Catapult Labs

Data Processing Agreement

ACCEPTANCE OF THIS DATA PROCESSING AGREEMENT

By downloading, installing, accessing, or using the Catapult application or Services after being presented with this Data Processing Agreement, the Customer (as Controller) acknowledges that it has read, understood, and agrees to be bound by all terms and conditions of this Data Processing Agreement. Such acceptance shall have the same legal effect as a handwritten signature.

If the Customer does not agree to this Data Processing Agreement, it must not download, install, access, or use the Catapult application or Services.

DATA PROCESSING AGREEMENT

This Data Processing Agreement (DPA) is entered into between:

(1) Catapult Labs Ltd with registered address 241 Southwark Bridge Road, London, England, SE1 6FP (Catapult); and

(2) the individual or entity on whose behalf the person clicking "I Accept" is acting (the Customer). By clicking "I Accept", the person accepting this DPA represents and warrants that they have the authority to bind the Customer to the terms of this DPA.

Background

The Customer has entered into Catapult’s Terms and Conditions available at www.catapult.xyz/terms.html and Privacy Policy available at www.catapult.xyz/privacy.html (together, the Customer Agreement) under which it processes Personal Data as a Processor on behalf of the Customer, the Controller of the Personal Data (as defined below). This DPA forms part of, and is incorporated into, the Customer Agreement. This DPA sets out the terms under which Catapult will process Personal Data on behalf of the Customer in compliance with Data Protection Legislation (as defined below).

Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.

Definitions

Business Purposes
the services to be provided by the Processor to the Controller and any other purpose specifically identified in Annex A (and any Processing strictly necessary to provide, secure, maintain and improve the Services, in each case in accordance with the Controller’s documented instructions and the Data Protection Legislation).
Commissioner
the Information Commissioner (the UK supervisory authority) for the purposes of the UK GDPR and the DPA 2018.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing
have the meanings given in the Data Protection Legislation.
Data Protection Legislation
all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
EU GDPR
the General Data Protection Regulation ((EU) 2016/679).
Services
the services to be provided by Catapult to the Customer as set out in the Customer Agreement.
Term
for the duration of the Customer Agreement.
UK GDPR
has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.1 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.2 A reference to writing or written includes email.

1.3 In the case of conflict or ambiguity between:

  1. any provision contained in the body of this DPA, and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and
  2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail.

1.4 Nothing in this DPA shall be construed to reduce, limit or prevent Catapult from Processing data (including Personal Data) as an independent controller where such Processing is (i) outside the scope of the Customer’s instructions, and (ii) necessary for Catapult’s legitimate business operations, compliance or security, in each case in accordance with applicable law. This includes the right to create and use aggregated and/or anonymised data and to use Personal Data (on an aggregated/anonymised basis) for artificial intelligence (AI) and machine learning purposes.

2. Personal data types and processing purposes

2.1 The parties acknowledge that:

  1. Catapult will primarily act as a Processor on behalf of the Customer; and
  2. in certain circumstances, Catapult may act as an independent Controller, including (but not limited to) in relation to:
  1. its own business operations, billing, account administration, fraud prevention, security monitoring, incident detection, and legal compliance;
  2. the creation, use and improvement of aggregated and/or anonymised data; and
  3. the training, development, and enhancement of its AI and machine learning models and algorithms,

provided that in each case such Processing is carried out in accordance with Catapult’s privacy policy available at www.catapult.xyz/privacy.html and applicable Data Protection Legislation.

  1. Where Catapult acts as an independent Controller under clause 2.1(b), it shall ensure that any Personal Data used for AI training or model improvement is aggregated and/or anonymised to the greatest extent technically feasible before such use.

2.2 The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the Processing instructions the Controller gives the Processor.

2.3 The Controller warrants that the Processor's expected use of the Personal Data and any specific instructions it gives to the Processor will comply with the Data Protection Legislation. The Controller shall ensure it has a lawful basis for Processing and for providing the Personal Data to Catapult.

2.4 The Annexes describe the subject matter, duration, nature and purpose of Processing and the Personal Data categories and Data Subject types in respect of which the Processor may Process the Personal Data.

2.5 Notwithstanding any other provision of this DPA, Catapult may:

  1. aggregate and/or anonymise Personal Data so that it no longer relates to an identified or identifiable individual; and
  2. use, disclose, and retain such aggregated and/or anonymised data for any purpose, including for the development and improvement of its Services, analytics, AI and machine learning models, and for its other business purposes.

Once Personal Data has been aggregated or anonymised in accordance with this clause and applicable Data Protection Legislation, it shall no longer constitute Personal Data and the obligations in this DPA shall not apply to it.

3. Processor obligations

3.1 The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Controller's written instructions. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Processor must promptly notify the Controller if, in its opinion, the Controller's instructions do not comply with the Data Protection Legislation. Where the Processor reasonably considers an instruction to be unlawful, it may suspend Processing under that instruction until the parties have agreed a lawful alternative.

3.2 The Processor must comply promptly with any Controller written instructions requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing. The Processor shall be entitled to charge its reasonable costs for complying with any such instruction that is outside the scope of the Services or requires material additional work.

3.3 The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Controller or this DPA specifically authorises the disclosure, or as required by applicable law, court or regulator (including the Commissioner). If any applicable law, court or regulator (including the Commissioner) requires the Processor to process or disclose the Personal Data to a third-party, the Processor must first inform the Controller of such legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless applicable law prohibits the giving of such notice.

3.4 The Processor will reasonably assist the Controller, with meeting the Controller's compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation. Such assistance shall be provided (i) to the extent required by the Data Protection Legislation, (ii) at the Controller’s written request, and (iii) at the Controller’s cost (including Catapult’s reasonable time and expenses), unless otherwise required by law.

3.5 The Processor must notify the Controller promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Processor's performance of Services or this DPA. For clarity, this obligation does not require the Processor to provide legal advice.

3.6 The Processor will only collect Personal Data for the Controller using a notice or method that the Controller specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Controller's identity, the purpose or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. The Processor will not modify or alter the notice in any way without the Controller’s written consent. This clause 3.6 applies only where the Processor collects Personal Data directly from Data Subjects on the Controller’s behalf.

4. Processor's employees

4.1 The Processor will ensure that all of its employees:

  1. are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
  2. have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
  3. are aware both of the Processor's duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

4.2 The Processor will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of the Processor’s employees with access to the Personal Data.

5. Security

5.1 The Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex C.

5.2 The Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  1. the pseudonymisation and encryption of Personal Data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

5.3 The Controller acknowledges that the Processor may update or modify its technical and organisational measures from time to time, provided that such updates and modifications do not materially degrade the overall security of the Services.

6. Personal data breach

6.1 The Processor will without undue delay and in any event within seventy-two (72) hours notify the Controller in writing if it becomes aware of:

  1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Processor will use reasonable endeavours to restore such Personal Data as soon as possible;
  2. any accidental, unauthorised or unlawful processing of the Personal Data; or
  3. any Personal Data Breach.

6.2 Where the Processor becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Controller with the following written information to the extent reasonably available:

  1. description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
  2. the likely consequences; and
  3. a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Processor will reasonably co-operate with the Controller, including but not limited to:

  1. assisting with any investigation;
  2. providing any access or relevant information reasonably required; and
  3. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

6.4 The Processor will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Controller's written consent, except when required to do so by applicable law. The Processor may communicate with its subcontractors, advisers, insurers and regulators as necessary to comply with law, manage the incident, or mitigate risk, provided it remains bound by appropriate confidentiality obligations.

6.5 The Processor agrees that the Controller has the sole right to determine:

  1. whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Controller's discretion, including the contents and delivery method of the notice; and
  2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. For clarity, nothing in this clause requires the Processor to bear the cost of any remedy, credit monitoring or notification unless caused solely by the Processor’s breach of this DPA or applicable law.

7. Transfers of Personal Data

7.1 The Processor participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Processor (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR. The Processor must identify in Annex A the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Processor must immediately inform the Customer of any change to that would require the parties to implement alternative appropriate safeguards. SCCs apply only where, and to the extent that, a transfer outside the UK/EEA actually occurs.

7.2 If any Personal Data transfer between the Customer and the Processor requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to the Processor outside the EEA), the parties will complete all relevant details in, and execute, the SCCs contained in Annex B, and take all other actions required to legitimise the transfer. Where SCCs are required for Controller-to-Processor transfers, the parties will use Module 2 of the EU SCCs (and the UK Addendum, where applicable).

7.3 If the Customer consents to appointment by the Processor of a subprocessor located outside the EEA in compliance with the provisions of clause 8, then the Customer authorises the Processor to enter into SCCs contained in Annex B with the subprocessor. The Processor will make the executed SCCs available to the Customer on request. Where SCCs are required for Processor-to-Subprocessor transfers, the Processor may enter into such SCCs in its own name.

8. Subprocessors

8.1 By clicking "I Accept" or by continuing to use the Services, the Controller grants the Processor a general authorisation to appoint and replace subprocessors, provided that:

  1. the Processor maintains an up-to-date list of approved subprocessors;
  2. the Processor makes such list available to the Controller on request. The Controller acknowledges it has had the opportunity to view the list of subprocessors prior to clicking “I Accept”;
  3. any subprocessors are contractually bound by written agreement to terms equivalent to those set out in this DPA in respect of the protection of Personal Data; and
  4. the Controller may periodically review the subprocessor list referred to in clause 8.1(a) and object in writing on reasonable grounds relating to data protection to any subprocessor, whether existing or newly appointed, within ten (10) days of becoming aware of such subprocessor's involvement, failing which the subprocessor shall be deemed approved.

8.2 Where the Controller objects under clause 8.1(d), the parties will work together in good faith to resolve the objection. If the parties cannot resolve the objection within thirty (30) days, the Processor may, at its option: (i) not appoint or cease using the relevant subprocessor; or (ii) allow the Controller to suspend the affected Services; or (iii) terminate the affected Services on written notice, without liability (other than fees accrued for Services provided prior to suspension/termination).

9. Complaints, data subject requests and third-party rights

9.1 The Processor shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Controller as the Controller may reasonably require, to enable the Controller to comply with:

  1. the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
  2. information or assessment notices served on the Controller by the Commissioner or other relevant regulator under the Data Protection Legislation.

9.2 The Controller shall notify the Processor immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's or the Controller's compliance with the Data Protection Legislation.

9.3 The Processor must notify the Controller within five (5) business days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4 The Processor will give the Controller all reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request. Such assistance shall be provided at the Controller’s cost and subject to the Processor’s reasonable security and confidentiality requirements.

9.5 The Processor must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Controller's written instructions, or as required by applicable law.

9.6 The Processor is not responsible for responding to Data Subject requests except to the extent required by the Data Protection Legislation and this DPA.

10. Term and termination

10.1 This DPA will remain in full force and effect so long as:

  1. the Services are provided; or
  2. the Processor retains any of the Personal Data related to the Services in its possession or control.

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Customer Agreement to protect the Personal Data will remain in full force and effect.

10.3 The Processor may suspend Processing (in whole or part) immediately on notice if (i) the Controller’s instructions are unlawful or would cause the Processor to breach the Data Protection Legislation, or (ii) the Controller is in material breach of this DPA and fails to remedy that breach within a reasonable period after notice.

10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Customer Agreement or this DPA, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within thirty (30) days, either party may terminate the Customer Agreement and this DPA on written notice to the other party.

11. Data return and destruction

11.1 At the Controller’s request, the Processor will give the Controller a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Controller. The Processor may charge its reasonable costs for providing such copy or access where not included in the Services.

11.2 On termination of this DPA for any reason or expiry of its term, the Processor will securely delete or destroy or, if directed in writing by the Controller, return and not retain, all or any of the Personal Data related to this DPA in its possession or control, except that:

  1. Catapult may retain copies of Personal Data to the extent required by applicable law or for the establishment, exercise or defence of legal claims (subject to appropriate safeguards); and
  2. Catapult may permanently retain aggregated and/or anonymised data derived from the Personal Data for any purpose, including the training and improvement of its AI and machine learning systems.

11.3 If any law, regulation, or government or regulatory body requires the Processor to retain any documents, materials or Personal Data that the Processor would otherwise be required to return or destroy, it will notify the Controller in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4 The Processor will certify in writing to the Controller that it has deleted or destroyed the Personal Data within thirty (30) days after it completes the deletion or destruction. Such certification may be provided on a reasonable, summary basis.

12. Records

12.1 The Processor will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records). This clause applies to the extent required by the Data Protection Legislation.

12.2 The Processor will ensure that the Records are sufficient to enable the Controller to verify the Processor’s compliance with its obligations under this DPA and the Data Protection Legislation and the Processor will provide the Controller with copies of the Records on request. The Processor may redact confidential information and information relating to other customers.

12.3 The Processor will review the information listed in the Annexes to this DPA periodically to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1 The Controller may audit the Processor’s compliance with this DPA only to the extent required by the Data Protection Legislation and subject to this clause 13. Audits shall: (a) be limited to one (1) audit in any rolling twelve (12) month period (unless a Personal Data Breach has occurred and the audit is reasonably necessary in relation to that breach, or an audit is required by the Commissioner); (b) be conducted on at least thirty (30) days’ prior written notice; (c) take place during normal Business Hours; (d) be limited in scope to the Personal Data and Processing activities covered by this DPA; and (e) not unreasonably interfere with the Processor’s business operations.

13.2 As a first step, the Processor may satisfy audit requests by providing (at the Processor’s discretion): (a) copies of relevant policies and procedures; (b) a summary of security controls; and/or (c) third‑party audit reports or certifications (e.g., SOC 2/ISO 27001) where available. The Controller agrees to accept such materials as sufficient evidence of compliance unless it has reasonable grounds to believe a material non‑compliance exists.

13.3 If an on-site or remote audit is reasonably required after the Processor has provided materials under clause 13.2, the audit shall be conducted by an independent auditor bound by confidentiality, subject to the Processor’s reasonable security requirements, and shall not include: (a) access to systems not involved in providing the Services; (b) access to source code; (c) penetration testing without the Processor’s prior written consent; or (d) access to information relating to other customers.

13.4 The Controller shall bear all costs of any audit (including the Processor’s reasonable time and expenses). If an audit reveals material non‑compliance by the Processor, the Processor shall remedy such non‑compliance within a reasonable period and the Controller may request one (1) follow‑up audit solely to confirm remediation.

14. Limitation of Liability

The limitation of liability as set out in the Customer Agreement applies to this DPA. Nothing in this DPA shall increase either party’s liability beyond that set out in the Customer Agreement.

15. Notice

15.1 Any notice given to a party under or in connection with this DPA shall be in writing and shall be:

  1. delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
  2. sent by email to the details set out in the Customer Agreement or such details as notified to a party.

15.2 Any notice shall be deemed to have been received:

  1. if delivered by hand, at the time the notice is left at the proper address;
  2. if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; or
  3. if sent by email, at the time of transmission, or, if this time falls outside Business Hours in the place of receipt, when Business Hours resume.

15.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales and under the exclusive jurisdiction of the English courts. The parties agree that this DPA, when accepted via the click-wrap mechanism described in clause 17.2, shall be enforceable as a binding agreement under the laws of England and Wales, and the Customer's electronic acceptance shall be admissible as evidence of agreement.

17. General

17.1 This DPA constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes any prior agreements, save for any existing non-disclosure agreement.

17.2 Any amendments to this DPA may be made:

  1. in writing and signed by both parties; or
  2. by Catapult providing an updated version of this DPA through the Services, website, or Customer portal, where the updated DPA is accepted by the Customer through click-through, electronic acceptance, or continued use of the Services following notice of the update.

The Customer acknowledges and agrees that electronic acceptance of this DPA or any updated version of it shall constitute valid and binding acceptance for all purposes.

17.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

17.4 This DPA may be accepted electronically by the Customer by downloading, installing, accessing, or using the Catapult application or Services after being presented with this DPA. Such electronic acceptance shall constitute a valid “writing” and “signature” for all purposes under this DPA and applicable law. No separate wet-ink or handwritten signature is required.

17.5 Catapult shall present this DPA to the Customer prior to or at the point of download, installation, or first access to the Services. The Customer’s downloading, installation, access, or use of the Catapult application or Services after being presented with this DPA shall constitute binding acceptance of the entire DPA, including all Annexes.

17.6 The date of acceptance shall be recorded automatically by Catapult’s systems at the time the Customer downloads, installs, first accesses, or uses the Services after being presented with this DPA.

ANNEX A: Details of Processing

Subject Matter

Provision of the Services, where such provision involves the processing of Personal Data on the Customer’s behalf.

Duration

For the term of the Customer Agreement and any period during which the Processor processes Personal Data on the Controller’s behalf in connection with the Services.

Nature and Purpose

Processing activities may include the collection (where applicable), recording, organisation, structuring, storage, consultation, analysis, aggregation, reporting, deletion, and anonymisation of Personal Data strictly as necessary to:

  • provide the Services to the Customer;
  • carry out analysis, reporting and insight generation for the Customer’s internal business purposes;
  • train, develop, optimise and improve Catapult’s artificial intelligence and machine learning models and algorithms (on an aggregated and/or anonymised basis where feasible);
  • support, maintain, secure and improve the Services; and
  • comply with the Customer’s documented instructions and applicable Data Protection Legislation.

Categories of Personal Data

Depending on the Services used and the Customer’s dataset, the Personal Data may include:

  • names
  • business contact details (including email address, telephone number, job title and employer)
  • customer, prospect or user identifiers
  • usage, engagement and interaction data relating to products or services of the Customer
  • survey responses, feedback and research inputs
  • commercial, transactional or account-level data provided by the Customer; and
  • any other Personal Data uploaded to or made available through the Services by or on behalf of the Customer.

The Services are not intended to require the Processing of Special Category Data or criminal offence data (as defined under the Data Protection Legislation). However, it is acknowledged that such data may be included incidentally within Personal Data provided by the Customer.

Where Special Category Data or criminal offence data is incidentally included, such data shall be processed by Catapult only to the extent technically unavoidable and strictly in accordance with the Customer’s documented instructions and this DPA.

The Customer remains responsible for:

  • determining and documenting a lawful basis and (where required) a condition for processing under Articles 6, 9 and/or 10 of the UK GDPR
  • ensuring appropriate notices are provided to Data Subjects; and
  • not providing Special Category Data or criminal offence data to Catapult unless necessary for the Services or expressly agreed in writing.

Categories of Data Subjects

The Data Subjects may include:

  • the Customer’s customers or end users
  • prospective customers or leads
  • members, subscribers or account holders
  • employees, contractors or representatives of the Customer; and
  • other individuals whose Personal Data is included in datasets provided by or on behalf of the Customer.

Approved subprocessors

The Controller authorises the Processor to engage the subprocessors listed by Catapult from time to time, together with any additional subprocessors notified by the Processor to the Controller in accordance with clause 8 of this DPA, including providers of infrastructure, cloud hosting, analytics, security, customer support, and other support services.

International Transfers

Personal Data may be processed in the United Kingdom and, where applicable, other locations where Catapult or its approved subprocessors operate, subject to appropriate safeguards in accordance with the DPA and Data Protection Legislation.

Aggregated / Anonymised Data and AI Use

Catapult is authorised to aggregate and/or anonymise Personal Data and to use such data (and any models or insights derived from it) for its own business purposes, including the development and enhancement of its AI and machine learning capabilities provided that such data has been irreversibly anonymised such that it no longer constitutes Personal Data under applicable Data Protection Legislation. Such data shall cease to be Personal Data once properly aggregated or anonymised.

Annex B: EU SCCs

Incorporation of the EU SCCs

To the extent that the processing of Personal Data under this DPA involves a transfer of Personal Data to a country outside of the United Kingdom and/or the European Economic Area that is not subject to an adequacy decision under the Data Protection Legislation, this Annex B and the following terms shall apply.

Applicable Modules

Module 2 (Controller to Processor) of the EU Standard Contractual Clauses approved by the European Commission on 4 June 2021 pursuant to Commission Implementing Decision (EU) 2021/914 (the EU SCCs) is hereby incorporated by reference and shall apply where:

  • the Customer is the exporter of Personal Data as Controller; and
  • Catapult is the importer of Personal Data as Processor.

Module 3 (Processor to Sub-Processor) of the EU SCCs shall apply only where:

  • Catapult, acting as Processor, transfers Personal Data to an authorised Sub-Processor located outside the UK and/or EEA; and
  • such transfer requires appropriate safeguards under the Data Protection Legislation.

No other Modules (including Modules 1 or 4) of the EU SCCs shall apply unless the parties expressly agree otherwise in writing.

Completion of the EU SCCs

For the purposes of the EU SCCs, the following information applies

Clause 7 (Docking Clause)

The docking clause is not used.

Clause 9 (Use of Sub-Processors)

Option 2 (General authorisation) applies.

The procedure for appointing Sub-Processors is as set out in clause 8 of this DPA.

Clause 11 (Redress)

The optional language in Clause 11(a) is not used.

Clause 17 (Governing Law)

The governing law shall be

The law of the EU Member State in which the Customer is established, provided such law permits third-party beneficiary rights.

Failing that, the law of Ireland shall apply.

Clause 18 (Choice of Forum and Jurisdiction)

The courts determined in accordance with Clause 17 shall have jurisdiction.

Annex I to the EU SCCs – List of Parties

Data Exporter

Role: Controller

Name: As set out in the DPA / Customer Agreement

Address: As set out in the DPA / Customer Agreement

Contact details: As set out in the DPA / Customer Agreement

Data Importer

Role: Processor

Name: Catapult Labs Ltd

Address: 241 Southwark Bridge Road, London, England, SE1 6FP

Annex II to the EU SCCs – Description of the Processing

The subject matter, nature, purpose and duration of the processing, the types of Personal Data and categories of Data Subjects are as set out in Annex A (Details of Processing) to this DPA.

Annex III to the EU SCCs – Technical and Organisational Measures

The technical and organisational security measures implemented by the Data Importer are as set out in Annex C (Security Measures) to this DPA.

UK Addendum to the EU SCCs

Where the UK GDPR applies to a transfer described above, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018 (the UK Addendum) is incorporated by reference and applies as follows:

Tables 1, 2 and 3 of the UK Addendum are deemed completed by reference to

  • this DPA
  • Annex A (Details of Processing); and
  • Annex C (Security Measures).

Table 4 (Ending the UK Addendum) is selected.

In the event of any conflict or inconsistency between

  • the EU SCCs
  • this DPA; and
  • the UK Addendum,

the following order of precedence shall apply

  1. the UK Addendum
  2. the EU SCCs; and
  3. this DPA.

ANNEX C: Security Measures

Catapult shall maintain appropriate technical and organisational measures designed to protect Personal Data against accidental, unauthorised or unlawful processing, access, disclosure, alteration, loss, destruction or damage. These measures include, as applicable:

1. Physical access controls

Catapult operates primarily as a software provider and does not host production infrastructure on its own premises.

Physical access to cloud hosting facilities is managed by Catapult’s cloud infrastructure providers.

Catapult personnel use company-approved devices and are required to keep devices secure when working remotely or from shared locations.

2. System access controls

Access to production systems is restricted to authorised personnel with a legitimate business need.

User access is protected by strong authentication, including multi-factor authentication where supported.

Access rights are reviewed periodically and removed or updated when personnel change role or leave Catapult.

Administrative access is limited to authorised personnel and granted on a least-privilege basis.

3. Data access controls

Personnel may only access Customer Personal Data where required to provide, support, secure, maintain or improve the Services, or as otherwise permitted under the DPA.

Access to Customer Personal Data is restricted based on role and business need.

Catapult maintains internal policies and procedures governing confidentiality, acceptable use, and handling of Personal Data.

Personnel with access to Personal Data are subject to confidentiality obligations.

4. Transmission controls

Personal Data is encrypted in transit using industry-standard encryption protocols where technically feasible.

Catapult uses secure communication channels for the transfer of Personal Data between systems and subprocessors.

Where third-party subprocessors are used, Catapult requires appropriate contractual safeguards for the protection of Personal Data.

5. Storage and encryption controls

Personal Data is encrypted at rest where supported by Catapult’s hosting and storage providers.

Secrets, credentials and access tokens are stored using appropriate secure storage mechanisms.

Catapult applies reasonable safeguards to prevent unauthorised access to stored Personal Data.

6. Input controls and logging

Catapult maintains logs or records designed to help identify access to, changes to, or processing of relevant systems where technically feasible.

Logs are used for security monitoring, troubleshooting, incident investigation, and service reliability.

Access to logs is restricted to authorised personnel.

7. Availability, backups and resilience

Catapult uses cloud infrastructure and managed service providers designed to provide resilience, availability and continuity of service.

Catapult maintains backup, replication, or recovery processes appropriate to the nature of the Services.

Catapult takes reasonable steps to restore availability and access to Personal Data in a timely manner following a physical or technical incident.

8. Data segregation

Catapult uses logical separation measures to help prevent Customer Personal Data from being accessed by or disclosed to unauthorised customers or users.

Access controls and application-level controls are used to restrict access to Customer workspaces, accounts and connected data sources.

9. Secure development and vulnerability management

Catapult applies secure development practices appropriate to the nature of the Services.

Catapult reviews and addresses identified security vulnerabilities based on severity and risk.

Changes to production systems are managed through controlled development, review and deployment processes.

10. Incident management

Catapult maintains procedures for identifying, investigating, escalating and responding to security incidents.

Catapult will notify the Customer of Personal Data Breaches in accordance with the DPA.

Catapult will take reasonable steps to mitigate the effects of any confirmed Personal Data Breach.

11. Subprocessor and vendor security

Catapult assesses subprocessors and vendors that may process Personal Data based on the nature of the service provided and the associated risk.

Catapult requires subprocessors that process Personal Data to enter into written agreements containing appropriate data protection and confidentiality obligations.

Catapult maintains or makes available a list of subprocessors as described in the DPA.

12. Personnel security and training

Catapult personnel are required to comply with internal security and data protection policies.

Personnel receive data protection and security awareness training appropriate to their role.

Catapult takes reasonable steps to ensure personnel with access to Personal Data understand their confidentiality and security obligations.

13. Security review and improvement

Catapult may update these technical and organisational measures from time to time, provided that such updates do not materially reduce the overall level of protection for Personal Data.

Catapult periodically reviews its security measures and may update controls as the Services, risks, legal requirements or industry practices evolve.