
PATCH DATA PROCESSING ADDENDUM (DPA)

Last Updated: May 2025

This Patch Data Processing Addendum (“DPA”) applies to the extent Patch Processes any Covered Data as Processor in connection with Patch services and digital products as directed by You (or “Client”) and is incorporated as an Addendum to the Terms of Service.

In case of any conflict or inconsistency with Patch’s Terms of Service or any other agreement, this DPA will take precedence to the extent of such conflict or inconsistency.

  1. DEFINITIONS.

“Agreement” means this Terms of Service Agreement, consisting of the terms and conditions stated herein as well as all policies, addenda, exhibits, attachments and amendments (if any).

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Client Personal Data” means Client-owned or controlled personal data, where Indeed acts as the Processor or Service Provider of such Data.

“Patch” means Patch Retention, Inc. a Utah Corporation.

“Covered Data” means any Personal Data, Personal Information, or Customer Information pertaining to a Consumer or Data Subject that is provided to Patch by Client or otherwise Processed by Patch as a Processor or Service Provider in connection with Patch’s services and digital products. Covered Data excludes Client Account Data.

“Data Subject” means the individual to whom Personal Data relates.

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the California Consumer Privacy Act (“CCPA”), the General Data Protection Regulation (EU) and the United Kingdom General Data Protection Regulation (collectively referred to as “GDPR”), and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).

“DPF” or “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, or where applicable, the UK Extension to the EU-U.S. Data Privacy Framework.

“EEA” means the European Economic Area.

“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Client Personal Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws and Regulations.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

“Pseudonymise” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

“Services” means the online services technical support services owned or operated by Patch, including mobile applications, Software, websites or other properties.

“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

In addition, “Business,” “Business Purpose,” “Consumer,” “Personal Information,” “Process,” “Processing,” “Processing of,” “Sale,” “Share,” and “Service Provider” and their respective derivative terms as used in this DPA shall be interpreted in accordance with Data Protection Laws and Regulations. All other capitalized terms used in this DPA have the meanings ascribed to them in the Underlying Agreement.

  1. Scope.

3.1 Roles of the Parties. You and Patch are referred to collectively as the “Parties,” and individually each as a “Party”. The Parties hereby acknowledge and agree that with respect to the Covered Data, Client is the Controller and Patch is the Processor for, and on behalf of, Client and conducts its Processing operations in accordance with Client’s instructions. Client hereby instructs Patch to Process Covered Data on Client’s behalf pursuant to this DPA and the Agreement.

3.2 Data Pseudonymization Details. Notwithstanding anything to the contrary in this DPA, Patch may Pseudonymize all or portions of Covered Data so that it no longer constitutes Personal Data or Personal Information under Data Protection Laws and Regulations, at which point such data will no longer constitute Covered Data under this DPA.

3.3 Details of Data Processing. The details of data processing are described in the agreement between the Client and Patch and in Schedule 1.

  1. Representations and Warranties

3.1 Each Party represents and warrants that it will comply with the requirements of Data Protection Laws and Regulations as applicable to such Party with respect to the processing of the Client Personal Data.

3.2 Each Party warrants and represents it has no reason to believe that the Data Protection Law prevents it from providing or receiving any services under the Agreement; and

3.3 Each Party warrants and represents it has the corporate power and capacity to perform its obligations under this Addendum.

  1. CLIENT AS A CONTROLLER OF COVERED DATA.

4.1 Client’s Obligations. Client as the Controller determines the purposes for and means by which Covered Data is being or will be Processed, and the manner in which Covered Data is or will be Processed. Client represents and warrants that:

(a) Client as Controller shall, in its use of Patch’s Services, Process Client Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirements to provide notice to Consumers of the use of Patch as Processor.

(b) For the avoidance of doubt, Client's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations.

(c) Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges and agrees that its use of Patch’s Services will not violate the rights of any Consumers, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under any applicable Data Protection Laws and Regulations; and

(d) Client will promptly notify Patch of any Consumer or Data Subject request made pursuant to any Data Protection Laws and Regulations with which Client must comply that requires Patch to take any action with respect to Covered Data being Processed, and will provide the information necessary for Patch to comply with such request.

  1. PATCH AS A PROCESSOR OF COVERED DATA.

5.1 Patch’s Obligations. Unless otherwise permitted or required by applicable Law, Patch will Process Covered Data in accordance with Client's instructions as a Processor to provide Patch’s Services, and Client hereby instructs Patch to do so. Patch will ensure that any person authorized to Process Covered Data under this DPA is bound by appropriate obligations of confidentiality. Patch represents and warrants that:

5.2 Data Protection Policy. Patch has developed and implemented, and will maintain, a comprehensive written Data Protection Policy that outlines Patch’s activities and the Covered Data at issue. In addition, the Data Protection Policy contains policies and procedures covering the practices, processes, controls, and training that Patch will implement to protect the security and confidentiality of Covered Data, protect against any anticipated threats or hazards to the security or integrity of Covered Data, and protect against unauthorized access to or use of Covered Data that could result in substantial harm or inconvenience to any Consumer, Data Subject, or Client.

5.3 Compliance. Upon written request, Patch will take reasonable and appropriate steps to make available to Client information to demonstrate Patch’s compliance with provisions of Data Protection Laws and Regulations applicable to Processors/Service Providers, and will allow Client to verify Patch’s compliance with Patch’s obligations under this DPA.

5.4 Audit Report. Upon Client’s written request no more than once per year, Patch will provide a copy of Patch’s then-current audit report to Client. Such audit report refers to an industry standard audit that may be deemed appropriate by Patch which relates to Patch’s Processing of Covered Data and is conducted by an independent third-party auditor. The audit report shall be deemed to be Patch’s Confidential Information.

5.5 Patch’s Cooperation and Assistance. Taking into account the nature of the Processing and the information available to Patch, Patch will provide Client with reasonable cooperation and assistance to enable Client as a Business or Controller to fulfill Client’s binding obligations with respect to the Covered Data, if any, under Data Protection Laws and Regulations to:

(a) respond to requests from Data Subjects or Consumers for the exercise of their rights; and

(b) provide notification of a Covered Data breach (or analogous concept) as required under Data Protection Laws and Regulations.

  1. Term.

6.1 Duration. The DPA is considered in effect until disposal of the Personal Data in accordance with Patch’s Services.

6.2 Patch’s Data Storage of Data. Upon termination of Patch’s Services under the Agreement and relating to the processing of Client Personal Data, Patch shall promptly and securely delete all Client Personal Data (including existing copies) pursuant to its data retention schedule and as required by applicable laws. Notwithstanding the data retention schedule, upon Your written request following the termination of services, Patch shall destroy all Client Personal Data in our possession, unless otherwise required or permitted by applicable laws. 

6.3 Archiving Service. Patch does not provide an archiving service. Additionally, Client understands and agrees that following termination, Patch may delete all of Client’s Data in Patch’s possession.

  1. CCPA-SPECIFIC TERMS.

In addition to the general terms, this Section applies to the extent that Client is a Business under the CCPA and Patch Processes Personal Information subject to the CCPA as a Service Provider in connection with its provision of Patch’s services and digital products to Client. Patch will:

(a) not Sell or Share such Personal Information, nor retain, use, or disclose such Personal Information for any purpose other than the Business Purposes specified in the Underlying Agreement, unless otherwise permitted by the CCPA;

(b) except to perform the specific Business Purposes or as otherwise permitted by the CCPA, not combine such Personal Information with Personal Information received from or on behalf of another person or source;

(c) otherwise comply with provisions of the CCPA applicable to Service Providers, providing the same level of privacy protection required of Businesses by the CCPA, and notify Client if Patch can no longer meet these obligations; and

(d) upon receipt of written notice that Client reasonably believes Patch is using Personal Information in an unauthorized manner, take reasonable and appropriate steps to work with Client to remediate the allegedly unauthorized use, if necessary. Patch will notify Client in the event Patch determines it can no longer meet its obligations under the CCPA.

  1. PATCH SERVICE PARTNERS.

8.1 Sub-Processor List. Client specifically authorizes Patch to engage Amazon Web Services as a Sub-Processor/Service Provider.

8.2 Notice of Additional Service Providers. In the event that Patch seeks to use additional Sub-Processors/Service Providers and update the Patch Service Partner List, Patch will provide notice of such update to Client (which may be via email, an online posting or notification, or other reasonable means). Client may reasonably object to a change to Patch’s Service Partner List on legitimate grounds within 30 days of notice of this change by emailing info@patchretention.com.

Notwithstanding the foregoing, Client acknowledges that Patch’s Sub-Processors/Service Providers are essential to provide Patch’s services and digital products and if Client objects to Patch’s use of a sub-Processor/Service Provider, then notwithstanding anything to the contrary in the Underlying Agreement (including this DPA), Patch will not be obligated to provide to Client, Patch’s services and digital products for which Patch uses that sub-Processor/Service Provider.

  1. PATCH AS A CONTROLLER OF CLIENT ACCOUNT DATA.

9.1 Independent Contractor. Client acknowledges that, with regard to the Processing of Client Account Data, Client is a Controller and Patch is an independent Controller/Business, not a joint Controller with Client. Patch will Process Client Account Data as a Controller in order to:

(a) manage the relationship with Client;

(b) carry out Patch’s core business operations, such as billing and accounting;

(c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of Patch’s services and digital products;

(d) perform identity verification; and

(e) as otherwise permitted under Data Protection Laws and Regulations and in accordance with this DPA, Patch’s Terms and Services and Patch’s Privacy Policy.

  1. CONFLICTS.

To the extent there is a conflict or inconsistency between this DPA and the Terms and Conditions, this DPA will control.

  1. CROSS-BORDER DATA TRANSFERS.

11.1 Standard Contractual Clauses

The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Client Personal Data falling within the scope of the GDPR from Client (as data exporter) to Patch (as data importer) to the extent and for as long as Patch cannot rely on the DPF according to clause 11.2.

11.2 Data Privacy Framework

Patch is self-certified under the DPF and complies with the data privacy principles thereunder.  To the extent and for as long as the DPF is acknowledged as a valid transfer mechanism in the relevant country/region, Personal Data originating from the EEA, UK, or otherwise being subject to the GDPR shall be transferred on the basis of the DPF.  

11.3 Support for Cross-Border Data Transfers

Patch will provide Client reasonable support to enable Client’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA and UK. Patch will, upon Client’s request, provide information to Client which is reasonably necessary for Client to complete a transfer impact assessment (“TIA”). Patch further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Client’s compliance with requirements imposed on the transfer of personal data to third countries. Patch may charge Client, and Client shall reimburse Patch, for any assistance provided by Patch with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Client.

  1. Amendments.

Patch reserves the right to update or modify the DPA from time to time as its business evolves by posting an updated version of this DPA on its website. If, in Patch’s sole discretion, it believes that the modifications being made are material, Patch will notify Client prior to the change taking effect. By continuing to utilize the Services after the effective date of any update to this DPA, Client will be deemed to have accepted such update.

Schedule 1

DETAILS OF PROCESSING 

PART 1

LIST OF PARTIES

  1. Data Exporter: Client and/or the Client Affiliates operating in the countries which comprise the EEA and/or UK and/or – to the extent agreed by the Parties – Client and/or the Client Affiliates in any other country to the extent the GDPR applies.

Client and Client Affiliate’s contact person’s position and contact details as well as (if appointed) the data protection officer’s and (if relevant) the representative’s contact details will be notified to Patch prior to the processing of personal data via email to info@patchretention.com or an available form provided by Patch in Client’s account in the Services.

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the processing of personal data in connection with the Services further described in this Schedule 1 and in the Agreement.

  1. Data Importer

Patch Retention, Inc.

P.O. Box 376

Kaysville, UT 94036

The data importer’s contact person can be contacted at info@patchretention.com

The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in this Schedule 1 and in the Agreement.

Part 2
DESCRIPTION OF TRANSFER

  1. Categories of data subjects whose personal data are transferred: Client and Client Affiliate subscribers who are recipients of marketing communications and other individuals being targets of other marketing activities of the Client and/or Client Affiliates or their customers.
  2. Categories of personal data transferred: Determined by Client’s configuration of the Services, and may include name, phone number, email address, address data, IP address, device identifiers, usage data (such as interactions between a user and Patch’s online system, website or email, used browser, used operating system, referrer URL). Moreover, Client and Client Affiliate may include further personal data of data subjects as specified above (in particular in unstructured form) in connection with their use of the Services according to the Agreement.
  3. Frequency of the transfer: The transfer is performed on a continuous basis and is determined by Client’s configuration of the Services.
  4. Subject matter and nature of the processing: to provide a data analytics and marketing automation platform to Client.
  5. The purpose/s of the data transfer and further processing is: to provide the Services to Client pursuant to the Agreement so that Client can analyze customer data, enhance its customer relationships and send marketing and other communications to its customers.
  6. Duration: The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration is defined in Section 6 of the DPA.
  7. Sub-processor (if applicable)

For transfers to sub-processors, specify subject matter, nature, and duration of the processing: as stipulated in clause 8.1 of the DPA. The sub-processors may have access to the Personal Data for the term of this DPA or until the service contract with the respective sub-processor is terminated or the access by the sub-processor has been excluded as agreed between Patch and Client.

Part 3
COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).

Schedule 2
TECHNICAL AND ORGANIZATIONAL MEASURES

Patch has implemented technical and organizational measures to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

Schedule 3
STANDARD CONTRACTUAL CLAUSES

For the purposes of the Standard Contractual Clauses:

  1. Module Two shall apply in the case of the processing under clause 3.1 of the DPA and Module Three shall apply in the case of processing under clause 3.1 of the DPA.
  2. Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 8.2 of the DPA.
  3. The option in clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
  4. With regard to clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The parties agree that the governing law shall be the law of the Republic of Ireland.
  5. In clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
  6. For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 1 contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
  7. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.
  8. The specifications for Annex III of the Standard Contractual Clauses are determined by clause 8.1 of the DPA. The Sub-Processor’s contact person’s name, position and contact details will be provided by Patch upon request via email to info@patchretention.com.

Schedule 4
ADDITIONAL SUPPLEMENTARY MEASURES

Patch further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Personal Data in relation to the processing in a third country, as described in this Schedule 4.

  1. Additional Technical Measures (Encryption)

1.1. The personal data is transmitted (between the Parties and by Patch between data centers as well as to a sub-processor and back) using strong encryption.

1.2. The personal data at rest is stored by Patch using strong encryption.

  1. Additional Organizational Measures

2.1. Internal policies for governance of transfers especially with groups of enterprises

(a) Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access the data.

(b) Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA.

2.2. Transparency and accountability measures

Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar as publication is allowed by local law.

2.3. Organizational methods and data minimization measures

Development and implementation of best practices by both Parties to appropriately and timely involve and provide access of information to their respective data protection officers, if existent, and to their legal and internal auditing services on matters related to international transfers of personal data.

2.4. Others

Adoption and regular review by Patch of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the personal data transferred is maintained.

  1. Additional Contractual Measures

3.1. Transparency obligations

(a) Patch declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require Patch to create or maintain back doors or to facilitate access to personal data or systems or for Patch to be in possession or to hand over the encryption key.

(b) Patch will verify the validity of the information provided for the TIA questionnaire on a regular basis and provide notice to Customer in case of any changes without delay. Clause 14(e) of the SCCs shall remain unaffected.

3.2. Obligations to take specific actions

In case of any order to disclose or to grant access to the personal data, Patch commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for Patch.

3.3. Empowering data subjects to exercise their rights

(a) Patch commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her personal data transferred under the chosen transfer tool in violation of the commitments it contains.

(b) Notwithstanding the foregoing, Patch shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage.

(c) Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Patch’s infringement of the GDPR.

  1. Additional obligations in case of requests or access by public authorities

4.1. Patch shall promptly inform Client:

(a) Of any legally binding requests from a law enforcement or other government authority (“Public Authority”) to disclose the Personal Data shared by Client; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided. Such notification shall occur prior to the disclosure of any personal data in response to such requests.

(b) If it becomes aware of any direct access by public authorities to transferred personal data in accordance with the laws of the country of destination, such notification shall include all information available to Patch.

(c) If Patch is prohibited from notifying Customer and/or the data subject, Patch agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Patch agrees to document its best efforts in order to be able to demonstrate them upon request of the data exporter.

4.2. Patch agrees to review, under the laws of the country of destination, the legality of the public authority’s request, notably whether it remains within the powers granted to the requesting public authority and exhaust all available remedies to challenge the request if, after a careful assessment, Patch concludes that there are grounds under the laws of the country of destination to do so. This includes requests under section 702 of the United States Foreign Intelligence Surveillance Court or Executive Order 12333. When challenging a request, Patch shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. Patch shall not disclose or provide access to the personal data requested until required to do so under the applicable procedural rules and, at such time, shall provide only the minimum amount of information required to comply with the request, based on a reasonable interpretation of the request.

4.3. Patch agrees to preserve the information required to comply with this Schedule 4 for the duration of the Agreement and, unless prohibited by applicable law, make it available to the competent supervisory authority upon request and when required by applicable law.

Schedule 5
UK ADDENDUM

  1. UK ADDENDUM

With respect to any transfers of Personal Data falling within the scope of the UK GDPR from Client (as data exporter) to Patch (as data importer):

1.1. The Approved Addendum as further specified in this Schedule 5 shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to clause 12 of the Mandatory Clauses.

1.2. In deviation to Table 1 of the Approved Addendum and in accordance with clause 17 of the Mandatory Clauses, the parties are further specified in Schedule 1 Part 1 of this DPA.

1.3. The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Schedule 3 of this DPA as amended by the Mandatory Clauses.

1.4. Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule 1 of this DPA, Annex II of the Approved Addendum is further specified by Schedule 2 of this DPA, and Annex III of the Approved Addendum is further specified by Schedule 1 clause B.10 of this DPA.

1.5. Patch (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses.

1.6. Clause 16 of the Mandatory Clauses shall not apply.

Schedule 6
U.S. ADDENDUM

As stipulated in clause 14 of the DPA, this U.S. Addendum shall apply to any processing of Personal Data subject to US Data Protection Laws. 

To the extent required by US Data Protection Laws, Patch is prohibited from: 

(a) selling Customer Personal Data or otherwise making Personal Data available to any third party for monetary or other valuable consideration;

(b) sharing Customer Personal Data with any third party for cross-behavioral advertising;

(c) retaining, using, or disclosing Personal Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws;

(d) retaining, using or disclosing Personal Data outside of the direct business relationship between the Parties; and 

(e) except as otherwise permitted by US Data Protection Laws, combining Personal Data with Personal Data that Patch receives from or on behalf of another person or persons, or collects from its own interaction with the data subject. 

Patch Privacy Policy: https://patchretention.com/privacy-policy

Patch Terms and Conditions: https://patchretention.com/terms-and-conditions

Patch Data Protection Policy: https://patchretention.com/data-protection-policy