​

Effective: February 3, 2025

This data processing agreement shall apply to all customers where Peaky is acting as a data
processor, unless Peaky's and the customer have entered into a separate agreement governing data
processing, such as a specific DPA from the customer.

Data Processing Agreement

This Data Processing Agreement (“DPA”) is an addendum to the legal agreement between you (the
“Customer”) and Peaky for your use of the Peaky Services (the “Agreement”).

1. Definitions
For the purposes of the DPA the following definitions apply;
“Customer Personal Data” means the categories of Personal Data that are set out in Annex A to this
DPA and that are Processed by Peaky on behalf of the Customer.
“Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the
Council on the protection of natural persons with regard to the Processing of Personal Data and on
the free movement of such data (General Data Protection Regulation or the “GDPR”) (ii) means the
GDPR as it forms part of domestic law in the United Kingdom by virtue of the European Union
(Withdrawal) Act 2018 and the Data Protection Act 2018; (iii) the Norwegian legislation implementing
the GDPR; and (iv) any equivalent legislation, or legislation dealing with the same subject matter,
anywhere in the world; each as applicable and each as amended, consolidated or replaced from time
to time.
“New Sub-Processor” means any Sub-Processors engaged by Peaky after the effective date of the
Agreement.
“Personnel” means any current, former or prospective employee, consultant, temporary worker,
agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.
“SCC” means the European Commission’s standard contractual clauses for data transfers between
EU and non-EU countries and/or, where applicable, the addendum to those standard contractual
clauses or international data transfer agreement published by the Information Commissioner’s Office
for data transfers from the UK.
“Sensitive Data” means: (i) social security number, tax file number, passport number, driver’s license
number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the
truncated (last four digits) of a credit or debit card); (iii) employment, financial, credit, genetic,

biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union
membership, information about sexual life or sexual orientation, or criminal record; (v) account
passwords; (vi) personal data relating to criminal convictions or offences, or (vii) other information
that falls within the meaning of “special categories of data” or “sensitive data” under applicable Data
Protection Laws.
“Sub-Processor” means an entity to which Peaky subcontracts its processing of the Customer
Personal Data.
“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processing” (with
“Process” and “Processed” to be construed accordingly) and “Processor” shall have the meaning
provided to such term under the GDPR.
“Supervisory Authority” shall have the meaning given to the term under the GDPR, or shall refer to
the Information Commissioner’s Office to the extent the UK GDPR applies.
All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For
the avoidance of doubt, all references to the Agreement shall include this DPA and any relevant
SCCs (where implemented in connection with the Agreement).

2. Roles and responsibilities
The parties acknowledge and agree that with regards to the Processing of Customer Personal Data
in the course of providing the Services, Customer is the Controller and Peaky is a Processor acting
on behalf of Customer as further described in Annex A (Details of Data Processing).
In the course of providing the Services, Peaky shall Process Customer Personal Data only:
• in accordance with Customer’s documented lawful instructions as set forth in this DPA; except
when required to Process any Customer Personal Data: (i) in relation to any EU/EEA member
state, by the laws of the EU/EEA or an EU/EEA member state; or (ii) in relation to the UK, by
the laws applicable in the UK, in which case Peaky shall inform Customer in advance of such
Processing, to the maximum extent permitted by applicable law, or as otherwise agreed in
writing; and
• to the extent necessary in connection with this DPA or the Services, including as described in
Annex A below, (together, the “Permitted Purposes”).
If at any point, Peaky becomes unable to comply with Customer’s instructions regarding the
Processing of Customer Personal Data (whether because Peaky believes that an instruction infringes
the applicable law of the United Kingdom, or applicable EU/EEA law or national law of an EU/EEA
Member State, or as a result of a change in applicable law, or a change in Customer’s instructions),
Peaky shall reasonably promptly:
• notify Customer of such inability, providing a reasonable level of detail as to the instructions
with which it cannot comply and the reasons why it cannot comply, to the extent permitted by
applicable law; and

• cease all Processing of the affected Customer Personal Data (other than merely storing and
maintaining the security of the affected Customer Personal Data) until such time as Customer
issues new instructions with which Peaky is able to comply.
The Customer shall: (i) comply with its obligations under applicable laws, including Data Protection
Laws, in respect of its Processing of Customer Personal Data and any Processing instructions issued
to Peaky; and (ii) provide all notices and obtain all consents and rights necessary under Data
Protection Laws for Peaky to Process Customer Personal Data for the purposes described in the
Agreement. This DPA does not relieve the Customer’s obligations under Data Protection Law.
The Customer shall not provide (or cause to be provided) any Sensitive Data to Peaky for Processing
under the Agreement, and Peaky will have no liability for Sensitive Data, whether in connection with a
Personal Data Breach or otherwise.
Notwithstanding the foregoing, in the event that the Customer provides Sensitive Data to Peaky,
Peaky shall not be obliged to Process such Sensitive Data.

3. Security
Subject to Section 8, Peaky will implement and maintain appropriate technical and organizational
security measures to protect Customer Personal Data from accidental or unlawful destruction,
accidental loss, alteration, unauthorized disclosure or access, any other breach of security, and take
reasonable steps to ensure a level of security appropriate to the risks arising from its Processing
activities, in accordance with applicable Data Protection Law. The security measures shall at all times
be designed to preserve the security and confidentiality of Customer Personal Data in accordance
with Peaky's security standards set out in Annex B to this DPA.
Peaky shall take reasonable steps to ensure: (i) that Customer Personal Data are kept confidential;
and (ii) that all relevant Peaky Personnel and any relevant Sub-Processors have committed
themselves to ensuring the confidentiality of all Customer Personal Data that they Process.
Peaky shall ensure that Customer Personal Data is solely Processed by Peaky's Personnel who are
authorized by Peaky to Process Customer Personal Data.
Customer is responsible for reviewing relevant information pertaining to data security as is made
available by Peaky. Based on such information, the Customer shall make an independent
assessment on whether the Peaky Service complies with the Customer’s obligations pursuant to
applicable laws, including Data Protection Laws. Customer understands that Peaky's security
measures may be updated or modified as needed, provided that such updates and/or modifications
do not negatively affect the overall level of security for the Peaky Services provided to Customer.

4. Personal Data Breach and other notifications
Peaky shall:

• reasonably promptly notify the Customer of:
• any confirmed Personal Data Breach affecting Customer Personal Data upon becoming
aware thereof;
• receipt of any correspondence or communication from any Data Subject or Supervisory
Authority regarding the Processing of Customer Personal Data; and
• promptly take reasonable steps to contain and investigate any Personal Data Breach affecting
Customer Personal Data.
Peaky's notification of, or response to, a Personal Data Breach under this Section 4 shall not be
construed as an acknowledgment by Peaky of any fault or liability with respect to the Personal Data
Breach.

5. Cooperation with the Customer
In respect of the Processing of Customer Personal Data, taking into account the nature of the
Processing and the information available to Peaky, Peaky shall, at the Customer’s written request
and expense, reasonably promptly assist the Customer with the Customer’s legal obligations under
Data Protection Law by providing the Customer with any reasonable technical and organizational
assistance necessary to:
• implement appropriate technical and organizational measures for the purpose of complying
with Data Protection Law;
• enable the Customer to respond appropriately to requests from relevant Data Subjects to
exercise their rights;
• notify the appropriate Supervisory Authority and Data Subjects, where required, of any
Personal Data Breach affecting Customer Data;
• carry out data protection impact assessments where required by applicable Data Protection
Law;
• obtain any necessary authorizations from Supervisory Authorities where required by applicable
Data Protection Law; and
• conduct prior consultations with Supervisory Authorities where required by applicable Data
Protection Law.
For the avoidance of doubt, Peaky shall be entitled to receive remuneration for any
documented costs Peaky incurs in connection with its assistance under this Section 5.

6. Audit and compliance review
Peaky shall, in relation to its Processing of Customer Personal Data, maintain documentation of its
compliance with this DPA and Data Protection Law, including written records of all Customer
Personal Data Processed on behalf of the Customer. Peaky shall provide access to the
aforementioned documentation upon the Customer’s reasonable notice.

At the Customer’s request and expense, Peaky shall: (i) promptly provide Customer with all
information reasonably necessary to enable Customer to demonstrate compliance with its obligations
under Data Protection Law, to the extent that Peaky is reasonably able to provide such information;
and (ii) subject to Section 8, allow for and contribute to audits, including inspections, conducted by
the Customer of Peaky's premises and security systems specific for Customer, as Customer may
reasonably require to ascertain compliance with Data Protection Law.
The Parties shall agree on the timing of such audits, including the scope and methods for the audits.
Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding
the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the
performance of such audits are necessary for the Customer’s compliance with Data Protection Law.
The Customer shall give Peaky reasonable notice of the audit. The audit shall be conducted in a
manner that causes the least possible disruption to Peaky's ordinary operations. Further, all on-site
audits shall be restricted to Peaky's standard opening hours, and Peaky's shall provide the Customer
with copies of Peaky's then-current policies and procedures regarding access to its premises, and
the Customer shall procure that all Personnel involved in such on-site audits shall abide by such
policies and procedures at all times. The audit result shall be documented appropriately. No provision
of this DPA shall entitle Customer, or any auditor, to access confidential information of Peaky or any
third party. Peaky may object to any third-party auditor appointed by Customer if the auditor is, in
Peaky's reasonable opinion: (i) not suitably qualified or independent; (ii) a competitor, or affiliate of a
competitor, of Peaky; or (iii) otherwise manifestly unsuitable for the role. Any such objection by Peaky
will require Customer to appoint another auditor or conduct the audit itself.
The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense.
The relevant third party may not be a competitor of Peaky.
Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the
Customer. Notwithstanding the foregoing, if audits, pursuant to this Section 6, identifies that Peaky is
in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be
borne by Peaky.

7. Use of Sub-Processors
The Customer hereby grants Peaky a general authorization to subcontract its processing of the
Customer Personal Data to a Sub-Processor, subject to this Section 7.
Peaky shall take reasonable steps to ensure that, in each instance in which it engages a Sub-
Processor to Process any Customer Personal Data, it shall: (i) appoint such Sub-Processors in
accordance with the Customer’s prior authorization as granted above; and (ii) use commercially
reasonable efforts to enter into a written agreement with each Sub-Processor, requiring the Sub-
Processor to comply with data protection obligations equivalent in all material respects to those
imposed on Customer under this DPA with respect to the Processing of Customer Personal Data.

Peaky shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA
and for any acts or omissions of such Sub-Processors that cause Peaky to breach any of its
obligations under this DPA.
Peaky will inform the Customer if Peaky intends to appoint or use a New Sub-Processor to the extent
applicable to the Processing of Customer Personal Data by updating the list of Peaky current Sub-
Processors available in Annex C herein. If the Customer has reasonable grounds to object to Peaky's
use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under
Data Protection Law, the Customer shall notify Peaky thereof in writing within fifteen (15) calendar
days after receipt of Peak notice.
Following such an objection from the Customer, Peaky shall be entitled to terminate the Agreement
for convenience without being obligated to refund any amounts that the Customer has already paid,
to the fullest extent permitted under applicable law.

8. Obligations of Customer
Customer warrants that it shall at all times comply with its obligations under Data Protection Laws in
respect of Peaky's engagement to Process any Customer Personal Data.
Customer acknowledges that the security measures set out in Annex B below are sufficient for the
purposes of Processing the Customer Personal Data under this DPA.
Customer shall not, whether through action or omission, place Peaky in breach of any Data
Protection Laws.

9. International Transfers
Customer agrees that Peaky shall be entitled to transfer and Process Customer Personal Data within
the EU/EEA and the UK.
Subject to Section 7, Customer acknowledges that Peaky may transfer and Process Customer
Personal Data to areas outside the EU/EEA/UK. Peaky shall take all reasonable steps to ensure that
such transfers are made in compliance with the requirements of the Agreement, this DPA and Data
Protection Law.
To the extent that Peaky transfers Customer Personal Data protected by Data Protection Laws to a
country outside of EU/EEA/UK that is not recognized as providing an adequate level of protection for
personal data (as described in applicable Data Protection Law), Peaky shall ensure that the transfer
is based on the appropriate version(s) of the SCCs. Peaky shall enter into written agreement
including appropriate SCCs with all of Peaky's Sub-Processors that might Process Customer Data
outside the EU/EEA/UK, and shall require that its Sub-Processors abide by and Process Data in
compliance with the SCCs.
 

10. Return or Deletion of Data
Upon termination of the Agreement, Peaky shall delete or return to Customer, at Customer’s choice,
all Customer Personal Data in Peaky's possession or control within sixty (60) days after the
termination. This requirement shall not apply to the extent Peaky is required by applicable law to
retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in
back-up systems, which Peaky shall securely isolate, protect from any further Processing and
eventually delete in accordance with Peaky's ́s deletion policies, except to the extent required by
applicable law.

Annex A – Details of Data Processing
Processor:
Peaky is the Processor of Customer Personal Data.
Controller:
The Customer is the Controller of Customer Personal Data.
Subject matter:
Processing of Customer Personal Data by Peaky on behalf of the Customer under, or in connection
with, the Agreement.
Duration of Processing:
Peaky will Process Customer Personal Data as outlined in Section 10 (Return or Deletion of Data) of
this DPA.
Purposes of Processing:
Peaky shall only Process Customer Personal Data for the following purposes: (i) Processing as
necessary to provide the Peaky Services in accordance with, or in connection with, the Agreement;
(ii) Processing initiated by Customer in its use of the Peaky Services; and (iii) Processing to comply
with any other reasonable instructions by Customer (e.g., via email or support tickets) that are
consistent with the terms of the Agreement.
Nature of the Processing:
Peaky provides a well-being and performance platform, and related services, that allows users to
engage and provide self-assessment , create or engage with messages, as more particularly
described in the Agreement.
Data Subjects:
Any user the Customer invites into the Services, such as Customer personnel.
Categories of Customer Personal Data:
The Customer may upload, submit or otherwise provide certain Personal Data to or for the use of the
Services, the extent of which is typically determined and controlled by the Customer in its sole
discretion, and may include email addresses (required for login), organization (required), username,
name, location, picture, video, user activity, and profile bio.

Sensitive Data:
It is not the intention of either Party that Peaky should Process any Sensitive Data as part of the
provision of the Services.

Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in
accordance with Section 3 of this DPA).



 

 

​

​

​

​

​

​

​

​

​

​

​

​

​

 

* For a complete overview of personal data processing locations, international transfers and which
sub-processor our sub-processors use, please review the links listed below or visit www.peaky.io