Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (the “Agreement”) between NorthernPlus Inc., a Delaware corporation (“NorthernPlus”), and the customer that has entered into the Agreement (“Customer”). It applies to the extent NorthernPlus processes personal data on Customer’s behalf and reflects the parties’ obligations under applicable data protection laws.
By entering into the Agreement, Customer accepts this DPA. If Customer requires a countersigned copy, it may request one at hello@northernplus.com.
/ 01
Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
- “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection, and U.S. state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”).
- “Controller,” “Processor,” “Data Subject,” “Processing,” and “Personal Data Breach” have the meanings given in the GDPR; “Business,” “Service Provider,” “Sell,” “Share,” and “Consumer” have the meanings given in the CCPA.
- “Customer Personal Data” means Personal Data contained in Customer Data that NorthernPlus processes on Customer’s behalf under the Agreement.
- “Subprocessor” means a third party engaged by NorthernPlus to process Customer Personal Data.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision 2021/914, and, for the United Kingdom, the UK International Data Transfer Addendum issued by the Information Commissioner (“UK Addendum”).
/ 02
Roles and scope
This DPA applies where NorthernPlus processes Customer Personal Data on behalf of Customer in providing the Service. With respect to End-User intake data and other Customer Personal Data, Customer is the Controller (or a Processor acting for a third-party controller) and NorthernPlus is the Processor (or Subprocessor). With respect to account registration data and Usage Data that NorthernPlus processes for its own purposes (such as billing, security, and product improvement), NorthernPlus acts as an independent Controller, and that processing is governed by the Privacy Policy.
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I.
/ 03
Customer obligations
Customer is responsible for the lawfulness of its collection and processing of Customer Personal Data, including having a valid legal basis and providing required notices to and obtaining required consents from Data Subjects. Customer’s complete and documented instructions for the processing are this DPA, the Agreement, and Customer’s configuration and use of the Service. Customer will not provide Customer Personal Data to NorthernPlus except through the Service and in accordance with the Agreement.
/ 04
NorthernPlus processing obligations
NorthernPlus will process Customer Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case NorthernPlus will, where legally permitted, inform Customer first). NorthernPlus will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
With respect to the CCPA, NorthernPlus acts as a Service Provider and will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than performing the Service or as otherwise permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship with Customer; or (d) combine it with personal information from other sources except as permitted by the CCPA. NorthernPlus certifies that it understands and will comply with these restrictions.
/ 05
Confidentiality
NorthernPlus will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and are trained on their data protection responsibilities, and will limit access to those who need it to provide the Service.
/ 06
Security
NorthernPlus will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, taking into account the state of the art, costs of implementation, and the nature and risk of the processing. Those measures are described in Annex II and on our Security page.
/ 07
Subprocessors
Customer provides general authorization for NorthernPlus to engage Subprocessors to process Customer Personal Data. NorthernPlus imposes data protection obligations on each Subprocessor that are substantially the same as those in this DPA and remains responsible for each Subprocessor’s performance.
The current categories of Subprocessors are listed in Annex III, and a current list of specific Subprocessors is available on request. NorthernPlus will give Customer notice (by email or in-product notice) before adding or replacing a Subprocessor that processes Customer Personal Data. Customer may object on reasonable data protection grounds within ten (10) days of that notice, and the parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected portion of the Service.
/ 08
Data subject rights
Taking into account the nature of the processing, NorthernPlus will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If NorthernPlus receives a request directly from a Data Subject relating to Customer Personal Data, it will, where permitted, refer the Data Subject to Customer and promptly notify Customer. The Service also provides self-service tools that allow Customer to access, correct, export, and delete or redact Customer Personal Data.
/ 09
Personal Data Breach notification
NorthernPlus will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its notification obligations. NorthernPlus will take reasonable steps to contain and remediate the breach. NorthernPlus’s notification is not an acknowledgment of fault or liability.
/ 10
Assistance with DPIAs
Taking into account the nature of the processing and the information available to it, NorthernPlus will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Data Protection Laws and related to the processing of Customer Personal Data by NorthernPlus.
/ 11
International transfers
NorthernPlus processes Customer Personal Data primarily in the United States. To the extent NorthernPlus processes Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the SCCs are incorporated into this DPA by reference and apply to that transfer, with Customer as data exporter and NorthernPlus as data importer.
For these purposes: Module Two (Controller to Processor) applies, or Module Three (Processor to Processor) where Customer acts as a Processor for a third-party controller as described in Section 02; the optional docking clause applies; the optional language in the clause on subprocessor authorization reflects the general authorization in Section 07 of this DPA; the supervisory authority and governing law are as set out in Annex I; and Annexes I and II of this DPA populate the corresponding annexes of the SCCs. The UK Addendum applies to UK transfers, and the SCCs are deemed amended as necessary for Swiss transfers. If there is a conflict between the SCCs and this DPA, the SCCs control as to the relevant transfer.
/ 12
Return and deletion
On termination or expiration of the Agreement, NorthernPlus will, at Customer’s choice, delete or return Customer Personal Data, and delete existing copies, except to the extent retention is required by law. Customer may export Customer Personal Data during the wind-down period described in the Agreement. Deletion timelines, including for backups, are described in the Privacy Policy.
/ 13
Audits
NorthernPlus will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and certifications where available (such as a SOC 2 report, subject to NDA). Where Data Protection Laws require an audit right that cannot be satisfied by that information, Customer may, no more than once per year and on reasonable prior written notice, conduct an audit limited in scope to the processing of Customer Personal Data, during business hours, without unreasonably disrupting NorthernPlus’s operations and subject to confidentiality.
/ 14
Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA forms part of the Agreement. With respect to the processing of Customer Personal Data, this DPA controls over any conflicting term of the Agreement, and the SCCs control over this DPA as to transfers governed by them.
/ A1
Annex I — Description of processing
A. Parties. Data exporter: Customer (the Controller identified in the Order Form). Data importer: NorthernPlus Inc., 323 Washington Ave N, #200, Minneapolis, MN 55401, USA, acting as Processor. Contact: hello@northernplus.com.
B. Description of processing.
- Categories of Data Subjects: Customer’s prospects, clients, and other contacts (End Users), and Customer’s personnel (Authorized Users).
- Categories of Personal Data: identifiers and contact details (name, email, phone, address), intake content and correspondence, uploaded documents, voice call audio and transcripts, messaging content, and technical identifiers.
- Special categories / sensitive data: depending on Customer’s configuration and use case, may include health information, financial information, government identifiers, and data relating to minors. Such data is processed only as needed to provide the Service and is subject to the safeguards in Annex II.
- Nature and purpose: hosting, capturing, qualifying, scoring, routing, storing, and following up on leads and records, and conducting voice, SMS, and email communications, in each case to provide the Service.
- Frequency: continuous, for the duration of the Subscription Term.
- Duration: for the term of the Agreement plus the retention and deletion periods described in the Privacy Policy.
C. Competent supervisory authority. Where the GDPR applies, the supervisory authority of the EEA member state in which the Customer (data exporter) is established, or its EU representative; governing law and forum for the SCCs are as provided in the SCCs and, absent a selection, Ireland.
/ A2
Annex II — Technical and organizational measures
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest using AES-256 or equivalent.
- Field-level encryption for designated sensitive fields such as government identifiers and financial account numbers.
- Access controls based on least privilege, with multi-factor authentication for administrative and engineering access.
- Logical isolation of customer workspaces, with automated isolation tests on each release.
- Audit logging of access and changes, with timestamps and actor identity.
- Secure development practices, code review, and dependency monitoring.
- Encrypted, tested backups with defined retention and restore procedures.
- Vendor and subprocessor security review, and regular third-party security assessments.
- Incident response procedures, including breach detection and notification.
/ A3
Annex III — Subprocessor categories
NorthernPlus engages Subprocessors in the following categories to provide the Service. A current list of specific Subprocessors is available on request from hello@northernplus.com.
- Cloud hosting and infrastructure.
- Voice telephony and call recording or transcription.
- Email and SMS message delivery.
- Payment processing.
- Authentication and identity.
- Product analytics and error monitoring.
- Customer support tooling.