DATA PROCESSING ADDENDUM
Updated on November 11, 2025
This Data Processing Addendum (“DPA”) is incorporated by reference into the applicable Agreement between Customer and ePS. All capitalized terms used in this DPA but not defined have the meaning set forth in the Agreement. By accepting this DPA while executing the Agreement or Purchase Documentation, Customer agrees to the terms of this DPA.
Background
- ePS and Customer entered into that certain License and Purchase Agreement on file between the parties (the “Agreement”) which may involve the Processing of Personal Data of Data Subjects in the context of ePS products and/or services provided under the Agreement.
- The EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”), together with other applicable Data Protection Laws, applies to the Processing of Customer Personal Data by ePS.
- The parties wish to execute this DPA to meet their obligations under Data Protection Laws in respect of ePS’s Processing of Customer Personal Data.
The parties therefore agree as follows:
1. Scope
1.1 This DPA applies where, and only to the extent, that ePS Processes Personal Data on behalf of Customer in the course of providing products and/or services pursuant to the Agreement. The Parties agree that this DPA is terminated upon the termination of the Agreement.
1.2 Customer provides the Personal Data and, in the context of an ePS-hosted solution, primarily controls the upload and handles directly the use of the Personal Data that have been uploaded into ePS’s hosted solution. It is the sole responsibility and liability of Customer to ensure that any and all Personal Data are collected and transmitted to ePS in compliance with Data Protection Laws (as defined below).
For Customer-deployed implementations of ePS products where Customer hosts and operates the software in its own environment, ePS does not act as a Processor except to the extent ePS may, at Customer’s request, access Personal Data for the limited purpose of providing technical support, troubleshooting, or maintenance. Such limited access is deemed Processing under this DPA.
1.3 The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor”, and “” have the meanings ascribed to them in the Data Protection Laws. “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data, including but not limited to: (i) the GDPR, (ii) the GDPR as transposed into United Kingdom national law by operation of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and (iii) the California Consumer Privacy Act; in each case as amended, repealed, consolidated or replaced from time to time.
2. Roles and Responsibilities
2.1 As between ePS and Customer, Customer is the Controller of Personal Data and ePS will Process such Personal Data only as a Processor acting on behalf of Customer.
2.2 Customer represents and warrants that it has express consent and/or a legal basis to Process and transfer the relevant Personal Data, and that Data Subjects have been properly informed of the collection and Processing of their Personal Data. Furthermore, Customer represents and warrants that the contents of the Personal Data are not unlawful and do not infringe any rights of a third party. Customer shall indemnify ePS from all claims and actions of third parties related to the Processing of Personal Data without express consent and/or legal basis under this DPA.
2.3 ePS shall Process Personal Data on behalf of Customer only in accordance with this DPA and documented instructions received from Customer. If ePS is legally required to Process Personal Data otherwise than as instructed by Customer, ePS shall inform Customer before such Processing occurs, unless the law requiring such Processing prohibits ePS from doing so. ePS is not responsible for compliance with any Data Protection Laws applicable to Customer or its industry that are not generally applicable to ePS.
2.4 ePS shall provide assistance (at Customer’s expense) as Customer may reasonably require to comply with its obligations as a Controller under Articles 32 to 36 of the GDPR, including reasonable cooperation to assist Customer in responding to requests from individuals exercising their data protection rights or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the event that any such request is made directly to ePS, ePS will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so. If ePS is required to respond to such a request, ePS will promptly notify Customer and provide it with a copy of the request, unless legally prohibited from doing so. Upon Customer’s reasonable request, ePS shall further assist Customer in complying with its obligations relating to security of processing, breach notifications, and prior consultation with supervisory authorities, taking into account the nature of the Processing and the information available to ePS.
3. Processing
3.1 The following pertain to ePS’s Processing of Personal Data on behalf of Customer:
- Purpose: The purpose of the Processing under this DPA is the provision of products and/or services to Customer under the Agreement.
- Nature of the processing: As described in the Agreement.
- Frequency of the transfer: Continuous during the term of the Agreement.
- Types of Personal Data: The types of Personal Data are determined by Customer in its sole discretion and may include, but are not limited to: first and last name; business email; business phone; business address.
- Categories of Data Subjects: The categories of Data Subjects whose Personal Data may be transferred are determined and controlled by Customer in its sole discretion and may include, but are not limited to: Customer employees; Customer customers.
3.2 Customer consents to Personal Data being processed outside of the European Union to the same extent that such processing already takes place in accordance with the Agreement. Where Personal Data are transferred outside their country of origin, each party shall ensure that such transfers are made in compliance with the requirements of Data Protection Laws.
As a global organization, ePS may need to transfer personal data to its affiliates, authorized service providers, and trusted partners located outside of the United States. In such cases, ePS implements appropriate safeguards to protect personal data in accordance with applicable Data Protection Laws.
3.3 To the extent that ePS Processes any Personal Data originating from the EEA, Switzerland, or the United Kingdom, ePS shall ensure that such transfers are made in compliance with Chapter V of the GDPR and applicable Data Protection Laws.
(i) Data Privacy Framework. ePS represents that it is self-certified under the EU–U.S. Data Privacy Framework, the UK Extension to the EU–U.S. Data Privacy Framework, and the Swiss–U.S. Data Privacy Framework, and complies with the Data Privacy Principles when Processing such Personal Data. ePS shall notify Customer without undue delay if its self-certification is withdrawn, terminated, revoked, or otherwise invalidated.
(ii) Alternative Transfer Mechanisms. If, for any reason, the Data Privacy Framework ceases to be a valid data-transfer mechanism, ePS shall ensure that such transfers are conducted under an alternative lawful mechanism recognized by the European Commission or the UK Information Commissioner’s Office, such as the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or the UK Addendum.
3.4 Upon termination or expiration of the Agreement, ePS shall, at Customer’s request, promptly delete or return all Customer Personal Data and delete copies thereof, unless otherwise required by applicable law.
4. Security
4.1 ePS has implemented and will maintain appropriate technical and organizational security measures to protect the Personal Data from Personal Data Breaches and to preserve the security and confidentiality of Customer’s Personal Data. These technical and organizational security measures are set forth in Annex A. The technical and organizational measures listed in Annex A may be modified or updated at ePS’s discretion; provided that the modifications or updates must at least achieve the level of protection of the previous measures. ePS employees who have access to Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Upon becoming aware of a Personal Data Breach, ePS will notify Customer without undue delay and will provide information relating to the Personal Data Breach as it becomes known or as is reasonably requested by Customer. ePS will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Personal Data Breach.
4.3 If Customer is provided an ePS-hosted solution, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the ePS-hosted solution, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the hosted solution and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the hosted solution.
5. Sub-Processing
5.1 Customer agrees that in order to provide the products and/or services, ePS may engage sub-processors to Process Customer Personal Data. This may include engagement to provide hosting services or to provide product support. Through its execution of this DPA, Customer authorizes ePS, within the framework of the Agreement, to engage sub-processors. Approved sub-processors as of the date of acceptance of this DPA include:
| Sub-processor | Description of Processing |
|---|---|
| Amazon Web Services, Inc. | Hosting and infrastructure services |
| Microsoft Corporation (Office 365) | Productivity and collaboration tools |
| Zoom Video Communications, Inc. | Video conferencing and collaboration |
| Atlassian Pty Ltd. | Support and development ticketing platform |
| Salesforce.com, Inc. | Customer relationship management |
| ConnectWise, LLC | Remote support and troubleshooting |
| DocuSign, Inc. | Electronic signature and contract management services |
| GitHub, Inc. | Source-code management and CI/CD automation platform |
| Oracle America, Inc. (NetSuite) | ERP and financial management platform |
| HubSpot, Inc. | Marketing automation tool |
| Wrike, Inc. | Project management platform |
| EProductivity Software Packaging Technology India Private Limited (subsidiary of EPS Packaging US, LLC) | Subsidiary that may provide support, maintenance, and engineering services on behalf of ePS, which may involve limited access to customer data for troubleshooting or technical support purposes |
5.2 ePS shall ensure by means of a written contract, which can also be concluded in an electronic format, with the sub-processor that the material provisions agreed in this DPA, or otherwise required by Data Protection Laws, also apply to the sub-processor.
5.3 ePS shall inform Customer of any intended changes concerning the addition or replacement of other sub-processors, and provide Customer the opportunity, within ten (10) days of such notification from ePS, to object to such changes. If Customer objects, the parties shall discuss Customer’s concerns in good faith. If the parties are unable to agree regarding such changes, ePS reserves the right to terminate the relevant Agreement without liability.
6. Audit Rights and Compliance Assistance. ePS shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. Compliance may be demonstrated through independent third-party certifications, audit reports, attestations, summaries of security and privacy assessments, or other equivalent documentation.
Customer acknowledges that such documentation and certifications provide sufficient evidence of ePS’s compliance, and that ePS is not required to permit Customer or any third party to conduct on-site audits or inspections of ePS’s facilities or systems.
8. Miscellaneous.
8.1 Additional Provision Applicable to California. The disclosure of California Personal Data by Customer to ePS does not form part of any monetary or other valuable consideration exchanged between the parties.
8.2 Order of Precedence. Except as expressly set forth herein, all terms and conditions of the Agreement remain in full force and effect. In the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA control.
8.3 Modification and Amendment. This DPA may only be modified by a written amendment signed by authorized representatives of the parties.
8.4 Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
8.5 Language. This DPA is only in English, which is controlling in all respects. If there are any conflicts or inconsistencies between the English-language version and a translation, the English-language version controls. Any notices relating to this DPA must be in writing in English.
8.6 Data Protection Contact. Questions or communications relating to this DPA may be directed to privacy@epssw.com.
Annex A
Technical and Organizational Security Measures
Description of the technical and organizational measures implemented by ePS to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
1. Access control to premises and facilities
Measures must be taken to prevent unauthorised physical access to premises and facilities holding Personal Data. Measures shall include:
- Access control system
- ID reader, magnetic card, chip card
- (Issue of) keys
- Door locking (electric door openers etc.)
- Surveillance facilities
- Alarm system, video/CCTV monitor
- Logging of facility exits/entries
2. Access control to systems
Measures must be taken to prevent unauthorised access to IT systems. These must include the following technical and organisational measures for user identification and authentication:
- Password procedures (incl. special characters, minimum length, forced change of password)
- Use of Multi-Factor Authentication (MFA) for all administrative and remote access accounts, and for other users where technically feasible
- No access for guest users or anonymous accounts
- Central management of system access
- Access to IT systems subject to approval from HR management and IT system administrators
3. Access control to data
Measures must be taken to prevent authorised users from accessing data beyond their authorised access rights and to prevent the unauthorised input, reading, copying, removal, modification or disclosure of data. These measures shall include:
- Differentiated access rights
- Access rights defined according to duties
- No access for guest users or anonymous accounts
- Automated log of user access via IT systems
- Measures to prevent the use of automated data Processing systems by unauthorised persons using data communication equipment
4. Disclosure control
Measures must be taken to prevent the unauthorised access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
- Encryption using a VPN for remote access, transport and communication of data.
5. Availability control
Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:
- Ensuring that installed systems may, in the case of interruption, be restored
- Ensuring that systems are functioning, and that faults are reported
- Ensuring that stored Personal Data cannot be corrupted by means of a malfunctioning of the system
- Uninterruptible power supply (UPS)
- Business Continuity procedures
- Remote storage
- Anti-virus/firewall systems
6. Segregation control
Measures should be put in place to allow data collected for different purposes to be Processed separately. These should include:
- Restriction of access to data stored for different purposes according to staff duties
- Segregation of business IT systems
- Segregation of IT testing and production environments
7. Pseudonymization and encryption of personal data
- Data in transit are encrypted using industry-standard transport encryption protocols such as TLS 1.2 or higher.
- Data at rest are protected through strong encryption (for example, AES-256 or equivalent) to ensure confidentiality and integrity.
- Encryption keys are managed securely and access is restricted to authorized personnel only.
- Pseudonymization of data can be applied where appropriate or upon request by the Customer.
8. Procedures for regular review, assessment and evaluation
- There are strict, segregated controls around administrative access to the physical and logical areas where hypervisors may be controlled or installed. Only very limited authentication, encrypted connectivity, and minimal port access are permitted. System access privilege checks are performed monthly.
9. Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- These measures include ensuring that installed systems may, in the case of interruption, be restored; ensuring systems are functioning, and that faults are reported; ensuring stored Personal Data cannot be corrupted by means of a malfunctioning of the system; uninterruptible power supply (UPS); disaster recovery procedures; anti-virus/firewall systems.
10. Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Backup data are retained for a limited period (typically 5 days) solely to ensure recoverability from accidental deletion or other operational issues.
The above technical and organizational measures are periodically reviewed for effectiveness and updated as necessary to maintain an appropriate level of security.