DATA PROCESSING ADDENDUM (DPA).
INTRODUCTION & CONTENTS.
Last Updated: April 2026
This Data Processing Addendum ('Addendum') forms part of the Master Subscription Agreement or other written or electronic agreement ('Agreement') between Precursive and the Customer for the purchase of Services. This Addendum applies to the extent Precursive processes Customer Personal Data on behalf of the Customer.
BACKGROUND.
(A) This Addendum is entered into by the parties to reflect their agreement concerning the processing of Personal Data by Precursive on behalf of the Customer in the context of the provision of the Services, and to ensure compliance with Data Protection Laws.
(B) This Addendum shall apply for so long as Precursive maintains Customer Personal Data on behalf of Customer.
(C) This Addendum does not replace, but rather supplements, any additional terms relating to the California Consumer Privacy Act of 2018 (CCPA) as may be set out in a separate California Data Processing Addendum (the "CCPA Addendum") between the parties. Where the CCPA applies, the terms of the CCPA Addendum shall take precedence with respect to such processing.
1. DEFINITIONS
1.1. In this Addendum, capitalized terms not otherwise defined shall have the meaning given to them in the Agreement. In addition, the following terms shall have the meanings set out below:
• "Agreement" means the Software Terms of Service, along with any applicable Order Form, Professional Service Agreement,
and any other exhibits, schedules, or addenda entered into between Precursive and Customer governing the provision of the
Services.
• "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Supervisory Authority"
and "Standard Contractual Clauses" shall have the meanings ascribed to them in the applicable Data Protection Laws.
• "Customer Personal Data" means any Personal Data which Precursive accesses or otherwise Processes outside of the
Customer's Salesforce environment, such as through the provision of support, professional services, or the routing of data to
third-party sub-processors to enable Artificial Intelligence (AI) features within the Services.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data and privacy,
including, where applicable: ○ the European Union Regulation on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data (Regulation 2016/679) ("GDPR");
○ the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of
the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United
Kingdom or a part of the United Kingdom from time to time) ("UK GDPR");
○ the Privacy and Electronic Communications Directive 2002/58/EC (as amended), and the Privacy and Electronic
Communications (EC Directive) Regulations 2003 (as amended);
○ the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing
regulations, as amended or superseded from time to time ("CCPA"); and
○ any other applicable national or international data protection or privacy laws.
• "Services" means the software and services provided by Precursive to Customer as described in the Agreement.
• "Sub-processor" means any third party appointed by Precursive to Process Customer Personal Data on behalf of Precursive
in connection with the Services.
• "Technical and Organizational Measures" or "TOMs" means the technical and organizational security measures implemented
by Precursive to protect Customer Personal Data as set out in Annex 2.
2. ROLES AND SCOPE OF PROCESSING
2.1. The parties acknowledge and agree that for the purposes of the Data Protection Laws:
(a) The Customer is the Controller of the Customer Personal Data.
(b) Precursive will act as a Processor of Customer Personal Data solely to the extent that it accesses or otherwise Processes such data outside of the Customer’s Salesforce environment in connection with the provision of support, professional services, the processing of AI prompts and payloads via authorized sub-processors,or other services requested by the Customer that require such access. Precursive DPA (c) For the avoidance of doubt, where the Precursive software operates entirely within the Customer’s Salesforce environment and Precursive does not access Customer Personal Data, Precursive shall not be considered a Processor of such data under this Addendum.
However, Precursive shall develop and maintain the software in accordance with industry-standard security practices and shall not knowingly introduce functionality, updates, or integrations that create a material risk to the confidentiality, integrity, or availability of Customer
Personal Data.
2.2. The details of the Processing of Customer Personal Data are set out in Annex 1 to this Addendum.
2.3. Precursive shall Process Customer Personal Data only on the documented instructions of the Customer, unless required to do so by Data Protection Laws or other applicable law to which Precursive is subject. In such circumstances, Precursive shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
2.4. Precursive shall not Process Customer Personal Data for any purpose other than as necessary for the performance of the Services under the Agreement and this Addendum.
3. OBLIGATIONS OF PRECURSIVE (PROCESSOR)
3.1. Confidentiality: Precursive shall ensure that any persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Security: Precursive shall implement appropriate TOMs to ensure a level of security appropriate to the risk of Processing Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The TOMs are described in Annex 2. Precursive may update or modify the TOMs from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
3.3. Sub-processors:
(a) The Customer hereby generally authorizes Precursive to engage Sub-processors.
(b) Precursive shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. Precursive shall maintain an up-to-date list of its Subprocessors, which is available on the Privacy Policy.
(c) Where Precursive engages a Sub-processor, it shall do so by way of a written contract that imposes on the Sub-processor data protection obligations that are no less protective than those contained in this Addendum. Precursive shall remain fully liable to the Customer for the performance of the Sub-processor’s obligations.
3.4. Data Subject Rights: Taking into account the nature of the Processing, Precursive shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws. Precursive shall promptly notify the Customer if it receives a request from a Data Subject concerning Customer Personal Data. Precursive shall not respond to any such Data Subject request directly unless expressly authorized to do so by the Customer or required by law.
3.5. Personal Data Breach Notification: Precursive shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data. Precursive shall provide the Customer with sufficient information to enable the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws. Such information shall include, at a minimum:
(a) The nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) The likely consequences of the Personal Data Breach;
(c) The measures taken or proposed to be taken by Precursive to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
3.6. Assistance to Controller: Precursive shall provide reasonable assistance to the Customer to support its compliance with applicable Data Protection Laws, including with respect to the security of processing, data protection impact assessments (DPIAs), and prior consultations with supervisory authorities, where required. Where such assistance would involve a material effort beyond Precursive’s standard service obligations, Precursive shall notify the Customer in advance of the estimated scope and cost of such assistance and obtain written approval before proceeding. Precursive shall not charge fees for assistance that is reasonably required due to a Personal Data Breach or Supplier’s non-compliance with this Addendum. Precursive DPA
3.7. Deletion or Return of Data: Upon termination or expiration of the Agreement, or upon Customer's written request, Precursive shall, at the Customer's option, delete or return to the Customer all Customer Personal Data and delete existing copies unless Data Protection Laws require storage of the Personal Data. Precursive shall complete such deletion within thirty (30) days of termination and shall, upon Customer’s written request, provide certification of such deletion.
3.8. Audits: Precursive shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Addendum and Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, provided that:
(a) The Customer provides reasonable advance notice of any audit or inspection.
(b) Any such audit or inspection shall be conducted during normal business hours, with minimal disruption to Precursive's business operations.
(c) The Customer or its mandated auditor shall comply with Precursive's reasonable security policies and confidentiality obligations.
(d) The Customer shall bear all costs of such audits. Where an audit is initiated due to a confirmed Personal Data Breach, a substantiated regulatory inquiry relating to the Customer’s obligations as a Controller , or suspected material non-compliance by Precursive, Customer shall not be responsible for auditrelated costs.
4. OBLIGATIONS OF THE CUSTOMER (CONTROLLER)
4.1. The Customer warrants and represents that:
(a) It has all necessary rights to provide the Customer Personal Data to Precursive for Processing hereunder.
(b) It has complied, and will continue to comply, with all Data Protection Laws in respect of its Processing of Personal Data and its instructions to Precursive.
(c) Its instructions to Precursive for the Processing of Personal Data comply with Data Protection Laws.
(d) It has informed and obtained all necessary consents from (or has another valid legal basis for) Data Subjects for the Processing of Personal Data by Precursive as described in this Addendum and the Agreement.
5. INTERNATIONAL DATA TRANSFERS
5.1. Precursive may transfer Customer Personal Data outside of the European Economic Area (EEA), the United Kingdom, or Switzerland. Such transfers shall be carried out in accordance with Data Protection Laws.
5.2. To the extent Customer Personal Data is transferred from the EEA or UK to a country not deemed by the European Commission or the UK government, as applicable, to provide an adequate level of protection for Personal Data, the parties shall ensure that such transfers are made pursuant to appropriate safeguards, such as the Standard Contractual Clauses, where applicable. Where applicable, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply with Module 2 (Controller to Processor) governing such transfers. Where Customer Personal Data is transferred from the United Kingdom to a country not recognized as providing adequate protection under UK Data Protection Laws, the parties shall rely on the EU Standard Contractual Clauses as supplemented by the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office. Precursive shall implement any supplementary measures required under the SCCs and applicable Data Protection Laws to ensure an essentially equivalent level of protection.
6. LIABILITY
6.1. Except as set out in Clause
6.2 below, each party’s total aggregate liability to the other arising out of or in connection with this Addendum, whether in contract, tort (including negligence), breach of statutory duty or otherwise, shall be subject to the limitations of liability set forth in the Agreement. 6.2. Nothing in this Addendum shall limit or exclude either party’s liability:
(a) for fraud or fraudulent misrepresentation;
(b) for gross negligence or willful misconduct;
(c) for any breach of Clause 3.1 (Confidentiality), Clause 3.5 (Personal Data Breach Notification), or Clause 3.7 (Data Deletion or Return); (d) for unauthorized or unlawful use, disclosure, or processing of Customer Personal Data; or
(e) to the extent such liability cannot be limited under applicable Data Protection Laws, including obligations arising under the Standard Contractual Clauses (where applicable).
6.3. Each party shall be liable for its own compliance with applicable Data Protection Laws and for its own acts and omissions under this Addendum.
7. TERM AND TERMINATION
7.1. This Addendum shall become effective on the Effective Date of the Agreement and shall remain in force for the duration of the Agreement, and thereafter for so long as Precursive retains any Customer Personal Data on behalf of the Customer.
7.2. Any termination of the Agreement shall automatically result in the termination of this Addendum, provided that Precursive shall continue to comply with its obligations under this Addendum for as long as it retains Customer Personal Data.
8. GENERAL PROVISIONS
8.1. This Addendum shall be governed by and construed in accordance with the governing law clause in the Agreement.
8.2. This Addendum, together with the Agreement and any other referenced documents, constitutes the entire agreement between the parties concerning the Processing of Customer Personal Data and supersedes any prior agreements or understandings relating to such Processing.
8.3. In the event of any conflict or inconsistency between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail solely with respect to data protection matters. In the event of any conflict between this Addendum and the CCPA Addendum, the CCPA Addendum shall prevail with respect to CCPA matters.
ANNEX 1: DETAILS OF PROCESSING
This Annex 1 describes the Processing activities carried out by Precursive on behalf of the Customer under the Agreement and this Addendum.
1. Subject Matter and Duration of the Processing:
The subject matter of the Processing is the Customer Personal Data provided to Precursive for the purpose of using the Services (Precursive software subscriptions and related support/professional services). The duration of the Processing shall be for the term of the Agreement and until the Customer Personal Data is deleted or returned to the Customer in accordance with Clause 3.7 of the Addendum.
2. Nature and Purpose of the Processing:
The nature of the Processing involves the collection, storage, retrieval, use, disclosure (to Sub-processors), and deletion of Customer Personal Data as necessary to provide, maintain, and support the Precursive software and related services as defined in the Agreement. The purpose of the Processing is to enable Customer to utilize the full functionality of the Precursive software and to receive related support and professional services.
3. Type of Personal Data:
The types of Personal Data Processed may include, but are not limited to:
• Identification data: Names, email addresses, job titles, usernames, contact information of Customer's employees/users and their clients
(where relevant to the Services).
• Professional data: Information related to projects, tasks, resource allocation, time tracking, billing, and other data necessary for the
Customer to manage its professional services automation within the Precursive software.
• Technical data: IP addresses, login data, usage data related to the software, browser type and version, time zone setting and location,
browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the Services.
• Any other Personal Data that Customer chooses to input into the Services.
4. Categories of Data Subjects:
The categories of Data Subjects whose Personal Data may be Processed include, but are not limited to:
• Customer's employees, agents, consultants, or contractors (i.e., the "Users" of the Precursive software).
• Customer's clients or customers (to the extent their personal data is entered into the software by Customer).
• Other individuals whose data is processed by the Customer using the Services.
5. Processing Operations:
The operations performed on the Personal Data include:
• Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• These operations are conducted as necessary for the provision and maintenance of the Services, including but not limited to, account management, user authentication, data storage, data display, reporting, technical support, troubleshooting, and system
maintenance.
• Processing operations also include the transient routing and transmission of Customer Personal Data (such as user prompts and contextual
Salesforce record data) to authorized third-party Large Language Model (LLM) providers to generate AI outputs.
For the avoidance of doubt, Precursive only Processes Customer Personal Data where such Processing occurs outside of the Customer’s Salesforce environment, and solely for the provision of support, professional services, the processing of AI prompts and payloads via authorized sub-processors or other Customer-requested activities requiring access to Customer data. Precursive does not Process Customer Personal Data in connection with the operation of the software where such software operates entirely within the Customer's Salesforce environment without Precursive's access.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
This Annex 2 outlines Precursive's current Technical and Organizational Measures to protect Customer Personal Data. Precursive reserves the right to update or modify these measures, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
1. Physical Access Control:
• Measures to prevent unauthorized physical access to premises and facilities where Personal Data is Processed.
• Controls for access to data centers and server rooms (e.g., restricted access, surveillance, access logs).
2. System Access Control:
• Measures to prevent unauthorized access to data processing systems.
• User authentication mechanisms (e.g., strong password policies, multi-factor authentication).
• Role-based access control (RBAC) to limit access to Personal Data based on job function and necessity.
• Regular review of user accounts and access privileges.
3. Data Access Control:
• Measures to ensure that persons authorized to use a data processing system only have access to the Personal Data they are authorized to Process, and that Personal Data cannot be read, copied, modified, or removed without authorization during Processing and after storage.
• Data segregation within multi-tenant environments.
• Encryption of Personal Data at rest and in transit where appropriate (e.g., TLS/SSL for data in transit, industry-standard encryption for data at rest).
4. Transmission Control:
• Measures to ensure that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport, and that it is possible to ascertain and verify to which entities Personal Data is transmitted.
• Use of secure communication protocols (e.g., HTTPS, VPNs).
5. Input Control:
• Measures to ensure that it is possible to check and establish whether and by whom Personal Data has been input into data processing systems, modified, or removed.
• Logging of data input, modification, and deletion.
• Audit trails and activity logs for key system operations.
6. Availability Control:
• Measures to ensure that Personal Data is protected against accidental destruction or loss and that it is available when required.
• Regular backups of Customer Personal Data.
• Redundancy and disaster recovery plans.
• Monitoring of system availability and performance.
7. Separation Control:
• Measures to ensure that Personal Data collected for different purposes can be Processed separately.
• Logical separation of Customer environments and data within the Salesforce platform.
8. Personnel Control:
• Measures to ensure that personnel involved in the Processing of Personal Data are subject to confidentiality obligations and receive appropriate training.
• Background checks (where legally permissible and appropriate for roles).
• Confidentiality agreements signed by all relevant employees and contractors.
• Regular data protection and security awareness training.
9. Incident Management:
• Defined processes for identifying, reporting, and responding to security incidents and Personal Data Breaches.
• Dedicated security team or personnel responsible for incident response.
10. Data Protection by Design and Default:
• Incorporation of data protection principles into the design and operation of the Services.
• Regular security assessments and penetration testing.
EXHIBIT A California Data Processing Addendum (“CCPA Addendum”)
BACKGROUND
A. This California Data Processing Addendum ('CCPA Addendum') forms part of the Precursive Data Processing Addendum and the underlying Agreement between Precursive and Customer. It applies solely where Customer is a Business subject to the California Consumer Privacy Act of 2018 (CCPA).
B. Customer is a Business to which the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (“CCPA”), applies, and Supplier and the Customer therefore wish to amend the Agreement to address the requirements of the CCPA.
C. In consideration of the mutual obligations set out in this addendum (“CCPA Addendum”), the parties hereby agree that the terms set our herein shall be added as an addendum to the Agreement. This CCPA Addendum shall apply for so long as Supplier maintains Personal Information on behalf of Customer. Save as expressly modified by the terms of this CCPA Addendum, the terms of the Agreement shall remain in full force and effect. Except where the context requires otherwise, references in this CCPA Addendum to the Agreement are to the Agreement as amended by, and including, this CCPA Addendum.
D. Capitalised terms used in this Addendum shall have the meanings set forth in the CCPA and where not defined therein shall have the meaning given to them in the Agreement.
1. Roles and Scope
1.1. This CCPA Addendum applies to the collection, retention, use, disclosure, and sale of Personal Information provided by Customer or which is collected on behalf of Customer by Supplier (“the Personal Information”) to provide Services to Customer pursuant to the Agreement or to perform a Business Purpose.
1.2. Customer is a Business and appoints Supplier as a Service Provider to process the Personal Information on behalf of Customer.
1.3. Supplier’s collection, retention, use, disclosure, or sale of Personal Information for its own purposes independent of Customer’s use of the Services specified in the Agreement are outside the scope of this CCPA Addendum. Supplier shall not use Personal Information obtained from Customer for its own independent purposes unless such use is (i) expressly authorized by Customer in writing, and (ii) subject to all applicable legal obligations, including any obligations imposed upon a “business” under the CCPA or equivalent laws.
2. Restrictions on Processing.
2.1. Supplier is prohibited from retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Agreement for Customer, as set out in this CCPA Addendum, or as otherwise permitted by the CCPA.
2.2. Supplier shall not further collect, sell, or use the Personal Information except as necessary to perform the Business Purpose. For the avoidance of doubt, Supplier shall not use the Personal Information for the purpose of providing services to another person or entity, except as permitted by the CCPA.
3. Notice.
3.1. Customer represents and warrants that it has provided notice that the Personal Information is being used or shared consistent with Cal. Civ. Code 1798.140(t)(2)(C)(i).
4. Consumer Rights.
4.1. Supplier shall provide reasonable assistance to Customer in facilitating compliance with Consumer rights requests.
4.2. Upon direction by Customer, and in any event no later than 30 days after receipt of a request from Customer, Supplier shall promptly delete the Personal Information as directed by Customer.
4.2.1. Supplier shall not be required to delete any of the Personal Information to comply with a Consumer’s request directed by Customer if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case Supplier shall promptly inform Customer of the exceptions relied upon under 1798.105(d) and Supplier shall not use the Personal Information retained for any other purpose than provided for by that exception.
5. Deidentified Information.
5.1. In the event that either Party shares Deidentified Information with the other Party, the receiving Party warrants that it: (i) has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit reidentification of the information; (iii) has implemented business processes to prevent inadvertent release of Deidentified Information; and (iv) will make no attempt to reidentify the information.
6. Mergers, Sales, or Other Asset Transfers.
6.1. In the event that either Party transfers to a Third Party the Personal Information of a Consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of such Party to the Agreement, that information shall be used or shared consistently with applicable law. If a Third Party materially alters how it uses or shares the Personal Information of a Consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the Consumer in accordance with applicable law.
7. As Required by Law.
7.1. Notwithstanding any provision to the contrary of the Agreement or this CCPA Addendum, Supplier may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state, or local law.
8. Indemnification.
8.1. Supplier shall indemnify, defend, and hold harmless Customer from and against any third-party claims, damages, fines, or expenses (including reasonable attorneys’ fees) to the extent arising from Supplier’s material breach of this Addendum or willful misconduct in relation to Personal Information. Customer shall indemnify Supplier to the extent Supplier suffers direct loss solely as a result of Customer’s unlawful documented instructions, provided that Supplier acted in full compliance with those instructions and this Addendum.
8.2. Each party’s liability under this clause shall be subject to the limitations of liability set forth in the Agreement, except where such limitation does not apply under applicable law.
9. Sale of Information.
9.1. The Parties acknowledge and agree that the exchange of Personal Information between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this CCPA Addendum.
10. Security Incidents and Breach Notification
10.1. Supplier shall promptly notify Customer in writing without undue delay, and in any event within seventy-two (72) hours of becoming aware of any actual or reasonably suspected breach of security, unauthorized access, loss, or disclosure of Personal Information processed on behalf of Customer (“Security Incident”).
The notice shall include, to the extent known at the time:
a) A summary of the nature of the Security Incident, including categories and approximate number of affected data subjects and records;
b) The likely consequences of the Security Incident; and
c) The corrective actions taken or proposed to address the Security Incident.
Supplier shall take all reasonable steps to contain, investigate, and mitigate the Security Incident and shall provide regular updates to Customer until resolution.
Supplier shall cooperate fully with Customer’s efforts to comply with applicable data breach notification laws, including providing information necessary for Customer to make legally required notifications to affected individuals or regulatory authorities.
BACK TO TOP
PS CONTENT BY PS LEADERS.
THE PSA PLATFORM THAT DELIVERS.
BY PRODUCTS.
