Definitions

Processing of Personal Data

Data Subject Rights

Sub-processors

Security

Data Protection Impact Assessments

Return or Deletion of Data

Audits

International Transfers

General Provisions

Salesfinity Data Processing Addendum

1. Definitions

Unless otherwise defined herein, capitalized terms have the meanings set forth in applicable Data Protection Laws.
 1.1 “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Company as part of providing the Services.
 1.2 “Controller” means the entity that determines the purposes and means of Processing Personal Data.
 1.3 “Processor” means the entity that Processes Personal Data on behalf of the Controller.
 1.4 “Data Subject” means the identified or identifiable person to whom Personal Data relates.
 1.5 “Processing” means any operation performed on Personal Data, whether automated or not.

1.6 "Personal Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach shall be regarded as a personal data breach as defined in the GDPR.

1.7 "Data Protection Laws" means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR")

  1. Processing of Personal Data

2.1 Roles. Customer is the Controller and Company is the Processor. Company may engage Sub-processors as described in Section 4.
 2.2 Customer Responsibilities. Customer shall Process Personal Data in compliance with Data Protection Laws, including ensuring the lawfulness of Personal Data provided to Company.



 2.3 Company Responsibilities. Company shall only Process Personal Data:

  • (i) as necessary to provide the Services under the Agreement;

  • (ii) in accordance with Customer’s documented instructions (including configuration of optional features); and

  • (iii) as required by law.
     2.4 Optional Features. Customer acknowledges that certain features (e.g., call recording, transcription, AI summaries) are optional. If a Customer elects not to enable a feature, no associated data will be transmitted to relevant Sub-processors.

  1. Data Subject Rights

Company shall, to the extent legally permitted, notify Customer of requests from Data Subjects to exercise rights (e.g., access, deletion). Company shall assist Customer in fulfilling such requests where possible.

  1. Sub-processors

4.1 Use of Sub-processors. Company may engage third-party Sub-processors subject to written agreements imposing data protection obligations no less protective than those in this Addendum.
 4.2 Authorized Sub-processors. As of the Effective Date, Customer authorizes the following Sub-processors:

  • MongoDB (United States of America) – Data storage

  • Cloudflare (United States of America) – Hosting Providers

  • Intercom (United States of America) – Customer Service

  • Google Analytics (United States of America) – Analytics

  • Amazon Web Services (United States of America, Germany) – IT Infrastructure

  • Eleven Labs (United States of America) – Artificial Intelligence for voice (Optional)

  • Twilio (United States of America) – Telecom partner

  • HubSpot (United States of America) – CRM

  • Sentry (United States of America) – Development Software

  • PostHog (United States of America) – Analytics

  • Microsoft Clarity (United States of America) – Analytics

  • Slack (United States of America) – Collaboration & Productivity

  • Daily (United States of America) – Video Communication Platform for Salesfloor (optional)

  • Deepgram – Audio transcription (only if Customer enables transcription).

  • OpenAI – Natural language processing (e.g., summaries, account insights, task automation; only if Customer enables recording/transcription).

    4.3 PII Personal Data Handling. Company employs secure hashing and minimization techniques to reduce exposure of sensitive PII Personal Data before transmitting to Sub-processors.

    4.4 Notice of New Sub-processors. Company shall notify Customer in writing of changes to the Sub-processor list at least thirty (30) days in advance and provide Customer an opportunity to object for legitimate reasons.


4.5 Company shall be fully liable for the acts or omissions of Sub-processors to the same extent it is liable for its own actions or omissions under this DPA and Data Protection Laws

  1. Security

5.1 Company maintains industry-standard administrative, physical, and technical safeguards to protect Personal Data. These safeguards will include, without limitation, ensuring that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
 5.2 Company shall notify Customer without undue delay and in any event within 72 hours, upon becoming aware of a Personal Data Breach.

  1. Data Protection Impact Assessments

Company shall reasonably assist Customer with data protection impact assessments and consultations with supervisory authorities, as required by law.

  1. Return or Deletion of Data

Upon termination or expiration of the Agreement, Company shall, at Customer’s choice and subject to technical feasibility, return or securely delete all Personal Data, unless retention is required by law. If such retention is required, the Company shall continue to process the Personal Data in accordance with the other provisions of this DPA. 

  1. Audits

Upon reasonable written request, Company shall make available information necessary to demonstrate compliance with the provisions of this DPA and data protection law. Customer may conduct audits, including inspections, in accordance with Data Protection Laws, on at least thirty (30) days’ notice (unless otherwise required by law), at Customer’s cost, unless a material breach is identified.

  1. International Transfers

Any transfers of Personal Data outside the European Economic Area (EEA), UK, or Switzerland shall be conducted in compliance with applicable Data Protection Laws (e.g., Standard Contractual Clauses, UK Addendum, Swiss Addendum).

  1. . General Provisions

10.1 This Addendum supplements the Agreement. In case of conflict, this Addendum prevails.
 10.2 Governing law shall be the same as that in the Agreement.

Last Updated: December 29, 2025

Request a free trial today.

Try Salesfinity risk free.

Get a demo

Get a demo

Get a demo

Get a demo

Get a demo

Get a demo