Data Processing Addendum

Effective as of 11/6/25

This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement between Productiv and Customer for the purchase and use of the Services (the “Agreement”).

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

Customer enters into this DPA for itself and, if required under applicable data protection laws, on behalf of any of its Affiliates that use the Services and for which Productiv processes Personal Data as a Processor.

In providing the Services, Productiv may process Personal Data on behalf of Customer, and the parties agree to comply with this DPA with respect to that processing, acting reasonably and in good faith.

If Customer does not process Personal Data through the Services or is not subject to applicable data-protection laws, this DPA will not apply.

•  Definitions.

1. Authorized Affiliate means any of Customer’s Affiliates that is subject to Data Protection Laws and permitted to use the Services under the Agreement.
2. CCPA means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act, and related regulations.
3. Controller means the entity that determines the purposes and means of Processing Personal Data.
4. Data Protection Laws means all applicable privacy and data protection laws of the European Union, EEA, Switzerland, the United Kingdom, and the United States, including the CCPA. 
5. Data Subject means the identified or identifiable person to whom Personal Data relates.
6. GDPR means the EU GDPR and UK GDPR as defined in Regulation (EU) 2016/679 and the UK Data Protection Act 2018.
7. International Data Transfer means any transfer of Personal Data from the EEA, Switzerland, or the United Kingdom to a country or organization outside those jurisdictions.
8. Processing means any operation performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or deletion.
9. Processor means the entity that Processes Personal Data on behalf of the Controller, including any “service provider” as defined by the CCPA. 
10. Public Authority means any government, regulatory, or law enforcement body, including courts and agencies.
11. Standard Contractual Clauses means the EU Commission’s approved clauses for international data transfers, as updated from time to time. 
12. Subprocessor means any Processor engaged by Productiv or its Affiliates to Process Personal Data. 
13. UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office under the UK Data Protection Act 2018.

 

• Processing of Personal Data.

1. 1. Roles of the Parties. Customer will use the Services and provide Personal Data only in compliance with Data Protection Laws and is solely responsible for the accuracy, quality, and legality of Personal Data and how it was obtained. 
   2. Customer’s Processing of Personal Data. Customer shall use the Services to Process Personal Data in accordance with the applicable requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. 
   3. Productiv’s Processing of Personal Data. Productiv will treat all Personal Data as Confidential Information and will Process it only as instructed by Customer, including to provide the Services and fulfill its obligations under the Agreement and applicable Order Forms, to carry out Processing initiated by Authorized Users during use of the Services, and to comply with other written, reasonable instructions from Customer that are consistent with the Agreement. 
   4. Details of the Processing. Productiv will Process Personal Data only as needed to provide the Services described in the Agreement. The subject matter, duration, nature, and purpose of the Processing, along with the types of Personal Data and categories of Data Subjects, are described in Schedule 1 (Details of Processing). 
   5. CCPA. The parties agree that Productiv acts as a Service Provider under the California Consumer Privacy Act (CCPA). Productiv will not “sell” Personal Data (as defined in the CCPA), will not retain, use, or disclose Personal Data for any purpose other than providing the Services under the Agreement, will not use Personal Data outside the direct business relationship between Productiv and Customer, and will not combine Personal Data received from Customer with information obtained from other sources, except as permitted under the CCPA (for example, to detect security incidents or improve the Services).

 

• Rights of Data Subjects. 

• Notification of Data Subject Requests. Productiv will, to the extent permitted by law, promptly notify Customer if it receives any complaint, dispute, or request from an individual whose Personal Data is being processed (a “Data Subject Request”). Productiv will not respond directly to any Data Subject Request, except to confirm receipt or redirect the individual to Customer.

• Assistance with Data Subject Requests. Taking into account the nature of the Processing, Productiv will reasonably assist Customer, through appropriate technical and organizational measures, in fulfilling Customer’s obligations to respond to Data Subject Requests under Data Protection Laws. If Customer cannot address a Data Subject Request using the Services, Productiv will, upon Customer’s written request and where legally allowed, provide commercially reasonable assistance to support Customer’s response. Customer will be responsible for any reasonable costs Productiv incurs in providing such assistance.

• Productiv Personnel.

1. 1. Confidentiality. Productiv will ensure that all personnel who have access to Personal Data are informed of its confidential nature, have received appropriate training, and are bound by written confidentiality obligations no less protective than those in the Agreement. These obligations will survive the end of each individual’s engagement with Productiv. 
   2. Reliability and Training. Productiv will take commercially reasonable steps to ensure that its personnel who Process Personal Data are reliable and properly trained to meet Productiv’s data-protection obligations.
   3. Limited Access. Productiv will limit access to Personal Data to only those personnel who need such access to perform the Services under the Agreement.

 

• Sub-processors. 

1. 1. Appointment. Customer agrees that Productiv’s Affiliates may act as Sub-processors and that Productiv and its Affiliates may engage third-party Sub-processors to support delivery of the Services. Before granting any Sub-processor access to Personal Data, Productiv will enter into a written agreement requiring data-protection obligations that are no less protective than those in this Agreement for the type of Processing performed.
   2. List and Notifications. The current list of authorized Sub-processors (including their processing activities and locations) is available at https://productiv.com/legal/data-sub-processors/. Customer consents to these Sub-processors, their locations, and activities. Customer may subscribe to receive notice of new Sub-processors at the same link, and Productiv will notify Customer before adding any new Sub-processor. 
   3. Objection Right. Customer may object to a new Sub-processor by notifying Productiv in writing within 30 days after receipt of Productiv’s notice. Productiv will use reasonable efforts to provide an alternative that avoids use of the objected-to Sub-processor without unreasonably affecting Customer. If no alternative is available within 60 days, Customer may terminate the affected Order Form and will receive a pro-rated refund for any prepaid fees for the unused portion of the term. 
   4. Liability. Productiv remains responsible for the acts and omissions of its Sub-processors to the same extent it would be liable if performing their services itself, unless otherwise stated in the Agreement. 

 

• Audit.

1. 1. Information Requests. Upon written request, Productiv will provide Customer with the information reasonably necessary to demonstrate Productiv’s compliance with this DPA, which may include Productiv’s most recent third-party security certifications or audit reports (such as SOC 2 or ISO 27001). Customer agrees to review such reports before requesting any on-site audit.
   2. Formal Audits. If, after reviewing such documentation, Customer has a good-faith, legally required need for additional assurance, Productiv will permit an audit of its relevant data-protection controls. Any such audit must (i) be limited to documents and facilities relevant to the Processing of Personal Data, (ii) be conducted no more than once per year, during normal business hours, and in a manner that avoids material disruption, and (iii) be performed by an independent auditor bound by confidentiality and pre-approved by Productiv.
   3. Lawfulness and Cost. Productiv may object to or suspend any audit that would violate law or another customer’s confidentiality. Each party will bear its own costs.

 

• Data Security and Incident Notification. 

1. 1. Security Measures. Productiv will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, consistent with industry standards and Productiv’s published Security Practices. These measures include (i) controls to protect the confidentiality, integrity, and availability of Personal Data and (ii) safeguards to prevent unauthorized or unlawful Processing, loss, destruction, or damage of Personal Data.
   2. Incident Notification. Productiv maintains incident-response policies and will promptly (and without undue delay) notify Customer after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Productiv or its Sub-processors (a “Customer Data Incident”). Productiv will investigate the incident, take reasonable steps to remediate the cause, and keep Customer informed as appropriate. These obligations do not apply to incidents caused by Customer or its Authorized Users.

 

• Government Access Requests. 

1. 1. Safeguards. Productiv will maintain appropriate technical and organizational measures to protect Personal Data from unlawful or excessive access by public authorities, consistent with Data Protection Laws.
   2. Notifications. If Productiv receives a legally binding request from a government or law-enforcement agency to access Personal Data (a “Request”), Productiv will, unless prohibited by law, promptly notify Customer and describe the nature of the Request.
   3. Limitation and Challenge. If Productiv is legally prohibited from notifying Customer, it will use reasonable efforts to obtain permission to share limited information as soon as possible. Productiv will assess each Request and, where it believes there are reasonable grounds, will seek to narrow or challenge the Request to the extent permitted by law.
   4. Legal Constraints. These obligations do not require Productiv to take or refrain from any action that would violate applicable law or expose it to civil or criminal penalties (for example, contempt of court). If Productiv must comply with a Request, it will notify Customer as soon as legally permitted and provide relevant details of the disclosure. Any disclosure will be limited to the minimum information required by law.

 

• Return and Deletion of Customer Data. 

1. 1. Return or Deletion. Productiv shall return or delete Personal Data in accordance with the procedures and timeframes specified in the Agreement. 
   2. Ongoing Compliance. Until all Personal Data has been deleted or returned, Productiv will continue to comply with this DPA and maintain appropriate safeguards for that data. 

 

• Authorized Affiliates. 

1. 1. Contractual Relationship. By signing this DPA, Customer enters into it on behalf of itself and, where applicable, on behalf of any Authorized Affiliates. Each Authorized Affiliate agrees to be bound by Customer’s obligations under this DPA to the extent Productiv Processes Personal Data on that Affiliate’s behalf. In such cases, the Authorized Affiliate is deemed a Controller under Data Protection Laws. 
   2. Communication. The Customer that signed the Agreement will coordinate all communications with Productiv under this DPA and may make and receive all communications on behalf of its Authorized Affiliates.
   3. Rights of Authorized Affiliates. Where Customer signs this DPA on behalf of its Authorized Affiliates, (i) those Affiliates may exercise the rights and seek the remedies provided under this DPA only to the extent required by applicable Data Protection Laws, and (ii) except where Data Protection Laws require an Affiliate to act directly against Productiv, only the Contracting Customer may exercise such rights or seek such remedies, doing so collectively for itself and all Authorized Affiliates rather than separately for each one.

 

• Limitation of Liability. The parties agree that their liability (and that of their Affiliates) under this DPA is limited by, and subject to, the limitations and exclusions set out in the Limitation of Liability section of the Agreement. 

• International Data Transfers.

1. 1. Authorization. Customer authorizes Productiv to transfer and Process Personal Data internationally as needed to provide the Services, including to Productiv’s Sub-processors listed at https://productiv.com/legal/data-sub-processors, in accordance with Data Protection Laws and this DPA.
   2. EEA Transfers. For Personal Data originating in the EEA, the parties agree that Module 2 (Controller to Processor) of the EU Standard Contractual Clauses (“SCCs”) is incorporated by reference and completed as follows: (i) the data exporter is Customer; (ii) the data importer is Productiv; (iii) the optional docking clause in Clause 7 applies; (iv) Clause 9(a) Option 2 applies with a 30-day notice period; (v) the governing law in Clause 17 is Irish law; and (vi) the courts in Clause 18(b) are the Courts of Ireland. Schedules 1 and 2 of this DPA serve as Annexes I and II to the SCCs. 
   3. UK Transfers. For Personal Data originating in the United Kingdom, the UK International Data Transfer Addendum (“UK Addendum”) issued by the Information Commissioner’s Office is incorporated. It is completed as follows: (i) the data exporter is Customer and the data importer is Productiv; (ii) the “Approved EU SCCs” are the SCCs incorporated under Section 12(b); (iii) Schedules 1 and 2 of this DPA provide the information required in Tables 1–3 of Part 1 of the UK Addendum; and (iv) either party may end the UK Addendum as set out in section 19 thereof. 
   4. Change in Law. If a law, regulation, or court decision affects the validity or enforceability of the SCCs or other transfer mechanism, the parties will cooperate in good faith to adopt a legally valid substitute or alternative transfer mechanism that ensures continued compliance with Data Protection Laws.

 

• Miscellaneous.  

1. 1. This DPA may be modified only by a written amendment issued by Productiv and effective after notice to Customer. Any amendment will apply prospectively and not retroactively. If a court or other competent authority finds any provision of this DPA invalid or unenforceable, the remaining provisions will remain in full force and effect.

SCHEDULE 1

DETAILS OF PROCESSING

 

1. LIST OF PARTIES

Name of Data Importer:	Productiv, Inc.
Address:	477 Sutter St, Ste 405, San Francisco, CA 94108
Contact details:	[email protected]
Activities relevant to the data transferred under these Clauses:	See Schedule 1(B) below and the Agreement.
Signature and date:	This Schedule 1 shall automatically be deemed executed when the Agreement is executed by Productiv.
Role (controller/processor):	Processor

 

Name of Data Exporter:	The party identified as the “Customer” in the Agreement.
Address:	Reference is made to the Agreement.
Contact person’s name, position, and contact details:	Reference is made to the Agreement.
Activities relevant to the data transferred under these Clauses:	See Schedule 1(B) below and the Agreement.
Signature and date:	This Schedule 1 shall automatically be deemed executed when the Agreement is executed by Customer.
Role (controller/processor):	Controller

 

1. DESCRIPTION OF PROCESSING/ TRANSFER

 

Categories of Data Subjects whose Personal Data is transferred	Customer’s employees and contractors.
Categories of Personal Data transferred	Name, contact information and other information necessary to provide the Services under the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards	No sensitive data is processed under the Agreement.
Frequency of Transfer	Continuous.
Nature and purpose(s) of the data transfer and Processing	Productiv will process Personal Data as necessary to provide the Services under the Agreement.
Retention period (or, if not possible to determine, the criteria used to determine the period)	Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing	Productiv will restrict the onward Subprocessor’s access to Personal Data only to what is strictly necessary to provide the Services, and Productiv will prohibit the Subprocessor from Processing the Personal Data for any other purpose.
Identify the competent supervisory authority/ies in accordance with Clause 13	Where the EU GDPR applies, the competent supervisory authority shall be designated in accordance with Clause 13 of the EU SCCs. Where the UK GDPR applies, the UK Information Commissioner's Office.

SCHEDULE 2

PRODUCTIV SECURITY PRACTICES

Details related to Productiv’s security practices, including third party audit reports, externally facing policies, and organizational security measures to protect Customer Data are available at trust.productiv.com.

Where applicable, this Schedule 2 will serve as Annex 2 to the Standard Contractual Clauses.