (1,000,000 GBP), whichever is lower. To the extent required by applicable law, (a) this Article 10(1) is not intended to modify or limit the parties’ liability for Data Subject claims made against a party where there is joint and several liability under applicable Privacy Laws, or (b) limit either party’s responsibility to pay penalties imposed on such party by a regulatory authority.
    2. This DPA will continue in force until the termination of the Agreement, provided that the data protection obligations of this DPA and the SCCs shall continue to apply for so long as SalesAPE processes Client Personal Data. This DPA will remain in effect until, and automatically expire when, SalesAPE deletes or anonymises all Client Personal Data.
    3. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    4. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Client Personal Data are resolved in the following order of priority: (1) the SCCs, where applicable; (2) the DPA; and (3) the Agreement.

‍

11. Definitions

‍

Unless otherwise defined in the Agreement, all capitalised terms used in this DPA will have the meanings given to them below:

1. "Client Data", "SalesAPE", and "Services" shall each have the meaning ascribed to it in the Agreement.
2. “supervisory authority'' means (i) the competent supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
3. "Controller" means the entity that determines as a legal person alone or jointly with others the purposes and means of the processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to the Client.
4. "Client", as used on this DPA, shall mean the Client (as defined in the Agreement).
5. "Client Personal Data" means Client Data submitted to SalesAPE forprocessing in connection with the Services pursuant to the Agreement, which is Personal Data.
6. "Privacy Laws" means any data protection and privacy laws and regulations that are applicable to the processing of Client Personal Data by SalesAPE, including, where applicable, the laws listed in SalesAPE’s Jurisdiction Specific Terms set forth at Schedule 4, as may be amended, superseded or replaced from time to time.
7. "Data Subject" means the identified or identifiable person to whom Client Personal Data relates.
8. "Europe" means the European Economic Area and Switzerland and the United Kingdom.
9. "GDPR " means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).
10. "Personal Data" means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Privacy Laws.
11. "Personal Data Breach" means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data processed by SalesAPE or SalesAPE’s Sub-processors.
12. "processing" (unless defined differently under applicable Privacy Laws) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
13. "Processor" means an entity which processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to SalesAPE.
14. "Valid Government Request" means a government agency or law enforcement authority, including a court, tribunal or authority request for information.
15. "Services" means the services provided by SalesAPE as set forth in the Agreement.
16. "Standard Contractual Clauses" or "SCCs" means : (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC")(the "Swiss SCCs").
17. "Sub-processor" means any Processor engaged by SalesAPE to support SalesAPE in processing Client Personal Data in connection with the Services under the Agreement and this DPA. 
18. "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.

‍

Schedule 1 – Details of Processing Activities

‍

1. Purpose: The purpose of the processing under the DPA is the provision of the Services by SalesAPE to the Client as specified in the Agreement.

‍

2. Duration: SalesAPE will process Client Personal Data for (i) the duration of the Agreement; and/or (ii) for as long as SalesAPE retains and/or processes Client Personal Data. 

‍

3. Nature of the Processing: Client Personal Data is processed by SalesAPE in order to provide the Services under the Agreement and/or any applicable Order or Statement of Work.

‍

4. Categories of Data Subjects: The Data Subjects of the Client which may include the Clients’ Authorised Users, employees, contractors, or other third parties whose Personal Data is submitted by the Client to SalesAPE for use in connection with the Services, including the Client’s end-users, Customers or prospects.

‍

5. Categories of data: Contact detail including name, email, phone number and addresses); technical data such as IP addresses, log files, and login information; location information derived from IP addresses); and other Personal Data that the Client or its Authorised Users submit to the Services.

‍

6. Special categories of data (if appropriate). SalesAPE and/or its Sub-processors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreement. If such data is submitted by the Client and/or its Authorised Users, then Client warrants that such submission has been carried out on the basis of the Data Subject’s prior, express and written consent. 

‍

Schedule 2 - List of SalesAPE Sub-processors

‍

A current list of SalesAPE’s Sub-processors is set forth below:

‍

‍

‍

‍

Schedule 3 – Minimum Technical and Organizational Security Measures

In accordance with applicable Privacy Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Client Personal Data to be carried out under or in connection with the Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Client Personal Data transmitted, stored or otherwise processed, SalesAPE shall implement appropriate technical and organisational security measures appropriate to the risk, including, as appropriate, those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR. For instance, these measures include encryption of personal data in transit and at rest, separation of production and development cloud environments, access controls following the principle of least privilege, a secure software development lifecycle, and static code analysis to identify and patch known vulnerabilities.

‍

Schedule 4 – Jurisdiction Specific Terms

Certain jurisdictions require other specific terms. Where required under applicable Privacy Laws, this DPA fully incorporates the applicable Jurisdiction Specific Terms set forth below:

‍

State of California, United States:

The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

The obligations of SalesAPE to the Client under the DPA are limited to those which are expressly required as obligations imposed by the CCPA that require that a “Business” and a “Service Provider” to have in place. Each party is responsible for fulfilling its respective obligations set out in the CCPA.

SalesAPE shall not collect, sell, retain, disclose or use the Personal Information of the Consumer for any purpose other than to perform the Services specified in the Agreement, or as otherwise permitted by CCPA. The terms used in the applicable provisions of the DPA shall be replaced as follows: “Personal Data” shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer" (collectively, the “replaced terms”). Further, the replaced terms shall have the definitions ascribed to in the CCPA.

‍

Canada:

SalesAPE shall comply with all applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), and any applicable provincial privacy laws such as the Personal Information Protection Act (PIPA) in Alberta and British Columbia, and An Act Respecting the Protection of Personal Information in the Private Sector in Quebec. SalesAPE shall handle Personal Information in a manner that is consistent with the privacy principles outlined in the Canadian Standards Association Model Code for the Protection of Personal Information, which is incorporated into PIPEDA. SalesAPE shall ensure that any collection, use, or disclosure of Personal Information is done with the knowledge and consent of the individual, except where inappropriate. The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information" as defined in PIPEDA; "Controller" shall mean an "Organization" as defined in PIPEDA; and "Processor" shall mean an entity processing Personal Information on behalf of an Organization.

‍

Schedule 5 – Standard Contractual Clauses

‍

1. With respect to the EU SCCs, the same are incorporated by reference into this DPA on an unchanged basis, save for the following:
   
   1. Only “Module 2” of the EU SCCs applies;
   2. For the purposes of clause 9(a) of the EU SCCs, option 2 (“General Prior Authorisation”) is selected and the specified time period is 5 Business Days in advance. Article 4 of this DPA supplements clause 9;
   3. For the purposes of clause 11(a) of the E.U. Standard Contractual Clauses, the optional language is deleted;
   4. For the purposes of clause 13 of the EU SCCs: (i) if Controller is established in an EU Member State, the relevant supervisory authority acting as the competent supervisory authority is the supervisory authority of the EU Member State in which Controller is established, (ii) if Controller is not established in an EU Member State but has appointed a representative pursuant to GDPR Article 27(1), the relevant supervisory authority acting as the competent supervisory authority is the supervisory authority of the EU Member State in which Controller’s representative is established, and (iii) if Controller is not established in an EU Member State and has not appointed a representative pursuant to GDPR Article 27(1), then the supervisory authority of one of the EU Member States in which the data subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them are located will act as competent supervisory authority. This paragraph will constitute “Annex I.C” for the purposes of the EU SCCs;
   5. For the purposes of clause 17 of the EU SCCs, the governing law is Ireland;
   6. For purposes of clause 18(b) of the EU SCCs, the selection is Ireland; and
   7. The relevant party identification information from the Agreement and the description of processing at Schedule 1 of this DPA together will constitute “Annex 1” for the purposes of the EU SCCs. Article 5 and Schedule 3 of this DPA will constitute “Annex 2” of the EU SCCs. Schedule 2 of this DPA will constitute “Annex 3” of the EU SCCs.
2. With respect to the UK SCCs, the same are incorporated by reference into this DPA on an unchanged basis, save for the following:
   
   1. In Table 2, the selection made is the EU SCCs as described, completed and detailed in section (a) of this Schedule 5;
   2. In Table 4, both “importer” and “exporter” are selected; and
   3. The relevant party identification information from the Agreement, Schedules 1 and 2 to this DPA, and Article 5 and Schedule 3 of this DPA will be incorporated into (and will constitute completion of) Tables 1 and 3 of the UK SCCs, as applicable.

‍

‍