Data Processing Agreement

    SalesRook Ltd
    Last Updated: September 2024

    The following Data Processing Agreement ("DPA") is made and entered into between you, the customer ("Customer", "Organisation", "You", "Your", "Client", or "Data Controller"), and SalesRook Ltd (together with our respective affiliates and subsidiaries, "SalesRook", "Us", "We", "Our", "Service Provider" or "Data Processor") with respect to the subject matter hereof.

    This DPA takes effect and becomes binding between SalesRook and Organisation to the extent that SalesRook processes Organisation's personal data for which Organisation is data controller, and, where a DPA is required under the applicable data protection legislation.

    By clicking "Sign," "Check Out," "Agree," "Set Up Payment," "Purchase," or any other phrase, entering your credit card information, and/or enrolling electronically, verbally, or otherwise, You agree that You have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with to reflect the parties' agreement with regard to the Processing of Personal Data (as such terms are defined below) of GDPR-protected individuals. Both parties shall be referred to as the "Parties" and each, a "Party."

    Furthermore, you represent and warrant that you are at least eighteen (18) years old and, if you are entering into this DPA on behalf of your employer or other legal entity, that you have full authority to bind said employer or other legal entity to this agreement. If you do not agree to this DPA, or do not have authority to bind your employer or other legal entity, please do not accept this DPA, nor access or use the Services. You hereby waive any applicable rights to require an original (non-electronic) signature or delivery or retention of non-electronic records, to the extent not prohibited under applicable law.

    WHEREAS, SalesRook shall provide the services set forth in the Agreement (collectively, the "Services") for Client, as described in the Agreement; and

    WHEREAS, in the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a "Data Processor"; and the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

    NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:

    1. Interpretation and Definitions

    The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.

    References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.

    Words used in the singular include the plural and vice versa, as the context may require.

    Capitalised terms not defined herein shall have the meanings assigned to such terms in the Agreement.

    Definitions:

    • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control", for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
    • "Authorised Affiliate" means any of Client's Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Client and SalesRook, but has not signed its own agreement with SalesRook and is not a "Client" as defined under the Agreement.
    • "Controller" or "Data Controller" means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term "Data Controller" shall include yourself, the Organisation and/or the Organisation's Authorised Affiliates.
    • "Data Protection Laws and Regulations" means all laws and regulations, including, without limitation, laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
    • "Data Subject" means the identified or identifiable person to whom the Personal Data relates.
    • "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    • "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    • "Process(ing)" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • "Processor" or "Data Processor" means the entity which Processes Personal Data on behalf of the Controller.
    • "Sub-processor" means any Processor engaged by SalesRook.
    • "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.

    2. Processing of Personal Data

    Roles of the Parties

    The Parties acknowledge and agree that with regard to the Processing of Personal Data, (i) Client is the Data Controller, (ii) SalesRook is the Data Processor and that (iii) SalesRook or members of the SalesRook Group may engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below.

    Client's Processing of Personal Data

    Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to data controllers. For the avoidance of doubt, Client's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the means by which Client acquired Personal Data. Without limitation, Client shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal bases in order to collect, Process and transfer to SalesRook the Personal Data and to authorise the Processing by SalesRook of the Personal Data which is authorised in this DPA. Client shall defend, hold harmless and indemnify SalesRook, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Client and/or its authorised users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.

    SalesRook's Processing of Personal Data

    Subject to the Agreement, SalesRook shall Process Personal Data in accordance with Client's documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Client to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g. via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing as required by Union or Member State law to which SalesRook is subject; in such a case, SalesRook shall inform the Client of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

    Details of the Processing

    The subject-matter of Processing of Personal Data by SalesRook is the performance of the Services pursuant to the Agreement. Where data is stored, the duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified at Privacy Policy. SalesRook provides messaging Services where Client (a business) communicates with their own users and SalesRook stores this message data - to which Client is the owner and Data Controller - on behalf of Client without using or deciding how to use the data for its own purposes.

    3. Rights of Data Subjects

    Data Subject Request

    SalesRook shall, to the extent legally permitted, promptly notify Client if SalesRook receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, erasure ("right to be forgotten"), restriction of Processing, data portability, right to object, or its right not to be subject to automated individual decision making ("Data Subject Request"). Taking into account the nature of the Processing, SalesRook shall assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client's obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, SalesRook shall upon Client's request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent SalesRook is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from SalesRook's provision of such assistance.

    4. SalesRook Personnel

    Confidentiality

    SalesRook shall ensure that its personnel engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure. SalesRook may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, SalesRook shall inform the Client of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a "need-to-know" basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).

    5. Authorization Regarding Sub-processors

    Appointment of Sub-processors

    Client acknowledges and agrees that (a) SalesRook's Affiliates may be used as Sub-processors; and (b) SalesRook and/or SalesRook's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

    List of Current Sub-processors and Notification of New Sub-processors

    SalesRook shall make available to Client the current list of Sub-processors used by SalesRook by request to [email protected]. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location ("Sub-processor List"). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorised by Client. In any event, the Sub-processor List shall be deemed authorised by Client unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Client may reasonably object for reasons related to the GDPR to SalesRook's use of an existing Sub-processor by providing a written objection to [email protected].

    6. Security

    Controls for the Protection of Personal Data

    SalesRook shall maintain all industry-standard technical and organisational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Client. SalesRook regularly monitors compliance with these measures.

    7. Personal Data Incident Management and Notification

    SalesRook maintains security incident management policies and procedures specified in Security Documentation and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by SalesRook or its Sub-processors of which SalesRook becomes aware (a "Personal Data Incident").

    8. Return and Deletion of Personal Data

    Subject to the Agreement, SalesRook shall, at the choice of Client, delete or return the Personal Data to Client after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, SalesRook may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations.

    9. Authorised Affiliates

    Contractual Relationship

    The Parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorised Affiliates, thereby establishing a separate DPA between SalesRook and each such Authorised Affiliate.

    10. Transfers of Data

    Transfers to countries that offer adequate level of data protection

    Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, "EEA") to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission ("Adequacy Decisions"), without any further safeguard being necessary.

    11. Termination

    This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided.

    12. Amendments

    This DPA may be amended at any time. Any changes to the DPA will be communicated to You via email or through notifications within our platform. Continued use of our services after such modifications will constitute acknowledgment and agreement of the modified terms.

    13. Legal Effect

    This DPA shall become legally binding between Client and SalesRook on completion of any Service Agreement between both Parties, which embeds our service terms available at Terms of Service.

    14. Governing Law and Severability

    This Agreement and any disputes arising out of or in connection with it shall be governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement.

    Force Majeure: Neither party shall be liable for any failure or delay in performing its obligations under this Agreement due to circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, war, civil disturbance, action by governmental entities, strikes, and other acts beyond the party's reasonable control.

    This Agreement shall be governed by and construed in accordance with the laws of the United Kingdom, regardless of the conflict of laws principles thereof. If any term, provision, covenant, or condition of this Agreement is held by an arbitrator or court of competent jurisdiction to be invalid, void, or unenforceable, the rest of the Agreement shall remain in full force and effect and shall in no way be affected, impaired, or invalidated.

    15. Entire Agreement

    This Agreement contains the entire agreement between the parties and supersedes all prior agreements between the parties, whether written or oral.

    16. Our Information

    This Website is owned and operated by:

    SALESROOK LTD

    Unit A, Cottonworks House, 111 Seven Sisters Road, London N7 7FN

    UNITED KINGDOM

    Company number: 14088341

    If you have any questions or concerns regarding this Data Processing Agreement, please email [email protected] or call +44 808 175 1795.