Data Protection Regulation Addendum

Customers trust Conexa with their data, and we take that responsibility seriously. Security, privacy, and compliance are fundamental to the trust our customers place in our Service.

Conexa is committed to protecting customer data, reducing system vulnerabilities, and ensuring continuity of service. We apply industry-standard technologies, security practices, and operational controls to safeguard personal data from unauthorized access, disclosure, use, or loss.

This Data Protection Addendum (“Data Protection Addendum”) forms part of the Terms of Service available at myconexa.com, or any other written agreement entered into between Conexipro Ltd. (“Company”) and the customer (“Customer”) governing the use of Conexa (the “Services Agreement”).

This Data Protection Addendum supplements the Services Agreement and sets out the terms under which Company processes personal data on behalf of Customer in connection with the Services.

1. DEFINITIONS

1.1 “Data Protection Laws” means all applicable privacy and data protection laws and regulations in jurisdictions where Company operates, including where applicable:

• The General Data Protection Regulation (EU) 2016/679 (“GDPR”)
• The UK GDPR and UK Data Protection Act 2018
• The Swiss Federal Data Protection Act
• The California Consumer Privacy Act (“CCPA”)
• Other applicable national or regional privacy laws

1.2 “Personal Data,” “Processing,” “Data Controller,” “Data Processor,” “Data Subject,” and “Subprocessor” have the meanings given to them under applicable Data Protection Laws.

1.3 “Standard Contractual Clauses” means the controller-to-processor clauses approved by the European Commission under Article 46 of the GDPR, as updated or replaced from time to time.

2. SCOPE

2.1 Roles
For purposes of the Services, Customer acts as the Data Controller and Company acts as the Data Processor with respect to Personal Data processed on Customer’s behalf.

2.2 Subject Matter
Company processes Personal Data only as necessary to provide the Services, including contact management, enrichment, collaboration, analytics, and related features.

2.3 Duration
Processing continues for the duration of the Services Agreement, unless otherwise required by law.

3. DATA PROTECTION OBLIGATIONS

3.1 Processing Instructions
Company processes Personal Data only in accordance with Customer’s documented instructions and applicable Data Protection Laws. Company will not process Personal Data for its own purposes.

3.2 Scope of Processing
Company will process Personal Data only to the extent necessary to provide the Services and will not modify, delete, or restrict access to data except as instructed by Customer or required by law.

3.3 Security Measures
Company implements appropriate technical and organizational measures to protect Personal Data, including:

• Encryption in transit and at rest
• Access controls and authentication
• Secure cloud infrastructure
• Monitoring and incident detection
• Regular security reviews

These measures are designed to ensure confidentiality, integrity, availability, and resilience of processing systems.

3.4 Subprocessors
Company may engage trusted subprocessors to support the delivery of the Services. Company ensures that subprocessors are bound by data protection obligations equivalent to those set forth in this Addendum.

Company remains responsible for the performance of its subprocessors.

3.5 Personnel
Company ensures that personnel with access to Personal Data are subject to confidentiality obligations and receive appropriate security and privacy training.

3.6 Assistance
Company will reasonably assist Customer in meeting its obligations under Data Protection Laws, including responding to data subject requests, security incidents, and regulatory inquiries.

3.7 Data Retention
Company retains Personal Data only as long as necessary to provide the Services or comply with legal obligations. Upon termination of the Services, Personal Data will be deleted or returned at Customer’s request, subject to backup retention policies.

3.8 International Transfers
Personal Data may be processed in jurisdictions outside the Customer’s country. Where required, such transfers are governed by Standard Contractual Clauses or other lawful transfer mechanisms.

3.9 Audits
Upon reasonable request, Company will provide information necessary to demonstrate compliance with this Addendum.

4. SECURITY INCIDENTS

4.1 Notification
If Company becomes aware of a confirmed security incident involving Personal Data, Company will notify Customer without undue delay and provide relevant details, including:

• Nature of the incident
• Categories of affected data
• Mitigation steps taken

4.2 Mitigation
Company will investigate, contain, and remediate any security incident promptly and in accordance with applicable laws.

5. APPENDIX 1 – DATA PROCESSING DETAILS

Data Exporter: Customer
Data Importer: Conexipro Ltd.

Data Subjects:
• Customer users
• Customer contacts
• Individuals whose data is uploaded or captured through the Service

Categories of Personal Data may include:
• Name
• Email address
• Phone number
• Company name
• Job title
• Social profile links
• Contact notes and tags
• IP address and device data

Processing Activities:
• Contact capture and organization
• Data enrichment
• Collaboration and analytics
• System operations and support

6. APPENDIX 2 – TECHNICAL & ORGANIZATIONAL MEASURES

Company maintains an Information Security Management framework, including:

• Security policies and access controls
• Secure development practices
• Logging and monitoring
• Incident response procedures
• Encrypted infrastructure
• Backup and disaster recovery systems

Security practices are reviewed periodically and improved continuously.

7. APPENDIX 3 – SUBPROCESSORS

Company uses selected subprocessors to support infrastructure, analytics, communications, and service operations.

An up-to-date list of subprocessors is available upon request or published on the Company website.