Last Updated: January 2026

    Data Processing Agreement

    SalesRook Ltd

    Version 2.1

    This Data Processing Agreement ("DPA") forms part of the Terms of Service between you, the Customer ("Customer", "Client", "You", "Your", or "Data Controller"), and SalesRook Ltd (together with our respective affiliates and subsidiaries, "SalesRook", "Us", "We", "Our", or "Data Processor") and governs the Processing of Personal Data by SalesRook on behalf of Customer.

    This DPA becomes effective and binding when Customer accepts the Terms of Service and SalesRook begins Processing Personal Data on Customer's behalf.

    By accepting the Terms of Service, completing an Order Form, executing a GoCardless direct debit mandate, or otherwise engaging SalesRook's Services, You acknowledge that You have read and understood this DPA and agree to be bound by its terms. Both parties shall be referred to as the "Parties" and each, a "Party".

    You represent and warrant that you are at least eighteen (18) years old and, if entering into this DPA on behalf of an employer or other legal entity, that you have full authority to bind such entity to this DPA.

    1. INTERPRETATION AND DEFINITIONS

    1.1 Headings and References

    The headings contained in this DPA are for convenience only and shall not limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require.

    1.2 Relationship to Terms of Service

    This DPA supplements and forms part of the Terms of Service available at https://salesrook.com/terms-of-service (the "Terms of Service" or "Agreement"). In the event of any conflict between this DPA and the Terms of Service, the order of precedence set out in Section 1(f) of the Terms of Service shall apply. Capitalised terms not defined herein shall have the meanings assigned to such terms in the Terms of Service.

    1.3 Definitions

    • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control", for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
    • "Authorised Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the Data Protection Laws and Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and SalesRook, but has not signed its own separate agreement with SalesRook.
    • "Controller" or "Data Controller" means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the term "Data Controller" includes Customer and, where applicable, Customer's Authorised Affiliates.
    • "Data Protection Laws and Regulations" means all applicable laws and regulations relating to the Processing of Personal Data, including without limitation the UK GDPR, the UK Data Protection Act 2018, the EU General Data Protection Regulation (EU) 2016/679, and any successor or replacement legislation.
    • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
    • "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
    • "Material Sub-processor" means any third party that (a) Processes Personal Data in the course of providing core Services functionality, or (b) has direct access to unencrypted Personal Data. Material Sub-processors do not include infrastructure providers where data is encrypted at rest, professional service providers bound by confidentiality (such as legal counsel or accountants), or incidental service providers with no access to Personal Data.
    • "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    • "Personal Data Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by SalesRook or its Sub-processors.
    • "Process(ing)" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • "Processor" or "Data Processor" means the entity which Processes Personal Data on behalf of the Controller.
    • "Security Documentation" means SalesRook's security-related policies and procedures, including: Information Security Policy, Data Classification Policy, Business Continuity Policy, Secure Coding Development Standard, and related technical and organisational measures. These documents are made available to Customer upon reasonable written request to [email protected] subject to appropriate confidentiality undertakings.
    • "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined in Article 9 of the UK GDPR and EU GDPR.
    • "Sub-processor" means any Data Processor engaged by SalesRook or its Affiliates to Process Personal Data on behalf of Customer in connection with the Services.
    • "Supervisory Authority" means an independent public authority established by an EU Member State or the United Kingdom pursuant to applicable Data Protection Laws and Regulations, including the UK Information Commissioner's Office (ICO).
    • "UK GDPR" means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

    2. ROLES AND RESPONSIBILITIES

    2.1 Roles of the Parties

    The Parties acknowledge and agree that with regard to the Processing of Personal Data:

    (a) Customer is the Data Controller who determines the purposes and means of Processing Personal Data;

    (b) SalesRook is the Data Processor who Processes Personal Data on behalf of and in accordance with Customer's documented instructions; and

    (c) SalesRook may engage Sub-processors pursuant to Section 5 of this DPA.

    2.2 Customer's Processing of Personal Data

    Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer shall:

    (a) Comply with all obligations applicable to Data Controllers under Data Protection Laws and Regulations;

    (b) Ensure it has all necessary legal bases, consents, and authorisations to collect, Process, and transfer Personal Data to SalesRook;

    (c) Provide any required privacy notices to Data Subjects and comply with transparency obligations;

    (d) Ensure that its instructions for Processing Personal Data comply with Data Protection Laws and Regulations;

    (e) Have sole responsibility for the lawfulness of the Personal Data and the means by which it was obtained; and

    (f) Promptly notify SalesRook if it becomes aware that its instructions for Processing Personal Data may violate Data Protection Laws and Regulations.

    Customer shall defend, indemnify, and hold harmless SalesRook, its Affiliates, and their respective directors, officers, employees, and agents from and against any claims, liabilities, damages, or expenses arising from Customer's breach of this Section 2.2 or violation of Data Protection Laws and Regulations.

    2.3 SalesRook's Processing of Personal Data

    Subject to the Terms of Service and this DPA, SalesRook shall Process Personal Data only on Customer's documented instructions for the following purposes:

    (a) Processing in accordance with the Terms of Service and this DPA to provide the Services;

    (b) Processing to enable Customer to use the Services as intended;

    (c) Processing in accordance with other reasonable documented instructions provided by Customer (e.g., via email to [email protected]) where such instructions are consistent with the terms of the Agreement; and

    (d) Processing as required by applicable law, in which case SalesRook shall inform Customer of such legal requirement before Processing (unless prohibited by law on important grounds of public interest).

    SalesRook shall immediately inform Customer if, in its opinion, an instruction from Customer infringes Data Protection Laws and Regulations.

    2.4 Details of the Processing

    Subject Matter: The subject matter of Processing is the performance of the Services as described in the Terms of Service, including AI-powered WhatsApp communication management, lead qualification, CRM integration, and related messaging services.

    Duration: The duration of Processing is the term of the Agreement, plus the period required for secure deletion or return of Personal Data as specified in Section 9 of this DPA.

    Nature and Purpose: SalesRook Processes Personal Data to enable Customer (estate agents, mortgage brokers, and property professionals) to communicate with their customers and prospects via WhatsApp and other messaging channels, qualify leads, integrate with CRM systems, and manage customer relationships.

    Types of Personal Data: The Personal Data Processed may include:

    • Contact information (names, email addresses, phone numbers)
    • Communication content (WhatsApp messages, SMS messages)
    • Property enquiry details (property preferences, budgets, timelines)
    • Professional information (employment status, income details for mortgage applications)
    • Location data (property addresses, postcodes)
    • Identifiers (unique user IDs, CRM record IDs)

    Categories of Data Subjects: Data Subjects include:

    • Customer's clients and prospects (property buyers, sellers, tenants, landlords)
    • Individuals enquiring about properties or mortgage services
    • Individuals communicating with Customer via WhatsApp or other messaging platforms

    Data Location: All Personal Data is stored on Google Cloud Platform servers located in Belgium (europe-west1 region). Personal Data may be processed by certain US-based Sub-processors under the UK-US Data Bridge adequacy framework (see Section 11 for international transfer provisions).

    2.5 Special Category Data and Criminal Offence Data

    SalesRook shall not Process Special Category Data or Personal Data relating to criminal convictions and offences (Article 10 UK GDPR) unless Customer provides specific prior written instruction to [email protected] and confirms that:

    (a) Customer has an appropriate legal basis under Articles 9 or 10 of the UK GDPR;

    (b) Appropriate safeguards are in place for such Processing; and

    (c) Customer accepts full responsibility for the lawfulness of such Processing.

    In the absence of such written instruction, SalesRook may refuse to Process such data or may immediately cease Processing and notify Customer.

    2.6 Article 28 UK GDPR Compliance

    SalesRook confirms that it shall comply with all obligations of a processor under Article 28(3) of the UK GDPR, including:

    (a) Processing Personal Data only on documented instructions from Customer (Section 2.3);

    (b) Ensuring persons authorised to Process Personal Data are subject to confidentiality (Section 4);

    (c) Implementing appropriate technical and organisational security measures (Section 6);

    (d) Engaging Sub-processors only with Customer's authorisation (Section 5);

    (e) Assisting Customer with Data Subject Rights requests (Section 3);

    (f) Assisting Customer with security obligations and Personal Data Incident notifications (Sections 6 and 7);

    (g) Deleting or returning Personal Data at the end of Services (Section 9);

    (h) Making available to Customer all information necessary to demonstrate compliance with Article 28 obligations and allowing for audits and inspections (Section 8).

    3. DATA SUBJECT RIGHTS

    3.1 Data Subject Requests

    SalesRook shall, to the extent legally permitted, promptly notify Customer if SalesRook receives a request from a Data Subject to exercise their rights under Data Protection Laws and Regulations, including rights of access, rectification, erasure ("right to be forgotten"), restriction of Processing, data portability, objection to Processing, or rights related to automated decision-making (a "Data Subject Request").

    3.2 Customer's Responsibility

    Customer is primarily responsible for responding to Data Subject Requests. To the extent Customer does not have direct ability through the Services to respond to a Data Subject Request, SalesRook shall provide reasonable assistance to Customer in responding to such requests, taking into account the nature of the Processing.

    3.3 Assistance with Data Subject Requests

    Upon Customer's written request to [email protected], SalesRook shall provide commercially reasonable assistance to enable Customer to respond to Data Subject Requests, including:

    (a) Providing access to Personal Data held by SalesRook;

    (b) Facilitating correction or deletion of Personal Data;

    (c) Providing Personal Data in a portable format where technically feasible;

    (d) Implementing restrictions on Processing where required; and

    (e) Providing information necessary for Customer to respond to the Data Subject.

    SalesRook shall respond to Customer's request for assistance within a reasonable timeframe to enable Customer to comply with the one-month response deadline under Data Protection Laws and Regulations (or such shorter period as may be required by applicable law).

    3.4 Cost of Assistance

    Reasonable assistance with Data Subject Requests in accordance with this Section 3 is included in the Services. To the extent Customer's request requires extensive work beyond SalesRook's standard procedures, Customer shall be responsible for SalesRook's reasonable costs in providing such assistance, which shall be agreed in advance.

    4. PERSONNEL AND CONFIDENTIALITY

    4.1 Confidentiality

    SalesRook shall ensure that all personnel engaged in the Processing of Personal Data:

    (a) Are bound by appropriate confidentiality obligations (whether contractual or statutory);

    (b) Have received appropriate training on data protection requirements;

    (c) Process Personal Data only as instructed by Customer or as required by applicable law; and

    (d) Are subject to disciplinary action for unauthorised Processing of Personal Data.

    4.2 Permitted Disclosures

    SalesRook may disclose Personal Data:

    (a) As expressly permitted under this DPA;

    (b) To the extent required by a court of competent jurisdiction, Supervisory Authority, or other legal requirement (in which case SalesRook shall inform Customer before disclosure unless prohibited by law on grounds of public interest); or

    (c) On a need-to-know basis and under confidentiality obligations to SalesRook's legal counsel, data protection advisors, and auditors.

    5. SUB-PROCESSORS

    5.1 General Authorisation

    Customer provides general authorisation for SalesRook to engage Sub-processors to assist in providing the Services, subject to the requirements of this Section 5.

    5.2 Current Sub-Processor List

    Upon written request to [email protected], SalesRook shall provide Customer with a current list of Material Sub-processors engaged in the Processing of Personal Data, including:

    (a) The Sub-processor's name and location;

    (b) A description of the Processing activities performed; and

    (c) The legal basis for international data transfers (where applicable).

    5.3 Notification of Changes to Material Sub-Processors

    SalesRook shall notify Customer at least thirty (30) days in advance via email to Customer's registered contact address before:

    (a) Engaging any new Material Sub-processor; or

    (b) Replacing an existing Material Sub-processor.

    For avoidance of doubt, SalesRook is not required to notify Customer of changes to infrastructure providers (where data is encrypted at rest), professional service providers bound by confidentiality, or service providers with no access to Personal Data.

    5.4 Objection Rights

    Customer may object to SalesRook's appointment or replacement of a Material Sub-processor on reasonable data protection grounds by providing written notice to [email protected] within thirty (30) days of receiving notification under Section 5.3.

    If Customer reasonably objects and SalesRook cannot:

    (a) Accommodate Customer's objection; or

    (b) Provide a commercially reasonable alternative solution,

    then either party may terminate the affected Services upon written notice. Upon such termination, Customer shall be entitled to a pro-rata refund of any prepaid fees for the terminated Services for the remainder of the then-current subscription term.

    5.5 Sub-Processor Obligations

    SalesRook shall:

    (a) Impose data protection obligations on each Sub-processor that are materially equivalent to those set out in this DPA;

    (b) Ensure Sub-processors Process Personal Data only in accordance with Customer's instructions (as communicated through SalesRook);

    (c) Remain fully liable to Customer for the performance of each Sub-processor's obligations; and

    (d) Monitor Sub-processor compliance with data protection obligations.

    6. SECURITY MEASURES

    6.1 Technical and Organisational Measures

    SalesRook has implemented and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as required by Article 32 of the UK GDPR and EU GDPR.

    Such measures are designed to include, but are not limited to:

    (a) Encryption: Personal Data is designed to be encrypted in transit using TLS 1.3 or higher and at rest using AES-256 encryption or equivalent;

    (b) Access Controls: Role-based access controls, multi-factor authentication for system access, and least-privilege access principles;

    (c) Security Monitoring: Continuous monitoring, logging, and alerting designed to detect security events;

    (d) Vulnerability Management: Regular security testing, vulnerability scanning, and timely application of security patches;

    (e) Secure Development: Following secure coding standards and conducting security reviews of code changes;

    (f) Data Segregation: Logical segregation of Customer data designed to prevent unauthorised cross-customer access;

    (g) Personnel Security: Background checks, security training, and confidentiality obligations for personnel; and

    (h) Incident Response: Documented procedures for detecting, responding to, and recovering from security incidents.

    6.2 Security Documentation

    SalesRook maintains comprehensive Security Documentation detailing the technical and organisational measures implemented to protect Personal Data, as defined in Section 1.3.

    Upon reasonable written request to [email protected] and subject to appropriate confidentiality undertakings, SalesRook shall make available to Customer relevant excerpts of the Security Documentation necessary to demonstrate compliance with this Section 6.

    6.3 Regular Review and Updates

    SalesRook regularly monitors and reviews the effectiveness of security measures and updates them as necessary to maintain appropriate levels of security, taking into account:

    (a) The state of the art in security technology;

    (b) The costs of implementation;

    (c) The nature, scope, context, and purposes of Processing; and

    (d) The risks to Data Subjects.

    6.4 ICO Registration

    SalesRook is registered with the UK Information Commissioner's Office (ICO) under registration number ZC045388 and maintains such registration in good standing.

    7. PERSONAL DATA INCIDENTS

    7.1 Incident Notification

    Upon becoming aware of a Personal Data Incident affecting Customer's Personal Data, SalesRook shall notify Customer without undue delay, and where feasible within seventy-two (72) hours.

    For the purposes of this Section, "becoming aware" means when SalesRook has a reasonable degree of certainty that a Personal Data Incident has occurred.

    Notification shall be sent via email to the contact address registered in Customer's account and shall include, to the extent known at the time of initial notification:

    (a) A description of the nature of the Personal Data Incident;

    (b) The categories and approximate number of Data Subjects affected;

    (c) The categories and approximate number of Personal Data records affected;

    (d) The likely consequences of the Personal Data Incident;

    (e) The measures taken or proposed to address the Personal Data Incident and mitigate its potential adverse effects; and

    (f) Contact details for further information.

    SalesRook acknowledges that initial notification may be incomplete and shall provide updates to Customer without undue delay as additional information becomes available.

    7.2 Incident Investigation and Remediation

    SalesRook shall:

    (a) Investigate the Personal Data Incident promptly and take appropriate steps to remediate the cause;

    (b) Provide Customer with reasonable updates on the investigation and remediation efforts;

    (c) Cooperate with Customer and provide reasonable assistance to enable Customer to comply with its own notification obligations under Data Protection Laws and Regulations;

    (d) Document Personal Data Incidents, including facts relating to the incident, its effects, and remedial actions taken; and

    (e) Take reasonable steps to prevent recurrence of similar incidents.

    7.3 Customer's Notification Obligations

    Customer acknowledges that it is solely responsible for complying with its obligations under Data Protection Laws and Regulations regarding notification of Personal Data Incidents to Supervisory Authorities and Data Subjects. SalesRook's notification under Section 7.1 does not constitute an assessment of whether Customer is required to notify under applicable law.

    8. AUDIT AND COMPLIANCE

    8.1 Audit Rights

    Upon reasonable advance written notice (not less than thirty (30) days) and subject to appropriate confidentiality obligations, Customer may audit SalesRook's compliance with this DPA up to once per calendar year during normal business hours, provided that such audit:

    (a) Does not unreasonably interfere with SalesRook's business operations;

    (b) Is conducted at Customer's expense (except where the audit reveals material non-compliance with this DPA, in which case SalesRook shall bear reasonable costs); and

    (c) Is limited to matters relevant to SalesRook's Processing of Customer's Personal Data.

    Customer may conduct such audits directly or through an independent third-party auditor appointed by Customer and acceptable to SalesRook (such acceptance not to be unreasonably withheld).

    8.2 Alternative Compliance Verification

    Customer's audit obligation under Section 8.1 may be satisfied by SalesRook providing any of the following:

    (a) A recent third-party audit report (such as SOC 2 Type II or ISO 27001 certification);

    (b) Completed responses to Customer's standard information security questionnaire; or

    (c) Relevant excerpts from SalesRook's Security Documentation demonstrating compliance with this DPA.

    Where Customer requires an on-site or virtual audit, the Parties shall cooperate in good faith to schedule such audit at a mutually convenient time, provided that SalesRook may require Customer to enter into additional confidentiality and non-disclosure undertakings.

    8.3 Making Available Information for Compliance

    In accordance with Article 28(3)(h) of the UK GDPR, SalesRook shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 and this DPA, including:

    (a) Documentation of technical and organisational measures (Section 6.2);

    (b) Security policies and procedures relevant to the Processing;

    (c) Sub-processor information (Section 5.2);

    (d) Personal Data Incident documentation (Section 7.2(d)); and

    (e) Audit and assessment reports (Section 8.2).

    8.4 Supervisory Authority Inspections

    SalesRook shall reasonably cooperate with and allow for inspections by Customer or another auditor mandated by Customer, including inspections by Supervisory Authorities where Customer is required to facilitate such inspections under Data Protection Laws and Regulations.

    SalesRook shall provide reasonable assistance to enable such inspections, subject to appropriate protections for confidential and proprietary information and reasonable advance notice.

    9. DATA RETENTION AND DELETION

    9.1 Retention During Service Term

    During the term of the Agreement, SalesRook shall retain Personal Data in accordance with the data retention schedule set out in Section 9.5 and as necessary to provide the Services.

    9.2 Return or Deletion Upon Termination

    Upon termination or expiration of the Agreement, SalesRook shall, at Customer's choice and written instruction:

    (a) Return: Provide Customer with a copy of all Personal Data in a commonly used, machine-readable format; and/or

    (b) Delete: Securely delete all Personal Data, including all existing copies (except as described in Section 9.3).

    Customer must make its election by providing written notice to [email protected] within thirty (30) days following termination. If Customer does not provide timely instruction, SalesRook shall securely delete all Personal Data in accordance with Section 9.2(b).

    9.3 Retention for Legal Compliance

    Notwithstanding Section 9.2, SalesRook may retain Personal Data to the extent and for the period required or permitted by applicable law, including for:

    (a) Compliance with legal obligations or regulatory requirements;

    (b) Establishment, exercise, or defence of legal claims; or

    (c) Resolution of disputes.

    Any Personal Data retained under this Section 9.3 shall remain subject to the confidentiality and security provisions of this DPA and shall be securely deleted when no longer required for such purposes.

    9.4 Certification of Deletion

    Upon Customer's written request, SalesRook shall provide written certification that Personal Data has been returned and/or deleted in accordance with this Section 9.

    9.5 Data Retention Schedule

    SalesRook shall retain different categories of Personal Data for the following periods:

    Data Category | Retention Period | Legal Basis
    WhatsApp message content | Duration of service + 30 days | Contract performance
    Contact information (names, emails, phone numbers) | Duration of service + 90 days | Contract performance + legitimate interests
    CRM sync metadata | Duration of service + 30 days | Contract performance
    Property enquiry details (preferences, budgets, timelines) | Duration of service + 30 days | Contract performance
    AI training data (anonymised) | Until opt-out + 30 days deletion | Legitimate interests (ToS Section 10.3)
    System configuration settings | Duration of service + 90 days | Contract performance + business continuity
    Audit logs | 12 months from creation | Legal obligation (GDPR accountability)
    Backup copies | 90 days maximum | Business continuity + disaster recovery
    Financial records (invoices, payments) | 7 years from transaction date | Legal obligation (UK tax law)
    Legal hold data | Until legal matter resolved + 30 days | Legal claims (GDPR Article 6(1)(f))

    "Duration of service" means the period during which Customer actively uses the Services under the Agreement.

    10. AUTHORISED AFFILIATES

    10.1 Contractual Relationship

    By accepting this DPA, Customer may enter into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorised Affiliates, thereby establishing separate DPA obligations between SalesRook and each such Authorised Affiliate subject to the terms of this Section 10.

    10.2 Authorised Affiliate Obligations

    Each Authorised Affiliate shall be bound by the obligations of "Customer" under this DPA as if it were an original party hereto. Customer shall remain primarily liable for ensuring each Authorised Affiliate's compliance with this DPA.

    10.3 Exercise of Rights

    The rights of Authorised Affiliates under this DPA may be exercised by Customer on behalf of such Authorised Affiliates. Communications, notices, and requests may be provided by Customer on behalf of its Authorised Affiliates to [email protected].

    11. INTERNATIONAL DATA TRANSFERS

    11.1 Data Locations

    All Personal Data Processed by SalesRook is stored on Google Cloud Platform servers located in Belgium (europe-west1 region). Personal Data may be accessed for Processing purposes from the United Kingdom and other locations where SalesRook personnel are located.

    11.2 Transfers to Countries with Adequacy Decisions

    Personal Data may be transferred from the United Kingdom and the European Economic Area ("EEA") to countries that provide an adequate level of data protection as determined by adequacy decisions issued by:

    (a) The UK Secretary of State under Section 17A of the UK Data Protection Act 2018; or

    (b) The European Commission under Article 45 of the EU GDPR.

    No additional safeguards are required for such transfers. As of the date of this DPA, adequacy decisions include transfers between the UK and EEA, and transfers to United States organisations certified under the UK-US Data Bridge extension to the EU-US Data Privacy Framework.

    11.3 UK-US Data Bridge

    SalesRook relies on the UK-US Data Bridge adequacy framework (which came into force on 12 October 2023) for transfers of Personal Data from the UK to certain US-based Sub-processors, including:

    (a) Meta Platforms Inc. (WhatsApp Business API services)

    (b) OpenAI Inc. (AI language model services)

    (c) Other US-based service providers certified under the EU-US Data Privacy Framework

    SalesRook shall ensure that any US-based Sub-processor processing UK Personal Data under the UK-US Data Bridge maintains current certification and complies with the framework's requirements.

    11.4 Standard Contractual Clauses and UK IDTA

    Where Personal Data is transferred to countries that do not benefit from an adequacy decision, or where Customer reasonably requires additional safeguards, SalesRook shall implement appropriate transfer mechanisms, including:

    (a) Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914; and/or

    (b) The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs issued by the UK Information Commissioner's Office.

    Upon request or when such mechanisms become necessary, SalesRook shall:

    (i) Execute the applicable SCCs or UK IDTA with Customer within thirty (30) days;

    (ii) Complete Annex I (Parties and Processing Details), Annex II (Technical and Organisational Measures), and where applicable Annex III (Sub-processor List) using information from this DPA; and

    (iii) Provide completed documentation to Customer for signature.

    SalesRook maintains template SCCs and UK IDTA documentation and shall provide these to Customer upon written request to [email protected].

    11.5 Transfer Impact Assessment Assistance

    Upon Customer's reasonable written request to [email protected], SalesRook shall provide information reasonably necessary for Customer to conduct a transfer impact assessment, including:

    (a) Details of the countries to which Personal Data is transferred;

    (b) Information about Sub-processors located in non-adequate countries;

    (c) Information about security measures protecting Personal Data during transfer and in the destination country; and

    (d) Information about legal protections available in the destination country.

    11.6 Changes to Transfer Mechanisms

    If a relevant Supervisory Authority or court determines that a transfer mechanism relied upon by SalesRook is invalid, SalesRook shall promptly notify Customer and work in good faith to implement alternative lawful transfer mechanisms or, if not feasible, suspend the affected transfers.

    12. LIABILITY AND INDEMNIFICATION

    12.1 Liability Caps

    The liability of each Party under or in connection with this DPA (whether in contract, tort, or otherwise) shall be subject to the limitations and exclusions of liability set out in Section 15 (Limitation of Liability) of the Terms of Service.

    12.2 Allocation of Liability to Data Subjects

    Where Customer or SalesRook is required to pay compensation to a Data Subject for damage caused by a breach of this DPA or Data Protection Laws and Regulations:

    (a) If the damage was caused solely by SalesRook's breach, SalesRook shall be liable for the full amount of compensation;

    (b) If the damage was caused solely by Customer's breach, Customer shall be liable for the full amount of compensation;

    (c) If the damage was caused by the breach of both Parties, liability shall be allocated in proportion to each Party's degree of responsibility for the damage;

    (d) If one Party pays more than its proportionate share, it shall be entitled to recover the excess from the other Party.

    12.3 Customer Indemnification

    Customer shall indemnify, defend, and hold harmless SalesRook from and against any claims, liabilities, damages, or expenses (including reasonable attorneys' fees) arising from or related to:

    (a) Customer's breach of its obligations under Section 2.2 of this DPA;

    (b) Customer's violation of Data Protection Laws and Regulations;

    (c) Customer's Processing instructions that violate Data Protection Laws and Regulations; or

    (d) Claims by Data Subjects arising from Customer's unlawful Processing of Personal Data.

    13. TERM AND TERMINATION

    13.1 Term

    This DPA shall commence on the date Customer accepts the Terms of Service and shall continue for so long as SalesRook Processes Personal Data on behalf of Customer under the Agreement.

    13.2 Termination

    This DPA shall automatically terminate upon the termination or expiration of the Terms of Service, provided that:

    (a) The obligations under Section 9 (Data Retention and Deletion) shall survive for the period necessary to fulfill those obligations; and

    (b) The confidentiality, indemnification, and liability provisions shall survive termination.

    13.3 Effect of Termination

    Upon termination of this DPA:

    (a) SalesRook shall cease Processing Personal Data on behalf of Customer (except as required to fulfill obligations under Section 9);

    (b) Customer's obligation to pay for Services rendered prior to termination shall survive; and

    (c) Any data retained in accordance with Section 9.3 shall remain subject to the terms of this DPA until securely deleted.

    14. AMENDMENTS

    14.1 Material Amendments

    SalesRook may amend this DPA from time to time to reflect:

    (a) Changes in Data Protection Laws and Regulations;

    (b) Guidance or requirements from Supervisory Authorities;

    (c) Changes to SalesRook's data processing practices necessary to maintain compliance; or

    (d) Changes to SalesRook's Services that affect data Processing.

    14.2 Notice of Material Amendments

    For material amendments that significantly affect the Processing of Personal Data or Customer's rights and obligations under this DPA, SalesRook shall:

    (a) Provide Customer with at least thirty (30) days' advance notice via email to Customer's registered contact address; and

    (b) Publish the updated DPA at https://salesrook.com/dpa.

    14.3 Termination for Material Amendments

    If Customer reasonably objects to a material amendment on data protection grounds, Customer may terminate the Agreement by providing written notice to [email protected] within thirty (30) days of receiving notice of the amendment. Upon such termination:

    (a) Customer shall be entitled to a pro-rata refund of any prepaid fees for the unused portion of the then-current subscription term; and

    (b) SalesRook shall return or delete Personal Data in accordance with Section 9.

    14.4 Non-Material Amendments

    Non-material amendments (such as clarifications, corrections to typographical errors, updates to contact information, or administrative changes) shall be effective upon publication at https://salesrook.com/dpa without advance notice or termination rights. SalesRook may notify Customer of such changes via email as a courtesy.

    14.5 Continued Use

    Customer's continued use of the Services following the effective date of an amendment (after expiry of any applicable notice period) shall constitute acceptance of the amended DPA, except where Customer has exercised its termination right under Section 14.3.

    15. GOVERNING LAW AND DISPUTE RESOLUTION

    15.1 Governing Law

    This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflicts of law principles.

    15.2 Dispute Resolution

    Any dispute, controversy, or claim arising out of or relating to this DPA, including any question regarding its existence, validity, or termination, shall be resolved in accordance with the dispute resolution procedures set out in Section 16 (Dispute Resolution) of the Terms of Service.

    For the avoidance of doubt, where the Terms of Service provides for arbitration under the LCIA Rules in accordance with the Arbitration Act 1996, such arbitration provisions shall apply to disputes arising under this DPA.

    15.3 Severability

    If any provision of this DPA is held by a court or arbitrator of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions shall continue in full force and effect and shall not be affected, impaired, or invalidated.

    15.4 Force Majeure

    Neither Party shall be liable for any failure or delay in performing its obligations under this DPA (other than payment obligations) to the extent such failure or delay is caused by circumstances beyond its reasonable control, including acts of God, natural disasters, war, terrorism, civil disturbance, government action, strikes, and other events of force majeure. The affected Party shall promptly notify the other Party and use reasonable efforts to mitigate the impact.

    16. GENERAL PROVISIONS

    16.1 Entire Agreement

    This DPA, together with the Terms of Service and any Order Forms, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous agreements, whether written or oral, relating to such subject matter.

    16.2 No Third-Party Beneficiaries

    This DPA is for the sole benefit of the Parties and their respective Authorised Affiliates. Except as expressly provided in Section 10 (Authorised Affiliates), nothing in this DPA shall create any right or benefit for any third party, including Data Subjects.

    16.3 Waiver

    No waiver of any provision of this DPA shall be effective unless in writing and signed by the Party against whom the waiver is sought to be enforced. No failure or delay by either Party in exercising any right, power, or remedy shall operate as a waiver thereof.

    16.4 Assignment

    Customer may not assign or transfer this DPA without SalesRook's prior written consent. SalesRook may assign this DPA in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of its assets, provided that the assignee agrees to be bound by the terms of this DPA.

    16.5 Notices

    All notices under this DPA shall be in writing and shall be deemed given when:

    (a) Delivered personally;

    (b) Sent by confirmed email to the address specified in Section 17; or

    (c) Three (3) business days after being sent by registered or certified mail, return receipt requested.

    16.6 Counterparts and Electronic Signatures

    This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures and digitally signed documents shall have the same legal effect as original signatures.

    17. CONTACT INFORMATION

    17.1 SalesRook's Data Protection Contact

    For any questions, concerns, or requests relating to this DPA, Personal Data, or data protection matters, please contact:

    Email: [email protected]
    Phone: +44 808 175 1795
    Data Protection Contact: Max Hardy
    Data Protection Contact Email: [email protected]

    Address:

    SalesRook Ltd
    Unit A, Cottonworks House
    111 Seven Sisters Road
    London N7 7FN
    United Kingdom

    Company Registration Number: 14088341
    ICO Registration Number: ZC045388

    17.2 Customer's Data Protection Contact

    Customer shall maintain current contact information with SalesRook to ensure proper delivery of notices under this DPA. Customer may update contact information by logging into the Services or by contacting [email protected].

    Document Version: 2.1
    Effective Date: January 2026
    Previous Versions: Version 2.0 (January 2026, internal draft), Version 1.0 (September 2024)

    Changes in Version 2.1:

    • Added Special Category Data prohibition (Section 2.5)
    • Added explicit Article 28(3) compliance statement (Section 2.6)
    • Enhanced breach notification with "initial/updates" language (Section 7.1)
    • Added "designed to" qualifiers for security measures (Section 6.1)
    • Strengthened Article 28(3)(h) compliance (Section 8.3)
    • Added Supervisory Authority inspection provision (Section 8.4)

    © 2026 SalesRook Ltd. All rights reserved.