DATA PROCESSING ADDENDUM

Version 1.0 (last updated April 11, 2025) 

DPA SETUP PAGE

DPA Setup Page
for Bonterms Data Protection Addendum (DPA)
By executing an Agreement or Order referring to and incorporating this Data Processing Addendum, Agiloft and Customer (as defined below), enter into the Bonterms Data Protection Addendum (DPA) (Version 1.0) (available at https://bonterms.com/forms/data-protection-addendum-v1/). The DPA includes the contents of this DPA Setup Page, including the Key Terms and Schedules. Capitalized terms not defined in this DPA Setup Page have the meanings given in the Bonterms Data Protection Addendum. Notices of updates to the Subprocessor List will be provided by email to the Customer Notifications Contact (as defined in the Agiloft Services Agreement).
Key Terms
Agreement: The Agiloft Services Agreement, at https://www.agiloft.com/terms-policies/services-agreement/, or separate agreement under which Agiloft is providing the Subscription Services to Customer.
Order: The applicable ordering documents (e.g., order form, change order, Statement of Work, quotation, quote) signed by both parties for Customer’s purchase of the Subscription Services.
Customer: The organization executing the applicable Agreement or Order.
“Agiloft” or “Provider”: Agiloft, Inc.
DPA Effective Date: The Effective Date of the Agreement.
Subprocessor List: https://www.agiloft.com/privacy-policy/subprocessors/
Schedules
The following Schedules are incorporated into this DPA:
Schedule 1 – Subject Matter and Details of Processing
Schedule 2 – Technical and Organizational Measures
Schedule 3 – Cross-Border Transfer Mechanisms
Schedule 4 – Region-Specific Terms

SCHEDULES

Schedule 1 – Subject Matter and Details of Processing

Customer / ‘Data Exporter’ Details
Name: Customer (as defined above)
Contact details for data protection: The individual or email specified in the Agreement or applicable Order
Main address: The address specified in the Agreement or applicable Order
Customer activities: Receipt of data importer’s Services as specified in the Agreement or applicable Order
Role: Controller

Provider / ‘Data Importer’ Details
Name: Agiloft
Contact details for data protection: Jon Larsen, Data Protection Officer ([email protected]); Art. 27 GDPR Representative: Prighter (https://prighter.com/q/19881203804)
Main address: 303 Twin Dolphin Drive, Floor 6, Redwood City, CA 94065, USA
Provider activities: Performance by Agiloft of the Services as specified in the Agreement or applicable Order
Role: Processor
Details of Processing
Categories of Data Subjects:
  (a) Employees or other personnel of data exporter;
  (b) Other users authorized by data exporter to use the Services in accordance with the Agreement;
  (c) Data subjects whose Personal Data resides within documents or other information uploaded by or at the request of Customer to Agiloft’s platform.
Categories of Customer Personal Data: Personal Data, including information relating to individuals, provided to the data importer via the Services by (or at the direction of) data exporter, which may include:
  (a) First and last name;
  (b) Title;
  (c) Position;
  (d) Employer;
  (e) Contact information (email, phone, business address);
  (f) Identification Data (email, phone); and
  (g) Other Personal Data that resides within data exporter’s documents.
Sensitive Categories of Data and additional associated restrictions/safeguards: No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data.
Frequency of transfer: Continuous until the expiration or termination of the Agreement
Nature of the Processing: Agiloft processes Personal Data as necessary to perform the Services as specified in the Agreement (or applicable Order) under the terms and conditions set forth therein, and as further instructed by Customer in its use of the Services. As an unintended consequence of Agiloft’s platform ‘reading’ or ‘ingesting’ documents uploaded by or at the direction of data exporter, data importer processes Personal Data contained in such documents. Data importer will ignore such Personal Data and will never share it with third parties.
  Data importer processes Personal Data in the United States as necessary to perform the Bot Service component of the Services. The Bot Service is a multi-tenant app service for orchestrating messages between Teams and Agiloft (Customer contracts and related documents; customer data related to contracts).
  Data importer processes Personal Data in the United States as necessary to perform the Microsoft Word Services component of the Services. Microsoft Word Services is a multi-tenant app service for converting and manipulating Microsoft Word documents within the Agiloft environment (Customer contracts and related documents; customer data as contained within the documents).
  Data importer processes Personal Data in the United States as necessary to perform the Adobe Sign integration component of the Services. The Adobe Sign integration allows customers to send packages for e-signature via their Agiloft environment, which may include customer data such as contract titles and email addresses.
Purpose of the Processing: For data importer to provide the Services described in the Agreement (and any applicable Order) to data exporter, as detailed more fully therein.
Duration of Processing / retention period: Duration of the underlying Agreement during which data exporter is receiving the Services from data importer.
Competent supervisory authority/ies in accordance with Clause 13: The competent supervisory authority will be determined in accordance with Clause 13(a) and, where possible, will be the Irish Data Protection Commissioner.
Transfers to Subprocessors: See Agiloft’s Subprocessor List, at https://www.agiloft.com/privacy-policy/subprocessors/

Schedule 2 – Technical & Organizational Measures

Measure / Description

Measures of pseudonymisation and encryption of personal data: Data is encrypted in transit using TLS. Data is encrypted at rest with at least 256-bit encryption.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Agiloft uses vulnerability assessments, patch management, threat protection and scheduled procedures to identify, assess, protect against and mitigate threats. Agiloft enforces the principle of least privilege for IT systems. All access is revoked upon termination of employment.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Disaster recovery and business continuity plans and procedures are maintained for critical systems to identify and mitigate events that may impact the availability of or access to Agiloft services, and to ensure recovery from disasters and interruptions of service.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing: Multiple types of automated vulnerability scans and assessments are performed at various frequencies, including upon changes to code, weekly and monthly. Third-party penetration tests are conducted annually and upon significant changes to infrastructure or software. Industry security audits (e.g., SOC 1, SOC 2, ISO 27001, and Cyber Essentials Plus) are performed annually.
Measures for user identification and authorisation: Agiloft enforces the principle of least privilege for IT systems. Access is limited to employees with requirements based on job function. Access reviews are conducted quarterly for key systems. All access is revoked upon termination of employment.
Measures for the protection of data during transmission: All data is encrypted in transit using TLS.
Measures for the protection of data during storage: All data is encrypted at rest with at least 256-bit encryption.
Measures for ensuring physical security of locations at which personal data are processed: Agiloft’s physical and environmental controls are inherited from AWS.
Measures for ensuring events logging: Event logging and system audit and monitoring procedures are in place to record access and system activity, and logs are sent to a central location. In addition, within the customer’s Agiloft environment, the Activity Log and History are customer-configurable.
Measures for ensuring system configuration, including default configuration: Agiloft’s infrastructure systems are created and maintained with configuration management tools that deploy and enforce baseline configurations on all systems.
Measures for internal IT and IT security governance and management: Agiloft maintains an information security management framework as required by all current certifications (SOC 1, SOC 2, ISO 27001, and Cyber Essentials Plus).
Measures for certification/assurance of processes and products: Processes and procedures are reviewed bi-annually and on an as-needed basis. Agiloft engages third-party auditors to perform annual SOC 1, SOC 2, ISO 27001, and Cyber Essentials Plus audits to assess the effectiveness of organizational controls. Penetration tests are performed on Agiloft’s infrastructure and software at least annually and after significant change.
Measures for ensuring data minimisation: Only data which is relevant and necessary for the provision of Agiloft’s services is processed, to ensure data minimisation. Customers control the type of data stored and processed in their Agiloft environment.
Measures for ensuring data quality: Change management procedures and tracking mechanisms are implemented for the testing, approval and tracking of changes to Agiloft software and infrastructure.
Measures for ensuring limited data retention: Data retention policies are in place to comply with applicable laws and are reviewed regularly.
Measures for ensuring accountability: Access and activities are logged and stored. Logs are retained for defined periods to facilitate audit and review of access and system activities. Employees are required to abide by Agiloft’s information security policies, and violations will result in disciplinary procedures up to and including termination.
Measures for allowing data portability and ensuring erasure: Processes are implemented to handle data subject requests for data controlled by Agiloft. Customers may submit such requests at https://prighter.com/q/19881203804. Agiloft customers control the type of data in their Agiloft environment and are responsible for handling requests regarding data they control.
Subprocessor Agreement: Agiloft enters into agreements with its subprocessors with data protection obligations substantially similar to those contained in the DPA. Technical and organizational measures to protect personal data are required. Subprocessors must (a) notify Agiloft in the event of a Security Incident so Agiloft may notify Customer; (b) delete personal data when instructed by Agiloft in accordance with Customer’s instructions; (c) not engage additional sub-processors without Agiloft’s authorization; and (d) not change the location where personal data is processed.

Schedule 3 – Cross-Border Transfer Mechanisms

  1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
    1. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
    2. “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
    3. In addition:

      “Designated EU Governing Law” means: Republic of Ireland
      “Designated EU Member State” means: Republic of Ireland
  2. EU Transfers. Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
    1. The EU SCCs are hereby incorporated by reference as follows:

      (a) Module 2 (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Provider is a Processor of Customer Personal Data;

      (b) Module 3 (Processor to Processor) applies where Customer is a Processor of Customer Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Customer Personal Data;

      (c) Customer is the “data exporter” and Provider is the “data importer”; and

      (d) by entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.
    2. For each Module, where applicable the following applies:

      (a) the optional docking clause in Clause 7 does not apply;

      (b) in Clause 9, Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA;

      (c) in Clause 11, the optional language does not apply;

      (d) in Clause 13, all square brackets are removed with the text remaining;

      (e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Designated EU Governing Law;

      (f) in Clause 18(b), disputes will be resolved before the courts of the Designated EU Member State;

      (g) Schedule 1 (Subject Matter and Details of Processing) to this DPA contains the information required in Annex 1 of the EU SCCs; and

      (h) Schedule 2 (Technical and Organizational Measures) to this DPA contains the information required in Annex 2 of the EU SCCs.
    3. Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.
  3. Swiss Transfers. Where Customer Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:
    1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:

      (a) in Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;

      (b) in Clause 17 (Option 1), the EU SCCs will be governed by the laws of Switzerland;

      (c) in Clause 18(b), disputes will be resolved before the courts of Switzerland;

      (d) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c); and

      (e) all references to the EU GDPR in this DPA are also deemed to refer to the FADP.
  4. UK Transfers. Where Customer Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
    1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:

      (a) each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;

      (b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data;

      (c) in Table 1 of the UK Addendum, the parties’ key contact information is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;

      (d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;

      (e) in Table 3 of the UK Addendum:
      (i) the list of parties is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
      (ii) the description of transfer is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
      (iii) Annex II is located in Schedule 2 (Technical and Organizational Measures) to this DPA; and
      (iv) the list of Subprocessors is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA.

      (f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and

      (g) in Part 2: Part 2 – Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
  5. Data Privacy Framework. For clarity, a transfer of Customer Personal Data from the EU, UK or Switzerland to Provider in the United States subject to the EU-U.S. Data Privacy Shield Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Shield Framework, as applicable (collectively, the “DPF”), shall not constitute a Restricted Transfer so long as Provider maintains an active certification to the DPF and certification to the DPF remains a legal basis for transfer of Personal Data to the United States under the GDPR, UK GDPR or FADP, as applicable.

Schedule 4 – Region-Specific Terms

California

  1. Definitions. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.
    1. “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.
    2. The definition of “Data Subject” includes “consumer” as defined under the CCPA.
    3. The definition of “Controller” includes “business” as defined under the CCPA.
    4. The definition of “Processor” includes “service provider” as defined under the CCPA.
  2. Obligations.
    1. Customer is providing the Customer Personal Data to Provider under the Agreement for the limited and specific business purposes of providing the Cloud Service as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA and otherwise performing under the Agreement.
    2. Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.
    3. Provider acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Provider’s use of Customer Personal Data is consistent with Customer’s obligations under the CCPA, (ii) receive from Provider notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
    4. Provider will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.
    5. Provider will not retain, use or disclose Customer Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4 or (ii) outside of the direct business relationship between Provider with Customer, except, in either case, where and to the extent permitted by the CCPA.
    6. Provider will not sell or share Customer Personal Data received under the Agreement.
    7. Provider will not combine Customer Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA.