Processing Addendum

This Data Processing Addendum (the Addendum) forms part of the SMT Master Service Agreement (and any ancillary or related documentation), as updated or amended from time to time (the Agreement), between the Customer (as identified on page 3 below) and SMT. All capitalised terms not defined in this Addendum shall have the meaning set out in the Agreement.


  1. This Addendum has been pre-signed by SMT.
  2. If SMT processes personal data on behalf of a SMT customer that qualifies as a controller with respect to that personal data under the EU General Data Protection Regulation (Regulation 2016/679) (an Eligible Customer), such Eligible Customer may execute this Addendum. Eligible Customers can complete this Addendum by:
    - Completing the information in the signature box and counter-signing on page 3; and
    - Submitting the completed and signed Addendum to SMT at Any questions regarding this Addendum should be sent to
  3. Upon receipt of the validly completed and signed Addendum in accordance with the instructions above, this Addendum will become legally binding.


If the entity signing this Addendum is an Eligible Customer at the date of counter-signature, this Addendum will form part of the Agreement. In such case, the SMT entity that is a party to the Agreement will be a party to this Addendum, as identified in the Eligible Customer SMT invoice.
If the entity signing this Agreement is not an Eligible Customer at the date of counter-signature, this Agreement will not be valid or legally binding.
The parties agree that the obligations under this Addendum that are specific to the EU General Data Protection Regulation (Regulation 2016/679) shall not apply until the later of the Eligible Customer counter-signature or the date the EU General Data Protection Regulation (Regulation 2016/679) has come into full force and effect.

1. Data Protection

1.1.  Definitions: In this Addendum, the following terms shall have the following meanings:

1.2.  Relationship of the parties: Customer (the controller) appoints SMT as a processor to process the personal data described in the Agreement (the "Data") for the purposes described, and the terms set out, in the Agreement, including, for the avoidance of doubt, to provide you with, and update and improve, our services (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.

1.3.  Prohibited data: Unless explicitly requested by SMT to do so, Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to SMT for processing.

1.4.  International transfers: SMT shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

1.5.  Confidentiality of processing: SMT shall ensure that any person who is authorised to process the Data (an "Authorised Person") shall protect the Data in accordance with SMT’s confidentiality obligations under the Agreement.

1.6.  Security: SMT shall implement technical and organisational measures, as set out in Annex A, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").

1.7.  Subcontracting: Customer consents to SMT engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) SMT maintains an up-to-date list of its subprocessors, which shall be available on its website on or before 25 May 2018, which it shall update with details of any change in subprocessors at least 30 days prior to the change; (ii) SMT imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) SMT remains liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor. Customer may object to SMT’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, SMT will either not appoint or replace the subprocessor or, if this is not reasonably possible, in SMT’s sole discretion, Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by Customer up to and including the date of suspension or termination).

1.8.  Cooperation and data subjects' rights: SMT shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to SMT, SMT shall promptly inform Customer providing full details of the same.

1.9.  Data Protection Impact Assessment: If SMT believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

1.10.  Security incidents: If it becomes aware of a confirmed Security Incident, SMT shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. SMT shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep Customer informed of all material developments in connection with the Security Incident.

1.11.  Deletion or return of Data: Upon termination or expiry of the Agreement, SMT will, on Customer’s explicit request, delete or return the Data in its possession or control (in a manner and form decided by SMT, acting reasonably). This requirement shall not apply to the extent that SMT is required by applicable law to retain some or all of the Data, which Data SMT shall securely isolate and protect from any further processing.

1.12.  Audit: Customer acknowledges that SMT is regularly audited against SOC 2 standards by an independent third-party auditor. Upon Customer’s request, and subject to the confidentiality obligations set out in the Agreement, SMT shall make available to Customer that is not a competitor of SMT (or Customer’s independent, third-party auditor that is not a competitor of SMT) a copy of SMT’s SOC 2 report in the same manner and form that SMT makes the SOC 2 report generally available to customers.