DATA PROCESSING ADDENDUM


This Data Processing Addendum (including its Exhibits) ("Addendum") forms part of and is subject to the Agreement agreed to by and between Gravity London Limited a company registered in England and Wales ("Company") and You ("Supplier").

1. Subject Matter and Duration

    1. Subject Matter: This Addendum reflects the parties' commitment to abide by Data Privacy Laws concerning the Processing of Company Personal Data in connection with Supplier's execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

    2. Duration and Survival: This Addendum will become legally binding upon the effective date of the Agreement. Supplier will Process Company Personal Data until the relationship terminates as specified in the Agreement.

2. Definitions

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

    1. "Company Personal Data" means Personal Data Processed by Supplier on behalf of Company to provide the Services, including Personal Data belonging to Company's clients, customers, and other data subjects whose data Company shares with Supplier.

    2. "Data Privacy Laws" means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject. "Data Privacy Laws" may include, but are not limited to, the EU General Data Protection Regulation 2016/679 ("GDPR") and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the “UK GDPR”) and the Data Protection Act of 2018; the California Consumer Privacy Act of 2018 ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut's Act Concerning Data Privacy and Online Monitoring, and the Utah Consumer Privacy Act (in each case as supplemented by implementing regulations and as amended, adopted, or superseded from time to time).

    3. "Personal Data" has the meaning assigned to the term "personal data" or "personal information" under applicable Data Privacy Laws.

    4. "Process" or "Processing" means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

    5. "Security Incident(s)" means the breach of security leading to the unauthorized acquisition or compromise of Company Personal Data attributable to Supplier.

    6. "Services" means the services that Supplier performs under the Agreement.

    7. "Sub-processor(s)" means Supplier's authorized vendors and third-party service providers that Process Company Personal Data.

3. Processing Terms for Company Personal Data

    1. Documented Instructions: Supplier shall Process Company Personal Data only on Company's documented instructions, including as set out in this Addendum, the Agreement, and any applicable Statement of Work. Supplier will, unless legally prohibited from doing so, inform Company in writing if it reasonably believes that there is a conflict between Company's instructions and applicable law or otherwise seeks to Process Company Personal Data in a manner that is inconsistent with Company's instructions. Each party will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply) with Data Protection Laws applicable to such party in the processing of Personal Data. As between the parties, Supplier shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.

    2. Authorization to Use Sub-processors: Supplier must obtain Company's prior written authorization before engaging any Sub-processor. Supplier shall provide Company with ten (10) days' advance written notice of any new Sub-processor that will Process Company Personal Data. Company retains the right to object to the appointment of any new Sub-processor on reasonable grounds. If Company has legitimate objections to the appointment of any new Sub-processor, the parties will work together in good faith to resolve the grounds for the objection.

    3. Sub-processor Compliance: Supplier shall (i) enter into a written agreement with Sub-processors regarding such Sub-processors' Processing of Company Personal Data that imposes on such Sub-processors data protection requirements for Company Personal Data that are consistent with this Addendum; and (ii) remain fully responsible and liable to Company for any Sub-processor's failure to perform its obligations with respect to the Processing of Company Personal Data.

    4. Confidentiality: Any person authorized to Process Company Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

    5. Personal Data Inquiries and Requests: Supplier shall promptly assist Company in responding to requests from individuals exercising their rights in Company Personal Data granted to them under Data Privacy Laws. Supplier agrees to provide reasonable assistance and comply with reasonable instructions from Company related to any such requests and shall cooperate fully with Company to ensure timely and accurate responses.

    6. Prohibited Uses of Personal Data: Supplier shall not (i) sell or share Company Personal Data as the terms "sell" or "share" are defined by the CCPA or similar state privacy laws; (ii) retain, use, combine, or disclose Company Personal Data for any purpose other than performing the Services or as permitted under Data Privacy Laws; or (iii) use Company Personal Data to build, improve, or optimize its own products or services without Company's express prior written consent.

    7. Data Protection Impact Assessment and Prior Consultation: Where required by Data Privacy Laws, Supplier agrees to provide reasonable assistance to Company where, in Company's judgment, the type of Processing performed by Supplier requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities. Supplier shall cooperate fully with Company's efforts to conduct such assessments or consultations.

    8. Demonstrable Compliance: Upon Company's reasonable request, Supplier agrees to provide information reasonably necessary to demonstrate compliance with this Addendum and permit Company to take reasonable steps to stop and remediate any unauthorized Processing or use of Company Personal Data. Supplier shall make available to Company all documentation, records, and certifications necessary to evidence compliance with data protection obligations.

    9. Permitted Processing: Notwithstanding Section 3(f), Supplier may Process Company Personal Data: (i) to detect Security Incidents; (ii) to protect against fraudulent or illegal activity; and (iii) as otherwise permitted by Data Privacy Laws. Supplier shall not use Company Personal Data for any other internal business purposes, including building or improving the quality of its services, without Company's express prior written consent.

4. Information Security Program

    1. Security Measures: Supplier shall implement and maintain appropriate administrative, technical, and physical safeguards designed to protect Company Personal Data. Such safeguards shall be commensurate with the risk presented by the Processing and shall be consistent with industry standards and best practices for organizations processing similar categories of Personal Data.

5. Security Incidents

    1. Notice: Upon becoming aware of a Security Incident, Supplier agrees to provide written notice to Company without undue delay and in no event later than forty-eight (48) hours. Where possible, such notice will include all available details required under Data Privacy Laws for Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

    2. Cooperation: Supplier shall cooperate fully with Company in investigating, remediating, and notifying affected individuals and regulatory authorities regarding any Security Incident. Supplier shall provide all information and assistance reasonably requested by Company and shall take all necessary remedial measures to prevent recurrence of similar incidents.

6. Cross-Border Transfers of Company Personal Data

    1. Authorization for Cross-Border Transfers: Supplier and its Sub-processors may only transfer Company Personal Data across international borders with Company's prior written authorization. Supplier shall not transfer Company Personal Data to any country or jurisdiction without Company's express permission and confirmation that appropriate safeguards are in place.

    2. Appropriate Transfer Mechanism: If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred to a country that has not been found to provide an adequate level of protection under applicable Data Privacy Laws, the parties agree that the transfer shall be governed by an appropriate legal mechanism providing adequate safeguards. Such mechanisms shall include the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce, or if the US DPF is not available as an appropriate safeguard, the Standard Contractual Clauses Module Two as set forth in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("Standard Contractual Clauses"), as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each party's signature to the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

7. Audits

    1. Company Audit Right: Where Data Privacy Laws afford Company an audit right, Company (or its appointed representative) may carry out an audit of Supplier's policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit must be: (i) conducted during Supplier's regular business hours; (ii) with reasonable advance notice to Supplier; (iii) carried out in a manner that prevents unnecessary disruption to Supplier's operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per calendar year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.

8. Company Personal Data Deletion or Return

    1. Data Deletion: At the expiry or termination of the Agreement, Supplier will delete or return all Company Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Supplier's standard data retention schedule), except where Supplier is required to retain copies under applicable law, in which case Supplier will isolate and protect that Company Personal Data from any further Processing except to the extent required by applicable law. Supplier shall provide written certification of deletion or return upon Company's written request.

9. Supplier's Obligations and Representations

Supplier represents and warrants that: (i) it will comply with all applicable Data Privacy Laws in its Processing of Company Personal Data; (ii) it has implemented and maintains appropriate technical and organizational measures to protect Company Personal Data, consistent with the requirements of this Addendum and applicable Data Privacy Laws; (iii) it will Process Company Personal Data only in accordance with Company's documented instructions as set forth in this Addendum, the Agreement, and any applicable Statement of Work; (iv) it will not transfer Company Personal Data to any Sub-processor or third party without Company's prior written authorization, except as expressly permitted by this Addendum; and (v) it shall immediately notify Company if it becomes aware of any violation of Data Privacy Laws or any unauthorized Processing of Company Personal Data.

10. Processing Details

    1. Subject Matter and Business Purpose: The subject matter and business purpose of the Processing is the Services pursuant to the Agreement and the applicable Statement of Work entered thereunder.

    2. Duration: The Processing will continue until the expiration or termination of the Agreement.

    3. Categories of Data Subjects: Data subjects whose Company Personal Data will be Processed pursuant to the Agreement include: Company employees and contractors; Company's clients, customers, and potential customers; and other individuals whose data Company shares with Supplier for purposes of the Services.

    4. Nature and Purpose of the Processing: The purpose of the Processing of Company Personal Data by Supplier is the performance of the Services under the Agreement.

    5. Types of Company Personal Data: Company Personal Data that is Processed pursuant to the Agreement to enable the performance of the Services includes: Contact information such as name, email address, account number, physical address, and phone number; online identifiers such as IP address, device ID, and advertising ID; and such other Personal Data as agreed in the applicable Statement of Work or as necessary for Supplier to perform the Services.

    6. Sensitive Data: The parties agree that no sensitive or special categories of Personal Data will be transferred under the Agreement unless separately agreed upon in writing by both parties with appropriate additional safeguards.



EXHIBIT A TO THE DATA PROCESSING ADDENDUM


This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses (SCCs). The SCCs are a standardized legal mechanism that allows personal data to be lawfully transferred from the EU/EEA, UK, or Switzerland to countries that don't have an "adequate" level of data protection.

Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

1. Supplemental Terms

The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: "To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties' processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection."; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: "To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties' processing of personal data that is subject to UK Data Privacy Laws (as defined in Annex III)."; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must submit the request for specific authorization in accordance with Section 3(b) of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

2. Annex I – List of Parties and Description of Transfer

Annex I to the Standard Contractual Clauses shall read as follows:

A. List of Parties

Data Exporter: Company

Address: As set forth in the Notices section of the Agreement.

Contact person's name, position, and contact details: Company's Account Management Contact under the Agreement.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Controller.

Data Importer: Supplier

Address: As set forth in the Notices section of the Agreement.

Contact person's name, position, and contact details: Supplier's Account Management Contact under the Agreement.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Processor.

B. Description of the Transfer

Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses include, but are not limited to, Company's employees, Company's customers and potential customers, and other individuals whose data Company shares with Supplier.

Categories of personal data transferred: The categories of personal data transferred under the Clauses include, but are not limited to, Contact Information such as name, email, account number, address, phone number; online identifiers such as IP address, device ID, advertising ID, and other identifiers as specified in the applicable Statement of Work.

Sensitive data transferred (if applicable) and applied restrictions or safeguards: The parties agree that no sensitive or special categories of personal data will be transferred under the Agreement unless separately agreed upon in writing. Where sensitive data is transferred with prior written consent, Supplier shall implement strict purpose limitation, access restrictions (including access only for staff having followed specialized training), record-keeping of access to the data, restrictions for onward transfers, and additional security measures appropriate to the nature and sensitivity of the data.

Frequency of the transfer: Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

Nature of the processing: The Services.

Purpose(s) of the data transfer and further processing: The Services.

Period for which the personal data will be retained: Data importer will retain personal data in accordance with the Addendum and the Agreement, or as required by applicable law.

For transfers to (sub-) processors: Data importer will provide its list of Sub-processors upon data exporter's written request and shall notify data exporter of any new Sub-processors in accordance with Section 3(b) of the Addendum.

C. Competent Supervisory Authority

The supervisory authority mandated by Clause 13 of the Standard Contractual Clauses. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC) shall serve as the competent supervisory authority for EEA transfers; the Swiss Federal Data Protection and Information Commissioner (FDPIC) for Swiss transfers; and the United Kingdom Information Commissioner's Office (ICO) for UK transfers.

3. Annex II – Technical and Organizational Measures

Data importer shall implement and maintain appropriate technical and organizational measures designed to protect personal data in accordance with the Addendum. Such measures shall be commensurate with the risk presented by the Processing and shall include, at minimum: (i) encryption of personal data in transit and at rest; (ii) access controls limiting access to personal data to authorized personnel on a need-to-know basis; (iii) regular security assessments and vulnerability testing; (iv) incident response and breach notification procedures; (v) employee training and confidentiality obligations; (vi) audit trails and logging of access to personal data; (vii) business continuity and disaster recovery plans; and (viii) regular backup and recovery procedures.

4. Clarifying Terms

The parties further agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses will be provided upon data exporter's written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Standard Contractual Clauses will only cover data importer's impacted systems; (iii) the audit described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) where permitted by applicable Data Privacy Laws, data importer may engage existing Sub-processors using the European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors, and such use of Sub-processors shall be deemed to comply with Clause 9 of the Standard Contractual Clauses, provided that data importer has obtained data exporter's prior written authorization as required by Section 3(b) of the Addendum; (v) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Standard Contractual Clauses will be limited to the termination of the Standard Contractual Clauses themselves; (vi) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Standard Contractual Clauses; (vii) the information required under Clause 15.1(c) of the Standard Contractual Clauses will be provided upon data exporter's written request; and (viii) notwithstanding anything to the contrary in the Agreement, data exporter will reimburse data importer for all reasonable costs and expenses incurred by data importer in connection with the performance of data importer's obligations under Clause 15.1(b) and Clause 15.2 of the Standard Contractual Clauses, provided that such costs are not duplicative of obligations data importer would otherwise have under the Agreement.

© 2026 Gravity Global. All Rights Reserved.
