Datasert Data Processing Addendum (DPA)

Roles of the Parties

Scope of Processing

Datasert provides tools that primarily connect to Salesforce to query, export, and process data. Customer determines what data is accessed and how it is used. Processing details are described in Appendix A.

Customer Instructions

Customer instructs Datasert to process Personal Data solely as necessary to provide the Services under the Agreement, including to connect to Salesforce, run queries, generate exports, and perform processing actions initiated by Customer or Authorized Users. Customer may also direct exports to third-party services (see Section 12).

Datasert Obligations

• process Personal Data only on documented instructions from Customer;
• ensure persons authorized to process Personal Data are bound by confidentiality;
• take appropriate measures to help secure Personal Data (see Section 5);
• assist Customer, as reasonably requested and taking into account the nature of processing, in meeting Customer’s obligations under applicable data protection law;
• notify Customer if Datasert believes an instruction violates applicable law.

Security Measures

Datasert will maintain appropriate administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Personal Data. Measures may include access controls, logging/monitoring, encryption in transit where supported, vulnerability management, and secure development practices. Datasert will not materially reduce the overall security of the Services during the Subscription Period.

Sub-processors

Customer authorizes Datasert to engage Sub-processors as listed in Appendix B. Datasert will impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA.

Datasert may update its Sub-processor list from time to time. Where required by applicable law, Datasert will provide reasonable notice (posted in the DPA page) of material changes and Customer may object on reasonable data protection grounds.

Data Subject Requests

To the extent Customer receives a request from a data subject to exercise rights (access, deletion, rectification, etc.), Customer is responsible for responding. Datasert will provide reasonable assistance, as appropriate and legally permitted, taking into account the nature of processing and available information.

Security Incidents

Datasert will notify Customer without undue delay after becoming aware of a confirmed Personal Data breach (a “Security Incident”) affecting Customer Data. Datasert will provide information reasonably necessary to help Customer meet its notification obligations and will take reasonable steps to contain and remediate the incident.

International Transfers

If applicable law requires a lawful transfer mechanism for cross-border transfers of Personal Data (e.g., SCCs), the parties will implement such mechanism to the extent required for the Services.

Desktop Products

For Datasert desktop products, the Services are designed so that Salesforce data accessed via the product is processed locally on the user’s machine and is not sent to Datasert systems, except where Customer explicitly enables features that require network transmission (if any) or where required to provide support requested by Customer.

Online Products and Storage

For Datasert online products, Customer may choose to store Salesforce data within the Services through explicit Customer action (for example, saving exports, snapshots, or job outputs). Where stored, Datasert will retain such data only as necessary to provide the functionality selected by Customer and may periodically clean up stored data in accordance with product retention settings or published policies.

Customer remains responsible for deciding what Salesforce data to store and for configuring retention and access controls where such settings are available.

Customer-Directed Exports

Customer may direct the Services to export Salesforce data to third-party services (for example, Google Sheets or Microsoft Office 365). Such exports are initiated by Customer, and Customer is responsible for ensuring it has the necessary rights, consents, and agreements with the applicable third-party provider. Datasert is not responsible for third-party services’ security, privacy, or data practices.

Return and Deletion

Upon termination or expiration of the Agreement, Datasert will, upon Customer’s request and where applicable, make Customer Data available for export for a limited period (if supported by the Services). Thereafter, Datasert will delete or anonymize Customer Data from its systems in accordance with the retention periods set forth below, unless retention is required by law.

Audits and Compliance

Upon reasonable request, Datasert will provide Customer with information reasonably necessary to demonstrate compliance with this Data Processing Addendum, such as security documentation, policies, or third-party audit reports where available, subject to confidentiality obligations.

Any on-site audit must be mutually agreed in advance, limited in scope, conducted during normal business hours, and no more than once annually, unless otherwise required by applicable law or following a Security Incident.

Operational Impact. Any audit shall be conducted in a manner that does not unreasonably interfere with Datasert’s business operations, security, or obligations to other customers.

Priority and Terms

In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA will control. All other terms of the Agreement remain unchanged.

Appendix A — Processing Details

Contact

Appendix B — Sub-processors

The sub-processors listed below are authorized to process Customer Data (including Personal Data, if applicable) for the limited purposes described. Datasert will maintain written agreements with sub-processors that are no less protective than the obligations in the DPA.