Data Processing Addendum

This Data Processing Addendum (DPA) forms part of our Attio Customer Agreement and sets out how we process personal data on behalf of our Customers. By accepting our Attio Customer Agreement, you agree to the terms of this DPA.

Last updated: February 2026

This Data Processing Addendum (DPA) forms part of the Attio Customer Agreement and sets out the terms on which Attio may Process (as a Processor) Customer Personal Data on behalf of the Customer (as a Controller).

1. Definitions

1.1. Capitalised terms used but not defined have the meaning set out in the Attio Customer Agreement. The following additional definitions shall apply in this DPA:

(a) Account Data: Personal Data collected by Attio to provide and control access to the Attio Services, including email address, name, IP address, and profile photo.

(b) Appropriate Safeguards: such legally enforceable mechanism(s) for transfers of Personal Data as may be recognised under Data Protection Laws from time to time, including the UK IDTA, the UK Addendum and the EU SCCs.

(c) Business Purposes: the Attio Services to be provided by Attio to the Customer as described in the Attio Customer Agreement and any other purpose identified in ANNEX A.

(d) Customer Personal Data: Personal Data comprised in the Customer Data. Account Data is not Customer Personal Data.

(e) Controller, Processor, Data Subject or Consumer, Personal Data, Personal Data Breach, Processing, Process or Processed, Sale, Share, and Supervisory Authority: have the meanings given to them or to similar terms in the Data Protection Laws.

(f) Data Protection Laws: the General Data Protection Regulation 2016/679; European Directive 2002/58/EC; the UK GDPR; the UK Privacy and Electronic Communications Regulations 2003; the UK Data Protection Act 2018 (the DPA 2018); the U.S. Privacy Laws, and any other legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of Personal Data and privacy that may exist in any relevant jurisdiction.

(g) EEA: the European Economic Area.

(h) EU AI Act: Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence.

(i) EU Standard Contractual Clauses or EU SCCs: the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 (as amended and updated from time to time).

(j) Sub-processor: a Processor engaged by Attio to Process Customer Personal Data.

(k) Third Country: a country or territory that is not part of the United Kingdom or the EEA.

(l) UK Addendum: the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, Version B1.0, in force as of 21 March 2022.

(m) UK GDPR: has the meaning set out in Section 3(10), as amended by Section 205(4), of the DPA 2018.

(n) UK IDTA: the International Data Transfer Agreement issued by the Information Commissioner for Parties making Restricted Transfers, Version A1.0, in force as of 21 March 2022.

(o) U.S. Privacy Laws: all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health information). U.S. Privacy Laws include, but are not limited to, the following: California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Delaware Personal Data Privacy Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Kentucky Consumer Data Protection Act; Maryland Online Data Privacy Act; Minnesota Consumer Data Privacy Act; Montana Consumer Data Privacy Act; Nebraska Data Privacy Act; New Hampshire Act Relative to the Expectation of Privacy; New Jersey Act Concerning Online Services, Consumers, and Personal Data; Oregon Consumer Privacy Act; Rhode Island Data Transparency and Privacy Protection Act; Tennessee Information Privacy Act; Texas Data Privacy and Security Act; Utah Consumer Privacy Act; and Virginia Consumer Data Protection Act. In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.

2. Personal Data types and Processing purposes

2.1. This DPA applies to the Processing of Customer Personal Data by Attio for the purposes of providing the Attio Services where such Processing is subject to Data Protection Laws.

2.2. Except as set out in Section 2.3, this DPA applies to the Processing of Customer Personal Data for the Business Purposes by Attio as a Processor on behalf of Customer as the Controller. For the avoidance of doubt, where the CCPA applies, Attio acts as a service provider to the Customer's business for the limited and specific purposes set out in ANNEX A.

2.3. Notwithstanding this DPA, Customer acknowledges that Attio is a Controller when Attio (i) Processes Account Data, and (ii) Processes or aggregates Personal Data relating to the operation, support, or use of the Attio Services for its own legitimate business purposes, such as billing, account management, technical support, feedback, product development, and compliance with laws.

2.4. Customer remains responsible for its compliance obligations under the Data Protection Laws, including providing any required notices and obtaining any required consents for Attio's Processing of Customer Personal Data, and for the written Processing instructions it gives to Attio.

2.5. ANNEX A describes the subject matter, duration, nature and purpose of the Processing, the Personal Data categories and Data Subject types in respect of which Attio may Process the Personal Data to fulfil the Business Purposes.

3. Right to disclose data

3.1. Customer warrants and represents that it has the right to disclose Customer Personal Data to Attio for the purpose of receiving the Attio Services.

4. Attio's obligations

4.1. To the extent that Attio Processes Customer Personal Data, Attio will:

(a) Process the Customer Personal Data only for the purpose of providing the Attio Services or otherwise based on the Customer's written instructions;

(b) not, except as expressly permitted by U.S. Privacy Laws (i) Sell or Share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in ANNEX A; (iii) retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Parties; or (iv) combine Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable Data Protection Laws;

(c) comply with the obligations of the U.S. Privacy Laws, provide the level of privacy protection required by the U.S. Privacy Laws, provide Customer with all reasonably-requested assistance to enable Customer to fulfil its own obligations under the U.S. Privacy Laws, understand and comply with this DPA, and, upon the reasonable request of Customer, make available to Customer information in Attio's possession necessary to demonstrate Attio's compliance with this subsection;

(d) implement and maintain appropriate technical and organizational measures, as set out in ANNEX B, to protect Customer Personal Data against unauthorized or unlawful Processing and accidental loss, destruction, damage, theft or disclosure, having regard to the harm which might result from the same and the nature of the Customer Personal Data;

(e) during the Term of the Attio Customer Agreement and for a period of thirty (30) days following its termination, allow Customer to export Customer Personal Data in a manner consistent with the functionality of the Attio Services and/or to request the deletion of such Customer Personal Data;

(f) take reasonable steps to ensure that personnel Processing the Customer Personal Data are subject to a duty of confidence in relation to the Customer Personal Data and understand the obligations under this DPA;

(g) provide commercially reasonable assistance to Customer in meeting its legal obligations in relation to the security of Processing of Personal Data and in undertaking data protection impact assessments and prior consultations with Supervisory Authorities;

(h) notify the Customer without undue delay upon becoming aware of any Personal Data Breach and provide information when known as to its source and nature, the type of data subject to the breach, and the identity of the affected Data Subjects;

(i) maintain adequate records of Processing activities;

(j) on the Customer's written request, make available information reasonably requested by the Customer to demonstrate compliance with Data Protection Laws and this Section 4.1, and allow for reasonable audits and inspections, provided that (i) the audits and inspections are conducted by an independent auditor agreed upon by the Parties; (ii) the Customer provides a minimum of thirty (30) days' written notice of the audit or inspection; (iii) the audit or inspection is limited to documents and facilities relevant and material to the Processing of Customer Personal Data; and (iv) such audits or inspections are conducted at Customer's cost, during Attio's usual business hours, in a manner that causes minimal disruption, and are not carried out more frequently than once in any twelve (12) month period;

(k) notify the Customer if, in Attio's reasonable opinion, the Customer's instructions in respect of any Processing of Customer Personal Data by Attio are unlawful;

(l) allow the Customer to take reasonable and appropriate steps to ensure that Attio uses Customer Personal Data consistent with the Customer's obligations under applicable Data Protection Laws and this DPA; and

(m) promptly notify Customer if it determines that it can no longer meet its obligations under Data Protection Laws and, if instructed by Customer, take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data.

4.2. The assistance provided by Attio to Customer as set out in Section 4.1(g) or Section 6.1 will be subject to reasonable costs agreed in good faith between the Parties.

5. Sale of Data

5.1. The Parties acknowledge and agree that the disclosure or making available of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement.

6. Data Subject and Consumer Rights

6.1. The Parties shall use reasonable efforts to assist each other to meet their obligations to respond to Data Subjects or Consumers exercising their rights under Data Protection Laws.

6.2. Where Attio receives a request from a Consumer or Data Subject to exercise their rights in respect of Customer Personal Data, Attio shall notify Customer promptly of this request and not act upon such request without Customer's instruction.

6.3. Where Customer receives a request from a Consumer or Data Subject made pursuant to Data Protection Laws that Attio must comply with, Customer shall provide Attio with the information necessary for Attio to comply with the request.

6.4. Attio shall not be required to delete any Customer Personal Data to comply with a Consumer's request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws, provided, however, that in such case, Attio will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and Attio shall not use Customer Personal Data retained for any purpose other than provided for by that exception.

7. Transfers of data

7.1. Subject to Section 9 of this DPA, the Customer gives Attio its general written consent to transfer Customer Personal Data to a Third Country where the relevant Sub-processor:

(a) is in a Third Country that has been recognised as providing an adequate level of protection for Personal Data for the purposes of the Data Protection Laws;

(b) is an affiliate of Attio;

(c) is a Sub-processor set out in ANNEX A at the date of the Attio Customer Agreement; or

(d) has Appropriate Safeguards in place with Attio.

8. Location of Customer and Attio

8.1. Where the Customer is located in a Third Country that the United Kingdom or EU has not recognised as providing adequate protection, any transfer of Personal Data from Attio to the Customer shall be subject to the terms set forth in ANNEX C of this DPA.

8.2. Where Attio is located in a Third Country that the United Kingdom or EU has not recognised as providing adequate protection, and the Customer is not, any transfer of Personal Data from the Customer to Attio shall be subject to the terms set forth in ANNEX C of this DPA.

9. Sub-processors

9.1. Subject to the terms of this Section 9, Customer authorizes Attio to appoint Sub-processors for the purpose of Processing Customer Personal Data in connection with the Agreement. The Sub-processors approved by the Customer as at the date of the Agreement are Attio's affiliates and the third-party Sub-processors listed in ANNEX A.

9.2. Where required by the Data Protection Laws, Attio will notify Customer prior to appointing a new Sub-processor, provided always that Customer subscribes to receive such notifications by email by completing the form available here. If Customer subscribes, Customer will be sent an email notification thirty (30) days prior to the proposed appointment of the Sub-processor to provide Customer with the opportunity to object to the appointment. Such objection must be made in writing within fourteen (14) days following Attio's notification and must be based on reasonable grounds relating to a potential or actual violation of Data Protection Laws. If Customer objects to an appointment, Attio shall use reasonable efforts to make available to the Customer a change in the services to avoid the potential or actual violation of Data Protection Laws identified by Customer. If Attio is unable to make such change within a reasonable period of time, or the Customer does not reasonably approve any such changes proposed by Attio, Customer may terminate the relevant portion of the Attio Services provided that the Customer promptly pays all correctly due sums to the point of termination to Attio.

9.3. Attio must enter into a written contract with each Sub-processor that contains terms substantially similar to, and no less protective than, those set out in this DPA.

9.4. Where any Sub-processor fails to fulfil its obligations under the written agreement with Attio, Attio remains fully liable to the Customer for the Sub-processor's performance of its obligations.

10. Artificial Intelligence

10.1. To the extent Customer accesses or uses any component of the Attio Services that incorporates, relies upon, or enables artificial intelligence, Customer shall not engage in any activity that constitutes a prohibited practice under the EU AI Act as amended, supplemented, or replaced from time to time. Customer shall ensure that all such use is fully compliant with the EU AI Act and any related implementing or delegated acts.

11. Term and termination

11.1. This DPA will remain in full force and effect so long as the Attio Customer Agreement remains in effect.

12. Liability

12.1. Liability for breach of this DPA shall be subject to the relevant clauses of the Attio Customer Agreement.

13. General

13.1. If a change in any Data Protection Laws prevents either party from fulfilling all or part of its obligations under the Attio Customer Agreement, the Parties may agree to suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Personal Data Processing into compliance with the Data Protection Laws within sixty (60) calendar days, either party may terminate the Attio Customer Agreement by providing at least thirty (30) calendar days' written notice to the other party. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations, or other laws pertaining to privacy and information security, including, where applicable, Data Protection Laws.

13.2. Any notice or other communication given to a party under or in connection with this DPA shall comply with the relevant terms of the Attio Customer Agreement.

ANNEX A – Personal Data Processing purposes and details

Subject matter of Processing: Personal Data of Users (being employees, contractors, or prospective employees or contractors of the Customer) and/or of the persons whom the Customer uses the Attio Services to contact, understand, analyse or receive communications from, or about whom information is otherwise uploaded to the Attio Applications.

Duration of Processing: the period of time in which the Customer receives the Attio Services and/or until such time Customer requests deletion of the relevant Personal Data.

Nature of Processing: collecting, displaying, using, analysing, publishing and/or presenting the Personal Data in the Attio Applications.

Business Purposes: Attio Services and the provision of the Attio Applications to the Customer and its Users.

Personal Data Categories: name, email address, contact information, image, IP addresses, information relating to work history, experiences, personal opinions, call recordings, and/or location data.

Sensitive Data Transferred: Such data as Customer may cause to be uploaded to the Attio Services.

Data Subject Types: employees, contractors, consultants, prospective employees, contractors and consultants, clients, customers and suppliers and prospective clients, customers, suppliers and contacts.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations, and Data Protection Laws.

Approved Sub-processors:

Sub-processor | Transfer Mechanism | Purpose/service
--- | --- | ---
Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA | SCCs and UK Addendum | Web infrastructure and website security
Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Dublin D02 R296, Ireland | SCCs with framework covering UK | Hosting provider; large language model for platform functionality
Ably Realtime Ltd, 9th Floor 107 Cheapside, London, United Kingdom, EC2V 6DN | SCCs and UK Addendum | Notifications
Full Contact, 580 N. Logan St., Ste 660, PMB 45057, Denver, CO 80203 | SCCs and UK Addendum | Sending data for enrichment
APIHub, Inc (Clearbit), 548 Market St #95879, San Francisco, CA 94104-5401, US | SCCs and UK Addendum | Sending data for enrichment
Postmark, 2400 Market Street, Suite 235B, Philadelphia, PA 19103, USA | SCCs and UK Addendum | Email delivery
Recall.ai (Hyperdoc Inc), 2261 Market Street #4339, San Francisco, CA | SCCs and UK Addendum | Call recording
Gladia SAS, 38 Rue de la Tremblaie 35510 CESSON-SEVIGNE | SCCs and UK Addendum | Transcribing call recording
OpenAI, LLC, 1455 3rd Street, San Francisco, CA 94158 | SCCs and UK Addendum | Large language model for platform functionality
Anthropic Ireland, Limited, 6th Floor South Bank House, Barrow Street, Dublin 4, Dublin, Ireland | SCCs and UK Addendum | Large language model for platform functionality
Parallel Web Systems Inc., 2261 Market Street #5578, San Francisco, CA 94114 | SCCs and UK Addendum | Research tool
Mapbox, Inc., 1133 15th St NW, Suite 825, Washington, D.C. 20005, USA | SCCs and UK Addendum | Map provider
Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, DC02 C628, Republic of Ireland | SCCs and UK Addendum | Bespoke workspace support

ANNEX B – Security measures

Attio has developed the Attio Services with IT security and the Data Protection Laws in mind.

Attio has, and will maintain, appropriate technical and organisational measures to ensure the security, integrity, availability and confidentiality of the Personal Data and to protect against unauthorised or unlawful Processing of the Personal Data and the accidental loss or destruction of, or damage to, the Personal Data, such measures to be appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction of, or damage to, the Personal Data and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

Attio has the following measures in place:

Access Controls

(a) Physical Access Controls. The Attio platform is hosted on Google Cloud Platform. Data centres used by Google Cloud Platform include extensive physical security measures built around a layered security model. More information about the physical security of these data centres can be found on Google Cloud Platform's website.

(b) Logical Access Controls. Attio maintains a documented information security policy that requires employees to comply with strict access control measures. All employee access to environments hosting customer data is restricted in accordance with the principle of least privilege. Access is granted on a time-bound basis and requires mandatory Multi-Factor Authentication.

(c) Encryption. All data is encrypted at rest and in transit using well-known symmetric encryption algorithms.

(d) Monitoring and Testing. Attio maintains automated monitoring and testing systems to ensure the performance and security of the platform. Attio ensures its security controls are independently verified by third-party penetration testers at least once a year.

(e) Data Backup. Attio maintains automated backup systems that routinely back up customer data to a different geographical region.

(f) Availability. Attio ensures the availability and resilience of its services by deploying systems across multiple physically independent Cloud Availability Zones, providing redundancy and fault tolerance.

Attio has and will maintain adequate data Processing, disaster recovery, business continuity and IT security policies and procedures in relation to the Processing of Personal Data that meet the requirements under the Data Protection Laws including in the event of any cyber security incidents.

Attio shall ensure that all Attio personnel involved in the Processing of Personal Data are appropriately trained to handle and Process the Personal Data in accordance with the technical and organisational security measures set out in this ANNEX B together with any applicable Data Protection Laws and guidance.

Attio personnel are subject to written confidentiality obligations which cover their Processing of any Personal Data.

ANNEX C – Cross Border Data Transfer Mechanisms

Where either the Customer or Attio is located in a Third Country that the United Kingdom or EU has not recognised as providing adequate protection, and the other is not, any transfer of Personal Data from Customer to Attio or from Attio to the Customer as the case may be shall be subject to the (i) EU SCCs, and (ii) UK Addendum, which the Parties will be deemed to have entered into, and which will be incorporated into the Attio Customer Agreement by this reference, and completed as follows:

EU Standard Contractual Clauses

(a) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer, as Controller, transfers Personal Data to Attio, as Processor, pursuant to the DPA (see Section 8.2);

(b) Module Four (Processor to Controller) of the EU Standard Contractual Clauses will apply where Attio, as Processor, transfers Personal Data to Customer, as Controller, pursuant to the DPA (see Section 8.1); and

(c) For each Module, where applicable:

(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;

(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of Sub-processor changes will be as set out in Section 9.2 of the DPA (Module Two only);

(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;

(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;

(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

(vi) in Annex I, Part A of the EU Standard Contractual Clauses:

Data Exporter: Customer as a Controller when Module Two applies; Attio as a Processor when Module Four applies, the details of which are set out in the Attio Customer Agreement.

Contact details of Attio: [email protected]

Contact details of Customer: As provided in Customer's account details.

Activities relevant to the data transferred under these Clauses: Customer receives the Attio Services as described in the Attio Customer Agreement and Customer provides Personal Data to Attio in that context. Attio Processes Personal Data on behalf of Customer in that context.

Signature and Date: By entering into the Attio Customer Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Attio Customer Agreement.

Data Importer: Customer as a Controller when Module Four applies; Attio as a Processor when Module Two applies, the details of which are set out in the Attio Customer Agreement.

Contact details: as set out above.

Signature and Date: By entering into the Attio Customer Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Attio Customer Agreement;

(vii) in Annex I, Part B of the EU Standard Contractual Clauses:

The categories of Data Subjects and any sensitive data transferred are set out in Attio's Privacy Policy and ANNEX A of the DPA (as applicable);

The frequency of the transfer is on a continuous basis for the duration of the Attio Customer Agreement;

The nature and purpose of the Processing and the period for which the Personal Data will be retained are set out in Attio's Privacy Policy and ANNEX A of the DPA (as applicable); and

(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.

ANNEX B of the DPA serves as Annex II of the EU Standard Contractual Clauses.

UK Addendum

(a) In Table 1 of the UK Addendum, Customer's and Attio's details and key contact information are set out in ANNEX C clause (c)(vi) above;

(b) In Table 2 of the UK Addendum, information about the version of the EU SCCs, modules, and selected clauses, which the UK Addendum is appended to, are set out in ANNEX C clause (c) above;

(c) in Table 3 of the UK Addendum:

(i) the list of Parties is set out in ANNEX C clause (c)(vi) above;

(ii) the description of the transfer is set out in Section 2 of the DPA;

(iii) Annex II is located in ANNEX B of the DPA;

(iv) the list of Sub-processors is at ANNEX A of the DPA (Module Two only); and

(d) in Table 4 of the UK Addendum, both the Data Importer and the Data Exporter may end the UK Addendum in accordance with the terms of the UK Addendum.

To the extent there is any conflict or inconsistency between (i) the EU SCCs or UK Addendum and (ii) any other terms in the Attio Customer Agreement or the DPA, the provisions of the EU SCCs or UK Addendum, as applicable, will prevail.