img not found!

Eredox Customer Data Processing Addendum

Data Processing Addendum

This Data Processing Addendum (this “DPA”) supplements and forms part of the Subscription Services Agreement or other agreement between Customer and Eredox about the provision of Services by Eredox to Customer (“Agreement”) when Data Protection Law applies to Customer’s access and use of the Services to Process Customer Personal Data (defined below).

Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) (“Customer”). For the purposes of this DPA only, and except as otherwise indicated, the term “Customer” shall include Customer and Data Controller Affiliates.

Data Processing

Scope and Roles. This DPA applies when Customer Personal Data is processed by Eredox under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Customer is the Controller of the Customer Personal Data covered by this DPA, and Eredox shall be a Processor Processing Customer Personal Data on behalf of Customer and this DPA shall apply accordingly.

Details of Data Processing.

Subject matter. The subject matter of the data Processing under this DPA is Customer Personal Data.

Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Eredox deletes or anonymizes all Customer Personal Data as described in the Agreement.

Purpose. The purpose of the processing under the DPA is the provision of the Services by Eredox to Customer as specified in the Agreement.

Nature of the Processing. Customer Personal data is processed by Eredox in connection with the Services under the Agreement and/or any applicable Order.

Categories of Data Subjects. The Data Subjects of Customer which may include Customers’ Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.

Categories of data. Identifiers (contact detail including name, email, phone number and addresses); Employment Data (professional data, contact details, hours worked, site access); Internet and Network Activity Data (such as IP addresses, log files, and login information); Geolocation Data (such as region, country, state, postal code, or location information derived from IP addresses); and other Personal Data that Customer or its Authorized Users elect to submit to the Services.

Special categories of data (if appropriate). Eredox and/or its Sub processors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements. However, Customer or its Affiliates may choose to include this type of data within content that the Customer instructs Eredox to process on its behalf.

Compliance with the laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

Jurisdiction specific terms. Certain jurisdictions require other specific terms. Where required under applicable Data Protection Law, this DPA fully incorporates the applicable Jurisdiction Specific Terms available at

Documented Instructions.

Customer Instructions. Customer shall, in its use of the Services, at all times provide documented instructions to Eredox for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Eredox’s Processing of Customer Personal Data (“Documented Instructions”).  Eredox will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Eredox and Customer, including agreement on any additional fees payable by Customer to Eredox for carrying out such instructions.

Obligations and Indemnity. Customer shall ensure that its Documented Instructions comply with all laws, rules and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Documented Instructions will not cause Eredox to be in breach of applicable Data Protection Law.  Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Eredox by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to Eredox regarding the Processing of such Personal Data. Customer shall not provide or make available to Eredox any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and shall indemnify Eredox from all claims and losses in connection therewith.

Confidentiality of Customer Personal Data. Eredox will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Eredox a demand for Customer Personal Data, Eredox will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Eredox may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Eredox will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Eredox is legally prohibited from doing so.

Authorised persons. Eredox shall ensure that all persons authorized to Process Customer Personal Data on behalf of Eredox are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g. by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.

Authorised Sub processors. Customer hereby generally authorizes Eredox to engage Sub processors in accordance with this Section 5. Customer approves the Sub processors currently disclosed in Appendix A. Eredox may remove, replace, or appoint suitable and reliable Sub processors, provided that Eredox shall maintain an up-to-date list of its Sub processors on Eredox’s website at processors, which allows Customer to subscribe to notifications of any updates. Eredox will provide Customer with an opportunity to object to any change in its Sub processors where required under applicable Data Protection Law.

Objections. If the Customer reasonably objects to the engagement of a new sub processor, Eredox shall have the right to cure the objection through one of the following options (to be selected at Eredox’s sole discretion): (a) Eredox cancels its plans to use the Sub processor with regard to Customer Personal Data; (b) Eredox will take the corrective steps requested by Customer in its objection (which removes Customer’s objection) and proceed to use the Sub processor with regard to Customer Personal Data; (c) Eredox may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Sub processor with regard to Customer Personal Data; and (d) Eredox provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Eredox, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Eredox and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to Eredox for Services provided up to the effective date of the termination under the Agreement. In the event that Eredox elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to Eredox for such Services after the effective date of the suspension. If Customer does not object to a new Sub processor’s engagement within ten (10) days of notice by Eredox, that new Sub processor shall be deemed accepted.

Sub processor Obligations. Where Eredox authorizes a Sub processor as described in Section 5.1:

Eredox will restrict the Sub processor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Eredox will prohibit the Sub processor from accessing Customer Personal Data for any other purpose;

Eredox will enter into a written agreement with the Sub processor and, to the extent that the Sub processor performs the same data processing services provided by Eredox under this DPA, Eredox will impose on the Sub processor the same contractual obligations that Eredox has under this DPA; and

Eredox will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub processor that cause Eredox to breach any of Eredox obligations under this DPA.

Security; Audits; Personal Data Breach; Impact Assessments.

Security. Eredox’s provision of the Services will be consistent with the measures described in

Appendix B.

Updates to Eredox Security Controls. Customer is responsible for reviewing the information made available by Eredox relating to data security and making an independent determination as to whether the Security Controls set forth in Section 6.1, above, meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Controls are subject to technical progress and development and that Eredox may update or modify the Security Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.

Confidential Security Reports and Audits. For the duration of its processing of Customer Personal Data, Eredox will maintain compliance with appropriate security standards for its industry Upon request, Eredox shall, no more than once per calendar year make available for Customer’s review, a summary copy of an audit report(s) (“Report”) that reflects such compliance, a request may be made by emailing Customer acknowledges and agrees that such Reports are Eredox’s Confidential Information Eredox shall also provide a requesting Customer with a Report and/or confirmation of Eredox’s own audits and/or a report of third  party auditors’ audits of its Sub processors that have been provided by those Sub processors to Eredox, to the extent such reports or evidence may be shared with Customer (“Third-party Sub processor Audit Reports”). Customer acknowledges that (a) Reports and Third-party Sub processor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Sub processor and (b) certain third-party Sub processors to Eredox may require Customer to execute a non-disclosure agreement with them to view a Third-party Sub processor Audit Report.

Personal Data Breach. In the event of a Personal Data Breach, except were prohibited by law, Eredox shall notify Customer without undue delay and otherwise respond as described in 6.3.1 below. In addition, Eredox shall, taking into account the nature of the Processing and the information available to Eredox assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.

Practices. Eredox does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Eredox becomes aware, and, within the scope of the Services, and take such steps as Eredox in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Eredox to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. Eredox’s obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by Eredox of any fault or liability of Eredox with respect to the Personal Data Breach.

Eredox Assistance with Data Subject Requests. Eredox will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Eredox regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Customer, Eredox will reasonably assist Customer with handling such Data Subject requests. Eredox may charge Customer no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Customer does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution.

International Transfers of Personal Data

U.S. Based Processing; Notification of Changes. Customer acknowledges and agrees that Eredox may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where Eredox, its Affiliates, or its Sub processors maintain data processing operations. Eredox shall ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.

Data Transfers from the European Economic Area. Eredox complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK-US Data Bridge Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Eredox has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK-US Data Bridge.  Eredox has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this DPA and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit

Alternative Transfer Mechanisms. If necessary, Eredox may designate a valid Alternative Transfer Mechanism to any mechanism designated in this DPA, such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions.

Explicit Consent and Notice. Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Eredox in a manner consistent with the applicable Data Protection Law. If, at any time, an Authorized User and/or Data Subject withdraws any consent given pursuant to this Subsection, Customer shall immediately inform Eredox in writing at and cease use and collection of Customer Personal Data related to such objecting Authorized User and/or Data Subject. Customer shall keep an electronic record of all consents given, and any consents withdrawn, by Authorized Users and/or Data Subjects and shall make such records available to Eredox upon request as required by law.

Effect of Termination.

Upon termination or expiration of the Agreement, Eredox shall (at Customer’s written request) anonymize all Customer Personal Data in its possession or control. This requirement shall not apply to the extent Eredox is required by applicable law to retain some or all of the Customer Personal Data.

Customer acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise or defence of legal claims. As an equivalent to deletion, Eredox shall permanently and securely anonymise Customer Personal Data to the extent no individual could be identified.

Indemnification by Customer. To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend, indemnify and hold harmless Eredox, its Affiliates and Eredox’s Sub processors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a “Eredox Indemnitee”) from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorized Users or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.

Limitation of Liability


Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and Eredox, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, the Eredox Indemnitees’ total liability for all Actions by Customer and all of Customers Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA. To the extent required by applicable law, (a) this section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.

Survival of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA and the SCCs shall continue to apply for so long as Eredox processes Customer Personal Data.

Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Entire Agreement; Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data are resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.

Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.

“Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.

“Affiliates”, “Customer Data”, “Eredox”, and “Services” shall each have the meaning ascribed to it in the Agreement.

“Alternative Transfer Mechanism” means an alternative Personal Data export solution that has been approved pursuant to applicable Data Protection Law. This can include Binding Corporate Rules, any new version of or successor to the SCCs, or an existing certification mechanism adopted pursuant to applicable Data Protection Law for the international transfer of Personal Data.

“Competent Supervisory Authority” means (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

“Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or “data exporter” refers to Customer.

“Customer”, as used on this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.

“Customer Personal Data” means Customer Data submitted to Eredox for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.

“Data Controller Affiliates” means any of Customer’s Affiliates that have not signed or otherwise accepted their own Order with Eredox and therefore would not be a “customer” as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Eredox Services pursuant to the Agreement between Customer and Eredox. For the avoidance of doubt, no third-party beneficiaries are intended.

“Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Eredox, including, where applicable, the laws listed in Eredox’s Jurisdiction Specific Terms, as may be amended, superseded or replaced from time to time.

“Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.

“Documented Instructions” has the meaning ascribed in Subsection 2.1 of this DPA.

“Europe” means the European Economic Area and Switzerland.

“GDPR ” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).

“including” and its derivatives mean “including but not limited to.”

“Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.

“Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.

“Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Eredox or Eredox’s Sub processors.

“Eredox Indemnitee” shall have the meaning ascribed to it in Section 11, above.

“Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or “data importer” in this DPA refers to Eredox.

“Public Authority Request” means a government agency or law enforcement authority, including a judicial authority request for information.

“Services” means Eredox’s Services as set forth in the Agreement.

“Standard Contractual Clauses” or “SCCs” means : (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”)(the “Swiss SCCs”).

“Sub processors” means any Processor engaged by Eredox to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA. Sub processors may include Eredox’s Affiliates, but shall exclude Eredox employees, contractors, and consultants.

“UK GDPR” means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK’s Data Protection Act 2018.

Appendix A – List of Eredox Sub processors

A current list of Eredox’s Sub processors is available at processors.

Appendix B – Technical and Organizational Security Measures

Information on Eredox’s technical and organization security measures is available at

Our Office Time


Do you have any question?