DealCloud Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Master Subscription Agreement (the “Agreement”) between DealCloud, Inc. (“DealCloud”) and Customer (“Customer”).

The terms used in this Addendum shall have the meanings set forth in the Agreement unless otherwise provided. Except as modified below, the terms of the Agreement remain in effect.   

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.

  1. Definitions
    1. In this Addendum, the following terms shall have the meanings set out below:
      1. 1.1.1.“Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which the Customer is subject to EU Data Protection Laws; (b) the laws of the United States.
      2. 1.1.2.Customer Personal Data” means any Personal Data Processed by DealCloud on behalf of the Customer pursuant to or in connection with the Agreement.
      3. 1.1.3.Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of the United States.
      4. 1.1.4.EEA” means the European Economic Area.
      5. 1.1.5.EU Data Protection Laws” means EU Directive 95/46/EC, as implemented into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
      6. 1.1.6.GDPR” means the EU General Data Protection Regulation 2016/679.
      7. 1.1.7.Restricted Transfer” means a transfer of Customer Personal Data from the Customer to DealCloud outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
      8. 1.1.8.Services” means, for the purposes of this Addendum, provision of the DealCloud Platform as well as Support (as applicable).
      9. 1.1.9.Standard Contractual Clauses” means the contractual clauses set out in Annex 2 found at
      10. 1.1.10. .
      11. 1.1.11.Subprocessor” means any third party (including an DealCloud affiliate) appointed by or on behalf of DealCloud to Process Customer Personal Data.
    2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, Processing”, “Processor” and “Supervisory Authority” have the same meaning as defined in the GDPR.
  2. Processing of Customer Personal Data
    1. This Addendum applies to DealCloud’s Processing of Customer Personal Data in the course of DealCloud providing Services to the Customer. As such, DealCloud is the Processor and the Customer is the Controller.
    2. DealCloud will only Process Customer Personal Data in accordance with the Customer’s documented instructions unless Processing is required by Applicable Laws to which DealCloud is subject, in which case DealCloud will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before Processing the Personal Data.
    3. The Customer (i) instructs DealCloud and (and authorises DealCloud to instruct each Subprocessor) to Process Customer Personal Data and transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement; and (ii) represents and warrants that (a) it is and will at all relevant times remain authorised to give such instructions, and (b) all such instructions comply with Applicable Laws.
    4. DealCloud will promptly notify the Customer if, in DealCloud’s reasonable opinion, any instructions violate Applicable Laws.
    5. Annex 1 to this Addendum sets out certain information regarding DealCloud’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR. Customer may make reasonable amendments to Annex 1 by written notice to DealCloud from time to time as Customer reasonably considers necessary to meet those requirements.
  3. DealCloud Personnel

DealCloud will ensure that any DealCloud employee, agent or contractor who may have access to the Customer Personal Data is subject to confidentiality undertakings in respect of the Customer Personal Data.

  1. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DealCloud will implement appropriate technical and organisational measures in respect of Customer Personal Data to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    2. In assessing the appropriate level of security, DealCloud will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
  2. Subprocessing
    1. Customer authorises DealCloud to appoint (and permit each Subprocessor appointed in accordance with this Clause 5 to appoint) Subprocessors in accordance with this Clause 5 and any restrictions in the Agreement.
    2. DealCloud may continue to use those Subprocessors it has engaged as at the date of this Addendum.   
    3. DealCloud will post a notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor, on its website.  Provided that Customer subscribes to notifications from DealCloud, Customer will receive notice of such posting.  If, within 10 business days of receiving the notice, Customer notifies DealCloud in writing of any reasonable objections to the proposed appointment, DealCloud will not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.
    4. With respect to each Subprocessor, DealCloud will:
      1. 5.4.1.Ensure that the arrangement between DealCloud and the Subprocessor is governed by a written contract including terms offering at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR; and
      2. 5.4.2.If that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between DealCloud and the Subprocessor, or before the Subprocessor first Processes Customer Personal Data, procure that it enters into an agreement incorporating the Standard Contractual Clauses with the Customer.
    5. DealCloud will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of any Subprocessor that cause DealCloud to breach any of its obligations under this Addendum.
  3. Data Subject Rights
    1. The Services provide the Customer with a number of means by which the Customer may retrieve, correct, delete or restrict Customer Personal Data. Customer may use these means as technical and organizational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from Data Subjects.
    2. DealCloud will (i) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and (ii) not respond to that request except as required by Applicable Laws to which DealCloud is subject, in which case DealCloud will, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before DealCloud responds to the request.
  4. Personal Data Breach
    1. DealCloud will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
    2. DealCloud will cooperate with Customer and take such reasonable commercial steps as requested by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
  5. Deletion or Return of Customer Personal Data
    1. Subject to Clause 8.2, within 90 days of the expiration or termination of the Agreement (the “Termination Date”), DealCloud will delete permanently the Customer Personal Data unless the Customer has previously deleted all such Customer Personal Data before the Termination Date.
    2. Notwithstanding the foregoing, DealCloud may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws (and DealCloud may retain business contact information for Customer’s staff); provided, however, that DealCloud will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its retention, and for no other purpose.
  6. Data Protection Impact Assessments and Audit Rights
    1. DealCloud will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of it by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, DealCloud. The information made available in Clauses 9.2 through 9.4 is provided to assist the Customer in its compliance with those obligations.
    2. DealCloud is certified under ISO 27001 and agrees to maintain an information security program for the Services that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001.
    3. DealCloud uses external auditors to verify the adequacy of its security measures. This audit (i) will be performed at least annually; (ii) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; and (iii) will be performed by independent third-party security auditors. At the conclusion of the audit the auditor will prepare an audit report (“Report”). Upon the Customer’s request, DealCloud will provide Customer with the Report so that Customer can reasonably verify DealCloud’s compliance with its obligations under this Addendum. The Report will be deemed DealCloud Confidential Information.
    4. Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing DealCloud to carry out the audit described in Clause 9.3. If the Standard Contractual Clauses apply, nothing in this Clause 9 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses.
  7. Restricted Transfers
    1. If DealCloud does not have, at the time of a Restricted Transfer, certification under the Privacy Shield programme, DealCloud will enter into the Standard Contractual Clauses in respect of any Restricted Transfer.
    2. DealCloud will notify the Customer if it ceases to maintain or anticipates the revocation or withdrawal of its Privacy Shield certification.
  8. General Terms
    1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
      1. 11.1.1.the Parties agree to submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
      2. 11.1.2.this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
    2. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses prevail. In the event of inconsistencies between this Addendum and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum prevail.
    3. This Addendum remains in effect until termination or expiration of the Agreement.
    4. The liability of each Party under this Addendum is subject to the exclusions and limitations of liability set out in the Agreement.
    5. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.


This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter concerns DealCloud’s processing of Customer Data in connection with DealCloud providing to Customer a CRM software solution to manage Customer’s contacts and business relationships. DealCloud may provide additional related software solutions to Customer in the future.

The nature and purpose of the Processing of Customer Personal Data

Customer wants to use the DealCloud CRM platform to help manage its general operations and maintain a database of contacts and companies that have made or may make investments or financings. 

The types of Customer Personal Data to be Processed

DealCloud may process Personal Data which may include but is not limited to the following categories of Personal Data: name, address, employer, phone, email address, information related to current job title and functions, tax identification information, level of finances, asset allocation needs, financial goals, interest in specific products or services.

The categories of Data Subjects to whom the Customer Personal Data relates

Processing concerns the following categories of data subjects: Individuals to whom marketing efforts are directed (including Customer’s current clients who are being marketed additional products and services),  individuals who are currently receiving products or services from Customer,  all individuals, including those who may be prospective employees, contractors or clients, or current employees, contractors or clients, who visit the Customer’s website, all others including: business contacts at institutional clients, business contacts at vendors working on behalf of or for the benefit of Customer, event sponsors and attendees, and individuals whose personal data is included in Customer’s correspondence.

The obligations and rights of Customer and Customer affiliates

The obligations and rights of the Customer are set out in the Agreement and this Addendum.

Schedule a Demo