Data Processing Addendum
Effective February 2026
This Data Processing Addendum (“DPA”) is incorporated into and forms part of CEOfriend’s Consulting Terms or other agreement between Customer and CEOfriend that references this DPA and governs Customer’s use of the Services (the “Agreement”), and applies to CEOfriend’s processing of Customer Data (defined below). Capitalized terms used but not otherwise defined in this DPA have the meaning set forth in the Agreement. CEOfriend may amend this DPA from time to time on reasonable notice to Customer to the extent such changes are required due to changes in Applicable Data Protection Laws. If there is any conflict between the terms of this DPA and the Agreement, the conflicting terms of this DPA will govern.
A. Definitions
- "Applicable Data Protection Laws" means, as may be amended from time to time, the UK GDPR and the general consumer (non-industry specific) data privacy laws of the United States and its states (including, where applicable, the CCPA), in each case only to the extent applicable to the performance of either Party’s obligations under this DPA.
- "UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
- "Customer Personal Data" means personal data submitted through the Services by or for Customer or a Customer Affiliate.
- "Customer Affiliate" means an affiliate of Customer that (a) is permitted to use the Services pursuant to the Agreement between CEOfriend and Customer, and (b) directly or indirectly controls, is controlled by, or is under common control with Customer.
- “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of voting interests.
- “Customer Data” means all data or other information submitted through the Services by or for Customer or a Customer Affiliate.
- “Data Subject Request” means a request from a data subject to exercise their personal data-related rights under Applicable Data Protection Laws, such as rights to access, correct, or delete their personal data.
- "GDPR" means Regulation (EU) 2016/679.
- "Security Breach" means a breach of CEOfriend’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.
- "Standard Contractual Clauses" or “SCCs” means Module Two (controller to processor) or Module Three (processor to processor) of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
- "Subprocessor" means an entity engaged by CEOfriend to process Customer Personal Data.
- “UK Addendum” means the International Data Transfer Addendum to the SCCs, issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this DPA have the meanings given by Applicable Data Protection Laws or, absent any such meaning or law, by GDPR. The terms “controller” and “processor” include “business” and “service provider”, respectively, as required by Applicable Data Protection Laws.
B. Processing of Customer Data
- With respect to Customer Personal Data, Customer is the controller and CEOfriend is Customer’s processor.
- Each party will comply with its respective obligations under Applicable Data Protection Laws in connection with the Services and the Customer Personal Data.
- Unless required by applicable law to which CEOfriend is subject, CEOfriend will only process Customer Personal Data to provide or maintain the Services, and in compliance with Customer’s documented instructions (including as set out in the Agreement and this DPA).
- Without limiting the foregoing, CEOfriend will not:
- “sell” or “share” Customer Personal Data, as defined by Applicable Data Protection Laws;
- retain, use, or disclose Customer Personal Data outside of the direct business relationship and for any purpose other than for the business purposes specified in Part B of Schedule 1 or as otherwise permitted by Applicable Data Protection Laws; and
- except as otherwise permitted by Applicable Data Protection Laws, combine Customer Personal Data with personal data that CEOfriend receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.
- As required under Applicable Data Protection Laws, CEOfriend will promptly inform Customer if it makes a determination that it can no longer comply with its processing obligations under this DPA, in which case Customer may take reasonable and appropriate steps in accordance with the Agreement to stop or remediate any unauthorized processing of Customer Personal Data.
- CEOfriend will promptly inform Customer if, in its opinion, an instruction from Customer relating to the processing of Customer Personal Data violates Applicable Data Protection Laws.
- CEOfriend will cooperate with and provide reasonable assistance to Customer for: (a) Customer’s performance of any data protection impact assessment of the processing of Customer Personal Data by CEOfriend, and (b) related consultation with supervisory authorities, either or both of which Customer reasonably considers to be required by Applicable Data Protection Laws.
- CEOfriend will ensure that each person it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
C. Subprocessors
- Customer grants CEOfriend general authorization to engage the Subprocessors listed in Schedule 4, and any additional Subprocessors in accordance with Section C.3 below.
- CEOfriend will: (a) enter into a contractual agreement with each Subprocessor imposing data protection obligations that are substantially as protective as CEOfriend’s obligations under this DPA, to the extent applicable to the nature of the services provided by the Subprocessor; and (b) remain liable to Customer for each Subprocessor’s acts and omissions related to this DPA to the extent CEOfriend is liable for its own, consistent with the limitation of liability provided in the Agreement.
- In the event that CEOfriend wishes to appoint an additional Subprocessor: (a) CEOfriend will provide Customer reasonable notice of the new Subprocessor prior to giving the Subprocessor access to Customer Personal Data; and (b) Customer may, on the basis of reasonable data privacy or data security concerns, object to CEOfriend’s use of such Subprocessor by providing CEOfriend with written notice of the objection within fifteen (15) days of the date of such notice, or Customer is deemed to consent to the new Subprocessor.
- In the event Customer objects to CEOfriend’s use of a new Subprocessor, Customer and CEOfriend will work together in good faith to find a mutually acceptable resolution to address any objection raised by Customer.
D. Data Subject Requests
- CEOfriend will forward to Customer promptly any Data Subject Request received by CEOfriend relating to the Customer Personal Data and may advise the Data Subject to submit their request directly to Customer.
- CEOfriend will, taking into account the nature of the processing, provide Customer with reasonable and timely assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
E. Security
CEOfriend will comply with the data security obligations of Applicable Data Protection Laws, and will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for the Customer Data (including the Customer Personal Data) appropriate to the risk of the relevant processing, as summarized in Schedule 2. CEOfriend may update these measures from time to time, provided that such updates do not materially reduce the overall security of the Services. The parties agree that the measures set out in Schedule 2 provide an appropriate level of security for the Customer Data (including the Customer Personal Data), accounting for the risks presented by the processing outlined in the Agreement and this DPA.
F. Security Breaches
- CEOfriend will notify Customer in writing without undue delay after becoming aware of any Security Breach, and will assist Customer in complying with Customer’s obligations under Applicable Data Protection Laws by reasonably cooperating with Customer’s investigation of the Security Breach.
- CEOfriend’s notification of, or response to, a Security Breach will not be construed as an acknowledgement by CEOfriend of any fault or liability with respect to the Security Breach.
- Upon becoming aware of a Security Breach, CEOfriend will (a) investigate the Security Breach, and (b) provide timely information relating to the nature of the Security Breach, such as, where reasonably possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Breach, and the measures taken or proposed to be taken by CEOfriend to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
G. Deletion and Return
Within thirty (30) days of the date of termination or expiration of the Agreement, CEOfriend will delete all copies of Customer Data (including Customer Personal Data) processed by CEOfriend or any Subprocessors, except to the extent that (i) Applicable Data Protection Laws or other applicable legal or regulatory requirements require storage of the Customer Data, (ii) retention of the Customer Data by CEOfriend is necessary to resolve a dispute between the parties, or (iii) retention of the Customer Data is necessary to combat harmful use of the Services.
H. Standard Contractual Clauses
- The parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the SCCs Module Two (controller to processor) and/or Module Three (processor to processor), as completed as described in Schedule 3 of this DPA, are hereby incorporated by reference and will be deemed to have been executed by the parties.
- To the extent required by Applicable Data Protection Laws, the jurisdiction-specific addenda to the SCCs set out in Schedule 3 are also incorporated herein by reference and will be deemed to have been executed by the parties.
- To the extent that there is any conflict between the terms of this DPA, the Agreement, and the terms of the SCCs, the terms of the following documents will prevail (in order of precedence): (i) the SCCs; (ii) this DPA; and (iii) the Agreement.
- CEOfriend will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on international transfers of Customer Personal Data.
- CEOfriend will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment to the extent required under Applicable Data Protection Laws.
Schedule 1 - Details of Processing and Transfers
A. List of Parties
- Data Exporter: The data exporter is the Customer and/or Customer Affiliates exporting Customer Personal Data to which GDPR applies. Contact details are included in the Agreement or will be disclosed upon request.
- Data Importer: The data importer is the CEOfriend entity that executed the Agreement. Contact details are included in the Agreement or will be disclosed upon request.
B. Description of Processing
- Categories of data subjects: Determined by Customer (in accordance with the Agreement).
- Categories of personal data: Determined by the Customer (in accordance with the Agreement).
- Special categories of personal data: None.
- Duration and Frequency: Continuous basis for the duration of the Agreement.
- Subject matter and nature: Performing Services involving processing (collection, storage, organization, structuring) as part of a natural language-based machine-learning tool; verifying quality/security; debugging.
- Purpose: To provide Services to Customer pursuant to the Agreement.
- Storage Limitation: The term of the Agreement.
- Subprocessors: May be used as detailed in Schedule 4.
C. Competent Supervisory Authority
- Exporter in EU: Supervisory authority of the country of establishment.
- Exporter not in EU (Article 3(2) with representative): Member State where the representative is established.
- Exporter not in EU (Article 3(2) without representative): Supervisory authority of Ireland.
Schedule 2 - Technical and Organizational Measures
A. Security Program and Policies
- CEOfriend maintains organizational management processes to ensure DPA compliance.
- Business resiliency and continuity plans are tested annually.
B. Personnel Management
- Personnel are trained and obligated to confidentiality and security requirements.
C. Encryption Standards
- CEOfriend utilizes industry standard encryption methods.
D. Vulnerability Management
- Multi-faceted approach including automated/manual code review, endpoint detection, and log analysis.
- Annual penetration testing by external assessors; summaries available upon request.
- Risk-based updates applied in alignment with industry timelines.
Schedule 3 - International Data Transfers
A. EU SCCs
- Clause 7 (Docking): Does not apply.
- Clause 9 (Subprocessors): Option 2 (general written authorization) applies; time period as per Section C.3.
- Clause 11 (Redress): Optional wording does not apply.
- Clause 17 (Governing Law): Option 1; laws of England.
- Clause 18 (Jurisdiction): England.
B. UK Addendum
- Applies to processing subject to UK GDPR.
- Table 1 (Parties): Details in Schedule 1, Part A.
- Table 2 (SCCs): Selected version as set out in EU SCCs of Schedule 3.
- Table 4: CEOfriend (data importer) may end the Approved Addendum.
Schedule 4 - Subprocessors
CEOfriend’s list of Subprocessors is available at https://www.CEOFriends.com/subprocessors.