This Data Processing Addendum (“DPA”) forms part of and is subject to the ClickTerm agreement between TelQ Telecom GmbH (ClickTerm) and the Organization (the “Agreement”). For example, if you accept ClickTerm’s Terms of Use, the Terms of Use and this DPA together form the Agreement.
This DPA applies only to the extent ClickTerm processes Personal Data as a Processor on behalf of the Organization.
If there is a conflict between this DPA and the rest of the Agreement, this DPA prevails only for data protection / processing terms (consistent with the Terms of Use precedence).
Provider / Processor. The Service is provided by TelQ Telecom GmbH, registered in Germany under HRB 144036, Neuer Wall 71, 20354 Hamburg, Germany (“TelQ”, “ClickTerm”, “we”, “us”). TelQ acts as the Processor under this DPA.
Organization / Controller. The entity using ClickTerm is the “Organization” (“you”). You are the Controller, unless you are acting as a Processor for another Controller (in which case you represent that you are authorised to give the instructions described in this DPA).
“Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR and any national implementing laws.
“GDPR” means Regulation (EU) 2016/679.
“Personal Data”, “Controller”, “Processor”, “processing”, and “Supervisory Authority” have the meanings given in the GDPR (or equivalent meanings under applicable Data Protection Laws).
“Customer Personal Data” means Personal Data processed by ClickTerm as Processor on behalf of the Organization in connection with the Service.
“Sub‑processor” means a Processor engaged by ClickTerm to process Customer Personal Data.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
ClickTerm will process Customer Personal Data only on documented instructions from you, which are:
the Agreement (including this DPA and the Terms of Use),
the Documentation and in‑product configuration/settings you control, and
any additional written instructions you provide and we accept in writing.
If ClickTerm believes an instruction violates applicable Data Protection Laws, ClickTerm will notify you (unless prohibited by law).
ClickTerm ensures that persons authorised to process Customer Personal Data are subject to confidentiality obligations (contractual or statutory).
The subject matter, nature, purpose, duration of processing, and categories of Personal Data and data subjects are set out in Schedule 1.
You grant ClickTerm a general authorisation to appoint Sub‑processors to process Customer Personal Data, in accordance with this DPA.
ClickTerm publishes a Sub‑Processors and Processors transparency list (including scope information and feature‑dependent applicability). The current list is available at:
https://api.clickterm.com/clickwrap/9ca82158-c7a6-4e1d-b803-d5f27b5a8164/latest
Before adding or replacing a Sub‑processor that processes End‑User / clickwrap flow data (Scope A), ClickTerm will inform you by publishing an updated version of the Sub‑Processors and Processors document in the ClickTerm Admin Console and requiring explicit re‑acceptance.
Notice method (written): a new published version of the Sub‑Processors and Processors clickwrap document, presented for acceptance in the Admin Console.
Notice period: changes take effect no earlier than 30 days after publication, unless a shorter timeline is required for urgent security, fraud prevention, or legal compliance.
Opportunity to object: you may object by declining the updated version within the notice period.
If you decline: ClickTerm may (a) propose a commercially reasonable alternative, (b) disable the affected optional feature, or (c) terminate the affected services in accordance with the Agreement and this DPA.
For Sub‑processor changes that do not affect Scope A, ClickTerm may (at its discretion) use the same mechanism and/or provide notice by email or in‑product notice. In all cases where Data Protection Laws require notice and an opportunity to object, ClickTerm will provide such notice and opportunity in a compliant manner.
ClickTerm will:
enter into a written agreement with each Sub‑processor imposing data protection obligations no less protective than those in this DPA, and
remain responsible for Sub‑processors’ performance of their obligations to the extent required by Data Protection Laws.
If ClickTerm (or a Sub‑processor) processes Customer Personal Data in a country not recognised as providing an adequate level of protection under applicable Data Protection Laws, the parties agree that an appropriate transfer mechanism will apply.
Where required, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (“SCCs”) are incorporated by reference, and the applicable module(s) apply automatically based on the parties’ roles for the relevant transfer.
Where required:
for UK restricted transfers, the SCCs will be supplemented by the UK ICO International Data Transfer Addendum (or other valid UK transfer mechanism); and
for Swiss transfers, the SCCs will be interpreted/adapted to meet Swiss requirements (e.g., references to EU Member States include Switzerland, and references to supervisory authority are read accordingly).
Where required to enable transfers to a Sub‑processor, you authorise ClickTerm to enter into the SCCs (and any UK/Swiss supplements) with that Sub‑processor on your behalf, strictly for the purpose of enabling the relevant transfer.
ClickTerm will implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Schedule 2.
ClickTerm may update these measures to reflect technical progress and development, provided that updates will not materially decrease the overall security of the Service.
ClickTerm will notify you without undue delay after becoming aware of a Personal Data Breach. Where feasible, ClickTerm will aim to provide initial notice within 72 hours of awareness.
ClickTerm will:
take reasonable steps to mitigate and remediate the effects of the breach (to the extent within ClickTerm’s control), and
provide information reasonably necessary to help you meet your breach notification obligations under Data Protection Laws.
Taking into account the nature of the processing and the information available to ClickTerm, ClickTerm will provide reasonable assistance to you with:
Data subject rights requests (access, rectification, erasure, restriction, objection, portability), to the extent you cannot fulfil the request through self‑service features in ClickTerm;
DPIAs and consultations with Supervisory Authorities, to the extent required and you cannot reasonably fulfil your obligations independently using available Documentation and Service functionality; and
Third‑party requests: unless prohibited by law, ClickTerm will notify you of legally binding requests compelling disclosure of Customer Personal Data and will redirect other inquiries (e.g., from data subjects or regulators) to you unless legally required to respond.
Costs. ClickTerm may charge reasonable fees for assistance that goes beyond what is legally required or beyond what is available through self‑service features and Documentation, and will inform you where practicable.
ClickTerm will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits/inspections by you or an auditor you appoint, subject to the following:
Primary method: where available, ClickTerm may satisfy audit requests by providing summaries and/or reports from independent third‑party security and compliance assessments (or comparable documentation).
Scope and scheduling: audits must be reasonably scoped, scheduled with reasonable advance notice, and designed to minimise disruption and protect confidentiality and security.
Frequency: no more than one audit per 12‑month period, unless (i) required by a Supervisory Authority, (ii) you have documented, reasonable concerns of non‑compliance, or (iii) a prior audit identified material non‑conformities.
Costs: unless required by law, you bear your own audit costs, and ClickTerm may charge reasonable fees for time and resources expended in supporting the audit.
Audit outputs and related information are ClickTerm Confidential Information.
Nothing in this section limits any rights mandated by law.
During the term, you can access, retrieve, export, and delete Customer Personal Data using the Service features (to the extent available for your plan and configuration).
You may request deletion by:
using the Service’s self‑serve account deletion/cancellation functionality (where available), or
contacting ClickTerm support.
Within 30 days after termination/expiration (or your written request, if later), ClickTerm will delete or irreversibly anonymise Customer Personal Data from ClickTerm’s active systems, except to the extent retention is required by law or reasonably necessary for:
establishing, exercising, or defending legal claims,
preventing fraud or abuse,
security and incident response, or
complying with statutory retention obligations (e.g., accounting and tax requirements), noting that such retention should be limited to what is necessary.
Where Customer Personal Data is retained under this section, ClickTerm will keep it protected and confidential and will not use it for other purposes.
You will:
ensure you have a lawful basis and have provided required notices and obtained required consents for the processing of Customer Personal Data and for the instructions you give ClickTerm;
not instruct ClickTerm to process Customer Personal Data in a manner that violates Data Protection Laws; and
not submit special category / sensitive data or other regulated data where doing so would impose obligations beyond those set out in the Agreement (unless ClickTerm has agreed otherwise in writing).
You are responsible for determining whether the Service meets your compliance requirements for your specific use case and jurisdictions.
Order of precedence. If there is a conflict between this DPA and the rest of the Agreement, this DPA prevails only for data protection / processing terms.
Liability. This DPA does not change liability allocation except as required by Data Protection Laws.
Governing law and venue. This DPA is governed by the laws of Germany. Venue is Hamburg, Germany, unless mandatory law provides otherwise (aligned with the Terms of Use).
Survival. Sections intended to survive termination (including confidentiality, audits, deletion/return, and miscellaneous) survive for so long as ClickTerm retains Customer Personal Data.
Service: ClickTerm clickwrap agreement management and evidence platform.
Subject matter: Provision of the Service, including: creating/managing clickwrap templates and versions, presenting clickwraps to end users, recording clickwrap events and audit trails, and generating downloadable acceptance artifacts (such as certificates), as configured by the Organization.
Nature of processing: Cloud hosting/storage; rendering/display; logging/audit trails; generating documents/artifacts; transmitting data via APIs/webhooks; account administration within the Service (as configured).
Purpose of processing: Providing the Service to the Organization and operating, securing, and supporting the Service in accordance with the Agreement.
Duration: For the term of the Agreement, plus the period required to complete deletion/anonymisation under this DPA (and any limited lawful retention as described in Section 9).
Categories of data subjects (examples):
Organization’s authorised users/admins using ClickTerm
End users interacting with clickwrap flows presented by the Organization (e.g., customers, users, contractors)
Categories of Personal Data (examples, depending on configuration and what you include in clickwrap content/placeholders):
Identity/contact details: name, email address, company/employer, job title, phone number, address
Clickwrap content that contains Personal Data (if you include Personal Data in your agreement text)
Clickwrap Event and audit trail metadata: acceptance status (accepted/declined/pending), timestamps, clickwrap version identifiers, audit log entries
Technical/device/network metadata: IP address, user agent, browser and device information, operating system, approximate location derived from IP (if applicable), and identifiers generated by ClickTerm for event tracking
Optional delivery metadata (if enabled): email delivery details for sending acceptance copies/certificates to end users
Special categories / sensitive data: Not intended. The Organization must not upload special categories of Personal Data to the Service unless specifically agreed in writing.
ClickTerm maintains technical and organisational measures designed to protect Customer Personal Data. Measures include, as appropriate for the Service:
Governance and policies
Security policies and access governance
Confidentiality obligations for personnel and contractors
Vendor/Sub‑processor onboarding and contractual controls
Access controls
Role‑based access and least‑privilege principles
Administrative access controls (e.g., MFA where supported), secure credential management
Logging of administrative access and security‑relevant events
Encryption and transmission
Encryption in transit using industry‑standard TLS
Encryption at rest where supported by underlying storage systems and cloud infrastructure
Network and infrastructure security
Firewalls/WAF/DDoS protections where applicable
Segmentation of environments where appropriate
Vulnerability management and patching practices
Monitoring and incident response
Monitoring and alerting for availability/security events
Incident response procedures for detection, containment, remediation, and post‑incident review
Availability and resilience
Measures supporting availability and integrity (e.g., redundancy, backups, recovery procedures)
Change management practices to reduce operational risk
ClickTerm may evolve these measures over time, provided the overall level of security is not materially reduced.