Effective May 01, 2025
This Data Processing Addendum (the “Addendum” or “DPA”) is by and between PepperMill and the Customer, and is incorporated by reference into that certain Master Platform Agreement (“Agreement”) between PepperMill and Customer for the purpose of setting forth the terms and conditions under which Customer may process Personal Data on the Platform, or otherwise disclose to PepperMill Personal Data for processing on Customer’s behalf, to ensure compliance with Data Protection Laws.
- Definitions. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement or the relevant Data Protection Law.
- “Controller” has the meaning given to it or the equivalent term in the Data Protection Laws, and, for the purposes of this DPA, refers to the Customer.
- “Data Protection Laws” means all applicable laws, regulations, and rules promulgated thereunder pertaining to the Processing of Personal Data, including without limitation: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”) and any member state implementing legislation or regulation, including as retained in United Kingdom law and any successor legislation thereto (“UK GDPR”), and the California Consumer Privacy Act, as amended (“CCPA”), each as may be amended or superseded from time to time.
- “Data Subject” means a “data subject” as defined in the EU/UK GDPR.
- “Personal Data” has the meaning given such term under the Data Protection Laws, and means the same as “Personal Information” as defined in Data Protection Laws and the Agreement.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, or alteration, unauthorized disclosure or Processing of, or access to, Personal Data.
- “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
- “Processor” has the meaning given to it or the equivalent term in the Data Protection Laws, and for the purposes of this DPA, refers to PepperMill (also referred to in this DPA as the “Company”).
- “Standard Contractual Clauses” or “SCCs” means, (i) where the EU GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021 (“EU SCCs”), and (ii) where the UK GDPR applies, the terms issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 and in force 21 March 2022 (“UK SCCs”).
- Scope and Application. This DPA shall apply when Personal Data is disclosed or made available to PepperMill by the Customer, for the purpose of Customer processing such Personal Data on the Platform or for PepperMill to otherwise process on behalf of Customer.
- Compliance With Laws. In its performance of the Agreement and this DPA, each Party will comply with the Data Protection Laws as applicable to it.
- Data Processing.
- Customer Obligations. The Customer, as Controller, undertakes that all instructions for the Processing of Personal Data under the Agreement and this DPA will comply with the Data Protection Laws, and such instructions will not in any way cause the Company to be in breach of any Data Protection Laws.
- Company Obligations. The Company will Process the Personal Data for the sole purpose of providing the services to the Customer as described in the Agreement (the “Service”), and only in accordance with the Customer’s lawful instructions as documented in the Agreement and this DPA for the term of the Agreement.
- Without limiting the generality of the foregoing, the Company shall not sell or share Customer Personal Data, nor shall it retain, use or disclose Customer Personal Data (i) for any purpose, including any commercial purpose, other than as necessary to perform the Service; or (ii) outside the direct business relationship between the Parties (in each case of (i) and (ii), unless expressly required by applicable law and permitted by Data Protection Laws).
- The Company will notify the Customer promptly if, in its good faith opinion, any instruction infringes any Data Protection Laws to which the Company is subject, in which case the Company will be entitled to suspend performance of such instruction until the Customer confirms in writing that such instruction is valid under Data Protection Laws.
- The Company will not disclose Customer Personal Data to any government authority, except as necessary to comply with applicable law or a valid and binding order of a court of competent jurisdiction, law enforcement agency, or regulator (such as a subpoena or court order). If the Company receives a binding order to which Customer Personal Data is responsive, the Company will notify the Customer of the request it has received without undue delay, so that the Customer can object to the production of Customer Personal Data, so long as the Company is not legally prohibited from so notifying the Customer.
- The Company will ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful Processing of, and against accidental loss or destruction of, or damage to, Personal Data made available to it subject to the Agreement and this DPA, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
- The Company will (i) restrict access by the Company personnel to Customer Personal Data to only those personnel who need to access the Customer Personal Data in order to provide the Service subject to the Agreement and this DPA; and (ii) ensure that personnel who have access to and/or process Personal Data subject to the Agreement and this DPA are obliged to keep it confidential.
- Technical and Organizational Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company will, in relation to the Customer Personal Data, implement and maintain appropriate physical, technical, and organizational measures to ensure a level of security of the Customer Personal Data appropriate to the risk presented by Processing (the “Security Measures”). In assessing the appropriate level of security, the Company will take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed.
- Audit of Technical and Organizational Measures. The Company will maintain relevant policies, procedures, or records with respect to the Security Measures and shall, upon written request and not more than once annually, make available to the Customer all such policies, procedures, records, assessments and/or audit reports necessary to demonstrate the Company’s compliance with the Agreement and this DPA. All information disclosed by the Company under this Section 6 will be deemed the Company’s Confidential Information, subject to the relevant provisions of the Agreement, and the Customer will not disclose any such information to any third party except as obligated by law, court order or administrative order by a government agency of competent jurisdiction. The Company will remediate or mitigate without undue delay any material deficiencies in its technical and organizational measures identified by the audit process described in this Section 6.
- Cooperation.
- The Company will assist the Customer in responding to Data Subjects’ requests to exercise their rights under the Data Protection Laws. To that effect, the Company will (i) to the extent permitted by applicable law, promptly notify the Customer of any request received directly from any Data Subject to access, correct or delete the Personal Data pertaining to such Data Subject without responding to that request, and (ii) upon written request from the Customer, provide the Customer with information that the Company has available to it to reasonably assist the Customer in fulfilling its obligations to respond to the Data Subject’s request(s). For the avoidance of doubt, the Company will not respond directly to any Data Subject regarding such request(s) without written approval from the Customer.
- To the extent required under the Data Protection Laws, (i) upon written request from the Customer, the Company will provide all reasonable assistance to the Customer to conduct a data protection impact assessment; and (ii) the Company will provide all reasonable assistance to the Customer in the cooperation or prior consultation with supervisory or data protection authorities in relation to any applicable data protection impact assessment.
- Breach Notification. If the Company becomes aware of an actual or reasonably suspected Personal Data Breach potentially involving Customer Personal Data, the Company will notify the Customer in writing without undue delay, and in no event later than forty-eight (48) hours, after becoming aware of such Personal Data Breach. The Company will cooperate with the Customer and take such commercially reasonable steps as agreed with the Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach. The Company will provide all reasonably required support and cooperation necessary to enable the Customer to comply with any applicable legal obligations in case of a Personal Data Breach pursuant to Data Protection Laws.
- Cross-border Data Transfers. This Section 9 shall only apply to the Company’s Processing of Personal Data subject to the EU GDPR or the UK GDPR, to the extent permitted by the Agreement and this DPA. Personal Data originating from inside the European Economic Area or the UK shall not be transferred to or Processed in other jurisdictions (“Third Countries”), except pursuant to a lawful data transfer mechanism, such as a European Commission or UK Information Commissioner’s Office adequacy decision. As appropriate or necessary, the Parties agree that the SCCs shall be deemed executed and incorporated herein, as follows:
- EU SCCs. In relation to Personal Data protected by the EU GDPR, the EU SCCs will apply, incorporating the following terms:
- Module Two (Transfer Controller to Processor) will apply;
- Roles of the Parties: the Customer is the “data exporter” and the Company is the “data importer”;
- In Clause 7, the optional docking clause will not apply;
- In Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be set as thirty (30) days;
- In Clause 11, the optional language will not apply;
- In Clause 13(a), the data exporter is established in an EU Member State;
- In Clause 17, Option 2 will apply;
- In Clause 18(b), disputes shall be resolved before the courts of Ireland; and
- Annexes I, II, and III are attached hereto as Appendix 1.
- UK SCCs. In relation to Personal Data protected by the UK GDPR, the UK SCCs will apply, incorporating the following terms:
- The EU SCCs, completed as set out in Clause 9(a) of this DPA shall also apply to transfers of such Personal Data, subject to this Clause 9(b);
- In Table 1, the Customer is the Exporter and the Company is the Importer, and their respective party details and Key Contact information are as described in Appendix 1;
- In Table 2, the EU SCCs as set out in Clause 9(a) of this DPA apply;
- In Table 3, the information as described in Appendix 1 applies;
- In Table 4, neither party may end this addendum; and
- The UK SCCs (the “UK Addendum”) shall be deemed executed between the Parties, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data.
- Subprocessing. The Customer agrees that the Company may appoint either its affiliated companies or third party providers as sub-processors under the Agreement and this DPA, and hereby authorizes the Company to engage such sub-processors subject to this Section 10 in the provision of the Service under the Agreement and this DPA. The Company may add or replace sub-processors at any time provided that the Company gives the Customer not less than thirty (30) days’ advance notice of such addition or replacement before a new sub-processor Processes Personal Data subject to the Agreement and this DPA. The Customer may reasonably object to a new sub-processor by notifying the Company in writing of the reasons for its objection. In such instance, the Company will work in good faith to address the Customer’s objections.
- Order of Precedence. If there is a conflict between the Agreement and this DPA with respect to the Processing of Personal Data, the terms of this DPA will control. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
APPENDIX 1 (Annexes to the EU SCCs)
I. ANNEX I
A. LIST OF PARTIES
Data importer(s):
Name: PepperMill
Address: As described in the Agreement.
Contact person’s name, position and contact details: As described in the Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: The parties agree that execution of the Agreement and disclosure of relevant Personal Data shall constitute execution of these Clauses by both parties.
Role (controller/processor): Processor
Data exporter(s):
Name: As described in the Agreement.
Address: As described in the Agreement.
Contact person’s name, position and contact details: As described in the Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: The parties agree that execution of the Agreement and disclosure of relevant Personal Data shall constitute execution of these Clauses by both parties.
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Data subjects include the Customer’s representatives and end-users, including employees, contractors, collaborators, and customers of the Customer. Customer may elect to include personal data from any of the following types of data subjects in the personal data:
- Employees, contractors and temporary workers (current, former, prospective) of Customer;
- Dependents of the above;
- Customer's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
- Users (e.g., customers, clients, patients, etc.) and other data subjects that are users of Customer's services;
- Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the Customer and/or use communication tools such as apps and websites provided by the Customer;
- Stakeholders or individuals who passively interact with Customer (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the Customer);
- Minors; or
- Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
Categories of personal data transferred:
The personal data that is included in e-mail, documents and other data in an electronic form in the context of the Services. PepperMill acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following categories in the personal data:
- Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
- Authentication data (for example user name, password or PIN code, security question, audit trail);
- Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
- Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
- Pseudonymous identifiers;
- Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of insurance, payment behavior, creditworthiness);
- Commercial Information (for example history of purchases, special offers, subscription information, payment history);
- Biometric Information (for example DNA, fingerprints and iris scans);
- Location data (for example Cell ID, geo-location network data, location at the start or end of a call, and location data derived from use of Wi-Fi access points);
- Photos, video and audio;
- Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
- Device identification (for example IMEI-number, SIM card number, MAC address);
- Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
- HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);
- Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
- Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
- Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
- Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
- Any other personal data identified in Article 4 of the GDPR.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The frequency of the transfer shall be ongoing as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the processing.
Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose(s) of the data transfer and further processing.
Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Ongoing as initiated by Customer in and through its use, or use on its behalf, of the Services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland
II. ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
PepperMill will maintain reasonable administrative, technical, and physical safeguards to protect Customer Data in accordance with its standard data security practices at peppermilltools.com/dsp
III. ANNEX III
LIST OF SUB-PROCESSORS
PepperMill will maintain a complete list of current subprocessors at ([INSERT URL]).