Perceptyx Data Processing Addendum

Last updated: April 23, 2025

This Data Processing Addendum (“DPA”) by and between Perceptyx (as defined below) and Customer (as defined below) (each a “Party,” and collectively the “Parties”) on behalf of itself and as agent for its Authorized Affiliates (defined below), and forms part of the Agreement (defined below) between Perceptyx and Customer.

This DPA was last updated April 23, 2025. Perceptyx reserves the right to periodically modify this DPA upon written notice to Customer, and such modification will become effective upon renewal. Archived versions of the DPA are available here.

NOW, THEREFORE, in consideration of the mutual obligations hereto, the Parties enter into this DPA and agree that the terms of this DPA amends and supplements the Agreement, which shall remain in full force and effect except to the extent modified below.

1. DEFINITIONS

   The capitalized terms set forth in this Section will apply to this DPA. Capitalized terms used but not otherwise defined in this DPA will have the meanings as otherwise set forth in the Agreement.

   “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

   “Agreement” means the Master Services Agreement or other written or electronic agreement between the Parties for the purchase of the Software Services, and any Order Form(s), exhibits, schedules and amendments to any of the foregoing documents.

   “Authorized Affiliate” means an Affiliate of Customer that is authorized to use the Software Services pursuant to the Agreement (if any).

   “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, or as otherwise defined under applicable Data Protection Laws.

   “Customer” means the purchasing entity identified in the applicable Order Form(s).

   “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Perceptyx.

   “Data Protection Laws” means applicable data protection laws and regulations governing Perceptyx’s Processing of the Personal Data under the Agreement, including the General Data Protection Regulation (EU) 2016/679 and the implementing legislation of each EU member state, as amended (“GDPR”), the UK General Data Protection Regulation, as amended by the Data Protection Act 2018 (“UK GDPR”), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et seq., and its implementing regulations, as amended by the California Privacy Rights Act of 2020 (“CCPA”), the Swiss Federal Act on Data Protection of 1992, as amended (“FADP”), and Lei Geral de Proteção de Dados (Brazil’s General Data Protection Law),.

   “Data Subject” means an identified or identifiable natural person about whom certain Personal Data relates, or as otherwise defined under applicable Data Protection Laws.

   “Data Subject Access Request” means a request from or on behalf of a Data Subject regarding the Personal Data processed pursuant to the Software Services, including a request to exercise rights under the Data Protection Laws.

   “EU-US Data Privacy Framework,” “Data Privacy Framework,” or “DPF” means the data protection framework established between the European Union and the United States to allow U.S. entities to receive Personal Data from the European Union while ensuring that adequate privacy protections are in place, in accordance with European Union data protection laws.

   “Order Form(s)” means the document that sets forth the Software Services Customer is purchasing.

   “Perceptyx” means: (i) Perceptyx, Inc., a California corporation, if Customer’s contracting entity is located within North or South America, or (ii) Perceptyx BV, a Netherlands private limited company, if Customer’s contracting entity is located outside of North or South America.

   “Personal Data” means the following information, to the extent Processed by Perceptyx on behalf of Customer and any Authorized Affiliate, in order to perform the Software Services pursuant to the Agreement: (i) any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and (ii) other information defined as “personal data,” “personal information,” or other similar terms under applicable Data Protection Laws. “Personal Data” does not include anonymous data derived from the use of the Software Services, which does not directly or indirectly identify, and is not otherwise linked or linkable, to a particular Data Subject, or as otherwise defined under applicable Data Protection Laws.

   “Process(es)(ed)(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, or as otherwise defined under applicable Data Protection Laws.

   “Processor” means the entity that Processes Personal Data on behalf and under the instructions of the Controller, or as otherwise defined under applicable Data Protection Laws.

   “Restricted Transfer” means a transfer of Personal Data to or by Perceptyx or a Subprocessor, to a jurisdiction that is not recognized as providing an adequate level of protection for Personal Data by applicable Data Protection Laws, where such transfer would be prohibited by Data Protection Laws in the absence of registration with the Data Privacy Framework, or the execution of the Standard Contractual Clauses or UK Addendum, respectively, as applicable.

   “Software Services” means any solution hosted, supported, and licensed by Perceptyx as set forth in the applicable Order Form, including any related application programming interface (API).

   “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of data subjects, which have been approved by the European Commission as adducing adequate safeguards for Restricted Transfers, or any successor clauses thereto or alternative data transfer mechanisms recognized by the European Commission pursuant to Article 46 of the GDPR, or by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under other relevant Data Protection Laws and Regulations.

   “Subprocessor” means Perceptyx Affiliates and a third person or entity (excluding an employee of Perceptyx) appointed by Perceptyx or Perceptyx Affiliates that Process the Personal Data in accordance with this DPA.

   “Supervisory Authority” means (a) an independent public authority established by a Member State pursuant to Article 51 of the GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.

   “Swiss Restricted Transfer” means a transfer of Personal Data by Customer or any Customer Affiliate to Perceptyx or any Perceptyx Affiliate (or any onward transfer), in each case, where such transfer would be prohibited by the FADP in the absence of the protection for the transferred Personal Data provided by the SCCs, provided that such SCCs are subject to the Swiss Addendum set out in Annex 5 to this DPA.

   “Third Party Request” means any request, inquiry, or complaint received by Perceptyx from a Supervisory Authority or other third party regarding Personal Data, including any request to exercise rights under the Data Protection Laws, but not a Data Subject Access Request.

   "UK Addendum" means the International Data Transfer Addendum (Version B1.0 in force 21 March 2022) to the Standard Contractual Clauses, issued by the UK Information Commissioner’s Office (“ICO”) to provide appropriate safeguards for a UK Restricted Transfers, as set out in Annex 4 to this DPA.

   "UK Restricted Transfer” means a transfer of Personal Data by Customer or any Customer Affiliate to Perceptyx or any Perceptyx Affiliate (or any onward transfer), in each case, where such transfer would be prohibited by the UK GDPR in the absence of the protection for the transferred Personal Data provided by the SCCs, provided that such SCCs are subject to the UK Addendum set out in Annex 4 to this DPA.

2. PROCESSING OF PERSONAL DATA

   1. Scope and role of the Parties. This DPA applies to the processing of Personal Data by Perceptyx in the course of providing the Software Services under the Agreement. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer and/or the Authorized Affiliate(s) are the Controller(s), and Perceptyx is the Processor (or subprocessor where Customer and/or the Authorized Affiliate(s) are Processors(s)). Annex 1 to this DPA sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, and the categories of Personal Data and Data Subjects, as required by Article 28(3) of the GDPR.

   2. Perceptyx. Perceptyx will only Process Personal Data in accordance with the documented instructions of Customer and as set forth herein, or as otherwise required by applicable Data Protection Laws, in which case Perceptyx will, to the extent permitted by applicable law, inform Customer of the legal requirement before such Processing of Personal Data. Perceptyx will not Process the Personal Data for any purposes other than as specified in the Agreement and this DPA and will not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate Personal Data to any third party for monetary or other valuable consideration. Perceptyx certifies that that it understands the foregoing restrictions and will comply with them.

   3. Customer. Customer, on its own behalf and as agent for any Authorized Affiliate, hereby instructs Perceptyx and authorizes Perceptyx to instruct each approved Subprocessor to Process the Personal Data in order to provide the Software Services and perform Perceptyx’s obligations under the Agreement, including to respond to, complete, carry out or apply account settings and actions requested or initiated by Customer or Authorized Affiliates via the Software Services, to respond to customer service and support requests, to perform any necessary technical support, and as otherwise set forth in the Agreement, this DPA or other documented instructions of Customer.

   4. Compliance. The Parties will comply with their respective obligations under applicable Data Protection Laws. Without limiting the foregoing, Customer agrees that (a) Customer is solely responsible for providing the necessary notices to Data Subjects related to the Processing of Personal Data under this DPA and the Agreement; (b) Customer is solely responsible for obtaining, and providing evidence that it has obtained, any required consents from Data Subjects related to the Processing of Personal Data as contemplated in this DPA and the Agreement; and (c) Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. With respect to the instructions set forth in this Section 2, Customer represents and warrants that it is, and at all relevant times will remain, duly and effectively authorized to give such instruction and that such the instruction to Process the Personal Data will not violate applicable laws including the Data Protection Laws, or the instructions of any third party. Notwithstanding any other provision in the Agreement or herein to the contrary, Customer will indemnify, defend and hold harmless Perceptyx, its Affiliates and Subprocessors, from and against any and all liability or third party claims arising out of or relating to Customer or its Affiliate’s breach of this Section 2.

3. SUBPROCESSORS

   1. Use of Subprocessors. Perceptyx and Perceptyx Affiliates may appoint Subprocessors to Process Personal Data in accordance with this Section, and Perceptyx may engage any Perceptyx Affiliate as a Subprocessor to deliver some or all of the Software Services provided to Customer. Perceptyx and/or its Affiliates may (i) continue to use those Subprocessors currently in use as of the effective date of this DPA (as identified in Annex 1 to this DPA); and (ii) may engage other third parties and Subprocessors where Customer has requested Software Services that require the engagement of such third party or Subprocessor. Prior to any Processing by Subprocessor of Personal Data, Perceptyx will exercise appropriate care in appointing and overseeing authorized Subprocessors and will enter into contractual terms with authorized Subprocessors that include equivalent terms as applicable to Perceptyx under this DPA. Perceptyx will remain liable to Customer for the performance of the Subprocessors’ obligations.

   2. Appointment of New Subprocessors. Prior to Perceptyx and Perceptyx Affiliates appointing any Subprocessor not included in Annex 1, Perceptyx will provide Customer with notice and the opportunity to object based on reasonable grounds related to the protection of Personal Data; if within thirty (30) days of such notice, Customer has not notified Perceptyx in writing of its objection via the Perceptyx Subprocessor webpage below, Customer will be deemed to have agreed to the appointment of the new Subprocessor. Customer may access Perceptyx and/or Perceptyx Affiliates’ up-to-date list of Subprocessors and submit objections by visiting https://go.perceptyx.com/legal-perceptyx-sub-processors. If the Parties cannot reach a resolution within ninety (90) days from the date of Perceptyx’s receipt of Customer’s written objection, either Party may suspend or terminate, in accordance with the Agreement, the applicable portion of the Software Services that cannot be provided by Perceptyx without use of the objected-to Subprocessor and without prejudice to any fees incurred by Customer prior to such suspension or termination.

   3. Emergency Appointment. Perceptyx and Perceptyx Affiliates may replace or appoint a Subprocessor without advance notice where prompt replacement is required for security or other urgent reasons. In such case, Perceptyx will inform Customer of the replacement Subprocessor as soon as possible following its appointment. Section 3.2 applies accordingly.

4. COOPERATION BY PERCEPTYX

   1. Data Subject Access Requests. If Perceptyx receives a Data Subject Access Request Perceptyx will, unless prohibited from doing so by applicable laws: (a) promptly notify Customer of such Data Subject Access Request; and (b) not respond to such Data Subject Access Request, except on the documented instructions of Customer or as required by applicable Data Protection Laws. For the avoidance of doubt, Customer is responsible for responding to Data Subject Access Requests. Upon request, Perceptyx will provide reasonable assistance as necessary to enable Customer to respond to a Data Subject Access Request as required by applicable Data Protection Laws.

   2. Third Party or Government Requests. If Perceptyx receives a Third Party Request, Perceptyx will, unless prohibited from doing so by applicable laws: (a) promptly notify Customer of such Third Party Request and (b) not respond to such Third Party Request, except on the documented instructions of Customer or as required by applicable laws, in which case Perceptyx will to the extent permitted by such applicable laws provide prior notice to Customer of such legal requirement prior to responding to such Third Party Request. Upon request, Perceptyx will provide reasonable assistance to enable Customer to seek to limit, quash or respond to such Third Party Request.

   3. Consultations and Data Protection Impact Assessments. Upon request and subject to the information available to Perceptyx, Perceptyx will cooperate and provide commercially reasonable efforts to assist Customer with any data protection impact assessments and any prior consultations with any Supervisory Authority, which are required under applicable Data Protection Laws.

   4. Reimbursement. Customer will reimburse Perceptyx in full for all extraordinary costs, as reasonably determined by Perceptyx, reasonably and properly incurred by Perceptyx in fulfilling Customer’s discretionary requests related to Perceptyx’s performance under this Section 4, including internal costs and third-party costs, including legal fees. For the avoidance of doubt, costs incurred by Perceptyx in complying with applicable law are not subject to reimbursement.

5. COOPERATION BY PERCEPTYX

   1. Customer is responsible to ensure that the transfer of personal data out of the jurisdiction it originated to Perceptyx complies with applicable Data Protection Law (“Legal Basis for Transfer”). Perceptyx maintains registration with the EU-US Data Privacy Framework. The Parties agree that the Data Privacy Framework will apply to any Personal Data that is transferred outside the EEA, UK, or Swiss territories. Each Party agrees to comply with the principles of the Data Privacy Framework as may be further outlined in Annex 3. Should the Data Privacy Framework not apply or ever be invalidated, the Parties agree the Standard Contractual Clauses, as further outlined this section and in Annex 3, will apply to Personal Data that is transferred outside the EEA, UK, or Swiss territories, either directly or via onward transfer, to any country not recognized by the European Commission as providing as adequate level of protection for personal data (as described by the GDPR).

   2. Customer for itself and each Authorized Affiliate as relevant (each a “Data Exporter”) and Perceptyx for itself and its Affiliates as relevant, (each a “Data Importer”) hereby enter into the:

      1. SCCs as set forth in Annex 3 to this DPA, in respect of any Restricted Transfer, which will take effect upon the commencement of a Restricted Transfer by the Data Importer and Data Exporter. Appendix 1 to the SCCs shall be deemed to be pre-populated with the relevant sections of Annex 1 to this DPA and the processing operations are deemed to be those described in the Agreement. Annex 2 to the SCCs shall be deemed to be pre-populated with the relevant sections of Annex 2 to this DPA; and

      2. UK Addendum as set forth in Annex 4 to this DPA, in respect of any UK Restricted Transfer, which will take effect upon the commencement of a UK Restricted Transfer by the Data Importer and Data Exporter. By accepting the SCCs, the Parties agree and accept the UK Addendum, as applicable.

      3. Swiss Addendum as set forth in Annex 5 to this DPA, in respect of any Swiss Restricted Transfer, which will take effect upon the commencement of a Swiss Restricted Transfer by the Data Importer and Data Exporter. By accepting the SCCs, the Parties agree and accept the Swiss Addendum, as applicable.

   3. To the extent Data Protection Laws other than the GDPR or UK GDPR apply to a Restricted Transfer, the Data Importer(s) will comply mutatis mutandis with terms of the Standard Contractual Clauses, as applicable to the Data Importer, the terms ‘Member State’ and ‘State’ are replaced throughout by the word “jurisdiction,” and “supervisory authority” will mean the relevant data protection regulator or other government body with authority to enforce Data Protection Laws.

6. COOPERATION BY PERCEPTYX

   1. Notification Term. Perceptyx will notify the Customer without undue delay after becoming aware of a Data Breach of Personal Data.

   2. Breach Information. Perceptyx will, at the time of the notification or as soon as reasonably possible thereafter, provide the Customer with available information to reasonably assist Customer to meet any obligations to report a Data Breach under applicable Data Protection Laws. Perceptyx will co-operate with Customer and take such reasonable steps as are agreed in good faith by the Parties to assist in the investigation, mitigation and remediation of each Data Breach. To the extent that Customer is responsible for a Data Breach, Customer will reimburse Perceptyx for all costs reasonably and properly incurred by Perceptyx performing its obligations under this Section, including internal costs and third-party costs, including legal fees.

7. SECURITY

   1. Perceptyx will take appropriate steps to ensure the reliability of any employee, agent, contractor or any other person who may have access to the Personal Data, ensuring that such individuals are subject to confidentiality obligations or professional or statutory obligations of confidentiality.

   2. Perceptyx will implement and maintain appropriate technical and organizational measures, as set forth in Annex 2 to this DPA, which are designated to provide a level of security appropriate to the risks presented by the Processing of the Personal Data, in particular from a Data Breach, and meet the requirements set forth in this DPA and by Data Protection Laws applicable to Perceptyx.

8. DELETION OF PERSONAL DATA

   1. Except to the extent prohibited by applicable laws, Perceptyx will securely delete the Personal Data (a) as set forth in the Agreement, or (b) to the extent not otherwise set out in the Agreement, within 90 days after the termination or expiration of the Agreement. Upon request, Perceptyx will confirm in writing to Customer that the Personal Data has been deleted in accordance with this DPA.

   2. If Perceptyx is required by applicable laws to retain any Personal Data, Perceptyx will take steps to (a) ensure the continued confidentiality and security of the Personal Data; (b) securely delete or destroy the Personal Data when the legal retention period has expired; and (c) not actively Process the Personal Data other than as needed for to comply with such applicable laws.

9. AUDIT

   1. Audit Reports. Customer agrees that Perceptyx’s then-current SOC 2 Type 2 audit reports (or comparable industry standard reports) and/or Perceptyx’s ISO 27001 Certification will be used to satisfy any audit or inspection request by or on behalf of Customer. Upon Customer’s written request and at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Perceptyx will make available a copy of the most recent certifications and reports, as applicable.

   2. Regulator Assistance. In the event that Customer, a regulator, or data protection or Supervisory Authority requires additional assistance or information, including information or an audit related to the Services necessary to demonstrate compliance with this DPA, such information, contribution and/or audit will be made available, provided Parties reach prior written agreement on scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit Perceptyx to unreasonably delay performance of the audit in accordance with applicable Data Protection Laws.

10. AUTHORIZED AFFILIATES

    1. Authorized Affiliates. Parties acknowledge and agree that, by entering into an agreement incorporating this DPA, (i) Customer enters into this DPA on behalf of itself and as agent for any Authorized Affiliate and (ii) the Parties are deemed to be signing and executing the applicable Standard Contractual Clauses and applicable appendices and annexes in their entirety as of the same date hereof. Customer represents and warrants that it has the authority and right to enter into this DPA and to instruct Perceptyx to Process the Personal Data as set forth hereunder, on behalf of itself and the Authorized Affiliate(s). All access to and use of the Software Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA, and any violation of the terms and conditions of the Agreement by an Authorized Affiliate will be deemed a violation by Customer.

    2. Communication. Customer is responsible for coordinating all communication with Perceptyx on behalf of its Authorized Affiliates with regard to this DPA. Customer represents that it is authorized to issue instructions as well as make and receive any communications or notifications in relation to this DPA on behalf of its Authorized Affiliates.

11. AUTHORIZED AFFILIATES

    1. Termination. The term of this DPA will end simultaneously and automatically with the termination of the Agreement, unless renewed or otherwise extended by the Parties in writing, provided that termination or expiration of this DPA shall not discharge the Parties from their obligations meant to survive the termination or expiration of this DPA.

    2. Conflict. This DPA supersedes any prior data processing agreements, data processing addenda or other terms addressing the subject matter of this DPA, between the Parties. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA will prevail with regard to the Parties’ data protection obligations or the subject matter herein. In the event of inconsistencies between the provisions of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

    3. Governing Law. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses, the Parties hereby agree to submit to the choice of jurisdiction and venue set forth in the Agreement, with respect to any disputes or claims arising under this DPA.

    4. Limitation of Liability. Notwithstanding anything to the contrary, the aggregate liability of Perceptyx arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations on liability in the Agreement.

    5. Changes in Data Protection Law. If any variation is required to this DPA (including the Standard Contractual Clauses) as a result of a change in Data Protection Laws, either Party may provide written notice to the other Party of that change in Data Protection Law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes. The Parties acknowledge that substantial changes to a Party’s obligations may be subject to changes in Fees for the Services or may not be able to be provided. For example, a data protection law in a country that would require Customer Data to be stored physically separate from other third-party data, or to be stored and processed solely on servers physically located in such country.

    6. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Download PDF