ClickTerm Data Processing Addendum

Published on: 29/01/2026 | Version: 1.1

This Data Processing Addendum (“DPA”) forms part of and is subject to the ClickTerm agreement between TelQ Telecom GmbH (ClickTerm) and the Organization (the “Agreement”). For example, if you accept ClickTerm’s Terms of Use, the Terms of Use and this DPA together form the Agreement.

This DPA applies only to the extent ClickTerm processes Personal Data as a Processor on behalf of the Organization.

If there is a conflict between this DPA and the rest of the Agreement, this DPA prevails only for data protection / processing terms (consistent with the Terms of Use precedence).

1) Parties and roles

Provider / Processor. The Service is provided by TelQ Telecom GmbH, registered in Germany under HRB 144036, Neuer Wall 71, 20354 Hamburg, Germany (“TelQ”, “ClickTerm”, “we”, “us”). TelQ acts as the Processor under this DPA.

Organization / Controller. The entity using ClickTerm is the “Organization” (“you”). You are the Controller, unless you are acting as a Processor for another Controller (in which case you represent that you are authorised to give the instructions described in this DPA).

2) Definitions

“Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR, UK GDPR, and any national implementing laws, and (where applicable) US state privacy laws.

“GDPR” means Regulation (EU) 2016/679.

“Personal Data”, “Controller”, “Processor”, “processing”, and “Supervisory Authority” have the meanings given in the GDPR (or equivalent meanings under applicable Data Protection Laws).

“Customer Personal Data” means Personal Data processed by ClickTerm as Processor on behalf of the Organization in connection with the Service.

“Sub‑processor” means a Processor engaged by ClickTerm to process Customer Personal Data.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

“SCCs” means the EU Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914.

“Restricted Transfer” means a transfer of personal data that is restricted under applicable Data Protection Laws (for example, a transfer of personal data outside the EEA/UK without an adequacy decision or other valid transfer mechanism).

3) Scope of processing and instructions

Documented instructions

ClickTerm will process Customer Personal Data only on documented instructions from you, which are:

  • the Agreement (including this DPA and the Terms of Use),

  • the Documentation and in‑product configuration/settings you control, and

  • any additional written instructions you provide and we accept in writing.

If ClickTerm believes an instruction violates applicable Data Protection Laws, ClickTerm will notify you (unless prohibited by law).

Confidentiality of personnel

ClickTerm ensures that persons authorised to process Customer Personal Data are subject to confidentiality obligations (contractual or statutory).

Processing details

The subject matter, nature, purpose, duration of processing, and categories of Personal Data and data subjects are set out in Schedule 1.

4) Sub‑processors

General authorisation

You grant ClickTerm a general authorisation to appoint Sub‑processors to process Customer Personal Data, in accordance with this DPA.

Current Sub‑processors list

ClickTerm publishes a Sub‑Processors and Processors transparency list (including scope information and feature‑dependent applicability). The current list is available at:
https://api.clickterm.com/clickwrap/9ca82158-c7a6-4e1d-b803-d5f27b5a8164/latest

Changes and objection mechanism

Before adding or replacing a Sub‑processor that processes End‑User / clickwrap flow data (Scope A), ClickTerm will inform you by publishing an updated version of the Sub‑Processors and Processors document in the ClickTerm Admin Console and requiring explicit re‑acceptance.

  • Notice method (written): a new published version of the Sub‑Processors and Processors clickwrap document, presented for acceptance in the Admin Console.

  • Notice period: changes take effect no earlier than 30 days after publication, unless a shorter timeline is required for urgent security, fraud prevention, or legal compliance.

  • Opportunity to object: you may object by declining the updated version within the notice period.

  • If you decline: ClickTerm may (a) propose a commercially reasonable alternative, (b) disable the affected optional feature, or (c) terminate the affected services in accordance with the Agreement and this DPA.

For Sub‑processor changes that do not affect Scope A, ClickTerm may (at its discretion) use the same mechanism and/or provide notice by email or in‑product notice. In all cases where Data Protection Laws require notice and an opportunity to object, ClickTerm will provide such notice and opportunity in a compliant manner.

Flow‑down obligations and liability

ClickTerm will:

  • enter into a written agreement with each Sub‑processor imposing data protection obligations no less protective than those in this DPA, and

  • remain responsible for Sub‑processors’ performance of their obligations to the extent required by Data Protection Laws.

5) International data transfers

If ClickTerm (or a Sub‑processor) processes Customer Personal Data in a country not recognised as providing an adequate level of protection under applicable Data Protection Laws, the parties agree that an appropriate transfer mechanism will apply.

EU Standard Contractual Clauses

Where required, the SCCs are incorporated by reference and will apply as set out in Schedule 3 (including the applicable module(s) and Annex mapping).

UK and Switzerland

Where required:

  • for UK restricted transfers, the SCCs will be supplemented by the UK ICO International Data Transfer Addendum (or other valid UK transfer mechanism), as set out in Schedule 3; and

  • for Swiss transfers, the SCCs will be interpreted/adapted to meet Swiss requirements, as set out in Schedule 3.

Authorisation to sign with Sub‑processors

Where required to enable transfers to a Sub‑processor, you authorise ClickTerm to enter into the SCCs (and any UK/Swiss supplements) with that Sub‑processor on your behalf, strictly for the purpose of enabling the relevant transfer.

Transfer compliance assistance

Taking into account the nature of the processing and the information available to ClickTerm, ClickTerm will provide reasonable information and assistance (upon request) that you may require to document or assess international transfer compliance requirements (for example, to support a transfer impact assessment), consistent with the DPA assistance provisions and subject to confidentiality and security limitations.

6) Security and Personal Data Breach

Security measures

ClickTerm will implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Schedule 2.

ClickTerm may update these measures to reflect technical progress and development, provided that updates will not materially decrease the overall security of the Service.

Personal Data Breach notification

ClickTerm will notify you without undue delay after becoming aware of a Personal Data Breach. Where feasible, ClickTerm will aim to provide initial notice within 72 hours of awareness.

ClickTerm will:

  • take reasonable steps to mitigate and remediate the effects of the breach (to the extent within ClickTerm’s control), and

  • provide information reasonably necessary to help you meet your breach notification obligations under Data Protection Laws.

7) Assistance and cooperation

Taking into account the nature of the processing and the information available to ClickTerm, ClickTerm will provide reasonable assistance to you with:

  • Data subject rights requests (access, rectification, erasure, restriction, objection, portability), to the extent you cannot fulfil the request through self‑service features in ClickTerm;

  • DPIAs and consultations with Supervisory Authorities, to the extent required and you cannot reasonably fulfil your obligations independently using available Documentation and Service functionality; and

  • Third‑party requests: unless prohibited by law, ClickTerm will notify you of legally binding requests compelling disclosure of Customer Personal Data and will redirect other inquiries (e.g., from data subjects or regulators) to you unless legally required to respond.

Costs. ClickTerm may charge reasonable fees for assistance that goes beyond what is legally required or beyond what is available through self‑service features and Documentation, and will inform you where practicable.

8) Audits and compliance information

ClickTerm will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits/inspections by you or an auditor you appoint, subject to the following:

  • Primary method: where available, ClickTerm may satisfy audit requests by providing summaries and/or reports from independent third‑party security and compliance assessments (or comparable documentation).

  • Scope and scheduling: audits must be reasonably scoped, scheduled with reasonable advance notice, and designed to minimise disruption and protect confidentiality and security.

  • Frequency: no more than one audit per 12‑month period, unless (i) required by a Supervisory Authority, (ii) you have documented, reasonable concerns of non‑compliance, or (iii) a prior audit identified material non‑conformities.

  • Costs: unless required by law, you bear your own audit costs, and ClickTerm may charge reasonable fees for time and resources expended in supporting the audit.

Audit outputs and related information are ClickTerm Confidential Information.

Nothing in this section limits any rights mandated by law.

9) Deletion and return

During the Agreement

During the term, you can access, retrieve, export, and delete Customer Personal Data using the Service features (to the extent available for your plan and configuration).

On termination / expiration

You may request deletion by:

  • using the Service’s self‑serve account deletion/cancellation functionality (where available), or

  • contacting ClickTerm support.

Within 30 days after termination/expiration (or your written request, if later), ClickTerm will delete or irreversibly anonymise Customer Personal Data from ClickTerm’s active systems, except to the extent retention is required by law or reasonably necessary for:

  • establishing, exercising, or defending legal claims,

  • preventing fraud or abuse,

  • security and incident response, or

  • complying with statutory retention obligations (e.g., accounting and tax requirements), noting that such retention should be limited to what is necessary.

Where Customer Personal Data is retained under this section, ClickTerm will keep it protected and confidential and will not use it for other purposes.

10) Your obligations

You will:

  • ensure you have a lawful basis and have provided required notices and obtained required consents for the processing of Customer Personal Data and for the instructions you give ClickTerm;

  • not instruct ClickTerm to process Customer Personal Data in a manner that violates Data Protection Laws; and

  • not submit special category / sensitive data or other regulated data where doing so would impose obligations beyond those set out in the Agreement (unless ClickTerm has agreed otherwise in writing).

You are responsible for determining whether the Service meets your compliance requirements for your specific use case and jurisdictions.

11) Miscellaneous

Order of precedence. If there is a conflict between this DPA and the rest of the Agreement, this DPA prevails only for data protection / processing terms.

Liability. This DPA does not change liability allocation except as required by Data Protection Laws.

Governing law and venue. This DPA is governed by the laws of Germany. Venue is Hamburg, Germany, unless mandatory law provides otherwise (aligned with the Terms of Use).

Survival. Sections intended to survive termination (including confidentiality, audits, deletion/return, international transfers, and miscellaneous) survive for so long as ClickTerm retains Customer Personal Data.


Schedule 1 — Details of processing (Article 28(3) GDPR)

Service: ClickTerm clickwrap agreement management and evidence platform.

Subject matter: Provision of the Service, including: creating/managing clickwrap templates and versions, presenting clickwraps to end users, recording clickwrap events and audit trails, and generating downloadable acceptance artifacts (such as certificates), as configured by the Organization.

Nature of processing: Cloud hosting/storage; rendering/display; logging/audit trails; generating documents/artifacts; transmitting data via APIs/webhooks; account administration within the Service (as configured).

Purpose of processing: Providing the Service to the Organization and operating, securing, and supporting the Service in accordance with the Agreement.

Duration: For the term of the Agreement, plus the period required to complete deletion/anonymisation under this DPA (and any limited lawful retention as described in Section 9).

Categories of data subjects (examples):

  • Organization’s authorised users/admins using ClickTerm

  • End users interacting with clickwrap flows presented by the Organization (e.g., customers, users, contractors)

Categories of Personal Data (examples, depending on configuration and what you include in clickwrap content/placeholders):

  • Identity/contact details: name, email address, company/employer, job title, phone number, address

  • Business identifiers: registration/business ID number, VAT/tax ID (if provided by you)

  • Clickwrap content that contains Personal Data (if you include Personal Data in your agreement text)

  • Clickwrap Event and audit trail metadata: acceptance status (accepted/declined/pending), timestamps, clickwrap version identifiers, audit log entries

  • Technical/device/network metadata: IP address, user agent, browser and device information, operating system, approximate location derived from IP (if applicable), and identifiers generated by ClickTerm for event tracking

  • Optional delivery metadata (if enabled): email delivery details for sending acceptance copies/certificates to end users

Special categories / sensitive data: Not intended. The Organization must not upload special categories of Personal Data to the Service unless specifically agreed in writing.


Schedule 2 — Technical and organisational measures (summary)

ClickTerm maintains technical and organisational measures designed to protect Customer Personal Data. Measures include, as appropriate for the Service:

Governance and policies

  • Security policies and access governance

  • Confidentiality obligations for personnel and contractors

  • Vendor/Sub‑processor onboarding and contractual controls

Access controls

  • Role‑based access and least‑privilege principles

  • Administrative access controls (e.g., MFA where supported), secure credential management

  • Logging of administrative access and security‑relevant events

Encryption and transmission

  • Encryption in transit using industry‑standard TLS

  • Encryption at rest where supported by underlying storage systems and cloud infrastructure

Network and infrastructure security

  • Firewalls/WAF/DDoS protections where applicable

  • Segmentation of environments where appropriate

  • Vulnerability management and patching practices

Monitoring and incident response

  • Monitoring and alerting for availability/security events

  • Incident response procedures for detection, containment, remediation, and post‑incident review

Availability and resilience

  • Measures supporting availability and integrity (e.g., redundancy, backups, recovery procedures)

  • Change management practices to reduce operational risk

ClickTerm may evolve these measures over time, provided the overall level of security is not materially reduced.


Schedule 3 — International transfers (SCCs, UK Addendum, Swiss)

This Schedule applies only to the extent required by applicable Data Protection Laws for Restricted Transfers.

A) EU SCCs (Decision 2021/914)

  1. Incorporation. The SCCs are incorporated by reference.

  2. Modules. The parties agree that the SCC module(s) apply as follows:

  • Module Two (Controller → Processor): applies where the Organization is a Controller and ClickTerm is a Processor.

  • Module Three (Processor → Processor): applies where the Organization is a Processor acting on behalf of another Controller and ClickTerm acts as a Sub‑processor.

  3. Clause selections / options (where applicable):

  • Clause 7 (Docking): not selected, unless the parties agree otherwise in writing.

  • Clause 9 (Use of Sub‑processors): Option 2 (general written authorisation) applies, consistent with Section 4 of this DPA.

  • Clause 11 (Redress): not selected.

  • Clause 17 (Governing law): Germany.

  • Clause 18 (Choice of forum and jurisdiction): Hamburg, Germany (or another EU Member State forum if required by mandatory law for the relevant transfer).

  4. Annex mapping. For purposes of the SCCs:

  • Annex I (A/B/C) is satisfied by the information in Schedule 1 and the Agreement parties’ details, and the competent supervisory authority is the authority applicable to the data exporter under GDPR (or, where applicable, the supervisory authority determined under GDPR rules).

  • Annex II (Technical and organisational measures) is satisfied by Schedule 2.

  • Annex III (List of Sub‑processors) is satisfied by the published Sub‑Processor List at:
    https://api.clickterm.com/clickwrap/9ca82158-c7a6-4e1d-b803-d5f27b5a8164/latest

B) UK restricted transfers

Where the UK GDPR applies and a UK Restricted Transfer requires a transfer mechanism, the SCCs are supplemented by the UK ICO International Data Transfer Addendum (“UK Addendum”), incorporated by reference.

The parties agree the UK Addendum information is completed as follows (using the UK Addendum structure):

  • Table 1 (Parties): the “Exporter” is the Organization; the “Importer” is ClickTerm (TelQ Telecom GmbH).

  • Table 2 (Selected SCCs): the SCCs incorporated above (Decision 2021/914), with modules determined by roles (Module Two or Module Three as applicable).

  • Table 3 (Appendix Information):

    • Annex 1A/1B: Schedule 1

    • Annex II: Schedule 2

    • Annex III: Sub‑Processor List (link above)

  • Table 4 (Ending this Addendum): the parties agree that the UK Addendum may be terminated/ended in accordance with its terms and applicable law.

C) Swiss transfers

Where Swiss data protection law applies and a Swiss Restricted Transfer requires a transfer mechanism, the SCCs incorporated above apply with the following adaptations to satisfy Swiss requirements:

  • references to “Member State” include Switzerland (as relevant);

  • references to the “GDPR” include the applicable Swiss data protection law;

  • the competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC) (as applicable); and

  • data subject rights and enforcement are interpreted to preserve Swiss mandatory protections.


Schedule 4 — US State Privacy Addendum (CCPA/CPRA and similar laws)

This Schedule applies only to the extent and for so long as Customer Personal Data processed by ClickTerm on behalf of the Organization is subject to applicable US state privacy laws that require specific vendor terms (including, where applicable, the California Consumer Privacy Act as amended by the CPRA) (“US State Privacy Laws”).

  1. Roles. With respect to such Customer Personal Data, the parties intend that:

  • the Organization is a “business” and/or “controller” (or equivalent); and

  • ClickTerm is a “service provider” and/or “processor” (and/or “contractor,” if applicable) (or equivalent), processing Customer Personal Data on behalf of the Organization.

  2. Permitted purpose. ClickTerm will process Customer Personal Data only for the business purpose(s) of providing the Service as described in the Agreement, including operating, maintaining, supporting, and securing the Service, and improving the Service only as permitted by the Agreement and only in aggregated/de‑identified form where required/appropriate.

  3. No “sale” or “sharing”. ClickTerm will not “sell” or “share” (as those terms are defined under US State Privacy Laws) Customer Personal Data processed on behalf of the Organization.

  4. Retention, use, and disclosure limits. ClickTerm will not retain, use, or disclose such Customer Personal Data for any purpose other than the permitted purpose(s) described above, except as permitted by US State Privacy Laws.

  5. Combining data. ClickTerm will not combine Customer Personal Data processed on behalf of the Organization with personal information received from (i) another customer, or (ii) ClickTerm’s own interactions as a controller, except as permitted by US State Privacy Laws (for example, to perform the Services, to help ensure security and integrity, to prevent fraud, or to comply with law).

  6. Assistance. Taking into account the nature of the processing, ClickTerm will provide reasonable assistance as required by US State Privacy Laws to enable the Organization to respond to verified consumer requests and other compliance obligations, consistent with Section 7 of this DPA.

  7. Conflicts. If there is a conflict between this Schedule and the rest of the Agreement regarding US State Privacy Laws, this Schedule will control only to the extent necessary to comply with US State Privacy Laws.