This Data Processing Addendum (“DPA”) is incorporated into and forms an integral part of the Master Services Agreement (the “Agreement” or “MSA”) between Glitchcraft, Inc. (“Actioneer” or “Processor”) and the customer entity party to the Agreement (“Customer” or “Controller”). It governs how Actioneer processes personal data on the Customer’s behalf.
Unless otherwise stated or unless the context otherwise requires, each capitalized term will have the meaning set out below.
| “Applicable Data Protection Law” | means all laws and regulations applicable to the processing of personal data under the Agreement, including without limitation: (i) the EU General Data Protection Regulation (“GDPR”); (ii) the UK GDPR and Data Protection Act 2018; and (iii) the Digital Personal Data Protection Act, 2023 (India). |
| “Personal Data” | means any information relating to an identified or identifiable natural person included within Customer Data. |
| “Security Incident” | means any confirmed unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data. |
| “Standard Contractual Clauses” or “SCCs” | means (i) the standard contractual clauses approved by the European Commission for transfers of personal data outside the European Economic Area, and (ii) where applicable, the UK International Data Transfer Addendum (“IDTA”) for transfers of personal data outside the United Kingdom. |
| “Sub-processor” | means any third party engaged by Actioneer to process personal data on behalf of Customer. |
For the purposes of this DPA, Customer is the Controller (or “Business”) and Actioneer is the Processor (or “Service Provider”). Actioneer certifies that it shall not: (a) “sell” or “share” personal data; (b) retain, use, or disclose personal data for any purpose other than for the specific business purpose of providing the Service and as stated in the Agreement; or (c) combine personal data with other data except as permitted by law.
Actioneer shall process personal data solely to provide the Service and perform its obligations under the Agreement. The Agreement and any applicable Order Form constitute Customer’s complete and final documented instructions. Customer acknowledges that AI-driven analysis is performed within the parameters of the Agreement. Usage Data (as defined in the MSA) is not personal data and is excluded from the scope of this DPA. Actioneer shall promptly inform Customer if, in its reasonable opinion, any instruction provided by Customer infringes Applicable Data Protection Law. The details of the processing of personal data under this DPA are further described in Schedule 1 (Processing Details).
Actioneer shall ensure that any person authorized to process personal data is subject to a strict duty of confidentiality (whether contractual or statutory) and processes such data only as necessary as agreed in the Agreement.
The Customer hereby provides a general written authorization for Actioneer to engage sub-processors. Actioneer shall maintain a list of existing sub-processors and relevant certifications in a portal, which shall be made available to the Customer upon request. Actioneer shall provide Customer with at least thirty (30) days’ prior notice (via email, website posting, or updates to the portal) of any new sub-processor. Customer may object on reasonable grounds within five (5) days of notice. If Actioneer cannot resolve the objection, Customer may terminate the affected portion of the Service. Actioneer shall impose data protection terms on any sub-processor that are no less protective than those in this DPA.
Actioneer shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to data subject requests (e.g., access or deletion). Actioneer shall not respond to such requests directly unless authorized by Customer. Actioneer shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and taking into account the nature of the processing.
Actioneer shall maintain the technical and organizational security measures detailed in the security provisions of the Agreement. Upon becoming aware of a Security Incident, Actioneer shall notify Customer without undue delay (and in no event later than 72 hours). Actioneer shall provide reasonable assistance to Customer to enable Customer to comply with its own breach notification obligations.
Customer may audit Actioneer’s compliance with this DPA once per calendar year with thirty (30) days’ prior notice. Actioneer may satisfy the requirements of this clause by providing (subject to confidentiality obligations) to the Customer its most recent SOC 2 Type II or similar independent audit report.
Subject to the data retention provisions of the Agreement, upon termination of the Agreement, Actioneer shall, at Customer’s written election, return or securely delete all personal data within thirty (30) days.
This DPA is an integral part of the Agreement. In the event of any conflict or inconsistency between the terms of this DPA and the MSA, the terms of this DPA shall prevail solely with respect to the processing of personal data. All other terms of the Agreement remain in full force and effect.
Each party’s entire liability, and the liability of its affiliates, arising out of or related to this DPA (whether in contract, tort, or otherwise) shall be subject to the limitation of liability provisions set forth in the MSA. Any reference to the “Agreement” in that clause shall be deemed to include this DPA.
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions set forth in the MSA, unless otherwise required by applicable data protection law.
Except as expressly provided in the Standard Contractual Clauses (SCCs), there are no third-party beneficiaries to this DPA. No data subject may directly enforce any part of this DPA against Actioneer except where permitted by law.
If any provision of this DPA is held by a court of competent jurisdiction to be invalid or unenforceable, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.
Actioneer may modify this DPA from time to time to reflect changes in applicable data protection law or improvements to Actioneer’s security and privacy practices. Actioneer shall provide Customer with at least thirty (30) days’ prior notice of any material modification (via email or website posting). If Customer reasonably objects to a modification on data protection grounds within five (5) days of notice, the parties shall discuss the modification in good faith. If no agreement is reached, Customer may, as its sole remedy, terminate the affected Service upon written notice to Actioneer. Continued use of the Service after the effective date of a modification shall constitute acceptance of the updated terms.
Where personal data is transferred outside the European Economic Area or the United Kingdom, the parties shall implement appropriate safeguards as required under applicable data protection law, including, where applicable, the Standard Contractual Clauses.
Glitchcraft, Inc. (d/b/a Actioneer) · connect@actioneer.com
