Skip to main content
Product Video Library
Book a Demo

Data Processing Addendum

Download PDF

 

Terms and Conditions Version: 7

Publish Date: 16th September 2025

PARTIES

This Agreement is between Customer and Claromentis. "Customer" is defined as the legal entity for which this agreement is being signed. If the agreement is not for a legal entity, then the "Customer" is the individual who accepts the terms.

AGREED TERMS

1. Definitions and interpretation

The following definitions and rules of interpretation apply in this agreement.

Definitions:

Data Subject: as defined under Article 4 of the UK GDPR.

Data Protection Legislation: (i) the Data Protection Act 2018 (DPA); (ii) the UK GDPR as defined in section 3(1) (as supplemented by section 205(4)) of the DPA (UK GDPR); and (iii) any and all guidance and codes of practice issued by the relevant data protection supervisory authority (being, in the United Kingdom, the Information Commissioner) and applicable to a party.

Personal Data: as defined under Article 4 of the UK GDPR.

Processing, processes and process: as defined under Article 4 of the UK GDPR.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Protected Data transmitted, stored or otherwise processed.

Protected Data: the Personal Data processed by Claromentis received from the Controller, or otherwise obtained in connection with the performance of the obligations of Claromentis under this agreement, the details of which are described in Annex A.

Standard Contractual Clauses (SCCs): the ICO's International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO's International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

Intranet Software: this refers to the ‘Claromentis’ software which is available via a web browser or mobile application.

  • This agreement is subject to the terms of the Customer Agreement and is incorporated into the Customer Agreement . Interpretations and defined terms set forth in the Customer Agreement apply to the interpretation of this agreement.
  • The Annexes form part of this agreement and will have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the Annexes.
  • A reference to writing or written includes faxes and email. In the case of conflict or ambiguity between:
    • any provision contained in the body of this agreement and any provision contained in the Annexes, the provision in the body of this agreement will prevail;
    • the terms of any accompanying invoice or other documents annexed to this agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
    • any of the provisions of this agreement and the provisions of the Customer Agreement , the provisions of this agreement will prevail; and
    • any of the provisions of this agreement and any executed, the provisions of the executed SCC will prevail.
  1. Protected Data types and processing purposes
    • Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
    • The parties acknowledge that for the purposes of the Data Protection Legislation, Annex A sets out the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of Protected Data and categories of Data Subject.
    • Without prejudice to the generality of clause 1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Protected Data to the Processor for the duration and purposes of this agreement.
  2. Processor obligations
    • Without prejudice to the generality of clause 1, the Processor shall, in relation to any Protected Data processed in connection with the performance by the Processor of its obligations under this agreement:
      • process the Protected Data only on the written instructions of the Controller except where otherwise required by applicable law and in any such case the Processor shall promptly inform the Controller in writing of that legal requirement before performing the processing of the Protected Data, unless applicable law prevents it doing so on important grounds of public interest. The Processor shall immediately inform the Controller if the Processor believes any instruction relating to the Protected Data infringes or may infringe any Data Protection Legislation;
      • Claromentis will implement and maintain appropriate technical and organizational measures to protect the security, confidentiality, integrity, and availability of Customer Data and to prevent Security Incidents. Claromentis’s current security measures are described at claromentis.com/legal/security. The Customer is responsible for properly configuring the Claromentis Products and using the available security features to maintain an appropriate level of security for its Customer Data. Claromentis may update these security measures from time to time, as long as such changes do not materially decrease the overall security of the Cloud Products during a Subscription Term. ensure that all personnel who have access to and/or process Protected Data are obliged to keep the Protected Data confidential;
      • not transfer any Protected Data outside of the European Economic Area unless the transfer is made to an adequate jurisdiction (within the meaning of Article 45(1) of the UK GDPR) or prior written consent of the Controller has been obtained and the following conditions are fulfilled:
        • the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
        • the Data Subject has enforceable rights and effective legal remedies;
        • the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Protected Data that is transferred; and
        • the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Protected Data;
      • assist the Controller, at the Controller’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
      • notify the Controller without undue delay on becoming aware of a Personal Data Breach;
      • at the written direction of the Controller, delete or return Personal Data and copies thereof to the Controller on termination of the agreement unless required by applicable law to store the Protected Data; and
      • maintain complete and accurate records and information to demonstrate its compliance with this clause 1.
  1. Sub-processors & Subcontractors
    • The Controller consents to the Processor appointing reputable third party domestic and international carriage partners as a third-party processor of Personal Data under this agreement. The Processor confirms that it has entered or (as the case may be) will enter with the third-party processor(s) into a written agreement incorporating terms which are substantially similar to those set out in clause 1. As between the Controller and the Processor, the Processor shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 4.
    • Claromentis maintains a list of the sub-processors currently instructed by the Processor at the following link: www.claromentis.com/legal/sub-processors
  2. Term and termination
    • This agreement will immediately take effect upon entering into the Customer Agreement .
    • The provisions of this agreement shall survive the term of this agreement and the Customer Agreement , and in order to protect Protected Data shall remain in full force and effect.
  3. Notice
    • Any notice or other communication given to a party under or in connection with this agreement must be in writing and shall be:
      • delivered by hand or by recorded delivery service at its registered office; or
      • sent by email to data-protection@claromentis.com and sales@claromentis.com
      • Any notice shall be deemed to have been received:
        • if delivered by hand, at the time the notice is left at the proper address;
        • if sent by recorded delivery at the time and date registered by the recorded delivery service; or
        • if sent by email, on the next business day after transmission, provided always that no error message, out-of-office or other automated reply, bounce-back, or other notification of a failure of or delay to transmission is received by the party sending such notice within forty-eight (48) hours of attempted transmission.
      • Clause 1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

 

Annex A - Description of Processing

Subject matter of processing:

Claromentis will process personal data to provide our software and product related support in accordance with the Customer Agreement and this DPA. The nature of this processing, including collection, structuring, storage, and transmission, is as described in Annex A and other relevant documentation.

Duration of Processing:

For the duration of this Agreement.

Nature of Processing:

We process personal information by hosting and accessing the controllers intranet site in order to deploy, maintain and support intranet software.

Personal Data Categories:

The data categories are unknown and it is the responsibility of the controller to decide what personal data categories are uploaded to the intranet software. It’s possible that the personal data categories could include personal details, family details, lifestyle and social circumstances, goods and services, employment and education details, financial details.

Data Subject Types:

The data subjects are unknown and it is the responsibility of the controller to decide the nature of the personal data that is uploaded to the intranet software. Its likely that the personal data subject types include the controller’s clients, employees, suppliers and individuals.

Sensitive data transferred: The Customer is solely responsible for determining and controlling any Sensitive Data it or its Users upload to the Cloud Products. This includes special categories of personal data, as defined by applicable laws, such as data concerning racial or ethnic origin, health information, or criminal convictions.

Transfers to Sub-processors: Claromentis will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-proccessors & Subcontractors).