Last updated: 21 September 2025
This Addendum only applies to businesses in the European Union or United Kingdom, and only when required by GDPR or UK Data Protection Laws.
This Data Processing Addendum (the Addendum) forms part of the MinuteDock Terms of Service (and any related documentation, such as our Privacy Policy), as amended from time to time (the Agreement), between you (the Customer) and MinuteDock. All capitalised terms not defined in this Addendum have the meaning set out in the Agreement.
Part A: General data protection terms Part B: Additional region-specific terms
Part A (General Data Protection Terms) of this Addendum applies whenever MinuteDock processes Personal Data as a Processor (or sub-Processor) on behalf of the Customer. MinuteDock and the Customer must always comply with this Part A.
In addition, certain additional region-specific terms may apply to the processing in the circumstances described in Part B (Additional Region-Specific Terms). MinuteDock and the Customer must also comply with Part B, where it applies.
Conflict Resolution: To the extent of any conflict between: (a) this Addendum and the MinuteDock Terms of Use, this Addendum will prevail, and (b) Part A and Part B of this Addendum, Part B will prevail.
In this Addendum, the following terms have the following meanings:
(a) Applicable Data Protection Law means all privacy and data protection laws which apply to the processing of Personal Data pursuant to the Agreement and this Addendum.
(b) Controller means: - (a) the natural or legal person which determines the purposes and means of the processing of Personal Data; and - (b) any natural or legal person who is a “controller”, “business” or substantially similar concept under Applicable Data Protection Law.
(c) Customer has the same meaning as “subscriber” in the Agreement.
(d) Data Subject means: - (a) a natural person; and - (b) any natural person who is a “data subject”, “consumer” or substantially similar concept under Applicable Data Protection Law.
(e) Personal Data means: - (a) any information about a Data Subject; and - (b) any information that is “personal data”, “personal information”, “personally identifiable information” or substantially similar concept under Applicable Data Protection Law.
(f) Processor means: - (a) a natural or legal person which processes Personal Data on behalf of the Controller; and - (b) any natural or legal person who is a “processor”, “service provider” or substantially similar concept under Applicable Data Protection Law.
(g) Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
(a) The Customer appoints MinuteDock to process Personal Data on its behalf and in accordance with its documented instructions.
(b) Accordingly, the Customer is the Controller of the Personal Data that is the subject of the Agreement and this Addendum and MinuteDock is the Processor (except where the Customer is a Processor of the Personal Data on behalf of a third-party Controller, in which case Customer is a Processor and MinuteDock is the Customer’s sub-Processor).
(c) The Customer’s processing instructions are set out in full in the Agreement, including this Addendum. If the Customer wishes to change its processing instructions, it must agree this in writing with MinuteDock.
(d) Specifically, the Customer instructs MinuteDock to process the categories of Personal Data (the Data) for the purposes (the Permitted Purpose) set out in Annex B (Data Processing Schedule).
(e) If the Customer uses or integrates any third-party service to MinuteDock’s services (such as a supported third-party integration), any processing of Data by that third-party service will be governed by that third-party’s privacy notice and/or data processing terms, and not by this Addendum.
(f) Each party must comply with the obligations that apply to it under Applicable Data Protection Law, and any applicable additional region-specific terms set out in Part B to this Addendum. If the Customer is a Processor on behalf of a third-party Controller, the Customer will ensure that its instructions to MinuteDock described in this Addendum align with the instructions of that third-party Controller.
As Controller, the Customer must ensure that it (or, where Customer is a Processor, the relevant third-party Controller) has provided all required transparency, and has all necessary rights and permissions under Applicable Data Protection Law for MinuteDock to process the Data for the Permitted Purpose.
MinuteDock will ensure that any person it authorises to process the Data will be subject to a duty of confidence that aligns with MinuteDock’s confidentiality obligations under the Agreement. We will not sell personal data or collect, retain, use, or disclose it for any purpose other than as permitted by you and this Agreement, or as required by law.
(a) MinuteDock will maintain for the duration of the Agreement appropriate technical and organisational measures to protect the Data against a Security Incident. Such measures shall include the measures in Annex A.
(b) MinuteDock may amend its technical and organisational security measures from time to time, as it considers necessary to provide appropriate protection for the Data in light of evolving industry practices, new technologies and emerging cyberthreats. Any such amendments will not diminish the overall security of MinuteDock’s processing.
(c) The Customer acknowledges it is also responsible for maintaining appropriate technical and organisational security measures for the Data it processes and instructs MinuteDock to process on its behalf. Such measures shall include maintaining security over the access credentials it uses for MinuteDock’s platform.
(a) The Customer authorises MinuteDock to engage Subprocessors and disclose or transfer the Customer’s Personal Data to them. The Customer acknowledges and approves the list of Subprocessors outlined in MinuteDock’s Privacy Policy, understanding that this list may be updated regularly, in which case the company shall be informed by the Processor according to the Privacy Policy notification process.
(b) MinuteDock imposes data protection terms on all sub-Processors it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law and consistent with this Addendum.
(c) MinuteDock remains liable for any breach of this Addendum that is caused by its sub-Processor.
Objection Process: If the Customer objects on reasonable grounds relating to data protection within 14 days of receiving notice of MinuteDock’s proposed appointment or replacement of a sub-Processor, MinuteDock will discuss with the Customer whether it is possible to appoint or replace the sub-Processor in a way that resolves the Customer’s objection. If this is not possible, then:
(d) MinuteDock may (in its sole discretion) choose either not to appoint or replace the sub-Processor, or to suspend or terminate the Agreement with one month’s written notice in accordance with the ‘Cancellation & Termination’ clause in the Agreement (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination); or
(e) Customer may choose to terminate the Agreement in accordance with the ‘Cancellation & Termination’ clause in the Agreement.
If the Customer cannot fulfil any requests it receives directly using existing functionality in the MinuteDock’s platform, MinuteDock will provide the Customer with such reasonable and timely information and assistance (at the Customer’s expense) as the Customer may require to enable the Customer to respond to:
(a) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law; and
(b) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with MinuteDock’s processing of the Data to the extent the Customer is obligated to respond under Applicable Data Protection Law.
If any such request, correspondence, enquiry or complaint is made directly to MinuteDock, MinuteDock will advise the relevant person to contact the Customer directly and promptly inform the Customer and provide it with full details (unless prohibited by applicable law).
MinuteDock will assist the Customer to conduct a data protection impact assessment and/or consult with its data protection supervisory authority if required by Applicable Data Protection Law by:
(a) providing information about the technical and organisational measures it maintains to protect the Data in Annex A to this Addendum;
(b) providing the information contained in the Agreement and this Addendum; and
(c) if subclauses (a) and (b) above are insufficient for Customer to comply with its assessment or consultation obligations, MinuteDock will provide Customer with additional reasonable assistance upon Customer’s request.
If MinuteDock becomes aware of a Security Incident, MinuteDock will inform the Customer without undue delay using the contact details provided under the Customer’s MinuteDock account, and will provide reasonable information and cooperation to the Customer so that they can fulfil any data breach reporting obligations they may have under Applicable Data Protection Law.
MinuteDock will further take reasonably necessary measures to remedy or mitigate the effects of the Security Incident and keep the Customer informed of all material developments in connection with the Security Incident. Any notification or response to a Security Incident by MinuteDock shall not be deemed an acknowledgement by MinuteDock of any fault or liability regarding the incident.
Upon termination or expiry of the Agreement (or unless otherwise instructed by the Customer), MinuteDock will retain a copy of the Data to allow the Customer to regain access to it in accordance with the ‘Your Data & Security’ clause in the Agreement. MinuteDock will delete or return the Data to the Customer on request (unless required by applicable law to retain some or all of the Data).
Neither party shall make an international transfer of Data that it processes pursuant to the Agreement and this Addendum unless it has first done all such things as are necessary to ensure that the transfer is compliant with Applicable Data Protection Law and any applicable region-specific terms set out in Part B to this Addendum.
Part B (Additional Region-Specific Terms) of this Addendum applies only where one or more of the specific Applicable Data Protection Laws described below apply to the Personal Data that MinuteDock processes as a Processor (or Sub-Processor) on behalf of the Customer. In such circumstances, MinuteDock and the Customer acknowledge that they must comply with the relevant terms set out in this Part B, which are necessary in the interests of both parties complying with the applicable Data Protection Laws. If applicable, this Part B applies in addition to the data protection terms set out in Part A (General Data Protection Terms).
This Part B, clause 2 applies where and to the extent that European Data Protection Law applies to the processing of Data pursuant to the Agreement and this Addendum.
In this Part B, clause 2, the following terms have the following meanings:
(a) European Data Protection Law means any and all of EU Data Protection Law, UK Data Protection Law and Swiss Data Protection Law.
(b) EU Data Protection Law means: - (i) EU Regulation 2016/679 (the “EU GDPR”) - (ii) EU Directive 2002/58/EC - (iii) the national laws of each EEA member state made under, pursuant to, or that implement (i) or (ii), or which otherwise relate to the processing of Personal Data; in each case, as amended or superseded from time to time.
(c) Restricted Transfer means: - (i) where the EU GDPR applies, a transfer of Personal Data to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an “EU Restricted Transfer”) - (ii) where the UK GDPR applies, a transfer of Personal Data to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a “UK Restricted Transfer”) - (iii) where the Swiss DPA applies, a transfer of Personal Data to any other country which is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner or Federal Council (as applicable) (a “Swiss Restricted Transfer”).
(d) Sensitive Data means: - (i) Personal Data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of unique identification, data concerning a Data Subject’s health or data concerning a Data Subject’s sex life or sexual orientation - (ii) any other Personal Data which is “special category data” under Applicable Data Protection Law.
(e) Standard Contractual Clauses means: - (i) where the EU GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) - (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under section 119A(1) of the DPA 2018 (“UK Addendum”).
(f) Swiss Data Protection Law means: - (i) the Swiss Federal Act on Data Protection of 25 September 2020 and its corresponding ordinances (“Swiss DPA”) - (ii) any other national laws in Switzerland applicable (in whole or in part) to the processing of Personal Data; in each case, as amended or superseded from time to time.
(g) UK Data Protection Law means: - (i) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) - (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as it continues to have effect under section 2 of the European Union (Withdrawal) Act 2018 - (iii) the Data Protection Act 2018 (the “DPA 2018”) - (iv) any other laws in the UK made under, pursuant to, or that implement (i), (ii) or (iii), or which otherwise relate to the processing of Personal Data; in each case, as amended or superseded from time to time.
To the extent that any transfer of Data from Customer to MinuteDock is a Restricted Transfer, the Standard Contractual Clauses shall be incorporated into this Addendum and apply as follows:
(a) where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs will apply between Customer and MinuteDock as follows: - (i) Module Two will apply (unless Customer is a Processor and MinuteDock is a sub-Processor, in which case Module Three will apply) - (ii) in Clause 7, the optional docking Clause will apply - (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be as set out in Part A, clause 1.6 of this Addendum - (iv) in Clause 11, the optional language will not apply - (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law - (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland - (vii) in Annex I: (A) Parts A and B shall be deemed completed with the information set out in Annex B to this Addendum; (B) Part C shall be deemed completed in accordance with the criteria set out in Clause 13(a) of the EU SCCs - (viii) Annex II shall be deemed completed with the security measures set out in Annex A to this Addendum
(b) where the Restricted Transfer is a UK Restricted Transfer, the UK Addendum will apply between Customer and MinuteDock as follows: - (i) the EU SCCs, completed as set out above shall apply between Customer and MinuteDock, and shall be modified by the UK Addendum (completed as set out in sub-clause (ii) below) - (ii) tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the date of the Agreement
(c) where the Restricted Transfer is a Swiss Restricted Transfer, the EU SCCs will apply between Customer and MinuteDock as set out above with the following modifications: - (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA - (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA - (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law” (as applicable) - (iv) the term “member state” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland) - (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner - (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland” - (vii) in Clause 17, the EU SCCs shall be governed by the laws of Switzerland.
MinuteDock will not make a Restricted Transfer of the Data to a recipient in another country unless it has done all such things as are necessary to ensure that the Restricted Transfer is compliant with European Data Protection Law. Such measures may include transferring the Data to a recipient in a country that is deemed to provide adequate protection for Personal Data under European Data Protection Law (for example, New Zealand) or to a recipient that has executed Standard Contractual Clauses with MinuteDock in accordance with European Data Protection Law.
MinuteDock shall inform the Customer if it is unable to comply with the Customer’s processing instructions, including if, in its opinion, a processing instruction would infringe any European Data Protection Law.
MinuteDock shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by Customer in relation to the processing of the Customer’s Personal Data by MinuteDock. The Customer shall not exercise its audit rights more than once per calendar year except following a Personal Data Breach or an instruction by a regulatory authority. The Customer shall give MinuteDock at least sixty (60) days prior written notice of its intention to audit MinuteDock pursuant to this Agreement. Audit shall be conducted during MinuteDock’s business hours, shall not disrupt MinuteDock’s operations and shall ensure the protection of the Customer’s, MinuteDock’s and other Data Subjects’ Personal Data. MinuteDock and the Customer shall mutually agree in advance on the date, scope, duration and security and confidentiality controls applicable to the audit. The Customer acknowledges that the signing of a non-disclosure agreement may be required by the Processor prior to the conduction of the audit.
Information and audit rights of MinuteDock only arise to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of European Data Protection Law.
In accordance with Article 32 (1) of the GDPR, the MinuteDock shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures shall be designed to protect the rights and freedoms of natural persons, considering the risks of varying likelihood and severity, including the risk of a Personal Data Breach.
MinuteDock shall also assess the risks associated with processing activities and apply measures that are consistent with the requirements set forth in Article 32 (1) GDPR, ensuring the security of the Customer’s Personal Data at all times.
The categories of data subjects include:
The types of Personal Data processed include:
Not applicable
Continuous for the duration of the Agreement.
As described in the Agreement and this Addendum.
As described in the Agreement and this Addendum.
For the duration of the Agreement and as set out in Part A, Clause 1.10 of the Addendum.
The subject matter, nature and duration of the processing are as set out above.
The competent EU supervisory authority shall be determined by reference to the place of establishment of the Customer in accordance with Clause 13 of the Standard Contractual Clauses.
The Information Commissioner’s Office.