Data processing addendum.
These are our contractual data protection terms with clients. They form part of the engagement and are designed to satisfy Article 28 of the UK and EU GDPR.
Plain-English summary. When Tackt processes personal data about your own staff (and any data you give us that relates to identifiable people within your client base), we act as your processor. This addendum sets out what we will and will not do with that data, how we secure it, who our sub-processors are, and what happens at the end of the engagement.
Note on prospect data: data we gather independently about firms you ask us to approach is processed by Tackt as a controller, not as your processor, and is governed by our privacy policy.
1. Definitions
Capitalised terms not defined here have the meanings given to them in the UK GDPR and the EU GDPR. “Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679), PECR, the ePrivacy Directive as implemented, the Maltese Data Protection Act, and any other equivalent law applicable to the processing.
2. Roles & scope
- Where Tackt processes Personal Data on the Client’s behalf (for example, Client staff contact details, or Client-supplied data about identifiable individuals), the Client is the Controller and Tackt is the Processor.
- Where Tackt independently collects Personal Data about prospects from public and licensed sources in order to identify firms to approach, Tackt is a Controller for that data and its own legitimate interests analysis, privacy notice and retention schedule apply.
- The subject-matter, duration, nature, purpose, types of Personal Data and categories of data subjects are set out in Annex 1.
3. Processor obligations
When acting as Processor, Tackt will:
- Process Personal Data only on the Client’s documented instructions, including as set out in the order form, this addendum, and any written updates from the Client, except where we are required by law to do otherwise (in which case we will tell the Client, unless the law prohibits it);
- Ensure anyone authorised to process the Personal Data is under a duty of confidentiality;
- Implement the technical and organisational measures set out in Annex 2;
- Only engage sub-processors in accordance with section 4;
- Assist the Client, taking into account the nature of the processing, in responding to data subject rights requests;
- Assist the Client in complying with its obligations under Articles 32 to 36 of the UK/EU GDPR (security, breach notification, DPIAs, prior consultation);
- At the Client’s choice, delete or return all Personal Data at the end of the engagement (see section 10);
- Make available to the Client the information necessary to demonstrate compliance, and allow for audits in accordance with section 9;
- Tell the Client without delay if, in our opinion, an instruction infringes Applicable Data Protection Law.
4. Sub-processors
- The Client gives Tackt general authorisation to engage sub-processors, subject to this section.
- Our current sub-processors are listed in Annex 3.
- We will give the Client at least 30 days’ notice before adding or replacing a sub-processor, by email to the contact on file and/or a published update to the list. The Client may object on reasonable data-protection grounds within that period; the parties will discuss in good faith, and if no resolution is reached the Client may terminate the part of the service affected.
- We flow down equivalent data protection obligations to every sub-processor and remain liable to the Client for their acts and omissions.
5. International transfers
- Tackt is established in Malta. Personal Data may be processed in Malta, the United Kingdom, the European Economic Area, or by sub-processors in the United States and elsewhere.
- For any restricted transfer, we rely on an adequacy decision where available, or on Standard Contractual Clauses (in the European Commission’s 2021 form) and the UK International Data Transfer Addendum, backed by a transfer impact assessment and appropriate supplementary measures.
- The Client mandates Tackt to conclude SCCs with sub-processors on its behalf for this purpose.
6. Security
Tackt will implement and maintain the measures set out in Annex 2, which are appropriate to the risk, and will keep them under review as threats and technology evolve.
7. Breach notification
Tackt will notify the Client without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data breach affecting the Client’s data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
8. Data subject rights
Tackt will assist the Client with requests from data subjects to exercise their rights, including by (a) promptly forwarding any request we receive that relates to the Client’s Controller role, and (b) providing reasonable technical assistance to the Client in responding.
9. Audits
- Tackt will make available to the Client information necessary to demonstrate compliance with this addendum, including summary reports of our security posture.
- On written request no more than once per year (or more often if required by a supervisory authority or following a confirmed incident), the Client may carry out a reasonable audit, by itself or through an independent auditor bound by confidentiality.
- The Client will provide reasonable notice, conduct audits during business hours, and take reasonable steps to avoid disruption. The Client will bear its own audit costs.
10. Term & end-of-engagement
This addendum applies for as long as Tackt processes Personal Data on the Client’s behalf. Within 30 days of the end of the engagement, Tackt will, at the Client’s written choice, delete or return all Personal Data it processes as Processor, and delete existing copies, except to the extent retention is required by law. Where deletion from backup media is not technically possible, we will keep the data isolated and protected and delete it on the next backup cycle.
Annex 1 — details of processing
- Subject matter
  - Provision of a human-reviewed new-client introduction service.
- Duration
  - For the term of the engagement plus a limited period for reporting, billing and legal obligations.
- Nature & purpose
  - Storing Client-supplied contact details; sending messages at the Client’s instruction; handling replies; producing reports.
- Categories of data subject
  - Client’s staff; Client’s billing contacts; if the Client provides existing contact lists, individuals on those lists (business contacts only).
- Types of Personal Data
  - Name, work email, work phone, job title, employer, business correspondence, interaction records. No special category data, no children’s data, no financial account data.
- Frequency of transfer
  - Continuous, for the duration of the engagement.
- Retention
  - As set out in section 10 and the Tackt privacy policy.
Annex 2 — technical & organisational measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest for production data stores.
- Access control: role-based, least-privilege, individual accounts, MFA on all admin systems, audit logging retained for at least 12 months.
- Network & endpoint: production isolated from general office network; endpoint management with full-disk encryption on all staff devices.
- Software supply chain: dependency scanning, quarterly penetration testing by a reputable third party once we exceed [N] clients.
- Backups: encrypted daily, tested quarterly, geographically separated.
- Personnel: background checks; written confidentiality undertakings; annual data protection training.
- Vendor management: written due diligence and DPA before onboarding any processor.
- Incident response: documented playbook, on-call rota, 48-hour client notification SLA.
- Business continuity: infrastructure-as-code, documented recovery procedures, RPO 24h, RTO 48h.
Annex 3 — sub-processors (current)
- Hosting / compute
  - [HOSTING PROVIDER] — [COUNTRY/REGION] — application and database hosting.
- Email sending infrastructure
  - [ESP] — [COUNTRY/REGION] — transactional and outbound email delivery.
- CRM / workflow
  - [CRM] — [COUNTRY/REGION] — reply handling and client reporting.
- Analytics
  - [ANALYTICS] — [COUNTRY/REGION] — website analytics, no tracking cookies.
- Business productivity
  - [GOOGLE WORKSPACE / M365] — [COUNTRY/REGION] — email, documents, calendars.
- Accounting / billing
  - [ACCOUNTING TOOL] — [COUNTRY/REGION] — invoicing and bookkeeping.
- Professional advisers
  - Legal, accounting and data protection advisers, under professional duties of confidentiality.
An up-to-date version of this list is available on request from privacy@tackthq.com.
For your solicitor. Before this DPA is put in front of a client, fill in the bracketed sub-processors with the ones you actually use, confirm the Annex 2 measures match reality, and have a Maltese-qualified data protection adviser confirm the wording of section 5 (international transfers) reflects the current state of UK-EU adequacy and the IDTA form we rely on.