Couchdrop GDPR Data Processing Addendum
This Data Processing Addendum (the Addendum) forms part of the Couchdrop Terms and Conditions [https://couchdrop.io/privacy/tos]
(and any ancillary or related documentation), as updated or amended from time to time (the
Agreement), between you, the Customer (as defined below) and Couchdrop. All capitalized terms not
defined in this Addendum have the meaning set out in the Agreement.
This Addendum only applies if and to the extent Couchdrop processes personal data on behalf of a
Customer that qualifies as a controller with respect to that personal data under Applicable Data
Protection Law (as defined below). If the Customer had entered earlier data processing terms with
Couchdrop, those terms are replaced by this Addendum.
1. Data Protection
In this Addendum, the following terms have the following meanings:
a) controller, processor, data subject, personal data, processing (and process) and special
categories of personal data have the meanings given in Applicable Data Protection Law
b) Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation
2016/679) (the GDPR) and any applicable national laws made under the GDPR
c) Customer has the same meaning as ‘you’ in the Couchdrop Terms and Conditions
1.2 Relationship of the parties
The Customer (the controller) appoints Couchdrop as a processor to process the personal data
described in Annex A (the Data) only on the controller’s documented instructions (and as per the
terms set out in this Addendum) for the purposes described in the Agreement or as otherwise agreed
in writing by the parties (the Permitted Purpose). Each party must comply with the obligations that
apply to it under Applicable Data Protection Law.
1.3 Prohibited data
Unless explicitly requested by Couchdrop to do so, the Customer will not disclose (and will not
permit any data subject to disclose) any special categories of personal data to Couchdrop for
1.4 International transfers
Couchdrop will not transfer the Data outside of the European Economic Area (EEA) unless it has taken
such measures as are necessary to ensure the transfer follows Applicable Data Protection Law. Such
measures may include (without limitation) transferring the Data to a recipient in a country that the
European Commission has decided provides adequate protection for personal data (e.g., United States
of America), to a recipient in the United States that has certified its compliance with the EU-US
Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved
by the European Commission.
1.5 Confidentiality of processing
Couchdrop will ensure that any person it authorizes to process the Data (an Authorized Person) will
protect the Data in accordance with Couchdrop’s confidentiality obligations under the Agreement.
Couchdrop will implement technical, organizational and governance measures which may be amended and
updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii)
loss, alteration, unauthorized disclosure of, or access to the Data (a Security Incident).
1.7 Third Parties
The Customer consents to Couchdrop engaging third parties to process the Data for the Permitted
Purpose provided that:
a) Couchdrop maintains an up-to-date list of its third parties, which is available on its website at
under Couchdrop’s GDPR page, which it will update with details of any change in third parties at
least 7 days prior to the change;
b) Couchdrop levies data protection terms on any third party it appoints that rely on its own
standards to protect the Data to the standard required by Applicable Data Protection Law; and
c) Couchdrop remains liable for any breach of this Addendum that is caused by an act, error or
omission of its third party. The Customer may object to Couchdrop’s appointment or replacement of a
third party prior to its appointment or replacement, provided such objection is based on reasonable
grounds relating to data protection. In such an event, Couchdrop will either not appoint or replace
the third party or, if Couchdrop determines at its sole discretion that this is not reasonably
possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to
any fees incurred by the Customer up to and including the date of suspension or termination).
1.8 Cooperation and data subjects' rights
Couchdrop will provide reasonable and timely assistance to the Customer (at the Customer’s expense)
to enable the Customer to respond to:
a) any request from a data subject to exercise any of its rights under Applicable Data Protection
b) any other correspondence, enquiry or complaint received from a data subject, regulator or other
third party in connection with the processing of the Data. If any such request, correspondence,
enquiry or complaint is made directly to Couchdrop, Couchdrop will promptly inform the Customer,
providing full details.
1.9 Data Protection Impact Assessment
If Couchdrop believes or becomes aware that its processing of the Data is likely to result in a high
risk to the data protection rights and freedoms of data subjects, it will inform the Customer and
provide reasonable cooperation to the Customer in connection with any data protection impact
assessment that may be required under Applicable Data Protection Law.
1.10 Security incidents
If it becomes aware of a confirmed Security Incident, Couchdrop will inform the Customer without
undue delay and will provide reasonable information and cooperation to the Customer so that they can
fulfil any data breach reporting obligations they may have under (and in accordance with the
timescales required by) Applicable Data Protection Law. Couchdrop will further take reasonably
necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep
the Customer informed of all material developments in connection with the Security Incident.
1.11 Deletion or return of Data
Couchdrop will retain the Data for a period of 3 months after a subscription is terminated in case
the Customer later needs access to it. On expiry of this period or on the Customer’s earlier
request, Couchdrop will delete, with no charge, or return the Data, at a cost to the Customer, in a
manner and form decided by Couchdrop, acting reasonably. This requirement will not apply to the
extent that Couchdrop is required by applicable law to retain some or all of the Data, or to Data it
has archived on back-up systems, which Data Couchdrop shall securely isolate and protect from any
Annex A – Data Processing Schedule
1. Subject Matter and Duration of Processing of Personal Data
The subject matter of personal data to be processed is that of the contacts of the Customer entered
by or at the election of the Customer into the Couchdrop platform.
The duration of processing personal data shall be for as long as we have a business relationship
with the Customer, and at the end of that relationship, we will act in accordance with clause 1.11
regarding deletion or return of such personal data.
2. Nature and Purpose of Processing Personal Data
The nature and purpose of processing personal data is to enable the functionality of the Couchdrop
Platform as set out in the Agreement and related documentation.
3. Types of Personal Data Processed
The types of personal data processed include:
- contact details
- identification details (e.g., tax registration numbers)
- other personal data types for use on the Couchdrop platform
4. Categories of Data Subjects
The categories of data subjects include:
- suppliers / service providers of Customer
- customers / clients of Customer
- employees / contractors of Customer
- other contacts of the Customer