Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of the Terms of Service, as updated from time to time, or the Master Subscription Agreement between Limble and Customer (together the “Parties”) governing Customer’s use of the Subscription Services (altogether “Principal Agreement”). This Addendum is concluded between Limble Solutions, Inc. (“Limble”) and the Customer.
The Parties agree that the terms set out below are added as an Addendum to the Principal Agreement.
1. Definitions and Interpretation.
In this Addendum: 1.1. “Applicable Data Protection Law” means the following data protection law(s), as applicable, including any subsequent amendments, modifications and revisions thereto: (i) European Data Protection Law; and (ii) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”) and any other applicable U.S. federal and state privacy laws that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information) (“U.S. Privacy Laws”);
1.2. “Consumer” has the meaning defined in the U.S. Privacy Laws;
1.3. “Customer Personal Data” means Personal Data contained within Customer Data;
1.4. “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Applicable Data Protection Law;
1.5. “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
1.6. “International Data Transfer” means any disclosure of Customer Personal Data by an organization subject to European Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
1.7. “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;
1.8. “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws;
1.9. "Security Documentation" means the security measures applicable to the Subscription Services, as described in Annex II of this Addendum and the summaries of the then-current SOC 2 Type II audit reports (or comparable industry-standard successor report) that Limble generally makes available to its customers as updated from time to time;
1.10. “Subprocessor” means a Processor engaged by Limble to Process Customer Personal Data;
1.11. “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
1.12. “Third-Party Controller” means a Controller for which Customer is a Processor;
1.13. “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022); and
1.14. “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” “Processed,” and “Supervisory Authority” have the meaning given to them in Applicable Data Protection Law, and their cognate terms shall be construed accordingly.
In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies. Capitalized terms used but not defined herein have the meaning given to them in the Principal Agreement.
2. Scope
2.1. This Addendum applies to the Processing of Customer Personal Data by Limble subject to Applicable Data Protection Law to provide the Subscription Services.
2.2. The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this Addendum.
2.3. Customer is a Controller and appoints Limble as a Processor on behalf of Customer. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Limble; must obtain all necessary authorizations from the Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of the Third-Party Controller.
2.4. Customer acknowledges that Limble may Process Personal Data (e.g., Account Data) relating to the operation, support, or use of the Subscription Services for its own business purposes, such as accounting and finance, account management, sales and marketing, and compliance with law. Limble is the Controller for such Processing and will Process such data in accordance with Applicable Data Protection Law.
2.5. Customer is responsible for compliance with the requirements of Applicable Data Protection Law applicable to Controllers. Customer shall, in its use of the Subscription Services, Process Customer Personal Data in accordance with the requirements of Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data.
2.6. Customer acknowledges that Limble is required under GDPR to collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Limble is acting, and to make such information available to Supervisory Authorities. Accordingly, if GDPR applies to the Processing of Customer Personal Data, Customer will, where requested, provide such information to Limble, and will ensure that all information provided is kept accurate and up-to-date.
3. Processing of Customer Personal Data
3.1. Limble shall (i) comply with Applicable Data Protection Law in the Processing of Customer Personal Data, provide the level of privacy protection required by the U.S. Privacy Laws and provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the U.S. Privacy Laws; and (ii) not Process Customer Personal Data other than on the Customer’s documented instructions as set forth in Section 3.3.
3.2. With respect to the Processing of Personal Data subject to U.S. Privacy Laws, except as explicitly set forth in the Principal Agreement or the Addendum, Limble is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) collecting, retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the Subscription Services or as otherwise permitted by U.S. Privacy Laws, (iii) having, deriving or exercising any rights or benefits regarding the Customer Personal Data, and (iv) combining Customer Personal Data with Personal
Data obtained from, or on behalf of, sources other than Customer, except for internal use in order to deliver the Subscription Services.
3.3. Limble shall only Process Customer Personal Data on behalf of and in accordance with Customer’s instructions unless required to do so by Applicable Data Protection Law. Customer instructs Limble to Process Customer Personal Data for the following purposes: (i) Processing in accordance with the Principal Agreement, the Addendum and applicable Order Form(s) and SOW(s); (ii) Processing for Customer which is initiated by Authorized Users in their use of the Subscription Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Principal Agreement and this Addendum. This Addendum and the Principal Agreement are Customer’s complete and final instructions to Limble for the Processing of Customer Personal Data.
3.4. Unless prohibited by applicable law, Limble will inform Customer if Limble is subject to a legal obligation that requires Limble to Process Customer Personal Data in contravention of Customer’s documented instructions.
4. Processor Personnel.
Limble will ensure that all personnel including employees, agents, sub-contractors and sub-processors authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
5. Security
5.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Limble shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures described in Annex II.
5.2. Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Limble in writing prior to any intended Processing for which Limble’s security measures may not be appropriate. Customer is solely responsible for its use of the Subscription Services, including (i) making appropriate use of the Subscription Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; (ii) securing the account authentication credentials, systems, and devices Customer uses to access the Subscription Services; and (iii) backing up Customer Personal Data.
5.3. Limble will not materially decrease the overall security of the Subscription Services during the term of the Principal Agreement.
6. Subprocessing
6.1. Customer hereby authorizes Limble to engage the Subprocessors included in Limble’s Trust Center (see here).
6.2. Limble will enter into a written agreement with Subprocessors which imposes the obligations required by Applicable Data Protection Law. Limble shall ensure that the Subprocessors agree in writing to similar or equivalent restrictions and requirements that apply to Limble in this Addendum with respect to Customer Personal Data, such that the data Processing requirements of such Subprocessor with respect to Customer Personal Data are no less onerous than the data Processing requirements of Limble as set out in this Addendum. Limble shall be liable to Customer for the performance of its Subprocessors' obligations under this Addendum to the same extent Limble would be liable for failing to fulfill its own obligations under this Addendum.
6.3. Limble will notify Customer prior to the addition or replacement of any Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Applicable Data Protection Law by providing written notice detailing the grounds of such objection within fifteen (15) days following Limble’s notification of the intended change. If such objection is not unreasonable, Customer and Limble will work together in good faith to address Customer’s objection. If Limble is unable to make such change within a reasonable
period of time, which shall not exceed sixty (60) days, Customer may terminate the relevant parts of the Subscription Services by providing thirty (30) days written notice to Limble. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Subscription Services.
7. Data Subject Rights and Consumer Rights
7.1. Limble shall promptly notify Customer if it determines that it can no longer meet its obligations under Applicable Data Protection Law. Upon receiving notice from Limble in accordance with this subsection, Customer may direct Limble to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
7.2. Taking into account the nature of the Processing, Limble shall provide commercially reasonable assistance to the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations to respond to requests to exercise Data Subject Rights and U.S. Privacy Law-related Consumer rights requests under the Applicable Data Protection Law. Limble shall: (i) promptly notify Customer if it receives a request to exercise Data Subject Rights under Applicable Data Protection Law in respect of Customer Personal Data; and (ii) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable law to which Limble is subject, in which case Limble shall to the extent permitted by applicable law inform Customer of that legal requirement before Limble responds to the request.
7.3. Customer shall promptly inform Limble if it receives any request to exercise Data Subject Rights or any Consumer request made pursuant to the U.S. Privacy Laws affecting Customer Personal Data Processed by Limble that Customer must comply with. Customer shall provide Limble with the information necessary for Limble to comply with any such request.
8. Personal Data Breach
8.1. Limble will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Limble’s notification is delayed, it will be accompanied by reasons for the delay.
8.2. Limble shall make reasonable efforts to identify, mitigate and remediate the cause of a Personal Data Breach and shall provide sufficient information to Customer to allow Customer to meet any obligations to report or inform individuals or Supervisory Authorities of the Personal Data Breach. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
8.3. Limble shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations under European Data Protection Law to provide notice of Personal Data Breaches to Supervisory Authorities and Data Subjects, as applicable.
9. Data Protection Impact Assessment and Prior Consultation.
Taking into account the nature of the Processing and the information available to Limble, Limble shall reasonably assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations under European Data Protection Law to conduct data protection impact assessments and prior consultations with Supervisory Authorities.
10. Audit
10.1. Limble will make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under Applicable Data Protection Law. Upon Customer's written request at reasonable intervals, Limble shall provide a copy of Limble's then most recent summaries of third-party audits or certifications, as applicable.
10.2. If Customer reasonably believes it needs further information in order to confirm Limble's compliance with the provisions of this Addendum relating to Customer Personal Data, Limble will use commercially reasonable efforts to respond to written questions by Customer regarding the Security Documentation.
10.3. If Customer is not satisfied with Limble's responses to questions provided pursuant to Section 10.2 and if Applicable Data Protection Law or the SCCs grant Customer the right to audit Limble's Processing activities covered under this Addendum, then Limble shall permit Customer to audit Limble's compliance with the data security and data protection obligations under this Addendum. Customer may request such audit no more than once in each twelve (12) month period and it shall be conducted during Limble's regular business hours. In order to request an audit, Customer shall (i) notify Limble in writing via email to privacy@limble.com at least thirty (30) days in advance, detailing the dates and duration of the audit and the identity and the qualifications of the auditor, (ii) agree in writing with Limble on (a) the scope of the audit, (b) the security and confidentiality controls required for access to the information, facilities or processes in scope of such audit, and (c) the reasonable reimbursement rate for which Customer shall be responsible, and (d) cause such auditor to sign a non-disclosure agreement that is satisfactory to Limble. Limble may object to any external auditor if, in Limble's reasonable opinion, the auditor is not qualified, does not have an appropriate security clearance, is a competitor to Limble, or is not independent. If Limble objects to the identity or qualifications of any proposed auditor, Limble shall provide, in writing, a reason for such objection and Customer will be required to propose another auditor. All information provided or made available to Customer or its auditor pursuant to such audit shall be considered Limble's Confidential Information.
10.4. With respect to the Processing of Personal Data subject to U.S. Privacy Laws, Customer has the right to take reasonable and appropriate steps to ensure Limble uses Customer Personal Data in a manner consistent with Limble's obligations under this Addendum, subject to the procedures set forth in this Section 10.
10.5. The Parties agree that the audit rights described in Article 28 of the GDPR shall be satisfied by this Section 10.
11. International Data Transfers
11.1. Customer hereby authorizes Limble to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or other competent authorities (including the competent authorities in the UK and Switzerland), as appropriate; on the basis of adequate safeguards in accordance with European Data Protection Law; or pursuant to the SCCs, Annex III and the UK Addendum referred to in Sections 11.2 and 11.3.
11.2. By entering this Addendum, Customer and Limble conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Limble; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this Addendum respectively; and Annex III to this Addendum contains additional terms applicable to International Data Transfers under the SCCs. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
11.3. By entering into this Addendum, Limble and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Limble; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 11.2 of this Addendum; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
11.4. If Limble’s compliance with European Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Limble’s control, including if a legal instrument for International Data Transfers is invalidated,
amended, or replaced, then Customer and Limble will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities or other competent authorities, Limble reserves the right to amend this Addendum by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with European Data Protection Law.
12. Liability
12.1. As permitted under applicable law, the aggregate liability of either Party and its Affiliates towards the other Party and its Affiliates, whether in contract, tort, or any other theory of liability, under or in connection with this Addendum will be subject to the limitations on liability and liability caps agreed to by the Parties in the Principal Agreement.
12.2. Where Limble has paid compensation, damages or fines, Limble is entitled to claim back from Customer that part of the compensation, damages or fines corresponding to Customer’s part of responsibility for the compensation, damages or fines.
13. Termination and Return or Deletion
13.1. This Addendum will terminate simultaneously and automatically upon the termination of the Principal Agreement, or when Limble ceases Processing Customer Personal Data, whichever is later.
13.2. Customer Personal Data will be returned or deleted along with other Customer Data as set forth in the Principal Agreement.
14. Modification of this Addendum.
This Addendum may only be modified by a written amendment signed by both Limble and Customer or as set forth in the Principal Agreement.
15. Miscellaneous
15.1. If any provision of this Addendum is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
15.2. In the event of any conflict or inconsistency between this Addendum and the Principal Agreement, this Addendum will govern with respect to the Processing of Customer Personal Data. In the event of any conflict between (i) the SCCs or UK Addendum (as applicable), and (ii) this Addendum, the SCCs or UK Addendum shall prevail.
15.3. This Addendum applies only between Customer and Limble and does not confer any rights to any third party, except that Customer's Affiliates, who submit or provide Customer Personal Data to Limble in connection with Customer's use of the Subscription Services, are intended third-party beneficiaries of this Addendum.
ANNEX I DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES ● Data Exporter: ● Name: Customer (as defined in the Principal Agreement, and as indicated in the Order Form or the customer’s Subscription Software account).
● Address: As indicated in the Order Form or in the customer’s Subscription Software account.
● Contact Person’s name, position, and contact details: As indicated in the Order Form or in the Customer’s Subscription Software account.
● Activities relevant to the data transferred under these Clauses: Customer receives Subscription Services as described in the Principal Agreement and Customer provides Personal Data to Limble in that context.
● Signature and date: See the Order Form or the electronic acceptance of the Principal Agreement through the Subscription Software’s self-serve subscription tool.
● Role (Controller/Processor): Controller, or Processor on behalf of Third-Party Controller.
● Data Importer: ● Name: Limble Solutions, Inc.
● Address: 3290 West Mayflower Way, Lehi, UT 84043, United States of America.
● Contact Person’s name, position, and contact details: Manuel Martinez-Herrera, General Counsel, privacy@limble.com, Tel: 801-851-1218.
● Activities relevant to the data transferred under these Clauses: Limble provides Subscription Services to Customer as described in the Principal Agreement and Processes Personal Data on behalf of Customer in that context.
● Signature and date: See the Order Form or the electronic acceptance of the Principal Agreement through the Subscription Software’s self-serve subscription tool.
● Role (Controller/Processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller.
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
● Categories of Data Subjects whose Personal Data is transferred: The data subjects may include Customer’s personnel, staff, work requestors, contractors, and consultants.
● Categories of Personal Data Transferred:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Limble does not intend to receive sensitive Personal Data from its Customers.
● The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis for the duration of the Principal Agreement.
● Nature of the processing: The Personal Data will be processed and transferred as described in the Principal Agreement.
● Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Subscription Services as described in the Principal Agreement.
● The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Customer Personal Data will be retained, and returned or deleted, along with other Customer Data, as set forth in the Principal Agreement.
● For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Principal Agreement and this Addendum. The Processing will take place for the duration of the Principal Agreement.
C. COMPETENT SUPERVISORY AUTHORITY ● The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority: (a) of Customer’s country of establishment in the EU, or, where not applicable; (b) of the country where the Customer’s EU data protection representative is located; or, where not applicable, (c) the Irish Data Protection Commission.
● The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
● The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Previous versions
Data Processing Addendum, Version 2.0 (October 16, 2023 - June 8, 2025)
Data Processing Addendum, Version 2.1 (June 9, 2025 - December 9, 2026)
Data Processing Addendum, Version 2.2 (December 10, 2025 - April 19, 2026)