Data Processing Addendum

Last Updated: November 08, 2022



This Data Processing Addendum (“DPA”) forms part of the Dealtale Terms of Service (“Agreement”) between you and Dealtale. This DPA applies to the extent that Dealtale Processes Personal Data on your behalf in providing the Dealtale Platform.


Capitalized terms used but not defined in this DPA will have the meanings set forth in the Agreement.

  1. Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  2. Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA.
  3. Data Subject” means the individual to whom Personal Data relates.
  4. Personal Data” means Customer Data that relates to an identified or identifiable natural person.
  5. Personal Data Breach” means a breach of security of the Dealtale Platform leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data.
  6. Processor” means the entity which Processes Personal Data on behalf of the Controller.
  7. Process” or “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.


You will act as the Controller and Dealtale will act as the Processor with respect to the Processing of Personal Data pursuant to this DPA. You will be solely responsible for complying with your obligations under Data Protection Laws with respect to the Processing of Personal Data, including with respect to providing any necessary notices to, and obtaining any necessary consents from, Data Subjects or other persons with respect to the Processing of Personal Data.


Dealtale will Process Personal Data solely in accordance with the Agreement or other documented instructions that you may provide (whether in written or electronic form) in accordance with the Agreement, or as otherwise required by applicable law. For clarity, Dealtale will not (a) retain, use, or disclose Personal Data for any purpose other than providing Dealtale Platform to you pursuant to the Agreement, or as required by applicable law; or (b) sell such Personal Data to any third party, as “sale” is defined under applicable Data Protection Laws. Dealtale certifies that it understands and will comply with the foregoing restrictions. The duration, scope, and details of the Processing are described in the Agreement.


Dealtale will require its personnel to protect the confidentiality of Personal Data.


Dealtale maintains administrative, physical, and technical safeguards for the Dealtale Platform which are designed to protect Personal Data against unauthorized loss, destruction, alteration, access, or disclosure, as further described in the Data Security Addendum.


Dealtale will notify you without undue delay in the event Dealtale discovers that a Personal Data Breach has occurred, unless otherwise prohibited by law or otherwise instructed by a law enforcement agency or regulator. At your request, and taking into account the nature of the Processing and the information available to Dealtale, Dealtale will provide you with reasonable assistance and cooperation with respect to any notifications that you are required to provide to affected Data Subjects or regulators under applicable Data Protection Laws with respect to the Personal Data Breach.


Dealtale will promptly notify you, unless prohibited by applicable law, if Dealtale receives: (a) any requests from a Data Subject with respect to Personal Data Processed by Dealtale pursuant to the Agreement, including but not limited to opt-out requests, requests for access and/or rectification, blocking, erasure, requests for data portability, and similar requests under Data Protection Laws; or (b) any complaint related to the Processing of Personal Data by Dealtale pursuant to the Agreement, including any allegations that such Processing infringes on a Data Subject’s rights. You will be responsible for responding to any such requests or complaints. At your request and taking into account the nature of the Processing, Dealtale will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of obligations you may have under applicable Data Protection Laws to respond to such Data Subject requests.


You agree that Dealtale may disclose Personal Data to its subcontractors for purposes of providing the Dealtale Platform to you (“Subprocessors”), provided that Dealtale will impose obligations on its Subprocessors that are substantially as protective of Personal Data as those set forth in this DPA. Dealtale will (a) make available a list of its Subprocessors and provide you with a mechanism to receive thirty (30) days prior notice of any changes to this list and (b) provide thirty (30) days prior notice to you of the intended addition of any new Subprocessor, to allow you an opportunity to object to the addition. If you have not provided a written objection within thirty (30) days of such notice, such Subprocessor will be deemed to be accepted by you. If you make such an objection, and the parties have failed to agree upon an alternative arrangement within thirty days of your objection, either party may (and Customer may, as its sole and exclusive remedy) terminate for convenience the Agreement in relation to the Dealtale Platform that involve use of the new Subprocessor. Dealtale will be liable for any acts or omissions by its Subprocessors in breach of this DPA to the same extent as if such breach was committed directly by Dealtale.

For clarity, nothing in this DPA limits Dealtale from transmitting Customer Data to and among Sources and Destinations as directed by Customer through the Dealtale Platform. The parties agree that neither Sources nor Destinations are Subprocessors of Dealtale and that, between the parties, Customer is solely responsible for the Processing of Customer Personal Data by, and other acts and omissions of, Sources and Destinations or parties associated therewith.


In connection with the performance of the Agreement, Dealtale may transfer Personal Data to any jurisdiction, subject to Dealtale’s compliance with this DPA and relevant data protection regulations. To the extent such transfer involves a transfer by you of Personal Data from the European Economic Area (“EEA”), the UK, or Switzerland, to Dealtale in a jurisdiction outside of the EEA, the UK, or Switzerland that has not been recognized by the applicable supervisory authority as providing an adequate level of protection for Personal Data, the parties agree that Module Two (Controller to Processor) of the Standard Contractual Clauses for the transfer of Personal Data to third countries ((EU) 2021/914), which is hereby incorporated into this DPA by reference, will apply to such transfer, and such transfer is further described in Appendix 1. For purposes of the EU Standard Contractual Clauses, the parties agree that (a) in Clause 7, the docking clause is incorporated; (b) in Clause 9, Option 2 is incorporated with a specified time period of thirty (30) days; (c) in Clause 11(a), the Optional clause is not incorporated; (d) in Clause 17, Option 1 is incorporated and the governing law is the law of the Netherlands; (e) in Clause 18, the courts will be those of the Member State identified for Clause 17; and (f) the Annexes set forth in Appendix 1 will apply to those EU Standard Contractual Clauses. Upon your request, Dealtale also will enter into a UK equivalent of the EU Standard Contractual Clauses with you to the extent necessary to facilitate such transfers from the UK.

10. AUDIT.

Upon your request, Dealtale will make available to you up to once per calendar year (a) a summary of the most recent applicable ISO 27001, ISO 27017 or ISO 27018 certifications, or similar third-party assessment or comparable report of the Dealtale Platform (“Third Party Report”) or (b) if Dealtale has not obtained a Written Report, responses to any written questions that you may reasonably submit for purposes of verifying Dealtale’s compliance with this DPA (“Written Responses”). Any such Third-Party Reports and Written Responses will be subject to the confidentiality obligations in the Agreement. If Dealtale responds to your request by providing Written Responses rather than a Third-Party Report, and you reasonably determine that further assessment is required, Dealtale will enable you upon your request, no more than annually and with at least thirty (30) days’ prior written notice, to review Dealtale’s relevant policies, procedures, and systems as reasonably appropriate to audit Dealtale’s compliance with its obligations under this DPA, to the extent that such review does not compromise confidentiality obligations to any of Dealtale’s other customers. Dealtale may object to the auditor if the auditor is, in Dealtale’s reasonable opinion, not independent, a competitor of Dealtale or otherwise unqualified. Such objection by Dealtale will require Customer to appoint another auditor or conduct the audit itself.


To the extent required by applicable Data Protection Laws, upon reasonable notice and at your sole cost and expense, Dealtale will provide reasonably requested information regarding the Dealtale Platform to enable you to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with supervisory authorities.


Following Customer’s request upon termination or expiration of the Agreement for any reason, Dealtale will promptly (within 60 days) return or delete Personal Data from its systems, except to the extent applicable law requires storage of the Personal Data.





Data Exporter(s)

Data Importer(s)


The customer identified in the Order.Dealtale, Inc.


As set forth in the Order.As set forth in the Agreement.

Contact person’s name, position and contact details:

As set forth in the Order.[email protected]

Activities relevant to the data transferred under these Clauses:

Data exporter has engaged data importer to perform services in accordance with the Agreement, which may involve processing of personal data.Data importer has been engaged by data exporter to perform services in accordance with the Agreement, which may involve processing of personal data by data importer on behalf of data exporter.




Categories of data subjects whose personal data is transferred: The personal data relates to the following categories of data subjects: Customer’s customers, end users or other individuals to whom Customer Personal Data pertains.
Categories of personal data transferred: The personal data transferred includes the following categories of personal data: such categories as Customer has authorized Dealtale to process pursuant to the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous unless otherwise specified in the Agreement.
Nature of the processing: Data importer will process the personal data in connection with its provision of services to data exporter in accordance with the Agreement.
Purpose(s) of the data transfer and further processing: Data importer will process the personal data for the purpose of providing services to data exporter in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Term of the Agreement or as otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Data importer may transfer personal data to subprocessors in connection with its provision of services to data exporter, in accordance with the Data Processing Addendum.


The competent supervisory authority in the EU Member State in which the data exporter is established and, in the event that the data exporter is not established in an EU Member State, the data protection authority of the Netherlands.



Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. Security measures set forth in the Data Security Addendum.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter. Subprocessors are required to safeguard personal data consistent with the level of protection provided in the Data Processing Addendum, and to provide assistance to data importer consistent with applicable law.