Skip to content
English
Contact us
Go to Partful
  • There are no suggestions because the search field is empty.

Data Protection Addendum

This current Data Protection Addendum was published on 25th November 2025. 

Definitions

  1. In this Data Protection Addendum defined terms shall have the same meaning as and the same rules of interpretation shall apply as in the remainder of the Master SaaS Terms and Conditions and therefore the Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Applicable Law
  1. means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Subscribed Services:
    1. the common law and laws of equity as applicable to the parties from time to time;

    2. any binding court order, judgment or decree; or

    3. any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Controller
  1. has the meaning given to that term in Data Protection Laws;

Data Protection Laws
  1. means as applicable and binding on either party or the Subscribed Services:
    1. the UK GDPR;

    2. the Data Protection Act 2018;

    3. any laws which implement or supplement any such laws; and

    4. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

Data Protection Losses
  1. means all liabilities arising directly or indirectly from any breach or alleged breach of any of the Data Protection Laws or of this Data Protection Addendum, including all:
    1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);

    2. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

    3. compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and/or

    4. costs of compliance with investigations by a Supervisory Authority;

Data Subject
  1. has the meaning given to that term in Data Protection Laws;

Data Subject Request
  1. means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR in relation to any Protected Data;

UK GDPR
  1. means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);

International Recipient
  1. means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;

Lawful Safeguards
  1. means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

List of Sub-Processors
  1. means the latest version of the list of Sub-Processors used by the Supplier, as Updated from time to time, which as at the date of Order Acceptance, is set out at clause 12.6 of the Master SaaS Terms;

Personal Data
  1. has the meaning given to that term in Data Protection Laws;

Personal Data Breach
  1. means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

processing
  1. has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);

Processing Instructions
  1. has the meaning given to that term in paragraph 3.1.1;

Processor
  1. has the meaning given to that term in Data Protection Laws;

Protected Data
  1. means Personal Data in the Customer Data;

Sub-Processor
  1. means a Processor engaged by the Supplier or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;

Supervisory Authority
  1. means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and

Transfer
  1. bears the same meaning as the word ‘transfer’ in Article 44 of the UK GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).
  • Processor and Controller
      1. The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier shall be the Processor. Nothing in the Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
      2. To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with the Agreement.
      3. The Supplier shall process Protected Data in compliance with:
        1. the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under the Agreement; and
        2. the terms of the Agreement including the Data Protection Addendum and the Privacy Policy and the Cookie Policy.
      4. The Customer shall ensure that it, its Authorised Affiliates, and each Authorised User shall at all times comply with:
        1. all Data Protection Laws in connection with the processing of Protected Data, the use of the Subscribed Service and the exercise and performance of its respective rights and obligations under the Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
        2. the terms of the Agreement.
      5. The Customer (and it Authorised Affiliates) warrants, represents and undertakes, that at all times:
        1. the processing of all Protected Data (if processed in accordance with the Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
        2. fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data and all necessary consents from such Data Subjects obtained and at all times maintained (and Data Subjects shall include as appropriate End-Users) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by the Supplier and its Sub-Processors in accordance with the Agreement; 
        3. the Protected Data is accurate and up to date;
        4. it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person;
        5. all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
        6. it has undertaken due diligence in relation to the Supplier’s processing operations and commitments and it is satisfied (and at all times it continues to use the Subscribed Services remains satisfied) that:
          1. the Supplier’s processing operations are suitable for the purposes for which the Customer proposes to use the Subscribed Service and engage the Supplier to process the Protected Data; 
          2. the technical and organisational measures set out in the Information Security Addendum and the Agreement (each as Updated from time to time) shall (if the Supplier complies with its obligations under such Addendum and the Agreement) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and
          3. the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
  • Instructions and details of processing
      1. Insofar as the Supplier processes Protected Data on behalf of the Customer, the Supplier:
        1. unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in the Agreement (including with regard to Transfers of Protected Data to any International Recipient), as Updated from time to time (Processing Instructions);
        2. if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
        3. shall promptly inform the Customer if the Supplier becomes aware of a Processing Instruction that, in the Supplier’s opinion, infringes Data Protection Laws or is unlawful in any other way, provided that:
          1. this shall be without prejudice to paragraphs 2.4 and 2.5; and
          2. to the maximum extent permitted by Applicable Law, the Supplier shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.3.
      2. The Customer agrees that:
        1. the Supplier (and each Sub-Processor) is not obliged to undertake any processing of Protected Data that the Supplier believes infringes any of the Data Protection Laws and shall not be liable (or subject to any reduction or set-off of any Fees otherwise payable to the Supplier) to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under the Agreement as a result of not undertaking any processing in such circumstances; and
        2. without prejudice to any other right or remedy of the Supplier, in the event the Customer has not resolved any issue relating to a Processing Instruction notified to it by the Supplier under paragraph 3.1.3, such as to make the Processing Instruction lawful in the Supplier’s reasonable opinion within 3 days of such notification then such circumstances shall be a material breach of the Agreement by the Customer that cannot be remedied and the Supplier may terminate the Agreement in accordance with its terms.
      3. The Customer shall be responsible for ensuring all Authorised Affiliates, Authorised Users and End-Users read and understand the Privacy Policy and the Cookie Policy (as Updated from time to time and available at [insert link]). 
      4. The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of the Subscribed Service by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the Product Knowledge Base). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command the Supplier is under no obligation to seek to restore it.
      5. Subject to applicable terms in the Master SaaS Terms or the Order Form, the processing of the Protected Data by the Supplier under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the schedule.
  • Technical and organisational measures

4.1 Taking into account the state of the art, the cost of implementation and the nature, the scope, context and purpose of the processing as well as the risk of varying likelihood and severity for the right and freedom of Data Subjects, Customer and Supplier will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Agreement and including inter alia as appropriate

  1. Where appropriate, the pseudonymisation and encryption of the Protected Data;
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. The ability to restore the availability and access of the Customer Data in a timely manner in the event of physical and technical incident; and 
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing 
  1. in relation to the processing of Protected Data by the Supplier, as set out the Privacy Policy and as appropriate the Information Security Addendum; and
  2. to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with the Supplier’s Standard Pricing Terms or as otherwise stipulated by the Supplier. The parties have agreed that (taking into account the nature of the processing) the Supplier’s compliance with paragraph 6.1 shall constitute the Supplier’s sole obligations under this paragraph 4.1.3.
  • Using staff and other Processors
      1. Subject to paragraph 5.2, the Supplier shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with the Agreement without the Customer’s prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).
      2. The Customer:
        1. authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and 
        2. authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as Updated from time to time. The Customer’s right to object to the appointment of a new Sub-Processor (or any change to any of the Sub-Processors) following the relevant Update Notice introducing that change may be exclusively exercised by terminating the Agreement in accordance with its rights following the Update Notification introducing the change before that Update takes effect in accordance with the Agreement.
      3. The Supplier shall remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
      4. The Supplier shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
  • Assistance with compliance and Data Subject rights
    1. The Supplier shall refer all Data Subject Requests it receives to the Customer without undue delay. 
    2. The Supplier shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
      1. security of processing;
      2. data protection impact assessments (as such term is defined in Data Protection Laws);
      3. prior consultation with a Supervisory Authority regarding high risk processing; and
      4. notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.

6.3 Where the Data Subject Request is manifestly disproportionate or complex the Supplier shall be entitled to request a reasonable fee from the Customer for work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with such activity.

  • International data Transfers
      1. Subject to paragraphs 7.2 and 7.6, the Supplier shall not Transfer any Protected Data:
        1. to any country or territory outside the Subscribed Territory or the EEA without the Customer’s prior written authorisation except where required by Applicable Law (in which case the provisions of paragraph 3.1 shall apply) or when the consent has already been provided in accordance with clause 5.2 (Using Staff and other Processors) or in accordance with the remainder of this clause.
      2. The Customer hereby authorises the Supplier (or any Sub-Processor) to Transfer any Protected Data for the purposes referred to in paragraph 3.5 to any International Recipient(s) in accordance with this paragraph 7, provided all Transfers of Protected Data by the Supplier (or any Sub-Processor) to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and the Agreement. The provisions of the Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.
      3. To the extent that the Supplier transfers the Protected Data to the US-based entities within the Supplier’s group of Sub-Processors, the transfer shall take place on the basis of the European Commission Decision of 10 July pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (Decision) or under the UK- US Data Bridge. 
      4. To the extent that Protected Data is transferred to a third country outside of the EEA and or the Subscribed Territory, unless the Supplier relied on an alternative transfer mechanism or a basis under the Data Protection Laws, including transfer to countries with an adequacy decision (meaning that they have the same level of protection of personal data as in the EEA or the Subscribed Territory), the Supplier will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing  Decision (EU) 2021/914 of 4 June 2021 available at Implementing decision - 2021/914 - EN - EUR-Lex or approved by the Information Commissioner Office available at International data transfer agreement and guidance | ICO.
      5. The Lawful Safeguards employed in connection with Transfers pursuant to paragraph 7.2 shall be as specified in this clause 7 above.
      6. The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Subscribed Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that the Supplier does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.
  • Information and audit
      1. The Supplier shall maintain, in accordance with Data Protection Laws binding on the Supplier, written records of all categories of processing activities carried out on behalf of the Customer.
      2. On request, the Supplier shall provide the Customer (or auditors mandated by the Customer) with a copy of written records referred to in clause 8.1. Such information shall be confidential to the Supplier and shall be the Supplier’s Confidential Information as defined in the Agreement, and shall be treated in accordance with applicable terms.
      3. In the event that the Customer, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under Data Protection Laws, the Supplier shall, on request by the Customer make available to the Customer such information as is reasonably necessary to demonstrate the Supplier’s compliance with its obligations under this Data Protection Addendum and Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:
        1. such audit, inspection or information request is reasonable, limited to information in the Supplier’s possession or control and is subject to the Customer giving the Supplier reasonable (and in any event at least 60 days’) prior notice of such audit, inspection or information request;
        2. the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Customer or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure the Supplier is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);
        3. the Customer shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of the Supplier;
        4. the duration of any audit or inspection shall be limited to one Business Day;
        5. all costs of such audit or inspection or responding to such information request shall be borne by the Customer, and the Supplier’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Customer on a time and materials basis in accordance with the Supplier’s Standard Pricing Terms or as otherwise stipulated by the Supplier;
        6. the Customer’s rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority; 
        7. the Customer shall promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to the Supplier;
        8. the Customer agrees that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits shall be Supplier’s Confidential Information as defined in the Agreement, and shall be treated in accordance with applicable terms;
        9. the Customer shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of the Supplier while conducting any such audit or inspection; and
        10. this paragraph 8.3 is subject to paragraph 8.4.
      4. The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that the Supplier or Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3 and:
        1. the Customer’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s);
        2. to the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this paragraph 8.4, equivalent restrictions and obligations on the Customer to those in paragraphs 8.3.1 to 8.3.10 (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and paragraph 8.3 shall be construed accordingly.
  • Breach notification
      1. In respect of any Personal Data Breach, the Supplier shall, without undue delay (and in any event within 72 hours):
        1. notify the Customer of the Personal Data Breach; and
        2. provide the Customer with details of the Personal Data Breach.
  • Deletion of Protected Data and copies

Following the end of the provision of the Subscribed Service relating to the processing of Protected Data the Supplier shall dispose of Protected Data in accordance with its obligations under the Agreement. The Supplier shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with the Agreement. To the extent permitted by Applicable Law, the Supplier shall have the right to keep a copy of any Customer’s data including some Protected Data for the purpose of complying with its own legal and regulatory obligations, including accounting, audit, tax or potential litigation. 

  • Compensation and claims
      1. The Supplier shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with the Agreement:
        1. Only in accordance with clause 17 of the Agreement (Limitation of liability); and
        2. only to the extent caused by the processing of Protected Data under the Agreement and directly resulting from the Supplier’s breach of the Agreement; and
        3. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of the Agreement  or any breach of Data Protection Laws by the Customer (including in accordance with paragraph 3.1.3(b)).
      2. If a party receives a compensation claim from a person relating to processing of Protected Data in connection with the Agreement or the Subscribed Service, it shall promptly provide the other party with notice and full details of such claim. 
      3. The parties agree that the Customer shall not be entitled to claim back from the Supplier any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate the Supplier in accordance with the Agreement.
      4. This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
        1. to the extent not permitted by Applicable Law (including Data Protection Laws); and
        2. that it does not affect the liability of either party to any Data Subject.
  • Survival

This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of the Agreement and continue until no Protected Data remains in the possession or control of the Supplier, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.

  • Contacting us regarding a data protection matter

The Customer should contact the Supplier in the event of any query concern or complaint regarding data processing under the Agreement. The Supplier may be contacted for this purpose by email: privacy@partful.io and/ or by post: 3rd Floor, 24 Lever St, Manchester, England, M1 1DZ. 


  1. DATA PROCESSING DETAILS

Subject-matter of processing:

The performance of obligations and enjoyment of rights of the Parties under the Agreement in connection with Subscribed Service and any connected matters (such as the Support Service) referred to in more detail within the Order Form and the Master SaaS Terms and Conditions and the Privacy Policy and Cookie Policy. 

Duration of the processing:

Until the earlier of final termination or final expiry of the Agreement, except as otherwise expressly stated in the Agreement;

Nature and purpose of the processing:

Processing in accordance with the rights and obligations of the parties under the Agreement;

Processing as reasonably required to provide the Subscribed Services;

Processing as initiated, requested or instructed by Authorised Users and/ or End-Users in connection with their use of the Subscribed Services, or by the Customer or its Affiliates, in each case in a manner consistent with the Agreement; and/or

In relation to the Subscribed Service and the Support Service, otherwise in accordance with the nature and purpose identified in the Order Form, Master SaaS Terms and Conditions, Privacy Policy and Cookie Policy.

Type of Personal Data:

Depending on which user and what activity they pursue in connection with the Subscribed Service:

Identity and contact information, such as: 

name, title, email address, physical address, telephone number, and other similar contact information; information about the Data Subject’s organisation and people within the Data Subject organisation; usernames, aliases, roles, other authentication and security credential information; account details for Authorised Users including log in details, password, user contact details, Customer reference number; account details for End Users including log in details (email, password); order details for End Users including customer contact details (name, email address, telephone number, delivery address), order reference, order history, customer discounts. 

Technical information, such as: 

the Data Subject’s version of web browser, IP address, platform URL, time zone, language choice, cookie consent information, search terms, the Data Subject contact history, how the Data Subject interacts with the website and what activities the Data Subject undertakes on it. network and connection information (eg IP address); computer and device information, such as device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting; the location of the Data Subject’s device or computer; authentication and security credential information; content interaction information (eg content downloads, streams, and playback details); metrics (eg usage, occurrences of technical errors, diagnostic reports, the Data Subject’s settings preferences, backup information, API calls, and other logs); identifiers and information contained in the Cookie Policy.

Categories of Data Subjects:

Authorised Users – being individuals within Customer and Affiliate organisations (officers, employees, agents) and individuals within Customer vendors, suppliers and contractors who have permission to access and use the Subscribed Service.

The Customer (and Affiliate) customers – End- Users of the Subscribed Service.