Data Processing Agreement

This policy is effective as of 31 January 2025.

This Data Processing Addendum (including its Attachments, collectively “DPA”) forms part of the agreement between Salesmotion Limited (“Salesmotion” or “Processor”) and the customer entity identified in the principal agreement (“Customer” or “Controller”). All capitalized terms not defined in this DPA have the meanings set forth in the principal agreement (“Agreement”).

1. Subject Matter & Duration

1.1 Purpose. This DPA reflects the parties’ commitment to comply with applicable data protection laws (“Data Protection Laws”) in the context of Salesmotion’s provision of Services under the Agreement.

1.2 Duration. This DPA is effective as of the Effective Date of the Agreement and shall remain in effect until Salesmotion ceases to Process Customer Personal Data (as defined below). Provisions intended by their nature to survive will remain in force.

2. Definitions

“Customer Personal Data” means any Personal Data that Salesmotion Processes on behalf of Customer under the Agreement.
“Data Protection Laws” means all data protection laws and regulations applicable to the Processing of Customer Personal Data, including (as applicable) the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection, and any U.S. state privacy laws (including but not limited to CCPA/CPRA and similar laws other states).
“Personal Data” means any information relating to an identified or identifiable natural person (or “personal information” under applicable U.S. law).
“Process” or “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
“Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Personal Data.
“Subprocessor” means any third party appointed by Salesmotion to Process Customer Personal Data on behalf of Salesmotion.

3. Processing Terms

3.1 Documented Instructions.

Salesmotion will Process Customer Personal Data only in accordance with Customer’s documented instructions (including those in the Agreement and this DPA) and for the purpose of providing the Services. If Salesmotion believes an instruction violates any Data Protection Law, Salesmotion will inform Customer.

3.2 Compliance & Data Minimization.

Each party will comply with Data Protection Laws applicable to it.
Customer is responsible for ensuring the accuracy, legality, and consent basis (where required) for Customer Personal Data that it shares with Salesmotion.
Salesmotion will Process Customer Personal Data only as necessary for the Services or as required by law, and will not retain such data longer than is necessary under the Agreement or Data Protection Laws.

3.2.1 Records of Processing.

Salesmotion will maintain adequate records of its processing activities involving Customer Personal Data to the extent required by Article 30 of the GDPR (and any equivalent obligations under other applicable Data Protection Laws). Upon Customer’s written request, and where legally required, Salesmotion will make such records available to Customer for review.

3.3 Data Subject Requests.

Taking into account the nature of the Processing, Salesmotion will provide reasonable assistance (at Customer’s request and expense) to help Customer respond to requests from individuals exercising their rights under Data Protection Laws (e.g., access, correction, deletion).
Salesmotion will notify Customer (unless legally prohibited) if it receives a direct request from a data subject and will not respond to such request except on Customer’s documented instructions or where legally required.
Salesmotion will use commercially reasonable efforts to assist Customer in meeting any deadlines imposed by Data Protection Laws.

3.4 No Sale or Sharing of Personal Data.

Salesmotion will not “Sell” or “Share” (as defined under applicable U.S. state privacy laws) Customer Personal Data.
Salesmotion will not retain, use, or disclose Customer Personal Data for any purpose other than to perform the Services, unless otherwise permitted by law or this DPA. Salesmotion certifies it understands these restrictions and will comply with them under U.S. state privacy laws.

3.5 Service Improvement.

Where permitted by Data Protection Laws, Salesmotion may Process aggregated, de-identified, or anonymized data (i) to maintain and improve the Services, (ii) to detect or prevent security incidents, or (iii) to protect against fraudulent or illegal activity.
Salesmotion will ensure such Processing is not identifiable to any data subject and does not conflict with its obligations as a Processor.

3.6 Data Protection Impact Assessments.

If required, Salesmotion will reasonably assist Customer with conducting data protection impact assessments or consultations with supervisory authorities, taking into account the nature of the Processing and information available to Salesmotion.

4. Subprocessing

4.1 Appointment of Subprocessors.

Customer authorizes Salesmotion to engage Subprocessors to help provide the Services. Salesmotion is responsible for ensuring Subprocessors are bound by written agreements with data protection terms no less protective than this DPA.

4.2 Notice & Objection.

Where required by Data Protection Laws, Salesmotion shall inform Customer before appointing any new Subprocessor that will Process Customer Personal Data. Customer may object on legitimate data protection grounds within ten (10) days of notice.

The parties will cooperate in good faith to address objections. If no resolution is found, Customer may, as its sole remedy, terminate the portion of the Services that cannot be performed without the objected-to Subprocessor.

4.3 Liability.

Salesmotion remains liable for any Subprocessor’s acts or omissions regarding Customer Personal Data.

5. International Data Transfers

5.1 Cross-Border Transfers.

If Salesmotion or its Subprocessors transfer Customer Personal Data from the European Economic Area (EEA), Switzerland, or the UK to a jurisdiction without an adequacy decision, the parties will rely on a valid transfer mechanism recognized by Data Protection Laws (e.g., Standard Contractual Clauses).

5.2 Standard Contractual Clauses & UK Addendum.

The parties incorporate by reference the EU 2021 SCCs (Module 2 for Controller-to-Processor and, where applicable, Module 3 for Processor-to-Processor), together with any necessary UK Addendum or Swiss-specific modifications. Each party’s signature to the Agreement constitutes signature to the SCCs, if applicable.

5.3 Supplemental Measures.

Salesmotion will implement supplementary measures if required by Data Protection Laws to ensure an essentially equivalent level of data protection for Restricted Transfers.

6. Confidentiality and Security

6.1 Confidentiality.

Salesmotion will ensure that all personnel and Subprocessors authorized to Process Customer Personal Data are subject to confidentiality obligations or under a statutory obligation of confidentiality.

6.2 Security Measures.

Salesmotion shall implement and maintain commercially reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, disclosure, or access.

Upon Customer’s written request, Salesmotion will provide additional documentation or information regarding these security measures to the extent necessary for Customer to assess compliance with applicable Data Protection Laws, subject to reasonable confidentiality obligations.

6.3 Government or Law Enforcement Requests.

If Salesmotion receives a legally binding request from a public authority (including law enforcement) for Customer Personal Data, Salesmotion will (i) notify Customer promptly (unless legally prohibited), (ii) seek to limit the data disclosed, and (iii) disclose only the minimum amount of Customer Personal Data necessary to comply with the request.

7. Security Incidents

7.1 Notification.

In the event of a Security Incident, Salesmotion will notify Customer without undue delay and in any event no later than seventy-two (72) hours after becoming aware of such Security Incident (or within any shorter timeframe required by Data Protection Laws). Where possible, the notification will include sufficient information for Customer to meet any legal obligations, including the nature of the breach and steps taken to mitigate potential harm.

7.2 Cooperation.

Salesmotion will promptly take steps to contain, investigate, and remediate any Security Incident. Salesmotion will reasonably assist Customer in fulfilling data breach reporting obligations.

8. Audits

8.1 Audit Rights.

Where Data Protection Laws grant Customer an audit right, Customer (or its appointed representative) may audit Salesmotion’s compliance with this DPA once per year (or more frequently if required by law or post-Security Incident).

8.2 Conditions.

Customer must provide at least thirty (30) days’ prior written notice (unless legally required otherwise).
Audits must be conducted during normal business hours without unreasonably disrupting Salesmotion’s operations.
Auditors must be subject to confidentiality obligations.

8.3 Remediation.

Salesmotion will address in good faith any material findings resulting from the audit.

9. Return and Deletion of Data

9.1 Deletion or Return.

Upon termination or expiration of the Agreement (or earlier upon written request), Salesmotion will securely delete or return all Customer Personal Data. Such return will be in a commonly used, machine-readable format, unless otherwise agreed. Salesmotion may retain minimal data strictly necessary for compliance with legal obligations or legitimate business needs (e.g., for billing or dispute resolution), subject to this DPA’s confidentiality and security obligations.

9.2 Certification.

Upon Customer’s request, Salesmotion will provide written certification that it has deleted or returned Customer Personal Data in accordance with this Section.

10. Liability and Indemnities

The limitations of liability in the Agreement apply to this DPA. Nothing in this DPA limits any data subject rights or any liability that cannot be limited under applicable law.

11. General

11.1 Governing Law.

This DPA is governed by the same law and jurisdiction as set forth in the Agreement, except to the extent required otherwise by the SCCs or applicable Data Protection Laws.

11.2 Entire Agreement and Updates.

This DPA, together with the Agreement and its referenced attachments (including SCCs), constitutes the entire understanding of the parties related to the Processing of Customer Personal Data, superseding any prior or contemporaneous agreements on the subject.

11.3 Severability.

If any provision of this DPA is held invalid by a court of competent jurisdiction, the remainder of the DPA will remain in full force and effect.

11.4 Contact for Data Protection Inquiries & DPO Appointment.

For general data protection inquiries, please reference the Agreement for contact information. Salesmotion has appointed its CEO, Mr. Semir Jahic, as the Data Protection Officer, who can be contacted at semir@salesmotion.io.

11.5 Conflict with SCCs or UK Addendum.

In the event of a conflict between this DPA (or the Agreement) and the SCCs (or UK Addendum), the SCCs (or UK Addendum) shall prevail.

Attachment 1

Details of Processing

Subject Matter: Processing of Customer Personal Data for purposes of providing the Services under the Agreement.
Duration: For the term of the Agreement plus any lawful retention period required by applicable law or this DPA.
Nature and Purpose of Processing: (i) Collecting, storing, organizing, analyzing, and otherwise using data as necessary to provide or improve the Services. (i) Performing any steps necessary to maintain and secure the Services.
Types of Personal Data: May include contact information (name, email, phone), job title, IP addresses, or other data Customer chooses to provide in using the Services. Special category data is not intentionally collected.
Categories of Data Subjects: Customer employees or authorized users; prospects, leads, or end users about whom Customer uploads data; other individuals whose data Customer shares with Salesmotion.

Attachment 2

Subprocessors

Subprocessor	Purpose	Location	Website
Amazon Web Services	Cloud Hosting/Infrastructure	EU (DE)	https://aws.amazon.com/
Google Cloud	Cloud Infrastructure/Data Storage	EU (DE)	https://cloud.google.com/
HubSpot	CRM / Marketing Platform	EU	https://www.hubspot.com/
Supabase	Database Hosting/Backend Services	EU	https://supabase.com/
Amplitude	Analytics Platform	EU	https://analytics.eu.amplitude.com/
Avoma	Meeting Intelligence Services	US	https://avoma.com/
Hotjar	User Behavior Analytics	US	https://www.hotjar.com/
OpenAI	Language Model Services	US	https://openai.com/

Salesmotion may update this subprocessor list as needed. Where required by Data Protection Laws, Salesmotion will notify Customer before adding or replacing Subprocessors, and Customer may object under the process described in Section 4.

Attachment 3

International Transfers (SCCs and UK Addendum)

Standard Contractual Clauses (SCCs): The parties incorporate by reference the 2021 EU Commission Standard Contractual Clauses, Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor), for relevant transfers of personal data from the EEA. Each party’s execution of the Agreement constitutes signature to the SCCs as required for transfers of personal data outside the EEA.
UK Addendum and Swiss Modifications:
- For transfers originating in the UK, the parties incorporate the International Data Transfer Addendum issued by the UK Information Commissioner.
- For transfers originating in Switzerland, references in the SCCs to “Member State” include Switzerland, and Swiss data subjects may enforce their rights.
Priority: In the event of a conflict between this DPA (or the Agreement) and the SCCs (or UK Addendum), the SCCs (or UK Addendum) will prevail with respect to the Restricted Transfer.