Data Processing Addendum

Last Updated: August 2025

This Data Processing Addendum (“Addendum”) is entered into by and between Deeto, Inc.
(“Deeto”) and the organization identified in the Enrollment (“Customer”).
WHEREAS, Customer and Deeto have entered into an agreement (the “Agreement”) pursuant to
which Deeto provides Customer access to Deeto’s software as a service platform that helps
businesses to improve their selling process to prospects and connect between prospects and
references (the “Platform”);
WHEREAS, the Platform involves processing certain personal data and the parties wish to
regulate Deeto’s processing of such personal data, through this Addendum, which will be
attached to and become an integral part of the Agreement.
THEREFORE, the parties have agreed to this Addendum, consisting of two parts:
● Part One applies with respect to the California Consumer Privacy Act of 2018 (“CCPA”)
and other state privacy laws in the United States.
● Part Two applies with respect to the GDPR (Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and
supplementary GDPR legislations in EU member states).
● Part Three applies with respect to the UK Data Protection Act 2018, as well as the GDPR
as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue
of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data
Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit)
Regulations 2019 (SI 2019/419) (“UK GDPR”).
Parts One, Two, and Three apply only to Deeto’s processing of personal data or personal
information as a Processor (as defined in the GDPR or state privacy laws in the U.S.), or a Service
Provider (as defined in the CCPA), acting on behalf of the Customer and under the Customer’s
instructions. Deeto is a Processor or Service Provider for the processing of the following
information about the representatives of Customer, representatives of Customer’s prospects and
representatives of Customer’s references: (a) the Platform’s fields of personal data or personal
information configurable by the Customer, (b) information of surveys submitted by
representatives of Customer’s prospects and references, (c) credit point earnings for users
engaging in certain activities on the Platform, as determined by the Customer, and (d) email
addresses and/or phone numbers that Customer instructs Deeto to process for the
purpose of sending one-time invitation messages to data subjects.

Parts One, Two, and Three do not apply to Deeto’s processing of personal data or personal
information necessary for the operation of the Platform, for which Deeto is a Controller (as
defined in the GDPR). Deeto is a Controller for the processing of the information explained in
Deeto’s privacy policy for the Platform.
In the event of any conflicting provisions between this Addendum and the terms or any other
agreement in place between the parties, the provisions of this Addendum prevail, except where
explicitly agreed otherwise in writing.

PART ONE

1. Scope. This Part One applies to the processing of personal information or personal data by
Deeto within the scope identified in the preamble of this Addendum.
2. Definitions
a. Capitalized terms used in this Part One but not defined in this Part One have the
meaning ascribed to them in the Agreement and the Addendum.
b. “Applicable State Privacy Laws” means the CPRA and other applicable state
privacy laws in the United States, such as (but not limited to): the Virginia Consumer
Data Protection Act, the Connecticut Act Concerning Personal Data Privacy and Online
Monitoring, the Utah Consumer Privacy Act, and the Colorado Privacy Act.
c. “Consumer” means a natural person, including a natural person in their professional
or work capacity.
d. “CPRA” means Cal. Civ. Code §1798.100 et seq. and the regulations at 11 C.C.R.
§7000 et seq.
e. “Personal Information” means information that identifies, relates to, describes, is
reasonably capable of being associated with, or could reasonably be linked, directly
or indirectly, with a particular consumer or household.
f. “Collect” (and its cognate terms) means buying, renting, gathering, obtaining,
receiving, or accessing any Personal Information pertaining to a Consumer by any
means. This includes obtaining information from the Consumer, either actively or
passively, or by observing the Consumer’s behavior or interaction.
g. “Process” (and its cognate terms) means any operation or set of operations that are
performed on Personal Information or on sets of personal information, whether or
not by automated means.
h. “Sell” (and its cognate terms) means selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating orally, in
writing, or by electronic or other means, a Consumer’s Personal Information for
monetary or other valuable consideration.
i. "Share” (and its cognate terms) means sharing, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating orally, in
writing, or by electronic or other means, a Consumer’s Personal Information
for cross-context behavioral advertising, whether or not for monetary or other
valuable consideration, including transactions for cross-context behavioral
advertising in which no money is exchanged.

3. Deeto’s Obligations. The Parties acknowledge and agree that Deeto is a ‘service provider’
and ‘processor’ within the meaning of those terms in Applicable State Privacy Laws. To that
end, and unless otherwise required by law:
a. Deeto must not Sell or Share any Personal Information it Collects.
b. The parties agree that Customer is disclosing the Personal Information to Deeto only
for the following limited and specified business purposes: to provide and support
the operation of the Platform.
c. Deeto is prohibited from retaining, using, or disclosing the Personal Information that
it Collects for any commercial purpose other than the foregoing business purposes,
unless expressly permitted by Applicable State Privacy Laws and this Part One.
Additionally, Deeto is prohibited from retaining, using, or disclosing the Personal
Information that it Collects pursuant to this Agreement outside the direct business
relationship between Deeto and Customer, unless expressly permitted by Applicable
State Privacy Laws and this Part One.
d. Deeto shall comply with all relevant sections of Applicable State Privacy Laws and
shall provide, with respect to Personal Information it Collects, the same level of
privacy protection as required by Applicable State Privacy Laws.
e. Deeto grants Customer the right to take reasonable and appropriate steps to ensure
that Deeto uses the Personal Information it Collects in a manner consistent with the
obligations under this Part One and the CPRA.
f. Deeto must promptly notify Customer when it makes a determination that it can no
longer meet its obligations under this Part One or Applicable State Privacy Laws.
g. Deeto grants Customer the right, upon notice, to take reasonable and appropriate
steps to stop and remediate Deeto’s unauthorized use of Personal Information.
h. If Deeto receives a request from a Consumer about his or her Personal Information,
Deeto shall not comply with the request itself; Deeto shall inform the Consumer that Deeto’s
basis for denying the request is that Deeto is merely a service provider that
follows Customer’s instructions, inform the Consumer that they should submit
the request directly to the Customer, and provide the Consumer with the Customer’s
contact information.

4. Subcontracting to suppliers. Customer authorizes Deeto to subcontract any of its
Platform-related activities which involve the Processing of Personal Information or require
Personal Information to be Processed by any third party supplier, provided that Deeto
ensures that the third party is bound by obligations consistent with this Part One.
5. Return or deletion of information. Upon Customer’s written request where no subsequent
further Processing is required, Deeto shall, at the instruction of Customer, either delete, or
return to Customer, some or all (however instructed) of the personal information that
it and its third party suppliers Process for Customer.
6. Assistance in responding to consumer requests. Deeto shall assist Customer by appropriate
technical and organizational measures, insofar as this is possible, for the fulfilment of
Customer’s obligation to respond to requests for exercising the Consumer rights under
Applicable State Privacy Laws.
7. Data security. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of Deeto’s Processing of Personal Information for
Customer, as well as the nature of personal information Processed for Customer, Deeto will
implement and maintain reasonable security procedures and practices appropriate to the
nature of the information, to protect the personal information from unauthorized access,
destruction, use, modification, or disclosure (including data breaches).

PART TWO

This Part Two only applies within the scope identified in the preamble of this Addendum.
1. Customer commissions, authorizes, and requests that Deeto provide Customer access to use
the Platform, which involves Processing Personal Data (as these capitalized terms are
defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU)
2016/679), and in applicable national law implementing the GDPR, or in any subsequent
superseding legislation; these shall collectively be referred to as “Data Protection Law”).
2. Customer shall: (a) establish, abide by, and communicate a privacy notice to its data
subjects, as may be necessary under Data Protection Law; (b) substantiate the legal basis
under Data Protection Law for obtaining and Processing the Personal Data as carried out by
Deeto on behalf of the Customer; and (c) credit point earnings for users engaging in certain
activities on the Platform, as determined by the Customer.
3. Customer and Deeto hereby assent to the Annex to Commission Implementing Decision (EU)
2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to
third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the
Council (“SCCs”), in its MODULE TWO, as follows:
3.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer
controller to processor: The data importer has the data exporter’s general authorisation
for the engagement of sub-processor(s) from an agreed list. The data importer shall
specifically inform the data exporter in writing of any intended changes to that list
through the addition or replacement of sub-processors at least 10 days in advance,
thereby giving the data exporter sufficient time to be able to object to such changes
prior to the engagement of the sub-processor(s). The data importer shall provide the
data exporter with the information necessary to enable the data exporter to exercise its
right to object.
3.2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to
processor: The Parties agree that this shall be the law of the EU member state in which the
Customer is established, or, if the Customer is not established in any EU member state,
then the law of the Republic of Ireland.
3.3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to
processor: The Parties agree that those shall be the courts of the town, in the EU member
state, in which the Customer is established, or, if the Customer is not established in any
EU member state, then the courts of Dublin, Ireland.

3.4. In Annex I, for MODULE TWO: Transfer controller to processor:
3.4.1. Data Exporter: Customer.
3.4.1.1. Activities relevant to the data transferred under these Clauses: a company
using the Platform.
3.4.1.2. Role: Controller.
3.4.2. Data Importer: Deeto.
3.4.2.1. Activities relevant to the data transferred under these Clauses: Developer,
operator and provider of the Platform.
3.4.2.2. Role: Processor.
3.5. Description of Transfer:
3.5.1. Categories of data subjects whose personal data is transferred: representatives of
the data exporter, representatives of data exporter’s prospects and representatives
of data exporter’s references.
3.5.2. Categories of personal data transferred: (a) the Platform’s fields of personal data
or personal information configurable by the data exporter, (b) information of
surveys submitted by representatives of data exporter’s prospects and references,
(c) credit point earnings for users engaging in certain activities on the Platform, as
determined by the Customer, and (d) email addresses and/or phone numbers
that Customer instructs Deeto to process for the purpose of sending
one-time invitation messages to data subjects.
3.5.3. Sensitive data transferred: None.
3.5.4. The frequency of the transfer: on a continuous basis.
3.5.5. Nature of the processing: uploading data to the Platform, storage on the Platform,
retrieval, analytics reporting and derived insights.
3.5.6. Purpose(s) of the data transfer and further processing: the provision of a
technology platform that helps businesses to improve their selling process to
prospects and connect between prospects and references.
3.5.7. The period for which the personal data will be retained: the period set out in the
Agreement.
3.5.8. Transfers to (sub-) processors:

Name | Subject matter and nature of Processing Activities | Location of processing and EU Safeguard Mechanism
AWS - Amazon Web Services, Inc. | Data and cloud storage solution | United States (SCCs), Adequacy Decision (US-EU Data Privacy Framework)
Twilio, Inc. | Email messages and notifications | United States (SCCs), Adequacy Decision (US-EU Data Privacy Framework)

3.5.9. Competent Supervisory Authority: the data protection authority in the EU member
state in which the Customer is established, or the Customer’s lead supervisory
authority for GDPR purposes, but if the Customer is not established in any EU
member state, then the supervisory authority of the EU member state in which the
Customer’s EU representative pursuant to Article 27 of the GDPR is located.
3.6. In Annex II, for MODULE TWO (TECHNICAL AND ORGANIZATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY
OF THE DATA): Transfer controller to processor – See appendix below.
4. The Customer will comply with its obligations under the GDPR, in particular in the Processing
instructions it issues to Deeto as per Clause 8.1 of the SCCs.
5. If Deeto’s assistance to Customer under Clause 10 of the SCCs entails material costs,
expenses, or resources to Deeto, then the parties shall first discuss and agree on the fees
payable to Deeto for such assistance.
6. Audit and inspections conducted under Clause 8.9 of the SCCs shall be conducted during
ordinary business hours of Deeto and with minimal disruption to Deeto’s ordinary course of
business, shall not extend to any activities of Deeto with other customers or parties, and if
conducted by an independent auditor, such auditor shall be made subject to appropriate
confidentiality undertakings satisfactory to Deeto. If such inspections or audits entail
material costs, expenses or resources to Deeto, then the parties shall first discuss in good
faith and agree on the fees payable to Deeto for such inspections or audits.

APPENDIX

Description of the technical and organizational security measures implemented by Deeto
1. Risk Management:
1.1. Deeto maintains a formal risk management program to continually discover, research,
plan, resolve, monitor, and optimize information security risks that impact Deeto's
business objectives, regulatory requirements, and customers.
1.2. Deeto identifies, classifies and manages the inventory of information assets. The assets
inventory is reviewed by the CISO on an annual basis.
1.3. IT vendors that engage in business with Deeto are subject to information security,
confidentiality, and privacy commitments as part of their agreements with Deeto.
1.4. Deeto reviews the critical vendors' SOC2 report on an annual basis. The review includes
identifying and documenting the controls in place at Deeto to address the CUECs, noted
deviations, and the auditor's opinion.
1.5. Deeto has procedures in place to dispose of confidential information according to
Deeto's data retention and disposal policy.
1.6. Deeto enforces segregation between development, staging and production
environments to enforce confidentiality and privacy of customers’ data.
2. Vulnerabilities, PTs, Incidents
2.1. An external web application penetration test is conducted annually. Critical and High
issues are investigated and resolved in a timely manner.
2.2. Production networks undergo vulnerability scans continuously. When an incident is
detected, alerts are sent to relevant stakeholders for investigation and resolution in a
timely manner.
2.3. Vulnerability scans for the source code are performed to identify security issues as part
of the SDLC. High/critical issues are remediated in a timely manner.
2.4. Intrusion detection system scans continuously for potential security issues and alerts
the administrator upon discovering unexpected and potentially malicious activity in the
production environment, with a high/critical risk rating.
2.5. Deeto has developed a Security Incident Response Policy in order to respond to security
incidents and personal data breaches in accordance with applicable laws and
regulations.
3. Availability, BCP and DR
3.1. Deeto's application uptime is continuously monitored for availability.
3.2. Deeto has developed a Disaster Recovery Plan to continue to provide critical services in
the event of a disaster. The DRP is reviewed on an annual basis. Deeto conducts disaster
recovery (DR) testing on an annual basis to provide a coordinated venue for
infrastructure and application teams to test communication plans, fail-over scenarios,
operational transition, and other emergency responses. All teams that participate in the
DR exercise develop testing plans and post mortems which document the results and
lessons learned from the tests.
3.3. Deeto conducts pre-employment screening checks of candidates commensurate with
the employee’s position and level, in accordance with local laws and the HR policy.
3.4. New employees go through an onboarding process to be informed of their role
responsibilities, organizational policies, and provisioning of relevant access.
3.5. Deeto has established a Security Awareness Training program and requires all
employees to complete this training every year.
4. Access Control

4.1. User accounts are disabled or deleted on the production and other organizational
information assets in a timely manner upon notification of job termination.
4.2. Deeto has established a formal standard for passwords to govern the management and
use of authentication mechanisms. Strong password configuration settings, where
applicable, are enabled, including: (1) use a minimum of characters; (2) use upper
case, lower case, numeric, and special character values; (3) an enforced password history
policy with at least 5 previous passwords remembered.
4.3. User access and permissions in restricted environments are reviewed and approved by
Deeto's management on a quarterly basis.
4.4. Access to the identity management tool is performed using two-factor authentication
and is restricted to authorized personnel. Access to the production environment
console is restricted to authorized personnel and performed using a two-factor
authentication method. Access to the source control tool is performed using two-factor
authentication and is restricted to authorized personnel.
4.5. Access to alter and delete backups is restricted to authorized users and uses two-factor
authentication.
4.6. Access to PII in databases is restricted to authorized Deeto personnel including help
desk personnel.
4.7. Audit trails (security logs) are deployed on the production environment continuously to
capture actions made directly by a user or by a cloud service.
5. Network and Device Security, Encryption
5.1. Deeto has enabled multiple network security controls, such as VPC security, cloud
firewall, and port restriction.
5.2. Restricted information assets containing sensitive customer data hosted on databases
and backups are at least disk-level encrypted.
5.3. Encrypted communication between Deeto's customers and Deeto's assets is enabled
using HTTPS (TLS 1.2) with a valid, authenticated certificate.
5.4. Deeto secures and controls its employees' laptops to enforce its security settings,
including hard-disk encryption and auto patching.
5.5. Anti-malware detection software is installed on employees' devices (i.e., workstations
and laptops) and configured to receive updates regularly.
5.6. Deeto has an established key management process in place to support the
organization’s use of cryptographic techniques.

PART THREE

1. Customer and Deeto hereby assent to the Annex to the International Data Transfer
Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued
under Section 119A of the UK Data Protection Act 2018, available at
https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf
(“UK SCCs”), as follows:
Section of the UK SCCs | Content
Table 1 – Start Date | The Effective Date of the Agreement
Table 1 – Parties’ details | Exporter (who sends the Restricted Transfer): Full legal name: As set forth in the Agreement. Main address (if a company registered address): As set forth in the Enrollment. Importer (who receives the Restricted Transfer): Full legal name: Deeto, Inc. Main address (if a company registered address): As set forth in the Agreement.
Table 1 – Key Contact | As set forth in the Enrollment. Email address: support@deeto.ai
Table 2 – Addendum EU SCCs | The version of the Approved EU SCCs in Part Two above, including the Appendix Information. Date: The Effective Date of the Agreement. Reference (if any): Part Two
Table 3 – Appendix Information | Annex 1A: List of Parties: see Part Two. Annex 1B: Description of Transfer: see Part Two. Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: see Appendix to Part Two.
Table 4 – Ending this Addendum when the Approved Addendum Changes | Which Parties may end this Addendum: ☐ Importer ☒ Exporter ☐ neither Party

© 2025 Deeto. All rights reserved.