DATA PROTECTION AGREEMENT
Last Updated: August 15, 2025
This Data Protection Agreement ("Addendum") forms part of the Terms of Service ("Terms") between (i) Visdum Tech Inc. ("Visdum Tech") and (ii) You, each being a “Party” and together the “Parties”.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms and references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.
1. Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
"Addendum Effective Date" has the meaning given to it in section 2;
"Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Client or Visdum Tech (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
"Client Personal Data" means any Personal Data Processed by Visdum Tech (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by Visdum Tech, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;
“Data Protection Laws” shall mean the data protection laws of the country in which You are established and any data protection laws applicable to You in connection with the Terms, including but not limited to (a) laws and regulations applicable to the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom by virtue of section 3 of the United Kingdom European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act, 2019 (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”) in each case, as may be amended, superseded or replaced.
"Services" means the services to be supplied by Visdum Tech to Client or Client Affiliates pursuant to the Terms; and
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses as approved by the European Commission (Implementing Decision (EU) 2021/914 of 04 June 2021) and available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914 (“EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, Version B1.0, in force from 21 March 2022 set forth as Appendix IV (“UK SCCs”) and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”) (in each case, as updated, amended or superseded from time to time).
1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and “Supervisory Authority” have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.
1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.
2. Formation of this Addendum
This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii) Visdum Tech.
3. Roles of the Parties
The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in APPENDIX 1 hereto, Client acts as a Controller and Visdum Tech acts as a Processor (as defined in section 5.2.4 below).
The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.
4. Description of Personal Data Processing
In APPENDIX 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by Visdum Tech pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to APPENDIX 1 by written notice to the other Party and as reasonably necessary to meet those requirements. APPENDIX 1 does not create any obligation or rights for any Party.
5. Data Processing Terms
5.1 Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Visdum Tech of Client Personal Data. Client agrees not to provide Visdum Tech with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.
5.2 Visdum Tech shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and Visdum Tech shall:
5.2.1 process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in APPENDIX 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers of Client Personal Data to a third country outside to an international organization; Visdum Tech shall immediately inform Client if, in Visdum Tech’s opinion, an instruction infringes applicable Data Protection Laws;
5.2.2 ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.2.3 implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data as per following: (a) pseudonymization and encryption of Client Personal Data; (b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data; (c) restoring availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and (d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data. Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between Visdum Tech and Client;
5.2.4 Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically authorizes Visdum Tech to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Appendix III hereto, subject to Visdum Tech's: (a) notifying Client of any intended changes to its use of Other Processors listed in Appendix III by emailing notice of the intended change to Client; (b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and (c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client Personal Data.
The Client shall have a period of 30 (thirty) days from the date of the notice to inform Visdum Tech in writing of any reasonable objection to the use of that Other Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever;
5.2.5 to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR; Client agrees to pay Visdum Tech for time and for out of pocket expenses incurred by Visdum Tech in connection with the performance of its obligations under this Section 5.2.5;
5.2.6 upon Visdum Tech’s becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;
5.2.7 to the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates’ or the relevant Controller(s)’ with its obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and information available to Visdum Tech; Client agrees to pay Visdum Tech for time and for out of pocket expenses incurred by Visdum Tech in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;
5.2.8 cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at option of Client, Client’s Affiliates or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data Processed by Visdum Tech, unless (and solely to the extent and for such period as) Country law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, Visdum Tech may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms, and
5.2.9 make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under section 5.2.9, the Parties agree that once per year during the term of the Terms, Visdum Tech will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay Visdum Tech for time and for out-of-pocket expenses incurred by Visdum Tech in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.
6. Transfers
Visdum Tech is certified by Information Security Management as per SOC 2 Type 2 and ISO 27001:2013 standards. Visdum Tech shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, Visdum Tech will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms.
Visdum Tech acts as a Processor with respect to Personal Data received pursuant to a data transfer. In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as "data exporter") and Visdum Tech (as "data importer"), with effect from the commencement of the relevant transfer, shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to Visdum Tech, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws.
Appendix 1 to the Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix III to this Addendum and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be pre-populated with the following "Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of the varying likelihood for the rights and freedoms of natural persons, Visdum Tech shall implement appropriate technical and organizational measures as set forth in the Addendum."
7. Precedence
The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.
8. Indemnity
To the extent permissible by law, Client shall indemnify and hold harmless Visdum Tech against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by Visdum Tech and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.
9. Severability
The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
9. Others
The organization ensures that the contract to process PII addresses the organization’s role in providing assistance with the customer's obligations. The Agreement considers the following and follows
a. Privacy by Design and default
b. Achieving Security of Processing
c. Notification of breaches involving PII to a Supervisory authority
d. Notification of breaches involving PII to Customers and PII Principals
e. Conducting Privacy Impact Assessment
f. Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection authorities are needed.
g. Visdum Tech shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation.
h. The organization does not use PII processed under a contract for the purposes of Marketing and Advertising
i. Coordinate with Clients to help Audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations
j. Visdum Tech shall use AWS and PIPL as sub-processors with Security and Privacy requirements fulfilled.
k. The organization shall comply with all statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2019, and EU GDPR requirements.
l. The Data shall be deleted, or de-identified after the processing is complete (This is after the retention period selected is complete).
m. Visdum Tech shall inform 24 hours in advance to clients in case of any legally binding requests for disclosure of PII.
n. Access, Correction, and/or Erasure of the PII of Data subjects can be done by contacting the Data Protection Officer (DPO) below. Concerns and/or complaints related to PII can also be raised by contacting the Data Protection Officer.
Email ID: dpo@visdum.com
Contact Number: +1 312 586 8696
The following Appendices form an integral part of this DPA:
APPENDIX 1
A. LIST OF PARTIES UNDER THE SCCs
Data exporter(s): The Data Exporter is the entity that has subscribed to the Terms and their contact details are as provided by them while subscribing to the Terms.
Signature & Date: By entering into the Agreement, the Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Role: Controller
Data importer(s):
Name: Visdum Tech Inc.
Address: 1007 N Orange Street Ste 683, Wilmington DE 19801, United States
Contact person’s name, position, and contact details: Prashant Kumar, CISO, dpo@visdum.com
Activities relevant to the data transferred under these Clauses: As specified in Part B.
Signature and date: By entering into the Agreement, the Data Importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Role (Controller / Processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Unless provided otherwise by the data exporter, transferred Personal Data relates to the following categories of Data Subjects: employees, contractors, business partners or other individuals having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by the data importer.
Categories of personal data transferred
The transferred Personal Data concerns the following categories of data:
Customer determines the categories of data and/or data fields which could be transferred per Visdum’s Services as stated in the relevant Agreement. The transferred Personal Data typically relates to the following categories of data: name, phone numbers, e-mail address, address data, system access / usage / authorization data, company name, contract data, invoice data, plus any application-specific data transferred by authorised personnel.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No Sensitive Personal Information transferred. The data exporter shall not disclose (and shall not permit any individual to disclose) any Sensitive Personal Data to the data importer for processing.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Data is transferred on a continuous basis
Nature of the processing
Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Purpose(s) of the data transfer and further processing
Personal Data is transferred in the course of access and use of the data exporter’s Service so that the data importer may provide, support, maintain and improve the Service.
The data importer may further transfer personal data to third-party service providers that host and maintain the data importer’s applications, backup, storage, payment processing, analytics and other services as specified in the section on sub-processors below. These third-party service providers may have access to or process personal data for the purpose of providing these services to the data importer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Upon termination or expiry of the Terms, Visdum shall delete all Customer Data including Personal Data in accordance with the procedure contained in the Terms. This requirement shall not apply to the extent that Visdum is required by applicable law to retain some or all of the Personal Data, in which event Visdum shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
COMPETENT SUPERVISORY AUTHORITY
In respect of the SCCs:
Module 2: Transfer Controller to Processor
Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the SCCs.
Appendix II – Technical and Organizational Security Measures
Visdum has implemented and shall maintain a security program in accordance with industry standards. Visdum has implemented and will maintain appropriate TOMs to protect Service Data from a Personal Data Breach. Reach out to us at security@visdum.com for our security policy document.
Appendix III – List of Sub-Processors
1. Name of Sub-Processor: Amazon Web Services
Description of Processing: Hosting the Production Environment
Location of Sub-Processor: USA
2. Name of Sub-Processor: Google Workspace
Description of Processing: Email, File Repository
Location of Sub-Processor: USA
3. Name of Sub-Processor: Slack
Description of Processing: Messaging
Location of Sub-Processor: USA
4. Name of Sub-Processor: Atlassian
Description of Processing: Issue Management (Jira), Code Repository (BitBucket)
Location of Sub-Processor: USA
Appendix IV: UK SCCs
This UK SCCs shall stand included as an addendum to the EU SCCs set implemented under Clause 12.1 (a) of this DPA.
Part 1: Tables
For data transfers from the United Kingdom that are subject to the UK SCCs, the UK SCCs will be deemed entered into (and incorporated into this Data Processing Addendum by this reference) and completed as follows:
(a) In Table 1 of the UK SCCs, the Parties’ details and key contact information shall be as set forth in Schedule A.A.
(b) In Table 2 of the UK SCCs, information about the version of the Approved EU SCCs, modules and selected clauses which this UK SCC is appended to shall be as set forth in Clauses 11.1 and 12.1(a)(i), (ii), (iii), (iv) of this DPA.
(c) In Table 3 of the UK SCCs:
i Annex 1A: List of Parties: Parties are as set forth in Appendix I.A.
ii Annex 1B: Description of Transfer: Description of Transfer is as set forth in Appendix I.B.
iii Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: TOMs are as set forth in Appendix II.
iv Annex III: List of Sub processors: Sub processors are as set forth in Appendix I.B.
(d) In Table 4 of the UK SCCs, both the data importer and the data exporter may end the UK SCCs in accordance with the terms of the UK SCCs.
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.