2025 Rev 2 - May 2025
1. Background
1.1 In the course of performance of the Services, Natterbox will process Relevant Personal Data and the Parties agree that the terms of this Addendum shall govern such Processing.
1.2 This Addendum forms part of and is incorporated into the Master Agreement (as defined below) entered into between Natterbox and the Client on the Effective Date.
1.3 The terms of the Master Agreement apply in full to this Addendum, however in case of any conflict or inconsistency between the terms of this Addendum and the Master Agreement, the terms of this Addendum shall take precedence.
2. Definitions
2.1 In this Addendum, unless the context otherwise requires, the following terms shall have the following meanings:
2.2 Any other capitalised terms used in this Addendum shall have the same meaning as defined in the Master Agreement.
3. General
3.1 In respect of Relevant Personal Data, each Party shall (and shall ensure that their personnel shall) cooperate with the other Party and provide such information and assistance as the other Party may reasonably require to enable that Party:
3.1.1 to comply with their obligations under Data Protection Laws;
3.1.2 to deal with and respond to any Enquiry; and
3.1.3 to demonstrate the Party's compliance with this Addendum and clause 7 of the Master Agreement.
3.2 If a Party receives an Enquiry which relates directly to its sharing of Relevant Personal Data pursuant to this Agreement, or to the other Party’s compliance with any Data Protection Laws, it shall notify the other Party if legally permissible as soon as reasonably practicable.
3.3 Subject to paragraph 3.2, no Party shall take any action in relation to any Enquiry where it relates to the other Party’s Processing of Relevant Personal Data as a Data Controller without prior written notice to the other Party and providing the other Party with a reasonable opportunity to contribute to the response to mitigate the impact of the action on the other Party.
3.4 Except as provided otherwise in this Addendum, any request to Natterbox under this Addendum shall be made to privacy@natterbox.com.
4. Data Processor obligations
4.1 To the extent that Natterbox Processes any Client Personal Data on behalf of Client, each Party shall comply with its respective obligations set out in this paragraph 4.
4.2 Natterbox shall process Client Personal Data only upon Client’s lawful written instructions exclusively set out in the Master Agreement unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, Natterbox shall notify Client of the relevant legal requirement before processing the relevant Client Personal Data). Such Processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes and durations set out in Annex A of this Addendum.
4.3 Client provides Natterbox general authorisation for the engagement of sub-processors from an agreed list. Sub-processors perform the Services as defined in Annex A to this Addendum including any suppliers, advisors, contractors and auditors. Natterbox shall maintain a list of all current Sub-processors at https://docs.natterbox.com/docs/natterbox-sub-processors. If Client supplies a relevant nominated email address, Natterbox will also notify Client of proposed changes by email to the Client-nominated email address twenty-one (21) days prior to the engagement of a new or replacement Sub-processor. Client can inform Natterbox of such email addresses by email to compliance@natterbox.com. If a change of Sub-processor is likely to cause material detriment to Client, Client may object (in writing to the relevant address for notices set out in the Master Agreement or email to legal@natterbox.com) within ten (10) business days with documented reasons, provided that such objection must be on reasonable, substantial grounds, directly related to such new Sub-Processor's ability to comply with substantially similar obligations to those set out in this Addendum. If the Parties are unable to come to a resolution within thirty (30) days after such notice of objection, then Client may, by thirty (30) days' notice in writing to Natterbox, terminate those Services which cannot be provided by Natterbox without the use of the new or replacement Sub-processor in accordance with the Master Agreement. If Client does not so object, the engagement of the new Sub-Processor shall be deemed accepted by Client.
4.4 Natterbox shall only share Client Personal Data with Sub-processors or transfer Client Personal Data to any country outside the European Economic Area and/or the United Kingdom, provided that:
4.4.1 Natterbox procures that GDPR requirements applicable in respect of any such transfer are complied with including, where applicable, that such transfer is subject to International Data Transfer Agreements approved by the UK Information Commissioner's Office, and EU Standard Contractual Clauses, for the transfer of Personal Data to Data Processors established in third countries; and
4.4.2 Natterbox ensures that any Sub-processor is under substantially similar data protection obligations as between Natterbox and Client as set out in this Addendum.
4.5 Client acknowledges and agrees that for compliance with paragraph 4.4.1, Natterbox will enter into UK Information Commissioner's Office International Data Transfer Agreements and EU Standard Contractual Clauses with sub-processors when required.
4.6 Appointment of any Sub-processor by Natterbox shall not relieve Natterbox of any of its liabilities, responsibilities or obligations to Client under this Addendum and Natterbox shall remain liable for the acts and omissions of its Sub-processors.
4.7 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, Natterbox shall implement technical and organisational measures and procedures to ensure a level of security for Client Personal Data appropriate to the risk as required by the GDPR, in particular to safeguard Client Personal Data against any unlawful or unauthorised: access, loss, destruction, theft, use or disclosure.
4.8 Natterbox shall take reasonable steps to ensure that its employees who are authorised to have access to Client Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when Processing Client Personal Data.
4.9 Natterbox shall make available to Client information necessary to demonstrate compliance with its obligations under this Addendum, and allow Client to conduct an audit of Natterbox's compliance with its obligations under this Addendum, subject to the following requirements:
4.9.1 Client may perform such audits once per year, or more frequently if required by the Data Protection Laws applicable to the Client;
4.9.2 Client may use a third party to perform the audit on its behalf, provided that such third party executes a confidentiality agreement acceptable to Natterbox before the audit;
4.9.3 audits must be conducted during regular business hours, subject to Natterbox's policies, and may not unreasonably interfere with Natterbox's business activities;
4.9.4 Client must provide Natterbox with any audit reports generated in connection with any audit at no charge unless prohibited by law. Client may use the audit reports only for the purposes of meeting its audit requirements under applicable Data Protection Laws and/or confirming compliance with the requirements of this Addendum. The audit reports shall be confidential;
4.9.5 to request an audit, Client must first submit a detailed audit plan to Natterbox at least 6 weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, requirements, form and start date of the audit. Natterbox will review the audit plan and inform Client of any concerns or questions (for example, any request for information that could compromise Natterbox's confidentiality obligations or its security, privacy, employment or other relevant policies). Natterbox will work cooperatively with Client to agree a final audit plan;
4.9.6 nothing in this clause 4.9 shall require Natterbox to breach any duties of confidentiality owed to any of its clients or employees; and
4.9.7 all audits are at Client's sole cost and expense.
4.10 Natterbox shall inform Client without undue delay upon becoming aware of any Personal Data Breach in respect of Client Personal Data whilst within Natterbox’s or any of its Sub-processors' possession or control.
4.11 Subject to paragraph 4.12, and except as required by applicable law or in order to defend any actual or possible legal claims, on termination of the Master Agreement, Natterbox shall, as Client so directs, either return to Client all Client Personal Data and copies thereof in its possession; or delete applicable Client Personal Data as soon as practicable.
4.12 Natterbox will cooperate with all valid and lawful requests by a Data Subject to exercise its rights as detailed in the GDPR or other applicable Data Protection Laws in respect of Client Personal Data and where such requests are sent directly to Natterbox rather than Client, Natterbox shall redirect the Data Subject to submit their request to Client as soon as reasonably practicable.
4.13 Notwithstanding any other provision of the Master Agreement or this Addendum, Client acknowledges and agrees that: (a) as a registered telecommunications operator, Natterbox is subject to national and international telecommunications laws and regulations that require certain Relevant Personal Data such as Client records and Call Logs to be maintained for security and regulatory purposes; and (b) accordingly Natterbox shall not be obliged to comply with Client or Data Subject deletion requests in these circumstances.
5. Artificial Intelligence
5.1 Natterbox processes AI Data to provide AI Services as described in the Master Agreement or any applicable service-specific terms.
5.2 Client grants Natterbox the right to process AI Data for the purpose of providing AI Services.
5.3 Responses, feedback and data derived from the use of the AI Services are used to reinforce and enhance Natterbox’s AI models and technologies, provided such data is anonymised, aggregated and unidentifiable.
5.4 Natterbox will design products to comply with the EU AI Act and other AI Regulations where applicable.
5.4.1 Applicability of the AI Act depends on the use case and the geographical location of the Client's users.
5.4.2 Natterbox will take reasonable steps to ensure that AI Services comply with the AI Act when used in the European Union.
5.4.3 Client agrees that their use of Natterbox AI products must be in line with applicable AI Regulations, depending on geographical locations of use and data types processed across the platform.
5.5 Client is responsible for ensuring that it has the right to provide AI Data to Natterbox.
5.6 AI Output is provided "as is" and Natterbox does not guarantee the accuracy, completeness, or suitability of AI Output for any particular purpose.
5.7 Due to the nature of AI technology, AI Services may generate unexpected or inaccurate results; Client is responsible for verifying the accuracy of AI Output before relying on it.
5.8 For further details on data processing and storage locations, and use of AI Data please see here:
https://docs.natterbox.com/docs/international-data-flows-and-transfers
Annex A - Data Processing Details
In this addendum, "Operational Call Logs" and "Client Call Logs" mean call data records containing the information referred to against each name in the "Types of Personal Data" section below.
Annex B – Optional
Agreement for Platform Integrations and the third party use of Natterbox-derived data
Natterbox Derived Data may be transferred by Client out of the Natterbox platform to other platforms for Processing by or on behalf of Client for use in operational metrics, machine learning or statistical call analysis.
Derived Data by definition does not normally contain Personal Information. Parties acknowledge and agree that Natterbox is the Data Controller of Natterbox Derived Data and Client is the Data Controller of any Personal Data.
This Annex to the Data Processing Addendum outlines Client’s responsibilities when it transfers, integrates or stores (i.e. Processes) Natterbox Derived Data with its own or third-party systems where such derived data includes Personal Data.
1. General Terms
1.1 To the extent that Client Processes Natterbox Derived Data that contains Personal Data (or provides Natterbox Derived Data that contains Personal Data to third parties) it shall do so as a Data Controller.
1.2 The right to re-Process specific Natterbox Derived Data by third parties must be agreed and approved in writing by Natterbox. The Client's request for such approval shall set out details of the specific Natterbox Derived Data requested ("Specific Data") together with the information in paragraph 2.
1.3 Subject to paragraph 1.2, where explicit authorisation and instructions are provided by Client, Natterbox will facilitate integration or transfer of Specific Data to specified third parties.
1.4 Natterbox may charge fees for:
1.4.1 technical assistance and costs implementing, managing and facilitating such integrations referred to in paragraph 1.3; and
1.4.2 integration or transfers of Natterbox Derived Data to Client where Natterbox reasonably considers such assistance to be onerous.
1.5 Client must apply or ensure it has and at all times maintains in place technical and organisational measures and procedures to ensure an appropriate level of security for Natterbox Derived Data in its possession or control (including any Natterbox Derived Data shared by or on behalf of Client with third parties) appropriate to the risk, including protecting such Natterbox Derived Data against the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access.
1.6 By transferring Natterbox Derived Data out of Natterbox’s platform to Client's own or third-party systems, to the extent permitted by law, Natterbox is no longer responsible (and hereby excludes any and all liability) for the security and integrity of such Natterbox Derived Data including any compliance with the GDPR and Client shall be wholly responsible for all GDPR and other statutory regulations governing the usage, security and retention of such Natterbox Derived Data.
2. Requirements:
In any request for access to Natterbox Derived Data, Client must inform Natterbox of:
2.1 The Natterbox Derived Data to be transferred
2.2 The means of Natterbox Derived Data transfer
2.3 The nature of the processing of the Natterbox Derived Data
2.4 The purpose of the processing of the Natterbox Derived Data
2.5 The name of the processor(s) of the Natterbox Derived Data
2.6 The location of the processing of the Natterbox Derived Data
2.7 The duration of the processing of the Natterbox Derived Data
3. Termination:
3.1 Natterbox reserves the right to modify or terminate this Annex and the permission for Client and third parties to use the Natterbox Derived Data with immediate effect by notice in writing to the Client in the event of misuse of Natterbox Derived Data by or on behalf of Client or any third party to which Client provides the Natterbox Derived Data, unreliability, performance impact, excessive communications load, insufficient data security or any data breach (including a Personal Data Breach) or otherwise if Natterbox receives notification in accordance with paragraph 3.2.
3.2 Client must inform Natterbox as soon as practicable when the integration or transfer of Natterbox Derived Data is no longer required, the Natterbox Derived Data is no longer being Processed by or on behalf of Client or any third party to which Client provides the Natterbox Derived Data or if Client wishes to terminate this Annex.
4. Communication
4.1 Authorisation requests and communication regarding transfers of Natterbox Derived Data should be sent to privacy@natterbox.com
Annex C - EU to UK Data Transfer Safeguards
As Natterbox is based in a country with an adequacy decision by the European Commission, it is not required to conclude Standard Contractual Clauses (‘SCCs’) for the transfer of Personal Data to the UK. However, Natterbox will duly observe all its respective obligations under this Agreement and the applicable Data Protection Laws. In addition, in connection with the processing of Personal Data, Natterbox shall:
1. ensure that any Subcontractor and/or Affiliate will be subject to a written agreement with Natterbox requiring the Subcontractor to comply with the same data protection obligations as set out in this Agreement; and
2. include in its agreement with its Subcontractor(s) and/or Affiliate(s) any additional contractual obligations for the Subcontractor(s) and/or Affiliate(s) resulting from the outcome of a Transfer Impact Assessment to be performed by Natterbox; and
3. enter into International Data Transfer Agreements, or any other model contract that provides adequate safeguards and is issued by Natterbox’s competent data protection authority, with its Subcontractor and/or Affiliate, if Personal Data is processed outside the European Economic Area (EEA) without an adequate level of protection as determined by the European Commission. With regard to transfer of Personal Data between Natterbox and its Affiliate(s), Binding Corporate Rules can serve as such model contract, if available; and
4. grant the right to audit Natterbox’s compliance with the above-mentioned obligations and applicable Data Protection Laws in accordance with clause 4.9 (Audit Rights) of this Data Processing Agreement.