Data Processing Addendum

v2026-v1 Effective 27 April 2026 View version history

Friendly8 Last updated: 27 April 2026, Bodegraven, Netherlands

1. Introduction

This Data Processing Addendum ("DPA") is entered into between you (the customer) and Relead Consultancy B.V. (trading as Friendly8 and Friendly Aide), registered in the Dutch Chamber of Commerce under number 82933138, with its registered address at Polderbrink 2, 2411 ZN, Bodegraven, Netherlands ("Friendly8"). It forms part of the Friendly8 Terms and Conditions and applies where you instruct us to process personal data on your behalf in the course of providing the Platform. It sets out the obligations of each party under applicable data protection law, including the UK GDPR, EU GDPR (Regulation (EU) 2016/679), and any national implementing legislation.

2. Definitions

"Controller" — the party that determines the purposes and means of processing personal data; in this context, you (the customer).
"Processor" — the party that processes personal data on behalf of the Controller; in this context, Friendly8.
"Data Protection Law" — all applicable laws and regulations relating to the processing of personal data, including the GDPR and UK GDPR.
"Personal Data" — any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Law.
"Processing" — any operation performed on personal data, as defined in applicable Data Protection Law.
"Sub-processor" — a third party engaged by Friendly8 to carry out processing activities on your behalf.
"EEA" — the European Economic Area.
"Standard Contractual Clauses" / "SCCs" — the standard data protection clauses adopted by the European Commission for transfers of personal data to third countries.

3. Roles and Scope

3.1 You are the Controller of any personal data contained within your Customer Data. Friendly8 is the Processor acting on your documented instructions.

3.2 This DPA applies to personal data that you and your Users submit to the Platform, including contact records in Cust8, communications in Inboxes8, task data in Todos8, transcription content in MakeNotes8, social post content in Posts8, and website visitor data captured through Storyflow8.

3.3 Friendly8 also acts as an independent Controller in respect of personal data collected about you and your Users for account management, billing, and platform improvement purposes, as described in our Privacy Policy.

4. Friendly8's Obligations as Processor

Friendly8 will:

4.1 Process personal data only on your documented instructions and not for any other purpose, unless required to do so by applicable law, in which case Friendly8 will inform you before such processing unless prohibited by law.

4.2 Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations.

4.3 Implement and maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, at a minimum:

Encryption of data in transit (TLS 1.2 or above) and at rest (AES-256);
Role-based access controls and principle of least privilege;
Regular security testing and vulnerability assessments;
Incident response procedures.

4.4 Assist you in responding to requests from data subjects exercising their rights (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible, given the nature of the processing.

4.5 Assist you in meeting your obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, in each case to the extent reasonably practicable given the information available to Friendly8.

4.6 Upon termination of the Terms and Conditions, at your choice, delete or return all personal data and delete existing copies within 30 days, except where retention is required by law.

4.7 Make available to you all information reasonably necessary to demonstrate compliance with this DPA and allow for, and contribute to, audits and inspections conducted by you or an auditor appointed by you, subject to reasonable prior notice and appropriate confidentiality obligations.

5. Your Obligations as Controller

You confirm that:

5.1 You have a lawful basis under applicable Data Protection Law for each type of personal data you input into the Platform.

5.2 You have provided all required notices to and obtained all required consents from data subjects whose personal data you submit to the Platform.

5.3 Your instructions to Friendly8 comply with applicable Data Protection Law.

5.4 You will not submit special category personal data (health, genetic, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning sex life or sexual orientation) or personal data relating to criminal convictions or offences to the Platform unless you have notified us in advance and we have agreed in writing to the additional safeguards required.

6. Sub-processors

6.1 You grant Friendly8 general authorisation to engage Sub-processors to carry out processing activities in connection with the Platform.

6.2 A current list of Sub-processors is available at [sub-processor list URL / in Account settings]. Friendly8 will notify you of any intended changes to this list (additions or replacements) with at least 30 days' notice.

6.3 You may object to a new Sub-processor on reasonable grounds relating to data protection within 14 days of notice. If you object and Friendly8 cannot reasonably accommodate that objection, you may terminate your Subscription as your sole remedy.

6.4 Friendly8 imposes data protection obligations on all Sub-processors equivalent to those in this DPA.

7. International Data Transfers

7.1 If Friendly8 transfers personal data originating from the EEA or UK to a country that does not provide an adequate level of data protection, Friendly8 will ensure that appropriate safeguards are in place, such as:

EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs); or
Binding Corporate Rules; or
Another lawful transfer mechanism under applicable Data Protection Law.

7.2 The SCCs or equivalent mechanism are deemed incorporated by reference into this DPA to the extent required.

8. Personal Data Breaches

8.1 Friendly8 will notify you without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting your Customer Data.

8.2 The notification will include, to the extent available at the time: a description of the nature of the breach; the categories and approximate number of data subjects and records affected; likely consequences; and measures taken or proposed to address the breach.

8.3 Friendly8 will cooperate with you and take all reasonable steps to investigate, mitigate, and remediate the breach.

9. Data Protection Impact Assessments

At your reasonable written request, Friendly8 will provide information and assistance required for you to carry out a data protection impact assessment (DPIA) or prior consultation with a supervisory authority under applicable Data Protection Law.

10. Governing Law

This DPA is governed by the laws of the Netherlands. As Friendly8 is established in the Netherlands (an EU Member State), the EU GDPR applies directly and no separate SCCs are required for intra-EEA processing.

11. Order of Precedence

In the event of any conflict between this DPA and the Terms and Conditions regarding the processing of personal data, this DPA will prevail.