Data Processor Agreement in place from 31 July 2024 to 14 October 2024
Approved Jurisdiction | as defined at clause 2.7 of this Data Processor Agreement and as supplemented by any territory or territories where Sub Processors are based. |
Data Processing Details | means the information set out at Appendix 1 of this Data Processor Agreement which applies to all Dext Products being procured by You in any Order Confirmation. |
Data Protection Legislation | shall mean the Data Protection Act 2018, the Retained Regulation (EU) 2016/679 (UK GDPR) as incorporated under the European Union (Withdrawal Act) 2018 and as amended by The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019, and any other laws or regulations applicable in the United Kingdom, and where applicable to Us in the performance of the Agreement to You, the General Data Protection Regulation (Regulation (EU) 2016/679 (EU GDPR)), in each case as amended or repealed from time to time. “personal data”, “data subject”, “controller”, “processor”, “process” and “supervisory authority” shall be interpreted in accordance with the GDPR applicable to the laws of England and Wales. “Your personal data” shall mean the personal data in Your Customer Data that is processed by Us pursuant to the Agreement. |
End Date | as defined at clause 2.15 of this Data Processor Agreement. |
GDPR | |
Personal Data Breach | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
Revised Instruction | a request for information sent by Us to You pertaining to whether Your instruction post the End Date remains to delete Your personal data. |
Sub Processor | shall mean a processor appointed by Us, as described at clause 2.11 of this Data Processor Agreement. |
UK Addendum | means Addendum B.1.0 issued by the UK Information Commissioner's Office in accordance with s119A of the Data Protection Act 2018 set out in Appendix 3 of this Data Processor Agreement as amended from time to time. |
This Appendix 1 to Data Processor Agreement includes certain details of the Processing of Your personal data: as required by Article 28(3) GDPR.
Data Exporter: You
Contact Details: Provided in the Order Confirmation.
Data Exporter Role: you are a controller.
Data Importer: Dext Software Limited.
Contact Details: Data Protection Officer c/o Legal Department, dpo@dext.com cc legal@dext.com
Data Importer Role: We are a processor
The subject matter of the Processing of Your Personal Data is in order to provide the Dext Products under the Agreement including the Order Confirmation.
The subject duration of the Processing of Your Personal Data is for the Licence Term plus the period until We delete Your Personal Data in accordance with our retention policy, which is set out in our privacy policy available on our website.
In order to fulfil Our obligations to You under the Agreement, provide the Dext product(s) as set forth in the Agreement including the Order Confirmation.
The personal data processed relates to the following categories of data subjects:
We operate internationally, and as a result, may transfer the information we collect about you across international borders, including from the EEA or UK to the United States, for processing and storage. To the extent that the information we collect about you is transferred from the EEA or UK to territories/countries for which the EU Commission or UK Secretary of State (as applicable) has not made a finding that the legal framework in that territory/country provides adequate protection for individuals' rights and freedoms for their personal data, we may transfer such data consistent with applicable data protection laws based on prior assessment of the level of data protection afforded in the context of the transfer, including through the use of the EU Commission-approved or UK Secretary of State-approved (as applicable) Standard Contractual Clauses, if necessary in combination with additional safeguards
A list of Sub Processors We use can be found below. This list may be amended from time to time:
Name | Purpose | Jurisdiction | SCCs |
---|---|---|---|
Aircall | This provider allows us to make calls to customers | EU: AWS Germany, Frankfurt active location for call recordings and voicemails US: Other personal data |
Yes |
AWS | Cloud services platform that is used for our database storage & to run all of our apps. We also use AWS Bedrock, a large language model hosting/ training provider that allows us to more effectively provide services to you leveraging generative AI technology. |
EU: AWS Ireland – active location; AWS Germany, Frankfurt – backup location. | N.A. |
BillingPlatform | Billing system that is used to generate customer invoices | EU (AWS Ireland, AWS Germany) and US (AWS) | Yes |
Cognism | Lead generation software | UK, EU | N.A. |
Fino | Provides integrated screen-scrapping technology to fetch invoice and bill data from a customer’s account on other platforms. Through Fino, customers can connect to over 2,000 possible providers, such as Amazon, BT, Spotify, Thames Water and EE. | EU (AWS Ireland) | N.A. |
Fivetran | Syncs Netsuite invoice data to Looker. | EU | N.A. |
FullStory | UX usage data collection and visualisation | EU,US | Yes, if data is held outside of EU |
Google Cloud Platform (Cloud Vision) | This is used for our OCR data extraction service. No data is stored because it is a transient service, the data is processed in order to be extracted and then the files are immediately returned to us once processed. Google cloud does not keep copies of this data. | US (Google Cloud) | Yes |
Google Workspace | Emails, document storage and office suite including a calendar within Dext | US | Yes |
Hightouch | Data Syncing | US | Yes |
Honeybadger | This is the tool we use to report on errors on our website – e.g. if there is fault when logging in. | US (AWS us-east-1 region)) | Yes |
Hubspot | This is the tool used for marketing automated nurtures | US | Yes |
Intercom | This is the tool we use to help us with support queries | Dublin, Ireland (eu-west-1) | Yes |
Looker | Business intelligence tool and big data analytics platform that helps with analysing and sharing real-time business analytics using dashboards. | EU | N.A. |
Mailchimp / Mandrill | Allows us to send one-to-one transactional emails triggered by user actions, like requesting a password or placing an order. | EU: AWS Ireland | N.A. |
Microsoft Azure (Open AI) | Cloud infrastructure generative AI tool provider that allows us to run some features of our services more efficiently. | UK , EU, US | Yes if data is held outside of EU |
Mixpanel | Usage data visualisation | US | Yes |
MongoDB | Dext Precision. A dedicated database hosting data for BDO only, as a part of an enterprise agreement between Xavier and BDO. | IrelandUK | N.A |
Netsuite | Cloud based accounting system that helps us manage business finance and operations. | UK (London) | N.A. |
OwnBackup | Backup tool for Salesforce. | UK | N.A. |
PostmarkApp | Dext Commerce. Outgoing transactional emails. | US | Yes |
PubNub, Inc. | Dext Prepare Desktop connector: real-time push notifications. Users' email address is shared with PubNub upon connection establishment. | US | Yes |
Salesforce | Integrated Customer Relationship Management (CRM) platform used to manage interactions with customers and potential customers. | UK (London) | N.A. |
Salesloft | Sales Engagement platform | EU, US (AWS and Google Cloud Platform) | Yes |
Scalability | Uses third party apps to import data, and update prospect activities in Salesforce | EU | Yes for subprocessors as needed |
Segment | Usage data collection & processing. | US | Yes |
Sentry | Application monitoring and error tracking | US | Yes |
Sinch Email (Mailgun) | Dext Precision. Transactional outgoing emails. | US | Yes |
Slack | Internal communication within Dext | US | Yes (as are Binding Corporate Rules where applicable) |
Snowflake | Cloud data warehouse that offers a data storage and analytics service. | EU (AWS Ireland) | N.A. |
Storecove | Provides e-invoicing capability | EU | N.A. |
Stripe | Processes customer payments | US | Yes |
Twililo | Software that sends SMS on our behalf for features. | US | Yes |
Twilio SendGrid | 1tap. Outgoing transactional emails. | US | Yes |
UserVoice | User ideas and feature requests collection. | US | Yes |
Vertex | Tax automation software | US | Yes |
Voucherify PSA | Dext Prepare: discount codes generator. Collects PII (user names and email addresses). | EEA | N.A. |
WorkRamp | Learning Management System (LMS) that serves as a comprehensive platform for employee onboarding and customer training | EU and US | Yes if data transferred outside the UK or EU |
Zendesk | 1tap help and support portal | US, EEA, AU or JP | Yes (where applicable) |
Zoom | Video conferencing solution | US, EEA, globally | Yes (as are Binding Corporate Rules where applicable) |
Zoominfo | Lead generation software | US | Yes |
The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the EU SCC's are those established and maintained under clause 4 of this Data Processor Agreement and includes without limitation those found at https://dext.com/uk/security as amended from time to time
Table 1: Parties
Start Date | Data Processing Agreement Effective Date | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties' details | Full legal name: As listed in the Order Confirmation | Full legal name: Dext Software Limited |
Trading name (if different): n/a | Trading name (if different): | |
Main address (if a company registered address): As listed in the Order Confirmation | Main address (if a company registered address): Unit 1.2, Techspace Shoreditch. 25 Luke Street, London, EC2A 4DS | |
Official registration number (if any) (company number or similar identifier): As listed in the Order Confirmation | Official registration number (if any) (company number or similar identifier): 07361080 | |
Key contacts | Full name (optional): Legal Department | Full name (optional): |
Job title: As listed in the Order Confirmation | Job title: Legal Department | |
Contact details including email: As listed in the Order Confirmation | Contact details including email: dpo@dext.com cc legal@dext.com | |
Signature (if required for the purposes of Section 2) |
Addendum EU SCCs | ☐The version of the Approved EU SCCs, which this Addendum is appended to, detailed below, including the Appendix Information. Date: Reference (if any): Other identifier (if any): OR ☒ The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum. | |||||
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | - | - | - | |||
2 | x | x | General authorisation | 10 days | - | |
3 | - | |||||
4 | - | - |
"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Appendix 1 of this Data Processor Agreement |
Annex 1B: Description of Transfer: See Appendix 1 of this Data Processor Agreement |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 2 of this Data Processor Agreement |
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☐ Importer ☒ Exporter ☐ Neither Party |
Entering into this Addendum
Interpretation of this Addendum
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
This policy was last updated on 15th October 2024.
Approved Jurisdiction | as defined at clause 2.7 of this Data Processor Agreement and as supplemented by any territory or territories where Sub Processors are based. |
Data Processing Details | means the information set out at Appendix 1 of this Data Processor Agreement which applies to all Dext Products being procured by You in any Order Confirmation. |
Data Protection Legislation | shall mean the Data Protection Act 2018, the Retained Regulation (EU) 2016/679 (UK GDPR) as incorporated under the European Union (Withdrawal Act) 2018 and as amended by The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019, and any other laws or regulations applicable in the United Kingdom, and where applicable to Us in the performance of the Agreement to You, the General Data Protection Regulation (Regulation (EU) 2016/679 (EU GDPR)), in each case as amended or repealed from time to time. “personal data”, “data subject”, “controller”, “processor”, “process” and “supervisory authority” shall be interpreted in accordance with the GDPR applicable to the laws of England and Wales. “Your personal data” shall mean the personal data in Your Customer Data that is processed by Us pursuant to the Agreement. |
End Date | as defined at clause 2.15 of this Data Processor Agreement. |
GDPR | means, as appropriate, the UK GDPR or EU GDPR |
Personal Data Breach | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
Revised Instruction | a request for information sent by Us to You pertaining to whether Your instruction post the End Date remains to delete Your personal data. |
Sub Processor | shall mean a processor appointed by Us, as described at clause 2.11 of this Data Processor Agreement. |
UK Addendum | means Addendum B.1.0 issued by the UK Information Commissioner's Office in accordance with s119A of the Data Protection Act 2018 set out in Appendix 3 of this Data Processor Agreement as amended from time to time. |
This Appendix 1 to Data Processor Agreement includes certain details of the Processing of Your personal data: as required by Article 28(3) GDPR.
Data Exporter: You
Contact Details: Provided in the Order Confirmation.
Data Exporter Role: you are a controller.
Data Importer: Dext Software Limited.
Contact Details: Data Protection Officer c/o Legal Department, dpo@dext.com cc legal@dext.com
Data Importer Role: We are a processor
The subject matter of the Processing of Your Personal Data is in order to provide the Dext Products under the Agreement including the Order Confirmation.
The subject duration of the Processing of Your Personal Data is for the Licence Term plus the period until We delete Your Personal Data in accordance with our retention policy, which is set out in our privacy policy available on our website.
In order to fulfil Our obligations to You under the Agreement, provide the Dext product(s) as set forth in the Agreement including the Order Confirmation.
The personal data processed relates to the following categories of data subjects:
We operate internationally, and as a result, may transfer the information we collect about you across international borders, including from the EEA or UK to the United States, for processing and storage. To the extent that the information we collect about you is transferred from the EEA or UK to territories/countries for which the EU Commission or UK Secretary of State (as applicable) has not made a finding that the legal framework in that territory/country provides adequate protection for individuals' rights and freedoms for their personal data, we may transfer such data consistent with applicable data protection laws based on prior assessment of the level of data protection afforded in the context of the transfer, including through the use of the EU Commission-approved or UK Secretary of State-approved (as applicable) Standard Contractual Clauses, if necessary in combination with additional safeguards
A list of Sub Processors We use can be found below. This list may be amended from time to time:
Name | Purpose | Jurisdiction | SCCs |
---|---|---|---|
Aircall | This provider allows us to make calls to customers | EU: AWS Germany, Frankfurt active location for call recordings and voicemails US: Other personal data |
Yes |
AWS | Cloud services platform that is used for our database storage & to run all of our apps. We also use AWS Bedrock, a large language model hosting/ training provider that allows us to more effectively provide services to you leveraging generative AI technology. |
EU: AWS Ireland – active location; AWS Germany, Frankfurt – backup location. | N.A. |
BillingPlatform | Billing system that is used to generate customer invoices | EU (AWS Ireland, AWS Germany) and US (AWS) | Yes |
Cognism | Lead generation software | UK, EU | N.A. |
Fino | Provides integrated screen-scrapping technology to fetch invoice and bill data from a customer’s account on other platforms. Through Fino, customers can connect to over 2,000 possible providers, such as Amazon, BT, Spotify, Thames Water and EE. | EU (AWS Ireland) | N.A. |
Fivetran | Syncs Netsuite invoice data to Looker. | EU | N.A. |
FullStory | UX usage data collection and visualisation | EU,US | Yes, if data is held outside of EU |
Google Cloud Platform (Cloud Vision) | This is used for our OCR data extraction service. No data is stored because it is a transient service, the data is processed in order to be extracted and then the files are immediately returned to us once processed. Google cloud does not keep copies of this data. | US (Google Cloud) | Yes |
Google Workspace | Emails, document storage and office suite including a calendar within Dext | US | Yes |
Hightouch | Data Syncing | US | Yes |
Honeybadger | This is the tool we use to report on errors on our website – e.g. if there is fault when logging in. | US (AWS us-east-1 region)) | Yes |
Hubspot | This is the tool used for marketing automated nurtures | US | Yes |
Intercom | This is the tool we use to help us with support queries | Dublin, Ireland (eu-west-1) | Yes |
Looker | Business intelligence tool and big data analytics platform that helps with analysing and sharing real-time business analytics using dashboards. | EU | N.A. |
Mailchimp / Mandrill | Allows us to send one-to-one transactional emails triggered by user actions, like requesting a password or placing an order. | EU: AWS Ireland | N.A. |
Microsoft Azure (Open AI) | Cloud infrastructure generative AI tool provider that allows us to run some features of our services more efficiently. | UK , EU, US | Yes if data is held outside of EU |
Mixpanel | Usage data visualisation | US | Yes |
MongoDB | Dext Precision. A dedicated database hosting data for BDO only, as a part of an enterprise agreement between Xavier and BDO. | Ireland | N.A |
Netsuite | Cloud based accounting system that helps us manage business finance and operations. | UK (London) | N.A. |
OwnBackup | Backup tool for Salesforce. | UK | N.A. |
PostmarkApp | Dext Commerce. Outgoing transactional emails. | US | Yes |
PubNub, Inc. | Dext Prepare Desktop connector: real-time push notifications. Users' email address is shared with PubNub upon connection establishment. | US | Yes |
Salesforce | Integrated Customer Relationship Management (CRM) platform used to manage interactions with customers and potential customers. | UK (London) | N.A. |
Salesloft | Sales Engagement platform | EU, US (AWS and Google Cloud Platform) | Yes |
Scalability | Uses third party apps to import data, and update prospect activities in Salesforce | EU | Yes for subprocessors as needed |
Segment | Usage data collection & processing. | US | Yes |
Sentry | Application monitoring and error tracking | US | Yes |
Sinch Email (Mailgun) | Dext Precision. Transactional outgoing emails. | US | Yes |
Slack | Internal communication within Dext | US | Yes (as are Binding Corporate Rules where applicable) |
Snowflake | Cloud data warehouse that offers a data storage and analytics service. | EU (AWS Ireland) | N.A. |
Storecove | Provides e-invoicing capability | EU | N.A. |
Stripe | Processes customer payments | US | Yes |
Twililo | Software that sends SMS on our behalf for features. | US | Yes |
Twilio SendGrid | 1tap. Outgoing transactional emails. | US | Yes |
UserVoice | User ideas and feature requests collection. | US | Yes |
Vertex | Tax automation software | US | Yes |
Voucherify PSA | Dext Prepare: discount codes generator. Collects PII (user names and email addresses). | EEA | N.A. |
WorkRamp | Learning Management System (LMS) that serves as a comprehensive platform for employee onboarding and customer training | EU and US | Yes if data transferred outside the UK or EU |
Zendesk | 1tap help and support portal | US, EEA, AU or JP | Yes (where applicable) |
Zoom | Video conferencing solution | US, EEA, globally | Yes (as are Binding Corporate Rules where applicable) |
Zoominfo | Lead generation software | US | Yes |
The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the EU SCC's are those established and maintained under clause 4 of this Data Processor Agreement and includes without limitation those found at https://dext.com/uk/security as amended from time to time
Table 1: Parties
Start Date | Data Processing Agreement Effective Date | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties' details | Full legal name: As listed in the Order Confirmation | Full legal name: Dext Software Limited |
Trading name (if different): n/a | Trading name (if different): | |
Main address (if a company registered address): As listed in the Order Confirmation | Main address (if a company registered address): Unit 1.2, Techspace Shoreditch. 25 Luke Street, London, EC2A 4DS | |
Official registration number (if any) (company number or similar identifier): As listed in the Order Confirmation | Official registration number (if any) (company number or similar identifier): 07361080 | |
Key contacts | Full name (optional): Legal Department | Full name (optional): |
Job title: As listed in the Order Confirmation | Job title: Legal Department | |
Contact details including email: As listed in the Order Confirmation | Contact details including email: dpo@dext.com cc legal@dext.com | |
Signature (if required for the purposes of Section 2) |
Addendum EU SCCs | ☐The version of the Approved EU SCCs, which this Addendum is appended to, detailed below, including the Appendix Information. Date: Reference (if any): Other identifier (if any): OR ☒ The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum. | |||||
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | - | - | - | |||
2 | x | x | General authorisation | 10 days | - | |
3 | - | |||||
4 | - | - |
"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Appendix 1 of this Data Processor Agreement |
Annex 1B: Description of Transfer: See Appendix 1 of this Data Processor Agreement |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 2 of this Data Processor Agreement |
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☐ Importer ☒ Exporter ☐ Neither Party |
Entering into this Addendum
Interpretation of this Addendum
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |