In case you need a signed version, click here

Effective Date

March 10, 2025

For the prior version, please click here.

Purpose

This Data Processing Addendum, together with its Schedule(s) (“DPA”), is entered into by and between Freshworks and Customer (each a “Party” and collectively, the “Parties”). This DPA forms a part of, and is subject to, the Main Service Agreement or other written contract or electronic terms of service (“Agreement”) between the Parties. Except for modifications to this DPA by Freshworks, this DPA will be in effect as of the date which is the earlier of (i) Customer’s initial access to any Service through any online provisioning, registration or order process or (ii) the effective date of the first Service Order Form, as applicable (the “Effective Date”); provided, however, the relevant obligations apply only to the extent that (i) Personal Data is subject to the Applicable Data Protection Laws; and (ii) an Applicable Data Protection Law has taken effect.

Modifications to this Agreement:

From time to time, Freshworks may modify this Data Processing Addendum Unless otherwise specified by Freshworks, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service Order Form after the updated version of this DPA goes into effect. Freshworks will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means.

The “Effective Date” of this DPA is the date which is the earlier of (a) Customer’s initial access to any Service through any online provisioning, registration or order process or (b) the effective date of the first Service Order Form, as applicable, referencing this DPA.

Acceptance

BY ACCEPTING THIS DPA OR ACCESSING OR USING THE SERVICE, YOU: (i) AGREE TO THE TERMS AND CONDITIONS OF THIS DPA ON CUSTOMER’S BEHALF; (ii) REPRESENT AND WARRANT THAT YOU HAVE THE LEGAL AUTHORITY TO SIGN FOR AND BIND CUSTOMER TO THIS DPA; AND (iii) HAVE READ THROUGH AND UNDERSTAND THIS DPA.

Relationship with the Agreement

Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 10 of this DPA. In the event of a conflict between this DPA and the Agreement, the DPA will control to the extent necessary to resolve the conflict. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will control.

Data Processing

a. Scope and Roles. This DPA applies when Personal Data is processed by Freshworks. Section 5 of this DPA applies when Personal Data is processed by Freshworks as Processor to Customer, who will act as Controller of the Personal Data. Section 6 of this DPA applies when certain Personal Data about Customer or its users is processed by Freshworks as a Controller in accordance with Freshworks’ privacy notice available at https://www.freshworks.com/privacy.

b. Processing Details. Schedule 1 of this DPA (i) describes the purposes of Freshworks’ processing, the types or categories of Personal Data involved in the processing, and the categories of Data Subjects affected by the processing; and (ii) lists the Parties’ statuses under Applicable Data Protection Laws.

c. Location of Processing. Data that Freshworks processes for Customer as a Processor may be stored in the EU or outside of the EU, depending on the Freshworks product. Data that Freshworks processes about Customer or its users as a Controller may also be processed or stored in the EU or outside of the EU.

d. International Data Transfer.

i. Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer Mechanism”). The Parties will comply with an International Data Transfer Mechanism that may be required by Applicable Data Protection Laws.

ii. If the International Data Transfer Mechanism upon which the Parties rely is invalidated or superseded, the Parties will work together in good faith to find a suitable alternative.

iii. Schedule 4 of this DPA provides (i) jurisdiction-specific obligations; and (ii) information for international transfers by the Parties, including the Standard Contractual Clauses.

e. Compliance with Laws. The Parties will comply with their respective obligations under Applicable Data Protection Laws.

f. Notification. Freshworks will notify Customer if it determines that it can no longer meet its obligations under Applicable Data Protection Laws.

Freshworks’ Obligations as a Processor

a. Scope of Processing. Freshworks shall process Personal Data solely to carry out its obligations under the Agreement and to carry out Customer’s documented instructions.

b. Processing Instructions.

i. This DPA contains Customer’s initial instructions to Freshworks. The Parties agree that Customer may communicate any change in its initial instructions to Freshworks by way of written notification to Freshworks and that Freshworks shall abide by such instructions.

ii. Regardless of any prohibitions in this DPA or the Agreement, the Parties agree that Freshworks may, and Customer instructs Freshworks to, process Personal Data for the following activities that are related to the Agreement: detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and provide, maintain, or improve the quality of the services.

iii. Notwithstanding the foregoing, any instructions that would lead to processing outside the scope of this DPA (e.g., because a new processing purpose is introduced) will require a prior agreement between the Parties and, where applicable, shall be subject to the contract change procedure under the Agreement.

iv. Where instructed by Customer, Freshworks shall correct, delete, or block Personal Data.

v. Freshworks shall promptly inform Customer in writing if, in Freshworks’ opinion, infringes Applicable Data Protection Laws and provides an explanation of the reasons for its opinion in writing.

vi. Freshworks is not liable for any DP Losses arising from or in connection with any processing conducted in accordance with Customer’s instructions.

c. Confidentiality. Freshworks will ensure that each person who processes Personal Data is subject to a duty of confidentiality with respect to such Personal Data.

d. Disclosure to Third Parties. Freshworks will not disclose Personal Data to any third party (including any government agency, court, or law enforcement) except as set forth in this DPA, or with written consent from Customer, or as necessary to comply with applicable mandatory laws. If Freshworks is obliged to disclose Personal Data to a law enforcement agency or third party, Freshworks agrees to give the Customer reasonable notice of the access request prior to granting such access, to allow Customer to seek a protective order or other appropriate remedy. If such notice is legally prohibited, Freshworks will take reasonable measures to protect the Personal Data from undue disclosure as if it were Freshworks’ own confidential information being requested and shall inform the Customer promptly if and when such legal prohibition ceases to apply.

e. Data Subject Requests.

i. In case Customer receives any request or communication from Data Subjects which relates to the processing of Personal Data ("Request"), Freshworks shall provide Customer with full cooperation, information and assistance ("Assistance") in relation to any such Request were instructed by Customer.

ii. Where Freshworks receives a Request, it shall (i) not directly respond to such Request, (ii) forward the request to the Customer within three (3) business days of identifying the Request as being related to Customer, and (iii) provide Assistance according to further instructions from Customer.

f. Assistance.

i. Freshworks shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Freshworks.

ii. Upon request, Freshworks shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations (if any) to conduct data protection assessments or prior consultations with data protection authorities related to Customer’s use of the Service, to the extent that Customer does not otherwise have access to the relevant information and such information is available to Freshworks.

g. Information Rights and Audit.

i. Freshworks shall, in accordance withApplicableData Protection Laws, make available to Customer on request in a timely manner such information as is necessary to demonstrate compliance by Freshworks with its obligations under Applicable Data Protection Laws.

ii. Freshworks has obtained third-party certifications and audits set forth on its security page at https://www.freshworks.com/security/resources/. Upon Customer’s written request and subject to the confidentiality obligations set forth in the Agreement, Freshworks will make available to Customer a copy of Freshworks’ then-most- recent third-party certifications or audits, as applicable.

iii. Freshworks shall, upon reasonable notice, allow for and contribute to inspections of its processing of Personal Data, as well as the technical and organizational measures (“TOMs”) applicable thereto, during regular business hours and with minimal interruption to Freshworks’ business operations. Such inspections must be conducted by Customer, its affiliates, or an independent third party on Customer’s behalf (which will not be a competitor of Freshworks) that is subject to reasonable confidentiality obligations.

iv. Customer shall pay Freshworks reasonable costs for allowing or contributing to audits or inspections in accordance with Section 5(f) of this DPA where the Customer wishes to conduct more than one audit or inspection in a 12-month period.

v. If Customer discovers unauthorized use of Personal Data by Freshworks or Freshworks’ Subprocessors, Customer may, upon notice, take reasonable and appropriate steps to remediate such unauthorized use.

g. Data Protection Authorities.

i. Freshworks will immediately refer to Customer any requests received from data protection authorities that relate to Freshworks’ processing of Personal Data.

ii. Freshworks undertakes to cooperate with Customer in its dealings with data protection authorities and with any audit requests received from data protection authorities. Customers shall be entitled to disclose this DPA or any other documents (including contracts with subcontractors) that relate to the performance of its obligations under this DPA (commercial information may be removed).

h. Subprocessors. Customer hereby consents to the engagement of the Subprocessor(s) listed in Schedule 3 of this DPA (“List of Sub-processors”). Freshworks will enter into a written agreement with the Subprocessor that, to the extent that the Subprocessor performs the same data processing services provided by Freshworks under this DPA, imposes on the Subprocessor the same contractual obligations that Freshworks has under this DPA. Freshworks shall provide Customer with at least 15 days’ prior notice of any planned changes to the Subprocessor list, through the addition or replacement of Subprocessors. Customer can object to the planned addition or replacement of a Subprocessor by notifying Freshworks promptly in writing. Freshworks shall provide Customer with the information necessary to enable the Customer to exercise its right to object. If Customer objects to the addition or replacement of any Subprocessor, Freshworks will either refrain from adding or replacing the Subprocessor, or Customer may choose to suspend or terminate the Service(s) within 15 days of receiving the notification from Freshworks (without prejudice to any fees incurred by the Customer prior to such suspension or termination).

i. Duration of Processing; Deletion and Return of Personal Data. Freshworks shall retain Personal Data for a period coterminous with the term of the Agreement. Customer may export all Customer Data prior to the termination of Customer’s Account. In any event, following the termination of Customer’s Account and the Agreement, Customer Data will be retained in accordance with the Data Retention Period as defined in the Agreement.

Freshworks’ Obligations as Independent Controller

The terms of this Section 6 apply only to Freshworks’ processing of certain Personal Data about Customer or its users as a Controller in accordance with Freshworks’ privacy notice available at https://www.freshworks.com/privacy:

a. Freshworks acknowledges and agrees that Freshworks is independently responsible for compliance and will comply with Applicable Data Protection Laws (e.g., obligations of Controllers).

b. Freshworks agrees to be responsible for providing notice to Data Subjects as may be required by Applicable Data Protection Laws and responding to Data Subjects’ requests to exercise their rights under Applicable Data Protection Laws.

c. If Freshworks receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority, or faces an actual or potential claim, inquiry, or complaint in connection with Parties’ processing of Personal Data provided to Freshworksby or on behalf of Customer, its affiliates, or their respective end users, or obtained or collected by Freshworks in connection with the purposes described in Schedule 1 of this DPA (collectively, an “Inquiry”), then Freshworks will notify Customer without undue delay, but in no event later than ten (10) business days, unless such notification is prohibited by applicable law. Freshworks will promptly provide Customer with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable Customer to respond to the Inquiry.

Security

a. Freshworks will implement appropriate technical and organizational measures to protect Personal Data from a Data Breach and to preserve the security and confidentiality of Personal Data.

b. Upon becoming aware of a confirmed Data Breach, Freshworks shall:

i. Notify Customer of the Data Breach without undue delay;

ii. Make reasonable efforts to identify the cause of such an incident and take those steps Freshworks deems necessary and reasonable in order to remediate the cause of the incident to the extent that it is within Freshworks’ reasonable control.

iii. Provide reasonable information, cooperation and assistance to Customer in relation to any action to be taken in response to the Data Breach under Applicable Data Protection Laws, including regarding any communication of the Data Breach to Data Subjects and any governmental entity.

Amendments

Where amendments are required to ensure compliance with this DPA with Applicable Data Protection Laws, or the requirements of a competent supervisory authority, the Parties shall cooperate in good faith to agree on such amendments upon request of Customer and, for the avoidance of doubt, with no additional costs to Customer. Where the parties are unable to agree upon such amendments, either party may terminate the Agreement and this DPA with 90 days written notice to the other party.

Miscellaneous

a. Limitation of Liability. The limitation of liability stated in the Agreement applies to any breaches of this DPA.

b. No Consideration. No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out herein or in another agreement.

c. Notification. Where this DPA requires a "written notice", such notice can also be communicated per email to the other Party. Notices shall be sent to the contact persons set out in Schedule 1 of this DPA.

d. Modifications. From time to time, Freshworks may modify this DPA. Unless otherwise specified by Freshworks, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service Order Form after the updated version of this DPA goes into effect. Freshworks will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email, or other means.

e. Further Amendment. Except as set forth in the Agreement and this DPA, any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.

f. Savings Clause. Should individually provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.

Definitions

a. "Agreement" shall mean the Terms of Service available at https://www.freshworks.com/terms or a Main Service Agreement executed between the Parties.

b. "Applicable Data Protection Laws" shall mean the data protection laws applicable to the processing of Personal Data under the Agreement, including as relevant the GDPR, CCPA, and any other data protection laws, in each case as amended from time to time and including any regulations promulgated thereunder.

c. “CCPA” means the California Consumer Privacy Act.

d. “Controller” means the entity that determines the purposes and means of processing Personal Data. “Controller” includes equivalent terms in Applicable Data Protection Laws, such as the CCPA-defined terms “business” and “third party”, as context required.

e. “Data Breach” means “personal data breach”, “personal information breach”, “security breach”, and other analogous terms referenced in Applicable Data Protection Laws.

f. “Data Exporter” means the Party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers Personal Data, or makes Personal Data available to, the Data Importer.

g. “Data Importer” means the Party that (1) is located in a jurisdiction that is not the same as Data Exporter’s jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter.

h. “Data Subject” means an identified or identifiable natural person. “Data Subject” includes equivalent terms in Applicable Data protection Laws, such as the CCPA-defined term “consumer”, as context requires.

i. “DP Losses” means all liabilities, including: (1)costs (including legal costs); (2) claims, demands, actions, settlements, charges, procedures, expenses, losses and damages (whether material or non-material, and including for emotional distress); and (3) to the extent permitted by applicable law: (a) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a data protection authority or any other relevant regulatory authority; (b) compensation to a Data Subject ordered by a data protection authority to be paid by Freshworks; (c) the costs of compliance with investigations by a data protection authority or any other relevant regulatory authority.

j. "GDPR" shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

k. "Personal Data" shall mean any information relating to an identified or identifiable natural person. “Personal Data” includes equivalent terms in Applicable Data Protection Laws, such as the CCPA-defined term “personal information”, as context requires.

l. “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in Applicable Data Protections Laws, such as the CCPA-defined term “service provider”, as context requires.

m. "Standard Contractual Clauses" means the European Union standard contractual clauses for the transfer of Personal Data from the European Economic Area to third countries in the form set out in the Annex of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

n. “Sensitive Data” means the following types and categories of data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status; genetic data; biometric data; government identification numbers; payment card information; unencrypted identifier or username in combination with a password or other access code that would allow access to an account; precise geolocation information; and information from a known child.

o. “Subprocessor” means a Processor engaged by a party who is acting as a Processor.

p. The following terms have the meanings assigned to them in Applicable Data Protection Laws: “de-identified data”, "process" (and its cognates), “pseudonymous data”, and “sub-processor”.

SCHEDULE 1:

DESCRIPTION OF THE PROCESSING

A. LIST OF PARTIES

Data exporter:

Shall be that of the Freshworks Customer described in the Agreement.

Name; address; contact person’s name, position, and contact details:The full name, address and contact details for Data Exporter are set out in the Agreement, or can be requested by either Party.

Activities relevant to the data transferred under these Clauses: Export of Personal Data in connection with use of the Processor’s services.

Role: Controller or Processor

Data importer:

Name: Freshworks Inc.

Address: 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA, legal@freshworks.com (with CC to support@freshworks.com)

Contact person’s name, position and contact details: Marcus Toussaint, dpo@freshworks.com, c/o Freshworks GmbH, Neue Grünstraße 17, 10179 Berlin

Activities relevant to the data transferred under these Clauses: Processing on behalf of Customer (providing services)

Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer and its Users may import Customer Data into the Services, the extent of which is solely determined and controlled by Customer in its discretion, and which may include, but is not necessarily limited to, Personal Data relating to the following categories of data subjects: Customer’s Users, Agents, and End Users; Customer’s prospects and customers, and the employees, agents, or representatives for such prospects and customers (who are natural persons); Customer’s suppliers and business partners, and the employees, agents, or representatives for such suppliers and business partners (who are natural persons); and Customer’s employees, independent contractors, agents, and advisors (who are natural persons).

Categories of personal data transferred

Customer and its Users may import Customer Data to the Services, the extent of which is solely determined and controlled by Customer in its discretion, and which may include, but is not necessarily limited to, the following categories of Personal Data: first and last name; professional or employment-related information; contact information (e.g., e-mail address, telephone number, mailing address); unique identifiers (e.g., IP address); internet or other electronic network activity information (e.g., browsing history, search history, Internet behaviors and interactions); account information; user data; Customer’s communications; purchase and transaction history; and inferences drawn from Personal Data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

Customer and its Users may import categories of sensitive data into the Services, the extent of which is solely determined and controlled by Customer in its discretion, and which may include Personal Data that reveals [racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or data concerning health or a natural person’s sex life or sexual orientation].

The applicable security measures are set forth in Schedule 2.

Frequency of the transfer

The frequency of the transfer is on a continuous basis for the duration of the Agreement.

Nature of the processing

As defined in the Agreement.

Purpose(s) of the data transfer and further processing

Freshworks will process Personal Data as necessary to provide the Service pursuant to the Agreement, as further specified in the Service Order Form, and as further instructed by the Customer in use of the Service.

The period for which the personal data will be retained or the criteria used to determine that period

Personal Data will be retained during the term of the Agreement and in accordance with the Data Retention Period as defined in the Agreement.

The subject matter, nature, and duration of processing by sub-processors

As set forth in Schedule 3.

SCHEDULE 2:

TECHNICAL AND ORGANISATIONAL MEASURES (TOMs) TO ENSURE THE SECURITY OF THE DATA

The current TOMs are available at https://www.freshworks.com/technical-organisational-measures/.

SCHEDULE 3:

LIST OF SUB-PROCESSORS

The controller Customer has authorised the use of the Subprocessors listed at https://www.freshworks.com/privacy/sub-processor/.

SCHEDULE 4:

JURISDICTION-SPECIFIC OBLIGATIONS AND INFORMATION FOR INTERNATIONAL TRANSFERS

A. Generally.

1. The Parties agree that, for any jurisdiction not listed below that requires an International Data Transfer Mechanism, they hereby enter into and agree to be bound by the Standard Contractual Clauses for transfers of Personal Data from that jurisdiction unless (i) the Parties otherwise agree in writing or (ii) a jurisdiction promulgates its own International Data Transfer Mechanism, in which case the Parties hereby agree to negotiate an update to this DPA to incorporate such International Data Transfer Mechanism.

2. The Parties agree to adopt the additional technical, organizational, and/or contractual protections that may be required by their transfer impact assessment, if any, described in Schedule 2 of this DPA.

B. Standard Contractual Clauses.

1. The Parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which are incorporated into this DPA by this reference and form an integral part of the Agreement.

2. Module Two (Controller to Processor) will apply when Customer is a Controller. Module Three (Processor to Processor) will apply when the Customer is a Processor.

3. The Parties agree that for Personal Data of Data Subjects located in jurisdictions subject to the Standard Contractual Clauses, Schedules 1-4 of this DPA contain information relevant to the Standard Contractual Clauses and their Annexes.

4. Notwithstanding the fact that the Standard Contractual Clauses and/or UK IDTA are incorporated herein by reference without the signature pages of the Standard Contractual Clauses actually being signed by the Data Exporter or Data Importer, the Parties agree that its respective execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses and/or the UK IDTA on behalf of the Data Exporter/Data Importer (as applicable).

5. All notices, requests, monitoring/audit rights, conduct of claims, liability, and erasure or return of data relating to the Standard Contractual Clauses will be provided/managed/interpreted, as applicable, in accordance with the relevant provisions of the Agreement, to the extent that such provisions do not conflict with the Standard Contractual Clauses.

C. European Union. For transfers from the European Union (“EU”) that are not subject to an adequacy decision, exception, or alternative International Data Transfer Mechanism (such as the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”)), the Parties enter into and agree to be bound by the Standard Contractual Clauses. The Parties agree to select the following options made available by the Standard Contractual Clauses:

1. Clause 7 (Docking Clause) – the optional provision applies;

2. Clause 9(a) (Use of sub-processors) – Option 2 applies (and the parties will follow the process and timings agreed in the DPA to appoint sub-processors);

3. Clause 11(a) (Redress) – the optional provision does not apply;

4. Clause 17 (Governing law) – option 1 applies, and the Agreement is governed by the laws of the Federal Republic of Germany.

5. Clause 18(b) (Choice of forum and jurisdiction) – the parties hereby submit to the exclusive personal jurisdiction to the courts of Berlin, Germany.

6. Annex 1A: the relevant details are set out in the Agreement, including Schedule 1 of this DPA.

7. Annex 1B: the relevant details are those set out in the Agreement, including Schedule 1 of this DPA.

8. Annex 1C: the competent supervisory authority is the supervisory authority applicable to Customer (or, where relevant, applicable to Customer’s representative) or, where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located.

9. Annex 2: the security provisions contained in the DPA, including Schedule 2 of this DPA, and any other applicable security-related provisions in the Agreement apply.

10. Annex 3: Schedule 3 of this DPA describes the relevant Subprocessors and their roles in processing Personal Data.

D. Switzerland. For transfers of Personal Data from Switzerland that are not subject to an adequacy decision, exception, or alternative International Data Transfer Mechanism (such as the Swiss-U.S. Data Privacy Framework), the Parties agree to adopt the following modifications to the Standard Contractual Clauses to make them applicable to such transfers: the competent supervisory authority in Annex 1.C under Clause 13 will be the Federal Data Protection and Information Commissioner; references to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the Standard Contractual Clauses will be understood as references to Applicable Data Protection Laws of Switzerland.

E. United Kingdom. For transfers of Personal Data from the United Kingdom that are not subject to an adequacy decision, exception, or alternative International Data Transfer Mechanism (such as the UK Extension to the EU-U.S. DPF), the Parties hereby incorporate the International Data Transfer Agreement, as issued and may be updated from time to time by the Information Commissioner in the United Kingdom under S119A(1) Data Protection Act 2018 (the “UK IDTA”) by reference into this DPA, and also enter into and agree to be bound by the Mandatory Clauses of the UK IDTA. Pursuant to Sections 5.2 and 5.3 of the UK IDTA, the Parties agree that the following information is relevant to Tables 1-4 of the UK IDTA and that by changing the format and content of the Tables neither Party intends to reduce the Appropriate Safeguards (as defined in the UK IDTA).

1. Table 1: The information needed to complete Table 1 to the UK IDTA is set out in the Agreement, including Schedule 1 of this DPA.

2. Table 2:

i. The UK country’s law that governs the UK IDTA is England and Wales.

ii. The primary place for legal claims to be made by the parties is: England and Wales.

iii. The statuses of the Data Exporter and Data Importer are described in Schedule 1 of this DPA.

iv. The UK GDPR applies to the Importer’s Processing of the Transferred Data.

v. The Agreement, including this DPA, sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data.

vi. The duration that Data Importer may process Personal Data is set forth in this DPA.

vii. The UK IDTA is coterminous with the DPA. Neither Party may terminate the UK IDTA before the DPA ends unless one of the Parties breaches the UK IDTA, as set forth in Section 9(a) of this DPA, or the Parties agree in writing.

viii. Data Importer may transfer Personal Data to another organization or person (who is a different legal entity) if such transfer complies with the UK IDTA’s applicable Mandatory Clauses.

ix. The Parties will review the Security Requirements listed in Table 4, and the supplementary schedules described in Schedule 2, to this DPA each year.

3. Table 3: The categories of Personal Data, Sensitive Data, Data Subjects, and purposes of processing are described in Schedule 1 of this DPA. Such a description may only be updated by written agreement of the Parties.

4. Table 4: The security measures adopted by the Parties are described in Schedule 2 of this DPA. Such security measures may only be updated by written agreement of the Parties.

F. California. The following terms apply if the CCPA applies to Customer’s use of the Services to process Personal Data. For purposes of this Section F, the following terms have the meaning assigned to them in the CCPA: “business”, “business purpose”, “commercial purpose”, “consumer”, “service provider”, “sell” (and is cognates); “share” (and is cognates); “third party”.

1. Freshworks’ Obligations as a Service Provider. Freshworks will have the following obligations if it processes Personal Data of consumers in its capacity as Customer’s service provider:

i. Freshworks will provide the same level of privacy protection for the Personal Data as required of businesses by the CCPA.

ii. Customer is disclosing Personal Data to Freshworks solely for the following business purposes and Freshworks will process the Personal Data solely for the following purposes: (i) processing related to ensuring security and integrity, to the extent that the information is reasonably necessary for these purposes; (ii) debugging to identify and repair errors that impair existing intended functionality; and (iii) performing services on behalf of the business, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

iii. Freshworks is prohibited from (i) retaining, using, or disclosing the Personal Data for any purpose other than the specified business purposes, including (a) for a commercial purpose other than carrying out Customer’s instructions, except as permitted by the CCPA; (b) outside of the Parties’ direct business relationship, except as expressly permitted by the CCPA; and (c) by combining Personal Data that Freshworks receives from, or on behalf of, Customer with Personal Data that Freshworks receives from, or on behalf of any other person, or collects from Freshworks’ own interaction with the consumer, provided that Freshworks may combine Personal Data to perform any business purpose expressly permitted by the CCPA; and (ii) selling or sharing the Personal Data that Freshworks collects or obtains pursuant to the Agreement.

iv. Notwithstanding the foregoing prohibitions, the Parties agree that Freshworks may, and Customer instructs Freshworks to, process Personal Data when necessary to support the specified business purposes.

v. If Freshworks discloses Personal Data to a Subprocessor under this DPA, Freshworks and Subprocessor will enter into a written contract that prohibits sub-processor from (i) selling or sharing Personal Data; or (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific business purpose(s) for which the Personal Data was disclosed. Freshworks will require any Subprocessor to comply with applicable obligations under Applicable Data Protection Laws, including to provide the same level of privacy protection required of businesses by the CCPA.

2. Freshworks’ Obligations as a Third Party. Freshworks will have the following obligations with respect to Personal Data that it collects, exchanges, or otherwise processes in connection with Freshworks’ performance of the Agreement as a third party:

i. Freshworks will provide the same level of privacy protection for the Personal Data as required of businesses by the CCPA.

ii. Freshworks acknowledges that Customer is making Personal Data available to Customer for the limited and specific purposes described in Schedule 1 of this DPA and Freshworks agrees to use such Personal Data only for such purposes and no other purpose.

iii. Freshworks will not sell or share Personal Data made available to it by Customer, unless Freshworks provides consumers with notice and the opportunity to opt out of such selling or sharing.

iv. Freshworks will allow Customer to take reasonable and appropriate steps to that Freshworks is using the Personal Data provided or made available to Freshworks by or on behalf of Customer, or obtained or collected by Freshworks in connection with the purposes described in Schedule 1 of this DPA, in a manner consistent with Customer’s obligations under the CCPA and the information rights and audit terms set forth in Section 5(g) of this DPA.