Data Processing Addendum

Last updated: August 2025

This Data Processing Addendum (this “Addendum”) supplements and forms part of the terms and conditions between the Customer and the Provider (the “Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as at the Effective Date of the Agreement and will remain in effect until termination of the Agreement; or the last Processing of Customer Personal Data carried out by or on behalf of the Customer under the Agreement.

1. Definitions

In this Addendum, the following words and expressions have the following meanings:

Customer Personal Data means Personal Data Processed by the Provider as Processor on behalf of the Customer pursuant to the performance of the Agreement.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Supervisory Authority” and “Processing” all have the meanings given to those terms in Data Protection Laws (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings); and

Data Protection Laws means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under the Agreement, including without limitation, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the Data Protection Act 2018, and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time.

EU Standard Contractual Clauses means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to third countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time).

Restricted Transfer means a transfer of Personal Data between either party to the Agreement in circumstances where in the absence of the obligations created by this Agreement the export of the Personal Data would be in breach of the applicable Data Protection Laws.

Sub-Processor means another Processor engaged by the Provider for carrying out Processing activities in respect of Customer Personal Data.

Supervisory Authority means a governmental or government chartered regulatory body having binding legal authority over a party.

Capitalized terms used but not defined in this Addendum shall have the meaning given to them in the Agreement and all rules of interpretation as set out in the Agreement shall apply in this Addendum.

2. Data Processing Details and Compliance

2.1. The Parties acknowledge that in respect of Customer Personal Data, the Provider is a Processor Processing Personal Data on behalf of the Customer, the Customer acting as either Controller or a Processor on behalf of another Controller (in respect of the latter, the Provider shall act as its Sub-Processor). Each Party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.

2.2. Details of Customer Personal Data Processed by Provider under this Agreement are as follows:

a. Subject Matter, Nature and Purpose of Processing. The Provider’s provision of the Services under this Agreement. In particular, providing the Customer with access to the Provider’s customer service platform.

b. Duration of Processing. Processing of Customer Personal Data by the Provider shall be for the term of this Agreement and in accordance with the Provider’s retention obligations under this Agreement and Addendum, provided that Customer Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).

c. Personal Data in Scope. Names, Communication details (Email, etc.), Contact details, Job role; Login data; Profile image; Technical details (Device information, IP addresses, cookies, etc.); Customer service-related data (such as, but not limited to, account information, order information, subscriptions, chat and email messages); and

d. Category of Data Subjects. Customer’s end customers; Customer personnel (employees, contractors, etc.) and Customer associated parties.

2.3. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents from end-users, and for the written processing instructions it gives to the Provider, as applicable.

2.4. Customer warrants and represents that it has the right to share the Customer Personal Data with the Provider and that it has been collected or otherwise obtained in compliance with the Data Protection Laws, and may be lawfully processed, disclosed and transferred as described in or in connection with this Addendum and this Agreement.

3. Data Processing Instructions

3.1 The Provider shall Process Customer Personal Data only on the written instructions of the Customer (including as set out in this Agreement) unless the Provider is required to otherwise Process Customer Personal Data by applicable laws. The Provider is hereby instructed to Process Customer Personal Data for the purposes of providing the Services. In the event the Provider is required by applicable laws to Process Customer Personal Data other than in accordance with the Customer’s instructions, prior to any such Processing and to the extent permitted by applicable laws, the Provider shall notify the Customer in writing of that legal requirement prior to Processing Customer Personal Data.

3.2 The Provider shall promptly inform the Customer if the Provider becomes aware of a written instruction given by the Customer under this Clause 3 that, in the Provider’s reasonable opinion, infringes Data Protection Laws.

4. Provider Personnel and Sub-Processors

4.1 The Provider shall ensure that all Provider personnel authorized to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.

4.2 The Customer authorizes the Provider to engage (including the disclosure of Customer Personal Data under this Agreement to such Sub-Processors):

a. the Sub-Processors included in the Sub-Processor list provided to the Customer and set out in our Sub Processor List within our Trust Center at https://trust.plain.com/ (“Sub-Processor List”); and

b. the Sub-Processors engaged in accordance with Clause 4.3 of this Addendum.

4.3 Where the Provider intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, the Provider shall notify the Customer of the proposed engagement of the Sub-Processor (and provide such information regarding the proposed Sub-Processor as the Customer may reasonably require) by way of updating the Sub-Processor List (such notice will be sent to individuals who have signed up to receive updates to the Sub-Processor List via the mechanism(s) indicated on the Sub-Processor List), giving the Customer the opportunity to object. If the Customer does not make a reasonable objection to the proposed engagement within 7 days of the Provider providing notice to the Customer under this Clause, the Customer is deemed to have authorized the engagement of such Sub-Processor. The Provider shall keep the Sub-Processor List updated.

4.4 Where the Customer raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with Clause 4.3 of this Addendum, the Provider may, at its option:

a. use its reasonable endeavors to remedy the situation giving rise to the reasonable objection; or

b. propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Clause 4.3 of this Addendum,

provided that, in the event that the Provider is unable to remedy the situation in accordance with Clause 4.4(a) of this Addendum and no alternative Sub-Processor is proposed in accordance with clause 4.4(b) of this Addendum, then the Provider shall be entitled to terminate the Agreement without penalty or liability effective immediately on written notice to the Customer and the Customer shall pay the Provider any fees due for the Services performed prior to termination.

4.5 The Provider shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data, the Sub-Processor has entered into a binding written agreement with the Provider that imposes obligations substantially equivalent to the obligations imposed on the Provider as a Processor under this Agreement. The Provider shall remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations concerning Customer Personal Data in the event the Sub-Processor fails to fulfil those obligations.

5. Transfers

5.1 The Provider shall not transfer Customer Personal Data to any party in a country not deemed adequate for the transfer of Personal Data by a relevant Supervisory Authority, including permitting access to Customer Personal Data from any party in such countries, without the prior written consent of the Customer, unless:

a. the transfer/access is to a Sub-Processor included in the Sub-Processor List or appointed in accordance with Clause 4 of this Addendum; and

b. the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).

5.2 In accordance with Clause 5.1(b) of this Agreement, each party agrees that, where the transfer of Personal Data (including Customer Personal Data) between the Parties is a Restricted Transfer, the following shall apply to the transfer and this Agreement:

5.2.1 Where the GDPR applies, and the transfer of Personal Data is from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission.

5.2.2 The parties agree that the EU Standard Contractual Clauses shall apply to Restricted Transfers from the EEA. The EU Standard Contractual Clauses shall be deemed entered into (and incorporated into this Agreement by reference) and completed as follows: (i) Modules Two (Controller to Processor) and Four (Processor to Controller) shall apply when the Customer is Data Controller and the Provider is the Data Processor, and shall be completed with the following specifications where relevant to each Module; (ii) In Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will apply; (iii) In Clause 11 of the EU Standard Contractual Clauses, the optional language shall not apply; (iv) In Clause 13(a) of the EU Standard Contractual Clauses the Supervisory Authority shall be determined by the place of establishment of the data exporter; (v) In Clause 17 of the EU Standard Contractual Clauses, Option 1 applies and the EU Standard Contractual Clauses shall be governed by Irish law; (vi) In Clause 18(b) of the EU Standard Contractual Clauses, disputes shall be resolved by the courts of Ireland; (vii) Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Clause 2.2 of this Agreement; (viii) Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information and requirements as set out in Clause 6.1 of this Agreement. The frequency of the transfer shall be continuous, as necessary to deliver the Services, and retention shall be determined by the Customer in relation to the processing undertaken where Provider acts as a Processor, and each independent Controller otherwise.

5.2.3 Where the UK GDPR applies, and the transfer of Personal Data is from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;

5.2.4 The parties agree that, with respect to Restricted Transfers subject to the UK GDPR, the EU Standard Contractual Clauses are hereby incorporated into this Agreement by reference as follows: incorporating the selections in 5.2.1 and shall be deemed amended by the provisions of Part 2 (Mandatory Clauses) of the UK IDTA and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Clause 2.2 and Clause 6.1 of this Agreement, and shall be amended as follows:

5.2.4.1 For the purpose of Module 1 of the EU Standard Contractual Clauses where both Parties are Data Controllers (data importer and exporter): Appendices 1 and 2 of the EU Standard Contractual Clauses shall be deemed to incorporate respectively the data subjects, categories of personal data and processing operations set out in Clause 2.2 of this Agreement.

5.2.4.2 The parties agree that the governing law and choice of forum and jurisdiction shall be that of England and Wales.

5.2.4.3 The Parties agree that Annex I.A will be populated as follows: Data Exporter and Data Importer Contact details: as detailed in this Agreement (each Party being both Data Exporter and Data Importer). 

5.2.4.4 The Parties agree that Annex I.B of the IDTA shall be completed as described in Clause 2.2 of this Agreement.

5.2.4.5 The Parties agree that Annex I.C of the IDTA shall be completed as follows: the competent supervisory authority is the ICO supervisory authority.

5.2.4.6 The Parties agree that Annex II of the IDTA shall be completed as described and agreed between the parties in Clause 6.1 of this Agreement.

5.2.4.7 For the purpose of Modules 2 and 4 of the EU Standard Contractual Clauses where the Provider acts as Data Processor (data importer): Appendices 1 and 2 of the EU Standard Contractual Clauses shall be deemed to incorporate respectively the data subjects, categories of personal data and processing operations set out in Clause 2.2 of this Agreement and the organizational and technical measures as described in Clause 6.1 of this Agreement.

5.3 The parties agree that the governing law and choice of forum and jurisdiction shall be that of England and Wales.

5.4 The Parties agree that Annex I.A will be populated as follows: With respect to Module 2: Data Exporter is Customer and Data Importer is the Provider as a Processor. With respect to Module 4: Data Exporter is the Provider as Processor and Data Importer is Customer as Controller. Data Exporter and Data Importer Contact details: as detailed in this Agreement. 

5.5 The Parties agree that Annex I.B of the IDTA shall be completed as described in Clause 2.2 of this Agreement.

5.6 The Parties agree that Annex I.C of the IDTA shall be completed as follows: the competent supervisory authority is the ICO supervisory authority.

5.7 The Parties agree that Annex II of the IDTA shall be completed as described and agreed between the parties in Clause 6.1 of this Agreement.

5.8 The Parties agree that Annex III of the IDTA shall be completed with the Sub-Processors listed in the Sub-Processors List in accordance with Clause 4 of this Agreement.

6. Security and Personal Data Breach Notification

6.1 The Provider shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, which shall include the controls listed in our Trust Center at https://trust.plain.com.

6.2 The Provider shall notify the Customer without undue delay on becoming aware of a Personal Data Breach and provide the Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, these details shall include:

a. the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;

b. the name and contact details of the data protection officer or other contact point of the Provider, where more information can be obtained;

c. description of the likely consequences of the Personal Data Breach; and

d. description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach.

7. Assistance

7.1 To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to the Provider), the Provider shall promptly provide the Customer with reasonable assistance:

a. using appropriate technical and organizational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;

b. to enable the Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Customer is required to do so under Data Protection Laws, in connection with data protection impact assessments; 

c. in assisting the Customer in meeting its obligations to notify personal data breaches to Supervisory Authorities and Data Subjects;

d. in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data.

8. Deletion or Return of Data

8.1 The Provider shall, at the choice of the Customer, delete or return all Customer Personal Data to the Customer once Processing by the Provider of any Customer Personal Data is no longer required for the purposes of this Agreement, and delete all existing copies unless required by applicable laws to store Customer Personal Data.

9. Information Requests and Audits

9.1 The Provider shall, on request from the Customer, make available to the Customer and/or its appropriately qualified third-party representative, access to reasonably requested documentation evidencing the Provider’s compliance with its obligations under this Agreement. The Provider performs audits (a) at least once annually; (b) according to SOC2 standards or such other alternative standards that are substantially equivalent to SOC2; and (c) by independent third party security professionals selected by the Provider. Such audits result in the generation of a confidential audit report (“Audit Report”). Only to the extent the Customer cannot reasonably satisfy the Provider’s compliance with this Agreement through the Audit Reports, or where required by applicable Data Protection Laws, the Customer may send a written request for it, or another auditor on its behalf (subject to such being bound by commitments of confidentiality), to conduct an audit of the Provider’s applicable controls on an annual basis.

For the avoidance of doubt such audits shall be limited to once per calendar year. Any additional audit under this Clause 9.1 (in excess of the once per calendar year limitation) shall be at the cost of the Customer, and the Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 9.1.

9.2 The Provider’s obligations under Clause 9.1 of this Addendum are subject to the Customer:

a. giving the Provider reasonable prior notice of such information requests, audits and/or inspections being required by the Customer;

b. ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests (including the Audit Report), inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and

c. ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to the Provider’s business and the business of other customers of the Provider.


5.3 The parties agree that the governing law and choice of forum and jurisdiction shall be that of England and Wales.

5.4 The Parties agree that Annex I.A will be populated as follows: With respect to Module 2: Data Exporter is Customer and Data Importer is the Provider as a Processor. With respect to Module 4: Data Exporter is the Provider as Processor and Data Importer is Customer as Controller. Data Exporter and Data Importer Contact details: as detailed in this Agreement. 

5.5 The Parties agree that Annex I.B of the IDTA shall be completed as described in Clause 2.2 of this Agreement.

5.6 The Parties agree that Annex I.C of the IDTA shall be completed as follows: the competent supervisory authority is the ICO supervisory authority.

5.7 The Parties agree that Annex II of the IDTA shall be completed as described and agreed between the parties in Clause 6.1 of this Agreement.

5.8 The Parties agree that Annex III of the IDTA shall be completed with the Sub-Processors listed in the Sub-Processors List in accordance with Clause 4 of this Agreement.

6. Security and Personal Data Breach Notification

6.1 The Provider shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, which shall include the controls listed in our Trust Center at https://trust.plain.com.

6.2 The Provider shall notify the Customer without undue delay on becoming aware of a Personal Data Breach and provide the Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, these details shall include:

a. the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned

b. the name and contact details of the data protection officer or other contact point of the Provider, where more information can be obtained

c. description of the likely consequences of the Personal Data Breach; and

d. description of the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach.

7. Assistance

7.1 To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to the Provider), the Provider shall promptly provide the Customer with reasonable assistance:

a. using appropriate technical and organizational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;

b. to enable the Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Customer is required to do so under Data Protection Laws, in connection with data protection impact assessments; 

c. in assisting the Customer in meeting its obligations to notify personal data breaches to Supervisory Authorities and Data Subjects;

d. in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data.

8. Deletion or Return of Data

8.1 The Provider shall, at the choice of the Customer, delete or return all Customer Personal Data to the Customer once Processing by the Provider of any Customer Personal Data is no longer required for the purposes of this Agreement, and delete all existing copies unless required by applicable laws to store Customer Personal Data.

9. Information Requests and Audits

9.1 The Provider shall, on request from the Customer, make available to the Customer and/or its appropriately qualified third-party representative, access to reasonably requested documentation evidencing the Provider’s compliance with its obligations under this Agreement. The Provider performs audits (a) at least once annually; (b) according to SOC2 standards or such other alternative standards that are substantially equivalent to SOC2; and (c) by independent third party security professionals selected by the Provider. Such audits result in the generation of a confidential audit report (“Audit Report”). Only to the extent the Customer cannot reasonably satisfy the Provider’s compliance with this Agreement through the Audit Reports, or where required by applicable Data Protection Laws, the Customer may send a written request for it, or another auditor on its behalf (subject to such being bound by commitments of confidentiality), to conduct an audit of the Provider’s applicable controls on an annual basis.

For the avoidance of doubt such audits shall be limited to once per calendar year. Any additional audit under this Clause 9.1 (in excess of the once per calendar year limitation) shall be at the cost of the Customer, and the Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 9.1.

9.2 The Provider’s obligations under Clause 9.1 of this Addendum are subject to the Customer:

a. giving the Provider reasonable prior notice of such information requests, audits and/or inspections being required by the Customer;

b. ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests (including the Audit Report), inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and

c. ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to the Provider’s business and the business of other customers of the Provider.

© 2024 Not Just Tickets Limited

Plain and the Plain logo are trademarks and tradenames of Not Just Tickets Limited and may not be used or reproduced without consent.