(UK GDPR & EU GDPR)
This current consolidated Data Protection Addendum was published on 1 August 2025. It is an addendum to and should be read with the Terms of Use Agreement between us (the “Main Agreement”).
In this Data Protection Addendum defined terms will have the same meaning, and the same rules of interpretation will apply as in the Main Agreement. The period of this Addendum will also run concurrent with the Main Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:
1.1 Controller: has the meaning given to that term in Data Protection Laws.
1.2 Customer Data: means all data, including Personal Data, provided by or on behalf of the Customer to the Supplier for processing in connection with the Services under the Main Agreement.
1.3 Data Protection Laws: means, as applicable to either party or the Services:
(a) the EU GDPR;
(b) the UK GDPR and the UK DPA 2018;
(c) any laws which implement or supplement any such laws; and
(d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
1.4 Data Protection Losses: means all liabilities arising directly or indirectly from any breach or alleged breach of any of the Data Protection Laws or of this Data Protection Addendum, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);
(b) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(c) compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and/or
(d) costs of compliance with investigations by a Supervisory Authority.
1.5 Data Subject: has the meaning given to that term in Data Protection Laws.
1.6 Data Subject Request: means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR in relation to any Protected Data.
1.7 EEA Data Protection Laws: means Data Protection Laws applicable under the laws of the European Economic Area, the European Union or any of their member states.
1.8 EEA Protected Data: means Protected Data to which any EEA Data Protection Laws apply.
1.9 EU GDPR: means the General Data Protection Regulation, Regulation (EU) 2016/679.
1.10 GDPR: means the EU GDPR and the UK GDPR (as applicable in the circumstances).
1.11 International Recipient: means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under clause 7.1 without the Customer’s prior written authorisation.
1.12 Lawful Safeguards: means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
1.13 List of Sub-Processors: means the latest version of the list of Sub-Processors used by the Supplier, as updated from time to time, which as at Order Acceptance (as defined in the Main Agreement) is available from ram@clarity.eco.
1.14 Personal Data: has the meaning given to that term in Data Protection Laws.
1.15 Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.
1.16 Processing: has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings).
1.17 Processing Instructions: has the meaning given to that term in clause 3.1(a).
1.18 Processor: has the meaning given to that term in Data Protection Laws.
1.19 Protected Data: means Personal Data in the Customer Data.
1.20 Relevant Law: means
(a) in respect of EEA Protected Data, all applicable law(s) of the European Economic Area and European Union and of the relevant member state(s) of either; and
(b) in respect of UK Protected Data, all applicable law(s) of the United Kingdom (or of any part of the United Kingdom).
1.21 Sub-Processor: means a Processor engaged by the Supplier or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer.
1.22 Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
1.23 Transfer: has the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).
1.24 UK Data Protection Laws: means the Data Protection Laws applicable under the laws of the United Kingdom (or of any part of the United Kingdom), including the UK GDPR and UK DPA 2018.
1.25 UK DPA 2018: means the United Kingdom’s Data Protection Act 2018.
1.26 UK GDPR: has the meaning given to that term in the UK DPA 2018.
1.27 UK Protected Data: means Protected Data to which any UK Data Protection Laws apply.
2. Processor and Controller
2.1 The Parties agree that, for the Protected Data, the Customer will be the Controller and the Supplier will be the Processor. Nothing in the Main Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with the Main Agreement.
2.3 The Supplier will process Protected Data in compliance with:
(a) the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under the Main Agreement; and
(b) the terms of the Main Agreement.
2.4 The Customer will ensure that it, its Affiliates and each Authorised User will at all times comply with:
(a) all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under the Main Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
(b) the terms of the Main Agreement.
2.5 The Customer warrants, represents and undertakes, that at all times:
(a) the processing of all Protected Data (if processed in accordance with the Main Agreement) will comply in all respects with all Data Protection Laws, including in terms of its collection, use and storage;
(b) fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by all Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by the Supplier and its Sub-Processors in accordance with the Main Agreement;
(c) the Protected Data is accurate and up to date;
(d) except to the extent resulting from Transfers to International Recipients made by the Supplier or any Sub-Processor, the Protected Data is not subject to the laws of any jurisdiction outside of the United Kingdom and European Economic Area;
(e) it will establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person;
(f) all instructions given by it to the Supplier in respect of Personal Data will at all times be in accordance with Data Protection Laws; and
(g) it has undertaken due diligence in relation to the Supplier’s processing operations and commitments, and it is satisfied (and at all times it continues to use the Services remains satisfied) that:
(i) the Supplier’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Supplier to process the Protected Data;
(ii) the technical and organisational measures set out in the Information Security Addendum in Schedule 2 and the Main Agreement (each as updated from time to time) will (if the Supplier complies with its obligations under such Addendum and the Main Agreement) ensure a level of security appropriate to the risk in regard to the Protected Data as required by Data Protection Laws; and
(iii) the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.6 If the Supplier is subject to any applicable laws at any time that conflict with any of its obligations under this Data Protection Addendum it may immediately terminate the Main Agreement by notice unless the conflict has been resolved to the Supplier’s satisfaction prior to such notice of termination.
3. Instructions and details of processing
3.1 When the Supplier processes Protected Data on your behalf, the Supplier will:
(a) follow your written instructions as set out in our Main Agreement (including any updates) unless required to do otherwise by Relevant Law (and will take steps to ensure each person acting under its authority does so), including Transfers of Protected Data to any International Recipient (Processing Instructions);
(b) if Relevant Law requires the Supplier to process your data differently, the Supplier will tell you before doing so (unless Relevant Law prohibits such information on important grounds of public interest); and
(c) let you know promptly if the Supplier thinks any of your instructions infringes Data Protection Laws, provided that:
(i) this will be without prejudice to clauses 2.4 and 2.5; and
(ii) to the fullest extent permitted by applicable law, the Supplier will not be liable for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or related to any processing carried out according to the Processing Instructions after the Supplier has advised you, however arising whether in contract, tort (including negligence) or otherwise.
3.2 The Customer agrees that:
(a) the Supplier (and each Sub-Processor) does not have to carry out any processing of Protected Data that it reasonably believes infringes any of the Data Protection Laws. If the Supplier or any Sub-Processor delays or fails to perform any part of the Main Agreement because of this, the Supplier will not be liable and you will not be entitled to reduce or withhold any Fees payable to the Supplier if the Supplier (or any Sub-Processor) is delayed or unable to perform any part of the Main Agreement because it refuses to carry out processing in such situations; and
(b) without affecting any other rights or remedies the Supplier has, if you do not remedy any Processing Instruction that the Supplier has told you about under clause 3.1(c) so that it is lawful in the Supplier’s reasonable opinion within 7 days of that notice, then this will be a material breach of the Main Agreement by you that cannot be rectified, and the Supplier may end the Main Agreement according to its terms.
3.3 The Customer will be responsible for ensuring all Authorised Affiliates and Authorised Users read and understand the Privacy Policy (as updated from time to time).
3.4 The Customer acknowledges and agrees that any command executed by an Authorised User to process or delete Protected Data while using the Services will be treated as an instruction from you. You must ensure that only authorised individuals issue such commands. You also accept that if any Protected Data is deleted following such a command, the Supplier is not obligated to restore it and not liable for its loss in any way.
3.5 Unless otherwise stated in the Main Agreement, the Supplier will process the Protected Data only for the subject matter, duration, nature, and purposes, and involving the types of Personal Data and categories of Data Subjects, set out in Schedule 1.
3.6 The Supplier will process the Protected Data only as instructed by you and in accordance with the terms of the Main Agreement. It will be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Schedule 1.
4. Technical and organisational measures
4.1 The Supplier will implement and maintain technical and organisational measures:
(a) in relation to the processing of Protected Data by the Supplier, as set out in the Information Security Addendum; and
(b) to assist the Customer as far as possible (taking into account the nature of the processing) in fulfilling the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, provided that the Customer will in each case cover all related costs on a time and materials basis according to the Supplier’s Standard Pricing Terms. The parties have agreed that (taking into account the nature of the processing) the Supplier’s compliance with clause 6.1 will constitute the Supplier’s sole obligations under this clause 4.1(b).
5. Using staff and other Processors
5.1 Subject to clause 5.2, the Supplier will not engage (nor allow any other Sub-Processor to engage) any Sub-Processor to carry out processing activities involving your Protected Data under the Main Agreement without your prior written consent. The Customer will not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).
(a) authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and
(b) authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as updated from time to time.
The Customer’s right to object to the appointment of a new Sub-Processor (or any change to any of the Sub-Processors) after receiving the relevant Update Notice about the change, your only option to object is to terminate the Main Agreement in accordance with its terms before the Update takes effect.
(a) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure (subject to clause 8.4) that each Sub-Processor is appointed under a written contract containing materially the same obligations as under clauses 2 to 12 (inclusive) of this Addendum (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures);
5.4 ensure each new Sub-Processor identified on the List of Sub-Processors further to clause 5.2 meets the following criteria at the time the addition of that Sub-Processor is first made:
(a) holds appropriate certifications or complies with recognised data protection standards, such as or similar to ISO 27001;
(b) maintains robust technical and organisational measures to protect Protected Data; and
(c) has a proven track record of reliability and expertise relevant to the processing activities to be performed and
(d) remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.5 The Supplier will ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential in a manner consistent with the Supplier’s confidentiality obligations under the Main Agreement, and that such confidentiality obligations will survive the termination or expiry of the Main Agreement.
6. Assistance with compliance and Data Subject rights
6.1 The Supplier will promptly forward any Data Subject Requests it receives to the Customer without undue delay. The Customer will pay the Supplier for all work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at the Supplier’s rates set out in the Supplier’s Standard Pricing Terms.
6.2 The Supplier will provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
(a) security of processing;
(b) data protection impact assessments (as such term is defined in Data Protection Laws);
(c) prior consultation with a Supervisory Authority regarding high-risk processing; and
(d) notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach, provided the Customer will pay the Supplier for all work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with providing the assistance in this clause 6.2 and/or clause 6.3, calculated on a time and materials basis at the Supplier’s rates set out in the Supplier’s Standard Pricing Terms.
6.3 If the Supplier receives a legally binding request from a public authority (including law enforcement) for access to Personal Data, the Supplier will, to the extent permitted by law, promptly notify the Customer of the request and provide all relevant information. The Supplier will challenge the request if, in its reasonable opinion, there are grounds to do so, and will only disclose Personal Data to the minimum extent required by law. The Supplier will cooperate with the Customer in responding to such requests and in seeking to protect the confidentiality and security of the Personal Data.
7. International data transfers
7.1 Subject to clauses 7.2 and 7.5, the Supplier will not Transfer any Protected Data: (a) in or to any country or territory; and/or (b) to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries, without the Customer’s prior written authorisation except where required by Relevant Law (in which case the provisions of clause 3.1 will apply).
7.2 The Customer hereby authorises the Supplier (or any Sub-Processor) to Transfer any Protected Data for the purposes for which such data may be processed under the Main Agreement to any International Recipient(s) in accordance with clause 7.3, provided all such Transfers of Protected Data to an International Recipient will (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and the Main Agreement. The provisions of the Main Agreement (including this Data Protection Addendum) will constitute the Customer’s instructions with respect to Transfers in accordance with clause 3.1(a).
7.3 The Supplier (and its Sub-Processors) may only Transfer the Protected Data to (or process Protected Data in) the following countries: United Kingdom, the European Economic Area.
7.4 The Lawful Safeguards employed in connection with Transfers in terms of clause 7.2 will be those appropriate to the standard services described in Schedule 1 of the Main Agreement. Until any service-specific terms are developed, the Supplier will implement Lawful Safeguards consistent with applicable Data Protection Laws, including but not limited to the use of Standard Contractual Clauses or other approved transfer mechanisms as required for the international transfer of Protected Data.
7.5 The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to recipients or other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that the Supplier does not control such processing, and the Customer will ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to recipients or other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Relevant Laws.
7.6 The Supplier and each Sub-Processor is not obliged to undertake any unlawful Transfer of Protected Data and will not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under the Main Agreement due to it (or any Sub-Processor) being unable (or believing it is unable) to undertake any Transfer in a lawful manner. The Fees payable to the Supplier will not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this clause 7.6.
8.1 The Supplier will maintain, in accordance with Data Protection Laws binding on the Supplier, written records of all categories of processing activities carried out on behalf of the Customer.
8.2 On request, the Supplier will provide the Customer (or auditors mandated by the Customer) with a copy of the third-party certifications and audits to the extent made generally available to its customers (as updated from time to time). Such information will be confidential to the Supplier and will be Supplier’s Confidential Information as defined in the Main Agreement and will be treated in accordance with applicable terms.
8.3 If you reasonably consider the information provided under clause 8.2 insufficient to meet your obligations under Data Protection Laws, the Supplier will, on your request, provide such additional information as is reasonably necessary to demonstrate compliance with this Data Protection Addendum and Article 28 of the GDPR, and permit audits or inspections by you (or your appointed auditor) subject to the following conditions:
(a) Any audit, inspection, or information request must be reasonable in scope, limited to information within the Supplier’s possession or control, and you must provide the Supplier with at least 60 days’ prior written notice.
(b) The parties will mutually agree, acting reasonably, on the timing, scope, and duration of the audit or inspection, including any policies or procedures to protect the confidentiality and security of other customers and to avoid breaching other contractual obligations.
(c) Audits or inspections will occur during normal business hours and cause minimal disruption to the Supplier’s business.
(d) The duration of any audit or inspection will be limited to one Business Day.
(e) The Customer will bear all costs associated with the audit or inspection, including reimbursing the Supplier’s reasonable expenses and time on a time and materials basis according to the Supplier’s Standard Pricing Terms.
(f) The Customer’s rights to request audits under this clause may be exercised no more than once in any consecutive 12-month period, except where required by a Supervisory Authority or if you reasonably believe the Supplier is in breach of this Data Protection Addendum.
(g) The Customer will promptly report any non-compliance identified during the audit or inspection to the Supplier, and all information obtained will be treated as the Supplier’s Confidential Information under the Main Agreement.
(h) The Customer will ensure that all persons conducting the audit or inspection on your behalf do not cause or contribute to any damage, loss, or corruption of the Supplier’s systems, equipment, or data.
(i) This clause 8.3 is subject to clause 8.4.
8.4 The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that the Supplier or Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors in accordance with clause (i) and:
(a) the Customer’s rights under clause (i) will not apply to the extent that it is inconsistent with relevant contractual terms agreed with Sub-Processor(s);
(b) to the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this clause 8.4, equivalent restrictions and obligations on the Customer to those in clauses 8.3(a) to 8.3(i) (inclusive), will apply, together with any additional or more extensive restrictions and obligations applicable in the circumstances; and
(c) clauses 5.3(a) and (i) will be construed accordingly.
9.1 In respect of any Personal Data Breach, the Supplier will, without undue delay (and in any event within 72 hours):
(a) notify the Customer of the Personal Data Breach; and
(b) provide the Customer with details of the Personal Data Breach.
10. Deletion of protected data and copies
10.1 Following the end of the provision of the Services (or any part) relating to the processing of Protected Data, or at the written request of the Customer at any time, the Supplier will dispose of Protected Data in accordance with its obligations under the Main Agreement. The Supplier will have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with the Main Agreement.
11. Compensation and claims
11.1 The aggregate liability of the Supplier for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Data Protection Addendum will be subject to the liability caps and limitations set out in the Main Agreement and will:
(a) only be to the extent caused by the processing of Protected Data under the Main Agreement and directly resulting from the Supplier’s breach of the Main Agreement; and
(b) in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of the Main Agreement by the Customer (including in accordance with clause 3.1(b)).
11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with the Main Agreement or the Services, it will promptly provide the other party with notice and full details of such claim.
11.3 The parties agree that the Customer will not be entitled to claim back from the Supplier any part of any compensation paid by the Customer to the extent that the Customer is liable to indemnify or otherwise compensate the Supplier in accordance with the Main Agreement.
11.4 This clause 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
(a) to the extent not permitted by Relevant Law (including Data Protection Laws); and
(b) that it does not affect the liability of either party to any Data Subject.
This Data Protection Addendum (as updated from time to time) will survive termination (for any reason) or expiry of the Main Agreement and continue until no Protected Data remains in the possession or control of the Supplier or any Sub-Processor, except that clauses 10 to 12 (inclusive) will continue indefinitely.
13. Governing Law
13.1 The governing law applicable to this Data Protection Addendum will be as set out in the Main Agreement.
The Supplier’s Data Protection Officer (DPO) is Natalie Rea who may be contacted at ram@clarity.eco.