Data Processing Addendum

This Data Processing Addendum (“Addendum”) is an integral part of the Execue Terms and Conditions or any other agreement (the “Agreement”) between Execue GTM, Inc. (“Execue”) and the entity or individual identified as the Customer in the applicable account or Agreement referencing this Addendum (“Customer”), governing the use of the Platform located at https://execue.io and https://app.execue.io, and related Services. 

For the purposes of this Addendum, Execue and the Customer may collectively be referred to as the “Parties” and individually as a “Party”.

This Addendum is entered into to ensure compliance with Applicable Privacy Laws and outlines the terms under which Execue processes Personal Data on behalf of the Customer. 

1. Main Definitions

“Customer Personal Data” means any Personal Data provided by the Customer, its employees, agents, or representatives to Execue for processing under the Agreement.

“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Applicable Privacy Laws” means:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“EU GDPR”), and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“EU e-Privacy Directive”) (collectively, “EU Privacy Laws”);

  • The Data Protection Act 2018 and the GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 (“UK GDPR”);

  • The Swiss Federal Act on Data Protection and its implementing regulations (“Swiss FADP”);

  • State laws in the United States relating to the protection and processing of Personal Data, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act; the Connecticut Data Privacy Act; the Utah Consumer Privacy Act; the Florida Digital Bill of Rights (“FDBR”); the Iowa Consumer Data Protection Act (“ICDPA”); the Delaware Personal Data Privacy Act (“DPDPA”); and any other applicable state law relating to the protection and processing of Personal Data (collectively “US State Privacy Laws”);

  • Any other applicable national or state laws, regulations, or legal frameworks concerning the protection and processing of Personal Data, as amended, superseded, or replaced from time to time.

“International Transfer” means: 

  • For the EU GDPR: The transfer of Personal Data from the European Economic Area (EEA) to a non-EEA country that lacks an adequacy decision from the European Commission under Article 45 of the EU GDPR.

  • For the UK GDPR: The transfer of Personal Data from the United Kingdom to a third country or international organization that has not received an adequacy determination under Section 17A of the UK GDPR.

  • For the Swiss FADP: The transfer of Personal Data from Switzerland to a third country not recognized as providing adequate protection under the Swiss Federal Data Protection and Information Commissioner’s guidelines.

“Lawful Transfer Mechanism” means methods legally recognized for transferring Personal Data from one jurisdiction to another in compliance with the Applicable Privacy Laws. Such mechanisms ensure that data is transferred in a secure and compliant manner and may include, but are not limited to:

  • Standard Contractual Clauses, as annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to EU GDPR (“EU SCCs”).

  • The UK Addendum, which supplements the EU Standard Contractual Clauses for transfers of Personal Data under the UK GDPR, and is the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (Version B1.0, in force as of 21 March 2022) (“UK Addendum”).

  • Data Privacy Framework (DPF). Where applicable, the Company and its U.S.-based Sub-Processors may rely on the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-U.S. DPF for transfers of Personal Data from the European Union, United Kingdom, and Switzerland to the United States.

  • Other Legally Recognized Transfer Mechanisms, including, but not limited to, Binding Corporate Rules (BCRs), Adequacy Decisions, approved Codes of Conduct, or Certification Mechanisms, all of which are recognized by competent authorities under Applicable Privacy Laws. 

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

“Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction. 

“Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, health data, data concerning a natural person's sex life or sexual orientation, or any other category of data considered sensitive under Applicable Privacy Laws.

“Sub-processor” means any natural or legal person, public authority, agency, or other body engaged by the Processor (or by any other Sub-processor) to Process Personal Data on behalf of the Controller in connection with the Agreement.

Any capitalized terms used but not defined in this Addendum shall have the meanings given to them in the Agreement and the Applicable Privacy Laws.

2. Relationship of the Parties

For the purposes of Applicable Privacy Laws, the roles of Controller and Processor are as follows:

  • The Customer is the Controller, determining the purposes and means of the Processing of Customer Personal Data.

  • Execue acts as the Processor, processing Customer Personal Data only on behalf of the Customer and in strict compliance with the Customer's documented instructions, as set forth in this Addendum, the Agreement, and any other written instructions issued by the Customer.

3. Description of Processing(s)

3.1. Customer Personal Data

  1. Execue will process Customer Personal Data strictly as a Processor in accordance with the Customer’s documented instructions, as outlined in Section 4.1 (Processing Instructions). This includes Processing Customer Personal Data to provide the Platform and related Services as per the Agreement.

  2. Execue shall not use, disclose, or otherwise Process Customer Personal Data for any purpose other than those explicitly specified by the Customer, unless required by Applicable Privacy Laws. In such cases, Execue shall notify the Customer unless prohibited by law.

  3. The specific details of the Processing operations, including the categories of Customer Personal Data, types of Data Subjects, and the purposes for which Customer Personal Data is processed, are detailed in Annex I. These details form an integral part of this Addendum and define the scope and limitations of the Processing activities conducted by Execue.

3.2. Customer Account Data

Execue will process Customer Account Data as a Controller for the following purposes:

  • To provide, maintain, and improve the Platform and Services, including user account management, operational efficiency, and customer support.

  • To communicate with the Customer, including responding to inquiries, providing technical support, and sending service-related updates.

  • To ensure Platform security, fraud prevention, performance monitoring, and business continuity (e.g., backup, disaster recovery).

  • To manage billing, account administration, tax compliance, and other legitimate business functions necessary for contractual and regulatory compliance.

3.3. Platform Usage Data

Execue will process Platform Usage Data as a Controller for the following purposes:

  • To provide, optimize, secure, and maintain the Platform and Services for all users.

  • To analyze engagement patterns, monitor performance, and enhance the usability and effectiveness of the Platform.

  • To derive insights that inform business strategy, product development, and enhancements in the Platform’s offerings and features.

4. Obligations of the Parties

4.1. Processing Instructions

  1. Compliance with Customer Instructions. Execue shall process Customer Personal Data strictly in accordance with the documented instructions provided by the Customer, as necessary to fulfill the Agreement. Any Processing outside these instructions shall require prior written authorization from the Customer, except where required by Applicable Privacy Laws. In such cases, Execue shall notify the Customer unless prohibited by law.

  2. Additional Instructions. The Customer may issue additional written instructions concerning the Processing of Customer Personal Data. Execue shall comply with such instructions, provided they are lawful and technically feasible. Any requested modifications to Processing activities shall be agreed upon in writing by both Parties.

  3. Notification of Non-Compliance. If Execue reasonably believes that any Customer instruction violates Applicable Privacy Laws, it shall promptly notify the Customer and suspend the relevant Processing until the Customer confirms or modifies its instructions.

  4. Processing Limitations. Execue shall not process Customer Personal Data for any purpose other than as explicitly stated in Annex I or as otherwise instructed in writing by the Customer. Any Processing beyond the scope of the documented instructions shall require prior written agreement.

  5. Duration of Processing. Execue shall process Customer Personal Data only for the duration specified in Annex I or as otherwise agreed upon by both Parties in writing. Upon expiration of the agreed processing period, Execue shall securely delete or return the Customer Personal Data, in accordance with Customer instructions.

4.2. Security of Processing

  1. Implementation of Security Measures. Execue shall adopt and maintain industry-standard technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, damage, alteration, or disclosure. These measures shall be outlined in Annex II.

  2. Access Restrictions. Execue shall ensure that only authorized personnel with a legitimate need to process Customer Personal Data have access to it. Access shall be subject to strict confidentiality obligations and role-based access controls.

  3. Encryption and Data Integrity. Execue shall implement encryption, pseudonymization, or other security controls, where appropriate, to enhance the confidentiality and integrity of Customer Personal Data.

  4. Incident Response. In the event of a Personal Data Breach, Execue shall follow its internal breach response protocol and notify the Customer without undue delay, as specified in Section 7.

4.3. Sensitive Data

  1. Additional Safeguards. If Processing involves Sensitive Data (e.g., health, biometric, or criminal record data), Execue shall apply enhanced security measures, including stricter access controls, encryption, and secure storage.

  2. Limited Processing. Execue shall not process Sensitive Data unless explicitly authorized in writing by the Customer or required by applicable law. In such cases, Execue shall promptly inform the Customer before Processing, unless prohibited by law.

4.4. Confidentiality 

  1. Obligation to Maintain Confidentiality. Execue shall treat Customer Personal Data as confidential and shall not disclose it to third parties except as permitted under this Addendum, the Agreement, or applicable law.

  2. Personnel and Third Parties. Execue shall ensure that all personnel, contractors, and Sub-processors who access Customer Personal Data are bound by legally enforceable confidentiality obligations no less protective than those under this Addendum.

  3. Survival of Confidentiality Obligations. The confidentiality obligations set forth in this Section shall survive the termination or expiration of this Addendum for as long as Execue retains Customer Personal Data.

4.5. Documentation and Compliance

  1. Record-Keeping. Execue shall maintain accurate records of Processing activities performed on behalf of the Customer, including the categories of data processed, Processing purposes, and security measures implemented. These records shall be made available to the Customer upon request, as necessary to demonstrate compliance.

  2. Assistance with Compliance. Execue shall provide reasonable assistance to the Customer in fulfilling its compliance obligations, including responding to regulatory inquiries, conducting risk assessments, and implementing necessary safeguards.

4.6. Audits

  1. Independent Audits. Execue will undergo regular internal audits and assessments, as well as third-party evaluations, to ensure compliance with Applicable Privacy Laws, industry standards, and security controls. These audits will be conducted at Execue’s discretion, with the findings made available as required for regulatory purposes. Execue retains full discretion over the scope and timing of such audits and will make reasonable efforts to address any identified gaps in a timely manner.

  2. Customer Audits. Upon reasonable notice (no less than thirty (30) days) and subject to the following terms, the Customer may conduct an audit of Execue to assess its compliance with this Addendum. Such audit shall be limited to once per calendar year and may include document reviews and security assessments.

  • The audit shall not interfere with Execue’s normal business operations and will be conducted during normal business hours.

  • Any audit shall be at the Customer’s expense, and the Customer shall bear the cost of any external auditors or additional resources required for the audit.

  • Execue reserves the right to review and approve the scope, methodology, and timeline of any audit in advance to ensure that it is reasonable and non-disruptive.

  3. Confidentiality of Audit Information. Any information, documents, or findings obtained by the Customer during an audit shall be considered confidential and treated in accordance with the confidentiality obligations set forth in this Addendum. Such information shall be used solely for the purpose of verifying compliance with this Addendum and for no other purpose.

4.7. Use of Sub-Processors

  1. Authorization to Engage Sub-Processors. The Customer authorizes Execue to engage Sub-Processors to assist in Processing Customer Personal Data, provided that such engagement complies with this Addendum and Applicable Privacy Laws. A list of current Sub-Processors is maintained in Annex III.

  2. Notification of Changes. Execue shall notify the Customer at least 30 days in advance of any new Sub-Processor engagement or replacement, providing the Customer an opportunity to raise reasonable objections.

  3. Objection Handling. If the Customer objects to a new Sub-Processor for legitimate reasons, the Parties shall cooperate in good faith to find a reasonable alternative. If no resolution is reached, the Customer may terminate the affected services.

  4. Sub-Processor Contracts. Execue shall impose contractual obligations on all Sub-Processors that are at least as protective as those under this Addendum. Execue remains fully liable for its Sub-Processors’ compliance with applicable obligations.

4.8. Data Processing Responsibilities and Compliance

  1. General Compliance. The Customer is solely responsible for ensuring that all Personal Data imported, processed, and used in connection with the Platform and Services complies with Applicable Privacy Laws. This includes, but is not limited to, obtaining all necessary consents and authorizations for the importation, processing, and use of Personal Data.

  2. Data Import and Tracking Signals. The Customer acknowledges and agrees that it is their responsibility to ensure any Personal Data imported into the Platform, including data related to leads, prospects, and job change signals, is lawfully obtained and used in accordance with Applicable Privacy Laws. Execue’s role is to process this data as instructed by the Customer in providing the Services, including tracking signals like job changes and website visits to generate context-rich messages.

  3. Integration with Third-Party Systems. While Execue facilitates integrations with third-party systems (e.g., CRM and outreach systems), both Execue and the Customer share joint responsibility for ensuring that Personal Data transferred through these integrations is processed in compliance with Applicable Privacy Laws. Execue will take reasonable steps to ensure that such integrations are secure and legally compliant, but the Customer is responsible for ensuring their own compliance in relation to the third-party systems they choose to integrate with.

  4. Post-Service Compliance. The Customer remains solely responsible for compliance with Applicable Privacy Laws, including but not limited to the continued lawful processing, storage, and deletion of Personal Data post-service provision. Execue does not have responsibility for the data once it has been transferred back to the Customer’s systems or third-party systems, nor for any subsequent use of the data.

  5. Limitation of Liability. Execue is not responsible for any unlawful processing, use, or retention of Personal Data by the Customer, their systems, or third-party systems to which the Personal Data may be transferred or integrated. The Customer indemnifies and holds Execue harmless from any claims, damages, or losses arising from their failure to comply with Applicable Privacy Laws.

5. General Principles for International Transfers

  1. Transfers Based on Customer Instructions. Execue shall not transfer Customer Personal Data outside the jurisdiction of its origin except as necessary to perform its obligations under the Agreement, in accordance with the Customer’s documented instructions, or as required by Applicable Privacy Laws.

  2. Intra-Group Transfers. The Customer acknowledges that Execue may transfer Customer Personal Data within its corporate group for operational efficiency, governance, and the global provision of services. Execue shall ensure that all intra-group transfers comply with Applicable Privacy Laws and are subject to appropriate safeguards.

  3. Transfers to Authorized Sub-Processors. Execue is authorized to transfer Customer Personal Data to approved Sub-Processors as set forth in Section 4.7. Execue shall ensure that any such transfer is conducted under a valid legal mechanism and does not lower the level of protection afforded to Customer Personal Data.

  4. Lawful Transfer Mechanisms. Where Customer Personal Data is transferred to a jurisdiction that does not provide an adequate level of data protection, Execue shall use the Lawful Transfer Mechanisms.

5.1. Transfers from the European Economic Area to a Third Country

Where Processing involves an International Transfer of Customer Personal Data from the Customer, established in the European Economic Area (“EEA”), to the Company, established in a third country outside of the EEA that does not have an adequacy decision, the EU SCCs shall be incorporated by reference into this Addendum. The following modifications to the EU SCCs apply:

  • The Customer shall be the “Data Exporter” and the Company shall be the “Data Importer.”

  • Applicable Module: Module Two (Controller to Processor) applies where the Customer is a Controller of Customer Personal Data, and the Company is Processing Customer Personal Data as a Processor. All other Modules are excluded.

  • Clause 7 (Docking Clause): Shall not apply.

  • Clause 9 (Use of Sub-Processors): The general prior authorization approach shall apply, with a notice period in accordance with Section 4.7.

  • Clause 11 (Optional Redress Mechanism): Shall not apply.

  • Clause 13 (Supervisory Authority): The competent supervisory authority shall be determined based on the Customer’s establishment in the EEA.

  • Clause 17 (Governing Law): The governing law shall be that of Ireland.

  • Clause 18 (Dispute Resolution): Disputes shall be subject to the jurisdiction of the courts of Ireland.

  • The Annexes shall be prepopulated with details from the Annexes of this Addendum. 

5.2. Transfers from the UK to a Third Country

For transfers subject to the UK GDPR, the EU SCCs shall apply with the following modifications:

  • The SCCs shall be deemed amended by the UK Addendum issued by the UK Information Commissioner’s Office (ICO).

  • Tables 1-3 of Part 1 of the UK Addendum shall be prepopulated with information from the Annexes to this Addendum.

  • Either Party may terminate the UK Addendum in accordance with Table 4.

  • In the event of a conflict between the SCCs and the UK Addendum, the provisions of the UK Addendum shall govern.

5.3. Transfers from Switzerland to a Third Country

In relation to transfers of Customer Personal Data protected by the Swiss FADP, the EU SCCs as incorporated under Section 5.1 shall apply with the following modifications:

  • Any references to “Regulation (EU) 2016/679” shall be understood as references to the Swiss FADP.

  • Terms such as “European Union,” “EU,” and “Member State” shall be interpreted as “Switzerland.”

  • References to the “competent supervisory authority” shall be understood as the Swiss Federal Data Protection and Information Commissioner (FDPIC).

  • The governing law shall be Swiss law, and disputes shall be resolved before the competent Swiss courts.

6. Assistance and Cooperation

6.1. Data Subject Requests

  1. Notification Obligation. Execue shall notify the Customer without undue delay upon receiving a request from a Data Subject concerning their rights under Applicable Privacy Laws (e.g., access, rectification, erasure, restriction, or data portability).

  2. Prohibition on Direct Response. Execue shall not respond to such requests or take any action unless explicitly authorized in writing by the Customer, except as required by law.

  3. Customer’s Responsibility. The Customer shall be responsible for fulfilling Data Subject requests. Execue shall provide reasonable assistance as necessary to facilitate compliance with applicable obligations.

  4. Scope of Assistance. Execue’s support may include:

  • Providing relevant Customer Personal Data in a structured format.

  • Implementing technical measures to execute a Data Subject request.

  • Assisting in verifying Data Subject identities if required.

6.2. Third-Party and Government Requests

  1. Third-Party Access Requests. If Execue receives a request for access to Customer Personal Data from a law enforcement agency, government authority, or other third party, Execue shall:

  • Promptly notify the Customer unless legally prohibited from doing so.

  • Provide only the minimum information necessary to comply with the request.

  • Consult with the Customer to determine a lawful response strategy.

  2. Documentation and Records. Execue shall maintain a record of all such third-party requests and provide relevant details to the Customer upon request.

7. Personal Data Breach Management

  1. Obligation to Notify. Execue shall notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and, in any event, no later than 48 hours after becoming aware of the breach.

  2. Minimum Notification Requirements. The notification shall include, to the extent known at the time:

  • The nature of the breach, including, where possible, the categories and estimated number of affected Data Subjects and data records.

  • Contact details for further inquiries.

  • The likely consequences of the breach.

  • Steps taken or proposed to address and mitigate the breach.

  3. Follow-Up Communication. If all required information is not available in the initial notification, Execue shall provide further updates without undue delay.

8. Obligations under US State Privacy Laws

8.1. Role of the Parties

The Customer is a “Business” under applicable U.S. State Privacy Laws.

Execue is a “Service Provider” and shall Process Customer Personal Data solely for the business purposes outlined in the Agreement, which does not constitute a “Sale” or “Sharing” of data.

Execue shall ensure that any Processing is strictly limited to necessary business purposes, such as service provision, security, debugging, and internal research.

8.2. General Compliance

Execue shall comply with all applicable U.S. State Privacy Laws when Processing Customer Personal Data and shall adhere strictly to the Customer’s documented Processing instructions as outlined in this Addendum and the Agreement.

  1. Restrictions on Processing. Execue shall not:

  • Process Customer Personal Data for any purpose beyond what is necessary to provide the services under the Agreement or as permitted by applicable law.

  • "Sell" or "Share" Customer Personal Data, as defined under relevant U.S. State Privacy Laws.

  • Use Customer Personal Data outside the direct business relationship with the Customer or combine it with other data unless expressly permitted by law.

  2. Notification of Non-Compliance. If Execue determines that it cannot meet its obligations under the U.S. State Privacy Laws, it shall notify the Customer without undue delay and within any legally required timeframe. The Customer may take appropriate action, including suspending or terminating Processing activities.

8.3. Deidentified Data

  1. Use of Deidentified Data. For the purposes of this section, “Deidentified Data” refers to data that cannot reasonably be linked to an identified or identifiable individual. Execue may use Deidentified Data for permissible purposes, such as analytics, research, and statistical analysis, without re-identifying individuals.

  2. Deidentification Measures. Execue shall:

  • Implement reasonable safeguards to prevent re-identification.

  • Maintain Deidentified Data in a de-identified state.

  • Not attempt to re-identify such data, except for testing the effectiveness of de-identification measures.

  • Ensure third parties, including Sub-Processors, contractually commit to maintaining de-identification standards before sharing Deidentified Data.

8.4. Consumer Rights Assistance

Execue shall assist the Customer in fulfilling Verifiable Consumer Requests, including access to Personal Data, deletion or correction of Personal Data, and opt-out requests related to “Do Not Sell or Share My Personal Information” provisions.

8.5. Ongoing Compliance

Execue shall continuously update its Processing practices to remain compliant with newly enacted or amended U.S. State Privacy Laws and implement necessary adjustments to ensure continued adherence.

9. Termination

9.1. Termination of the Addendum

This Addendum shall automatically terminate upon termination of the Agreement. Upon termination, Execue shall cease Processing Customer Personal Data, except as required by law or explicitly authorized by the Customer.

9.2. Post-Termination Access

The Customer shall have limited access to its Personal Data stored within Execue’s systems for thirty (30) days following termination, solely for the purpose of retrieving such data. After this period, Execue shall proceed with data deletion or return as outlined in Section 10.

9.3. Survival of Obligations

The obligations related to confidentiality, data protection, and compliance with applicable laws shall survive the termination of this Addendum.

10. Return and Deletion of Personal Data

10.1. Return or Deletion

Upon termination of this Addendum or at the Customer’s written request, Execue shall, within ninety (90) days, either return all Customer Personal Data to the Customer or delete it, as directed.

If retention is required under applicable law, Execue shall ensure the confidentiality of the retained data and restrict Processing strictly to legally required purposes.

10.2. Continued Compliance

Until Customer Personal Data is fully deleted or returned, Execue shall:

  • Maintain compliance with this Addendum.

  • Ensure appropriate security and confidentiality measures remain in place.

11. Jurisdiction

11.1. Governing Law

This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction specified in the Agreement, unless otherwise required by Applicable Privacy Laws.

11.2. Dispute Resolution

The Parties agree to attempt good-faith negotiations to resolve any disputes arising from this Addendum. If unresolved within thirty (30) days, the dispute may proceed to mediation or arbitration, as specified in the Agreement. If still unresolved, the dispute shall be subject to the exclusive jurisdiction of the courts designated in the Agreement.

ANNEX I

A. LIST OF PARTIES

Customer

Name:

Address:

Contact person’s name, position and contact details:

Activities relevant to the data processed under this Addendum: The Customer orders and receives services as outlined in the Agreement, which may involve the processing of personal data as described in this Addendum.

Role: Controller

Execue

Name: Execue GTM, Inc.

Address:

Contact person’s name, position and contact details:

Activities relevant to the data processed under this Addendum: Execue provides the services requested by the Customer in accordance with the Agreement, including processing personal data as necessary to deliver those services, in compliance with the terms outlined in this Addendum.

Role: Processor

B. DESCRIPTION OF THE PROCESSING

Categories of Data Subjects whose personal data is processed and transferred

Customer’s Team Members and End Users. Individuals employed or engaged by the Customer, or authorized users accessing or utilizing the Platform Services on behalf of the Customer.

Current and Former Clients. Individuals or entities who have interacted with or are associated with the Customer, including their representatives, employees, and business contacts.

Leads and Prospects. Individuals or business entities identified as potential business opportunities by the Customer, as well as professional contacts derived from public sources, business intelligence tools, and job change tracking signals.

Categories of personal data processed and transferred 

Personal and Business Information. Personal and business data essential for providing Services, including:

  • Contact details: names, email addresses, phone numbers.

  • Professional details: job titles, company affiliations, department, and professional background.

  • Business interaction history: including communications, recorded engagements, and customer support interactions.

  • Identifiers: unique IDs assigned to users for authentication and service tracking.

Profile Data. Data used to build or enhance professional profiles and generate signals, including:

  • Lead intelligence and insights: professional signals, behavioral indicators, and business intent.

  • Engagement tracking: interaction with the Platform, customer touchpoints, and campaign responses.

  • Public data enrichment: information derived from social media, public business databases, and media mentions.

Other Categories of Personal Data. Any additional personal data that may be processed or transferred as necessary to fulfill the Agreement’s purposes, such as:

  • Data processed through customer-configured integrations with CRMs and outbound tools.

  • Supplementary data collected for customer support, billing, and fraud prevention.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

Execue does not actively process sensitive personal data; however, it may be inadvertently collected when:

  • It is publicly available through job postings, media articles, or professional disclosures.

  • It is provided voluntarily by Data Subjects in their interactions with the Platform or Services.

Applied Safeguards

  • Strict access controls: only authorized personnel with specific training can handle such data.

  • Data minimization: sensitive data is not intentionally retained or further processed.

  • Audit logs: access to sensitive information is monitored and recorded.

  • Onward transfer restrictions: ensuring data is not shared beyond necessary service operations.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Customer Personal Data is processed and transferred continuously as part of ongoing provision of Services.

Nature of the Processing

One or more of the following processing activities on Customer Personal Data: collection, recording, organization, structuring, storage, adaptation/alteration, retrieval, consultation, use, alignment/combination, restriction, erasure/destruction.

Purpose(s) of the data transfer and further Processing

Provision of the Services under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Customer Personal Data shall be retained only for as long as necessary for the purposes of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Processing of Customer Personal Data as outlined above, for the duration of the services provided under the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

| Applicable Legislation | Competent Supervisory Authority |
|---|---|
| EU Privacy Laws | The supervisory authority of the Customer, as determined in accordance with Clause 13 of the EU SCCs |
| UK GDPR | The UK Information Commissioner’s Office |
| Swiss FADP | The Swiss Federal Data Protection and Information Commissioner |

SIGNATURES

| Customer | Execue |
|---|---|
| By: _____________________________ | By: _____________________________ |
| Name: | Name: |
| Title: | Title: |
| Date: ________________ | Date: ________________ |

ANNEX II 

TECHNICAL AND ORGANIZATIONAL MEASURES

The Company shall implement industry-standard security measures to protect Customer Personal Data, ensuring compliance with Applicable Privacy Laws. The following measures are in place:

1. Access Control

  • Access to Personal Data is granted strictly based on job roles and responsibilities.

  • Employees and contractors use individual, password-protected accounts with multi-factor authentication (MFA) where feasible.

  • Periodic access reviews ensure unnecessary permissions are revoked.

2. Awareness and Training

  • Employees undergo data protection and security training during onboarding and at regular intervals.

  • Security awareness campaigns and internal guidelines reinforce best practices for handling Personal Data.

3. Risk Management & Security Monitoring

  • Regular internal security reviews assess risks and identify potential vulnerabilities.

  • Automated monitoring tools track unauthorized access attempts, system anomalies, and potential threats.

4. System and Information Integrity

  • Regular updates and security patches are applied to operating systems, software, and applications.

  • Anti-malware and endpoint protection solutions help prevent unauthorized data access and cyber threats.

  • Logs of critical system activities are maintained and reviewed periodically.

5. Identification and Authentication

  • Strong password policies enforce complex, unique passwords.

  • MFA is implemented for administrative access and sensitive systems.

  • Failed login attempts are monitored to detect potential security breaches.

6. Data Protection by Design and Default

  • Privacy risks are assessed before launching new systems or processes that handle Personal Data.

  • Data minimization principles ensure only necessary Personal Data is collected and processed.

  • Where feasible, Personal Data is pseudonymized or encrypted automatically.

7. Encryption and Secure Storage

  • Data in transit is encrypted using TLS/SSL.

  • Personal Data at rest is encrypted using industry-standard encryption.

  • Encryption keys are stored securely and rotated periodically.

8. Configuration and Change Management

  • Default security settings are reviewed and hardened before deploying new systems.

  • Any changes to IT infrastructure or security settings follow an internal approval process.

9. Contingency and Disaster Recovery Planning

  • Daily encrypted backups are performed and stored securely.

  • Disaster recovery procedures ensure Personal Data can be restored within a reasonable timeframe.

10. Security Incident Response

  • A documented incident response plan ensures quick action in case of a security breach.

  • Employees are trained to recognize and report security incidents promptly.

  • Customers will be notified within required legal timeframes if a data breach occurs.

11. Personal Data Processing and Transparency

  • Personal Data is processed only as outlined in customer agreements and applicable laws.

  • Data minimization ensures only necessary Personal Data is collected and retained.

  • Customers can access, modify, or request deletion of their Personal Data in accordance with legal requirements.

12. System and Communications Protection

  • Data in transit is encrypted using TLS/SSL protocols.

  • Secure communication channels, such as VPNs, are used for remote access.

  • Internal networks and systems are protected with firewalls and intrusion detection mechanisms.

13. Personnel Security

  • Employees and contractors undergo background checks where permitted by law.

  • Confidentiality agreements and security policies are part of employment contracts.

  • Role-based access ensures employees handle only the data necessary for their duties.

14. Third-Party Security and Vendor Management

  • Third-party vendors with access to Personal Data undergo security and compliance evaluations.

  • Vendors handling Personal Data must meet contractual security obligations.

15. Logging and System Security

  • Security logs are retained for at least 12 months and monitored for unauthorized access.

  • Default system configurations are assessed and hardened before deployment.

16. Maintenance & Monitoring

  • Routine system maintenance ensures security and operational efficiency.

  • Logs of access and system changes are monitored for anomalies.

17. Data Retention and Secure Disposal

  • Personal Data is retained only as long as necessary for business and legal requirements.

  • Secure deletion processes ensure complete removal of data when no longer needed.

18. Data Subject Rights Enablement

  • Customers can export their data in a structured, commonly used format.

  • Requests for data erasure are processed securely, ensuring complete removal from active systems.

ANNEX III

LIST OF SUB-PROCESSORS

The Sub-Processors currently engaged by Execue and authorized by the Customer are listed below:

| Sub-Processor | Data Processed | Purpose | Location | Additional Details |
|---|---|---|---|---|
| Hetzner Online GmbH | All collected information | Hosting and data storage | EU | Provides cloud hosting services. |
| OpenAI, L.L.C. | Client-submitted content, including personal data (e.g., text-based inputs, user-generated queries) | AI content creation, insights, and analytics | US | Assists in generating content and insights for customer usage, AI-based service enhancement. |
| Salesforce, Inc. | Contact details (e.g., name, email address, phone number, business details) | Customer relationship management, communication tracking | US | Manages customer interactions and engagement across various touchpoints. |
| Mixpanel, Inc. | User interaction data (e.g., clicks, page views, events), customer identifiers | Behavioral analytics, service optimization | US | Collects and analyzes user behavior on the platform. |
| Outreach Corporation | Contact details, engagement data, customer interaction details | Sales analytics and engagement | US | Automates sales outreach, email campaigns, and engagement tracking. |
| HubSpot, Inc. | Contact details, user interactions, service requests, marketing data | Communications and marketing automation | US | Automates marketing efforts, manages customer communications and interactions. |
| Instantly, Inc. | Contact details, interaction data, user-generated content | Sales engagement and outreach automation | US | Provides tools for customer outreach and engagement. |
| Zenleads Inc. (Apollo.io) | Contact details, business data, social profile information | Data enrichment and sales prospecting | US | Enhances customer profiles by enriching data with external sources. |
| Anthropic, PBC (Claude.ai) | Client-submitted content (e.g., text, data entries, personal data) | AI content creation and analysis | US | Provides AI-based content generation and insights. |
| Perplexity AI, Inc. | Client-submitted content, including personal data (e.g., questions, prompts) | AI-driven content creation and analytics | US | Offers generative AI-driven analysis and content creation. |
| Clay Labs Inc. | Contact information, behavioral data, user-generated content | Customer relationship management and follow-ups | US | Manages customer relationships and automates follow-up tasks. |
| Google LLC (Google Analytics) | Interaction data (e.g., page views, clicks, session duration), user identifiers | Web traffic analysis and service optimization | US | Collects data on web interactions to improve user experience. |
| Hotjar Limited | Interaction data (e.g., clicks, scroll data, session recordings), cookies | User behavior analytics, website optimization | EU | Provides heatmaps, session recordings, and analytics to improve website functionality. |
| Stripe, Inc. | Payment information, transaction details, billing contact information | Payment processing, subscription billing management | US | Handles payments, manages subscriptions, and processes transaction data. |