This Data Protection Addendum (this “DPA”) is entered into between Callidus Software Inc., located at 4140 Dublin Blvd #400, Dublin, CA 94568, USA (“Callidus”), and Service Provider (defined below). This DPA is effective on the date the parties sign the applicable Agreement.


  1. The parties have entered into one or more agreements for the provision of services by Service Provider to Callidus (“Agreement“)
  2. In connection with the Services, the parties anticipate that Service Provider, may from time to time process certain personal data in respect of which (as defined below) Callidus may be a data controller under the Data Protection Legislation (as defined below).
  3. The Service Provider and Callidus have agreed to this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such personal data as required by the Data Protection Legislation.


Adequate Country” means a country or territory that is recognised under Data Protection Legislation from time to time as providing adequate protection for personal data.

Service Provider” means the provider of Services to Callidus that is identified on, and is a party to, the Agreement.

Data Protection Legislation” means all privacy laws and regulations applicable to any Personal Data processed under or in connection with this Agreement, including without limitation, the Data Protection Directive 95/46/EC (as the same may be superseded by the GDPR, the Privacy and Electronic Communications Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data” means all data which is defined as ‘Personal Data’ in the Data Protection Legislation and that is provided directly or indirectly by Callidus to Service Provider, or accessed, stored or otherwise processed by Service Provider or its subprocessors (as applicable) for the purposes of delivering the Services to Callidus.

“Processing”, “Data Controller”, Data Processor “, “Data Subject” and “Supervisory Authority” shall have the meanings ascribed to them in the Data Protection Legislation.

Services” means the Services provided by Service Provider to Callidus according to the Agreement.

Standard Contractual Clauses / SCC” means the Standard Contractual Clauses document attached as Attachment 1.


2.1       Scope and Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Callidus is the Data Controller, Service Provider is the Data Processor.

2.2       Compliance with Laws. Service Provider will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the Data Protection Legislation.

2.3       Processing Instructions. Service Provider will process Callidus’ data in accordance with the Agreement; and with the Callidus’ reasonable instructions.

2.4       Record-keeping. The types of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Attachment 2 of this DPA.


3.1       Callidus acknowledges that the provision of the Services under the Agreement may require the export of Personal Data to countries outside the European Economic Area (EEA) from time to time.

To the extent any processing of Personal Data by Service Provider takes place in any country outside the EEA (except if in an Adequate Country),, the parties agree that the standard contractual clauses approved by the EU authorities under Data Protection Legislation and  as set out in Attachment 1 of this DPA will apply in respect of that processing and Service Provider will comply with the obligations of the ‘data importer’ in the standard contractual clauses and Callidus will comply with the obligations of ‘data exporter

3.2       If, in the performance of this DPA, Service Provider transfers any Personal Data to a sub-processor (which may include without limitation any affiliates of Service Provider) and without prejudice to Section 7 where such sub-processor will process Personal Data outside the EEA (except if exported to an Adequate Country), Service Provider shall in advance of any such transfer ensure that:

  1. the Service Provider has executed or procured that the sub-processor executes on behalf of Callidus standard contractual clauses approved by the EU authorities under Data Protection Legislation and set out in Attachment 1; and
  2. the sub-processor commits to comply with substantially the same terms as Service Provider commits to in Clause 3.3.

3.3       Callidus is self-certified under the EU-US privacy shield framework, Accordingly, and without prejudice to Clause 3.1, Service Provider agrees in relation to any processing of Personal Data by Service Provider or its sub-processors:

  1. to process Personal Data at all times in accordance with the Privacy Shield principles which can be found at (“Principles”) or such site as may be subsequently updated from time to time;
  2. to provide at least the same level of privacy protection as is required under the Principles;
  3. to transfer Personal Data to any third party sub-contractor only for limited and specified purposes as set out in this DPA and pursuant to the Callidus’ reasonable instructions;
  4. to take reasonable and appropriate steps to ensure that any third party sub-contractor effectively processes the Personal Data transferred to it in a manner which is consistent with the Callidus’ obligations under the Principles;
  5. to promptly notify the Callidus upon the Service Provider’s (or any of its third party sub-contractors’) determination that it can no longer meet its obligation in respect to the processing of Personal Data and the Principles as required under this DPA;
  6. to provide upon request or allow the Controller to provide a summary of the relevant privacy provisions in this DPA or in any contracts that the Processor may have with any sub-contractors to an agent of the US Department of Commerce; and
  7. where the Service Provider (or any of its third party sub-contractors) becomes aware that it is no longer processing data in accordance with this DPA, to immediately take all reasonable and appropriate steps to stop and remediate such unauthorised processing.


4.1       Security. Service Provider will take adequate technical and organizational security measures to safeguard Callidus Personal Data and other confidential information against accidental loss, unauthorized access, destruction, disclosure, transfer or other any improper use   of Callidus’ Data, according to the measures set forth in this section, including the measures set out in Attachment 3. Service Provider shall provide all reasonable assistance as Callidus requests  to the Service Provider, at no additional cost, in relation to (i) Callidus’ obligations under Data Protection Legislation with respect to: data protection impact assessments (as such term is defined in the GDPR); (ii) notifications to the Supervisory Authority and/or communications to Data Subjects by Callidus in response to any Security Incident; and (iii) Callidus’ compliance with its obligations under the GDPR with respect to the security of processing . Service Provider will not divulge, make public or otherwise disclose any Personal Data or other confidential information of Callidus, whether directly or indirectly, to any third party without the express, written consent of Callidus and in giving such consent, Callidus may impose such terms and conditions as it considers reasonable or necessary.

4.2       Certifications. Service Provider uses external auditors to verify the adequacy of its security measures. This audit: (a) will be performed at least annually; (b) will be performed according to an industry standard such as Service Organization Control (SOC) 2 Trust Services Principles or ISO27001 etc; (c) will be performed by an independent third party.

4.3       Audit Procedure. Service Provider shall provide all information necessary and reasonable cooperation and assistance with Callidus and/or its auditors to allow Callidus to meet applicable requirements under the Data Protection Legislation.

4.4.      Records.  Service Provider shall, in accordance with Data Protection Legislation, make available to Callidus such information in Service Provider’s possession or control as Callidus may reasonably request with a view to demonstrating Service Provider’s compliance with the obligations of data processors under Data Protection Legislation in relation to its processing of Personal Data.

4.5       Deletion. As soon as reasonably practicable following, and in any event within ninety (90) days of, termination or expiry of the Agreement or completion of the Services, Service Provider will delete or return (at Callidus direction) the Callidus Personal Data (including copies thereof) processed pursuant to this DPA.


5.1       Service Provider shall maintain security incident response policies and procedures and shall (a) immediately upon becoming aware, notify the Callidus Data Privacy Officer by emailing of any actual or potential breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Service Provider, (a “Security Event”) and taking into account the nature of processing and the information available to Service Provider at the time it became aware of the Security Event; (b) take all necessary steps to mitigate the effects and to minimize any damage resulting from the Security Event and (c) provide all reasonable cooperation and assistance during such investigation to remediate such occurrence.

5.2       In the case of any Security Event, Service Provider will provide to Callidus an oral report within twenty-four (24) hours of becoming aware of the Security Event (“Discovery”) and a comprehensive written report no later than five (5) business days from Discovery of the Security Event, setting out all relevant information on the Security Event, including the following:

  1. a description of the nature Security Event,
  2. the date the Security Event occurred,
  3. the date the Security Event was discovered,
  4. the identity and last known mailing address of individual(s) concerned,
  5. the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
  6. a summary of the possible consequences for the relevant data subjects
  7. a description of the steps and measures taken to date, or that otherwise should be taken, to respond to, deal with or otherwise mitigate any impacts of the Security Event and the details of the person(s) or entity(ies) which has, will or should be taking such steps,
  8. the contact details of any law enforcement authority or data protection officer that has been contacted about the Security Event and contact information for the relevant official,
  9. a description of the steps that have been, or will be, taken to prevent a recurrence of the Security Event and the details of the person or entity which has, will or should be taking such steps,
  10. full contact information for the individual(s) principally responsible for responding to the access, disclosure or transfer. Service Provider will update its written disclosure as new, material information becomes available; and
  11. Service Provider will update the written report as new, material information is Discovered;


6.1       Service Provider shall ensure its personnel involved in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and have executed written confidentiality agreements.

6.2       Service Provider shall ensure that access to Personal Data is limited to personnel involved in the performance of the Services.

6.3       Service Provider shall take all reasonable steps to ensure the reliability of any Callidus personnel engaged in the Processing of Personal Data.


7.1       Subcontracting. Service Provider is authorized to subcontract Services with Callidus’ written consent, not to be unreasonably withheld or delayed.

7.2       Sub-processor Obligations. Service Provider will ensure that any sub-processor it engages to provide the Services on its behalf in connection with the Agreement restricts the sub-processor’s access to Callidus’ Data only to the extent necessary to provide the Service and not for any other purpose; and (ii) enters into a written contract which imposes on such sub-processor to provide sufficient guarantees to implement appropriate technical and organisational measures, including relevant contractual obligations regarding confidentiality, data protection, data security, and audit rights – such terms shall substantially be no less protective of Personal Data than those imposed on Service Provider in this DPA; and (iii) Service Provider remains responsible for its compliance with the DPA and for any acts or omissions of the sub-processor that cause Service Provider to breach any of Service Provider’s obligations under this DPA.

7.3       Objection to New Sub-Processors. 
Service Provider will maintain a list of sub-processors and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. If Callidus has a reasonable objection to any new or replacement sub-processor, it shall notify Service Provider of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If Service Provider is able to provide the Services to Callidus in accordance with the Agreement without using the sub-processor and decides in its discretion to do so, then Callidus will have no further rights under this Section 7.3 in respect of the proposed use of the sub-processor.  If Service Provider requires to use the sub-processor and is unable to satisfy Callidus as to the suitability of the sub-processor or the documentation and protections in place between Service Provider and the sub-processor within thirty (30) days from the Callidus’s notification of objections, Callidus may elect to suspend Service(s) or terminate the Agreement.


Where required under Data Protection Legislation, Service Provider shall immediately notify Callidus if it receives a request from a Data Subject to access, rectify or erase that person’s Personal Data or if a Data subject objects to the processing of, or makes a data portability request in respect of, such Personal Data (“together Data Subject Request”). Service Provider shall provide all reasonable and necessary assistance to Callidus so that Callidus can respond to a Data Subject Request. Service Provider will not independently respond to requests from Callidus’s end users without Callidus’s prior written consent, except to confirm that the request relates to Callidus. To the extent Callidus does not have the ability to address a Data Subject Request, Service Provider shall upon the Callidus’s request, and at no additional cost, provide reasonable assistance to facilitate such Data Subject Request.


9.1       Interpretation. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, this DPA shall apply so far as the subject matter concerns the processing of Personal Data.

9.2       Counterparts. This DPA may be executed in two or more counterparts, each of which will be deemed an original and which taken together will be deemed to constitute the same document. The parties may sign this DPA by email or facsimile.

9.3       Severability. If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of terms will remain in full effect.

9.4       Governing law and jurisdiction. This DPA is governed by the law of the Agreement.

Standard Contractual Clauses Agreement

EU-standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, EU-Commission decision of 5 February 2010, 2010/87/EU.


For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Callidus Software Inc.
4140 Dublin Blvd, #400
Dublin, CA, 94568, USA
(the data exporter)


The entity identified as “Service Provider” in the Addendum
(the data importer)

each a ‘party’; together ‘the parties’,

HAVE AGREED to incorporate the Standard Contractual Clauses (the Clauses) located at by reference to this Agreement in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Attachment 2.

Appendix 1 of the Clauses is completed as follows:

Appendix 1 to the Standard Contractual Clauses

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer): Callidus Software Inc. (“Callidus”)

Callidus is a provider of enterprise software and offers Software as a Service (SaaS) solutions, especially in the field of sales effectiveness and sales performance management. Callidus also offers on premise software solutions as well as consulting services and technical support in relation to all its products and services.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):  Service Provider processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement.

The data subjects, categories of personal data and processing operations are as set out in paragraphs (c), (d) and (e) of Attachment 2 of this DPA and the security measures required of the data importer are as set out in Attachment 3 of this DPA..

Details of the Personal Data and processing activities

  1. Data categories
    The data categories processed may include identification data (name, address, email, date of birth, etc.), financial information (credit card details, account details, payment information, etc.), IT information (usage data, location data, etc.), sensitive categories (health/genetic/biometric/religious/political etc.) and any other data category so agreed to be processed between the parties needed to provide the services.
  2. Duration
    The duration of the processing will be: until the earliest of (i) expiry/termination of the Agreement or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable), unless otherwise Agreed in writing;
  3. Nature of data processing
    The processing will comprise: the activities set out in the order or schedule to the Agreement;
  4. Purpose of data processing
    The purpose of the data process is to allow Service Provider to carry out its obligations in relation to the Services it provides to Callidus.
  5. Data subjects
    The data subjects may include Callidus employees, prospects, contractors, business partners, customers, other service providers, and any other data subject so agreed to between the parties in providing the services.

Details of Security Measures

  1. Physical access control
    Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed, include:


    • Establishing secure areas, restriction of access paths;
    • Establishing access authorizations for employees and third parties;
    • Access control system (ID reader, magnetic card, chip card);
    • Key management, card-keys procedures;
    • Door locking (electric door openers etc.);
    • Security staff, janitors;
    • Surveillance facilities, video/CCTV monitor, alarm system;
    • Securing decentralized data processing equipment and personal computers.
  2. Virtual access control
    Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:


    • User identification and authentication procedures;
    • ID/password security procedures (special characters, minimum length, change of password);
    • Automatic blocking (e.g. password or timeout);
    • Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
    • Creation of one master record per user, user master data procedures, per data processing environment.
  3. Data access control 
    Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:


    • Internal policies and procedures;
    • Control authorization schemes;
    • Differentiated access rights (profiles, roles, transactions and objects);
    • Monitoring and logging of accesses;
    • Disciplinary action against employees who access Personal Data without authorization;
    • Reports of access;
    • Access procedure;
    • Change procedure;
    • Deletion procedure;
  4. Disclosure control 
    Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:
    • Encryption/tunneling;
    • Logging;
    • Transport security.
  5. Entry control 
    Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:


    • Logging and reporting systems;
    • Audit trails and documentation.
  6. Availability control 
    Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include:


    • Backup procedures;
    • Mirroring of hard disks (e.g. RAID technology);
    • Uninterruptible power supply (UPS);
    • Remote storage;
    • Anti-virus/firewall systems;
    • Disaster recovery plan.
  7. Separation control 
    Technical and organizational measures to ensure that Personal Data collected for different purposes can be processed separately include:


    • Separation of databases;
    • Segregation of functions (production/testing);
    • Procedures for storage, amendment, deletion, transmission of data for different purposes.