Sage People Master Subscription Agreement (MSA) – Replaced on 03/01/2020


This Agreement was updated on April 1, 2019. Previous versions of this agreement are available here for reference.


“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with, the subject entity, where “control” is the direct or indirect ownership or control of at least a majority of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity. An entity is an Affiliate only so long as such control continues.

“Agreement” means these subscription terms, any addendums, exhibits and schedules hereto, and your Order.

“Customer Data” means the data submitted by Users, or otherwise on your behalf, into the Services.

“Data Protection Laws” has the meaning set forth in the Data Processing Addendum attached hereto as Exhibit A.

“Documentation” means the user guides, specifications, instructions and manuals made available by us through the Services. User guides are available online at, or such other URL as we give you notice of.

“Effective Date” means the date (i) this Agreement is signed by you, or (ii) if entered into electronically the date on which you signify your acceptance of this Agreement in accordance with the procedures specified from time to time by us.

“Force Majeure Event” means an act of God (e.g. a natural disaster, accident or epidemic) or another event outside of a party’s reasonable control (e.g. acts of war, terrorism, government authority or by another third party outside the party’s control).

“Intellectual Property Rights” means rights recognised by any jurisdiction with respect to intellectual work product, such as patent rights (including priority rights), design rights, copyrights (including moral rights), mask work rights, trade secret rights, trademarks, service marks, know-how and domain name rights.

“Order” means an ordering document issued by us (also known as a (“licence order”) and signed by you and us for subscription to the Services.

“Salesforce” means, Inc., a Delaware corporation, having its principal place of business at The Landmark @ One Market, Suite 300, San Francisco, California 94105, and EMEA Limited, a limited liability company having its registered office at Floor 26 Salesforce Tower, 110 Bishopsgate, London, EC2N 4AY, United Kingdom, and their respective Affiliates (as the context requires).

“Salesforce Technology” means all of Salesforce’s proprietary technology (including software, hardware, products, processes, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information) made available to you by Salesforce in providing the Service.

“Services” means the software-as-a-service solutions that you procure from us under this Agreement, other than Third-Party Service(s).

“Third-Party Service” means (except for Salesforce and the Salesforce Technology) any product (e.g. software, cloud services, or forms), tool (e.g. integration or development tools) or service (e.g. implementation, configuration, development or accounting) provided to you by a party other than us (“Third-Party Provider(s)”).

“User” means a named individual (i) who is your employee, consultant, contractor or agent and who has been supplied with a user identification and password for the Services by you or by us at your request or (ii) whose data is stored in the Services only (as this category of User is not permitted to access the Services with a user identification and password).

“we”, “us” or “our” means Sage People Limited (registered company no. 06221457) of North Park, Newcastle Upon Tyne, United Kingdom, NE13 9AA.

“you” or “your” or “Customer” means the person accepting this Agreement, provided that if such acceptance is on behalf of a company or other legal entity then: (i) the signatory represents that they have the authority to bind such entity to the terms of this Agreement; and (ii) “you” and “your” or “Customer” refers to such entity and, to the extent any of your Affiliates use the Services, such Affiliates.

Other capitalised terms have the respective meanings given to them elsewhere in this Agreement.



2.1. Access to the Services. Subject to the terms and conditions of this Agreement and your payment of all applicable fees, we grant you a limited, non-exclusive, non-sublicensable, non-transferable (except as expressly permitted herein) right to access and use the Services described in your Order solely for your internal business purposes.

2.2. User Subscriptions. Each User must have a paid subscription for the Services. User subscriptions are for named Users and cannot be shared or used by more than one User but may be transferred to new Users from Users who no longer require ongoing use of the Services. We reserve the right to monitor your use of the Services to verify compliance with any usage limits and this Agreement.

2.3. Your Responsibilities. You are responsible for: (i) the confidentiality of User access credentials that are in your possession or control; (ii) the activity of your Users in the Services; and (iii) your Users’ compliance with this Agreement. You must notify us immediately if you become aware, or reasonably suspect, that your account’s security has been compromised. You are also responsible for storing, maintaining and backing up Customer Data and the Service includes functionality to assist you in backing-up Customer Data.

2.4. Restrictions. Except as expressly authorised by us prior to each instance, you shall not: (i) permit any third party to access or use the Services (other than your Users); (ii) except as expressly permitted by law notwithstanding this prohibition, derive the source code or use tools to observe the internal operation of the Services; (iii) copy, modify or make derivative works of the Services; (iv) use the Services or any materials provided by us to build a competitive product or service or to benchmark with a non-Sage product or service, (v) remove any proprietary markings or notices from any materials provided to you by us; (vi) create internet links to or from, or frame or mirror any part of the Services; or (vii) use the Services: (a) to send spam, duplicative or unsolicited messages in violation of applicable laws or regulations; (b) to send or store material that violates the rights of a third party; (c) to send or store material containing viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs; (d) in a way that interferes with or disrupts the integrity, security, availability or performance of the Services; or (e) for any other illegal or unlawful purpose. You may not knowingly facilitate or aid a third party in any of the foregoing activities. A breach of this section is a material breach of this Agreement.



3.1. Availability. We will use reasonable efforts to maintain availability of the Services 24 hours a day, 7 days per week, except for scheduled maintenance, of which we shall give at least 8 hours’ notice via the Services. You can view any scheduled maintenance windows, availability and performance status at Maintenance windows are determined by Salesforce (and are not subject to agreement in advance). While maintenance is typically conducted outside of ordinary working hours, we do not set maintenance windows and have no ability to change them. We do not offer service credits for service outages.

3.2. Customer Support. We will provide you with the customer support related services set forth in your Order in accordance with our then-current service level standards which are available on

3.3. Professional Services. We may also provide other services, such as implementation and training. Any such services are outside the scope of the Services provided under this Agreement and require a separate written agreement between the parties.



4.1. Orders. All fees and other applicable charges will be as set out in your Order. Unless stated otherwise in your Order, all fees and charges due will be invoiced in advance and payable within 30 days of the invoice date. All payment obligations are non-cancellable and all amounts paid are non-refundable other than as set out in this Agreement. You are responsible for paying for all Users for the entire term of your Order, whether or not such User accounts are actively used. A User with “licence administrator” status may add Users by executing an additional Order, and such additional subscriptions shall (i) have a subscription period coterminous with the current subscription period; (ii) be chargeable at the applicable rates as set out in such additional Order; and (iii) be charged the annual amount of the Order fees pro-rated to the nearest whole month. You may only withhold the portion of an invoice that you dispute in good faith if you provide us (by the applicable invoice due date) with a written notification describing in reasonable detail the basis for such withholding and timely pay the undisputed portion of such invoice.

4.2. Billing and Contact Information. You will provide us with complete and accurate billing and contact information for your account with us and shall promptly notify us of any change thereto.

4.3. Taxes. All fees are exclusive of applicable taxes, levies, or duties imposed by taxing authorities, and you shall be responsible for their payment, excluding taxes on our net income.

4.4. Late Payment; Non-Payment. If any fees are not received by us by the due date, interest of 4% above the base rate of the Bank of England shall be payable on any overdue balance. Non-payment of any fees due by you to us is a material breach of this Agreement.

4.5. Suspension. In addition to any other rights we may have, we may suspend your access to the Services if you fail to pay any invoice within 30 days of receiving notice that payment is overdue. We will only exercise our suspension rights after providing you with 3 days’ notice. You will continue to be charged for User licences during any period of suspension. We may also impose a reconnection fee of up to the equivalent of 1 month’s licence fee if your access is suspended and you thereafter request access to the Service.



5.1. Services. Subject to the limited rights expressly granted hereunder, as between the parties we own all rights, title and interest, including all Intellectual Property Rights, in and to the Services, including any configurations, customisations, modifications, enhancements, updates and revisions thereof. All rights not expressly granted in this Agreement are reserved by us. The Sage names and logos and the product names associated with the Services are our or our licensors’ trademarks, and no right or licence is granted under this Agreement to use them.

5.2. Customer Data. Subject to the limited rights expressly granted hereunder, as between the parties you own all rights, title and interest, including all Intellectual Property Rights, in and to Customer Data. You grant us, our Affiliates and subcontractors a worldwide, royalty-free, non-exclusive licence to host and use the Customer Data to the extent necessary to provide the Services and perform our rights and obligations under this Agreement.

5.3. Feedback. You may, but are not required to, provide us or our Affiliates or subcontractors with ideas, suggestions, requests, recommendations or feedback about the Services (“Feedback”). If you do so, you grant us and our Affiliates a non-exclusive, worldwide, perpetual, irrevocable licence to use, exploit, reproduce, incorporate, distribute, disclose, and sublicence the Feedback for any purpose.



6.1. Confidential Information. “Confidential Information” means all information of a party or its Affiliates (“Discloser”) disclosed to the other party or its Affiliates (“Recipient”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. The terms of your Order, the Services and the Documentation are our Confidential Information. Customer Data is your Confidential Information.

6.2. Exceptions. Confidential Information excludes: (i) information that was known to the Recipient without a confidentiality restriction prior to its disclosure by the Discloser; (ii) information that was or becomes publicly known through no wrongful act of the Recipient; (iii) information that was rightfully received from a third party authorised to make such disclosure without restriction; (iv) information that has been independently developed by the Recipient without use of, or reference to, the Discloser’s Confidential Information; and (v) information that was authorised for release in writing by the Discloser.

6.3. Confidentiality Obligations. The Recipient will use the same degree of care as it uses for its own confidential information of like nature, but no less than reasonable care, to protect the Discloser’s Confidential Information from any use or disclosure not permitted by this Agreement or authorised by the Discloser. The Recipient may disclose the Discloser’s Confidential Information to its employees, Affiliates and service providers who need access to such Confidential Information to effect the intent of this Agreement, provided that they are bound by confidentiality obligations no less restrictive than those herein.

6.4. Disclosure Required by Law. The Recipient may disclose Confidential Information to the extent required by court or administrative order or law, provided that the Recipient provides advance notice thereof (to the extent permitted) and reasonable assistance, at the Discloser’s cost, to enable the Discloser to seek a protective order or otherwise prevent or limit such disclosure.

6.5. Injunctive Relief. A breach of the Recipient’s confidentiality obligations may cause irreparable damage, which money cannot satisfactorily remedy, and therefore the Discloser may seek the remedies of injunction, specific performance and other equitable relief for any threatened or actual breach of this section 6 without the need to prove damages or post a bond or other surety.

6.6. Data Privacy. We will process all Customer Data, including your personal data (as defined in Exhibit A), pursuant to the Data Processing Addendum attached hereto as Exhibit A.


7.1. No Endorsement or Warranty. We may present to you (including on our websites) Third-Party Services. We do not endorse or make any representation, warranty or promise regarding, and do not assume any responsibility for, any such Third-Party Service, regardless of whether it is described as “authorised”, “certified”, “recommended” or the like. We have no obligation to make available or provide support for Third-Party Services and do not guarantee the initial or continuing interoperability of the Services with any Third-Party Services.

7.2. Third Party Networks and Facilities. We are not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet by your Third-Party Provider, and you acknowledge that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities. This shall not relieve us of our responsibility in respect of the operation of our internal communications networks and facilities that are within our control.

7.3. Data Sharing. If you obtain a Third-Party Service that requires access to or transfer of Customer Data, you acknowledge that any such access or transfer is between you and the Third-Party Provider pursuant to the Third-Party Provider’s own terms and conditions and privacy notices, and that we are authorised to provide the Customer Data as requested by the Third-Party Service. We are not responsible for any modification, loss, damage or deletion of Customer Data by any Third-Party Service obtained by you.



8.1. Term. All subscriptions specified in your initial Order will run for the initial subscription period set forth therein. All subscriptions will automatically renew for additional subscription periods of one year unless either party gives the other party notice of non-renewal at least 45 days prior to the end of the relevant subscription period. If you add subscriptions after the beginning of a subscription period, the initial term of such new subscriptions will run for the remainder of the then-current subscription period. You may reduce the number of subscriptions, effective only upon expiration of the then current subscription period, by providing us with at least 45 days’ prior written notice. This Agreement will remain in effect until all User subscriptions have expired.

8.2. Termination for Cause or Change in Control. Either party may terminate this Agreement for cause: (i) with written notice to the other party of a material breach of this Agreement which is incurable or, if curable, which remains uncured for 30 days after such notice; or (ii) to the extent permitted by applicable law, upon written notice to the other party after the other party becomes the subject of a petition in bankruptcy or other proceedings relating to insolvency or makes an assignment for the benefit of creditors. If you materially breach this Agreement, we may temporarily suspend your access to the Services or withhold further performance of our obligations under this Agreement. We may also terminate this Agreement upon written notice to you if there is a change in control that results in you being an Affiliate of any of our direct competitors.

8.3. Effect of Termination. On expiration or termination of this Agreement: (i) all applicable User licences and other rights granted to you will immediately terminate; (ii) a party’s rights, remedies, obligations or liabilities that have accrued up to the date of termination, including any claim for damages from pre-existing breach, shall not be affected; and (iii) subject to section 8.5, Recipient shall, at the request of Discloser, delete or destroy Discloser’s Confidential Information in its possession or control. Notwithstanding the foregoing, Recipient may retain Discloser’s Confidential Information (a) to the extent required by law or governmental authority, or (b) that is automatically stored in accordance with Recipient’s generally applicable backup policies (“Backup Media”). All Backup Media shall remain subject to the confidentiality obligations set forth herein, notwithstanding the expiration or termination of this Agreement, so long as it remains undeleted.

8.4. Survival. Any provision of this Agreement that expressly or by implication is intended to operate after expiration or termination of this Agreement shall remain in full force and effect.

8.5. Access to Customer Data. If requested by you within 30 days before the effective date of termination or expiration of this Agreement (“Retention Period”), we will make a file of Customer Data available to you for downloading in comma separate value (.csv) format along with attachments in their native format. After the Retention Period, we will have the right to delete all Customer Data and will have no further obligation to make it available to you. We recommend that you download a copy of this data before the Retention Period expires.



9.1. Authority. Each party represents to the other that it has the authority to enter into this Agreement, to carry out its obligations under it, and to give the rights and licences granted herein.

9.2. Our Warranties. We warrant that: (i) the Services will perform materially in accordance with the Documentation; and (ii) we will not materially decrease the functionality of the Services during a current subscription term.

9.3. Remedies. If you notify us in writing that the Services do not conform with any of the warranties in section 9.2, we will use reasonable efforts to investigate and correct any such non-conformance promptly. You will use reasonable efforts to mitigate any damage you may incur as a result of such non-conformance. Subject to your right to terminate this Agreement for cause, this section 9.3 constitutes your sole and exclusive remedy for breach of the warranties in section 9.2.




10.1. Our Indemnification. Subject to section 10.3, we will indemnify and hold you and your Affiliates, officers, directors, employees, and agents harmless from and against any and all costs, damages, losses, liabilities and expenses, including reasonable attorneys’ fees and costs (collectively, “Damages”), to the extent arising out of a claim alleging that the Services infringe or misappropriate the Intellectual Property Rights of a third party, except to the extent that the alleged infringement is based on: (a) a modification of the Services by anyone other than us; (b) use of the Services in combination with any software, hardware, network or system not supplied by us if the alleged infringement relates to such combination; or (c) use of the Services in a manner contrary to our written instructions or the Documentation. If the Services infringe, or we reasonably believe they may infringe, Intellectual Property Rights, we may, at our own expense and option: (i) procure the right for you to continue use of such Services; (ii) modify such Services so that they become non-infringing without material loss of functionality; or (iii) if (i) or (ii) are not feasible, terminate the Agreement and refund you a pro-rata portion of any prepaid fees for the Services covering the period when you were unable to use the Services due to the infringement claim. THE INDEMNIFICATION OBLIGATIONS SET FORTH ABOVE REPRESENT OUR SOLE AND EXCLUSIVE LIABILITY AND YOUR EXCLUSIVE REMEDY FOR ANY THIRD-PARTY CLAIM DESCRIBED IN THIS SECTION.

10.2. Indemnification by You. Subject to section 10.3, you will indemnify and hold us and our Affiliates, officers, directors, employees, and agents harmless from and against any and all Damages to the extent arising out of a third-party claim alleging that your collection, retention or use of Customer Data or your use of the Services in breach of this Agreement infringes the rights of, or has caused harm to, a third party.

10.3. Indemnification Procedure. In the event of a potential indemnity obligation under this section 10, the party claiming the indemnity shall provide to the other party: (i) prompt written notice of the claim such that the other party’s ability to defend the claim is not prejudiced; (ii) sole control of the defence and settlement of the claim; and (iii) all reasonable assistance, at the other party’s expense. Without the prior written consent of the party claiming the indemnity, the other party shall not settle or consent to an adverse judgment in any such claim that adversely affects the rights or interests of, or imposes additional obligations on, the party claiming the indemnity.




11.2. Unlimited Liability. Nothing in this Agreement shall be construed so as to limit or exclude any liability which cannot be legally limited, including but not limited to liability for: (i) death or personal injury caused by a party’s negligence; or (ii) fraud or fraudulent misrepresentation by a party.

11.3. Scope. The exclusions and limitations above apply to all causes of action, whether arising from breach of contract, tort, breach of statutory duty or otherwise, even if such loss was reasonably foreseeable or if one party had advised the other of the possibility of such loss, provided that nothing in this Agreement shall limit or exclude any liability which cannot be excluded or limited as a matter of law. A party may not circumvent the limitations of liability herein or receive multiple recovery under this Agreement by bringing separate claims on behalf of its Affiliates.



12.1. Compliance with Laws. Each party shall comply with all applicable laws, statutes, codes and regulations in relation to the Services, including applicable anti-bribery and anti-corruption laws, Data Protection Laws and tax evasion laws. The Services may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied persons list and that it is not owned or controlled by a politically exposed person. You shall not permit Users to access or use the Services in violation of any U.S. export law or regulation or in any Restricted Territories. “Restricted Territories” means (i) Cuba, Iran, North Korea, Syria and the territory of Crimea / Sevastopol, and (ii) any other country or territory that is subject to sanctions by the United Kingdom, the European Union, or the U.S. Each party will promptly report to the other party if it has violated, or if a third party has a reasonable basis for alleging that it has violated, this section. A breach of this section is a material breach of this Agreement.

12.2. Public Cloud. The Services are accessible through the public cloud. Sage People and its licensors make no representation or warranty that the Services are appropriate or available for use in jurisdictions not compatible with accessibility through the public cloud.

12.3. Assignment. Neither party may assign any rights or obligations under this Agreement without the other party’s prior written consent, provided that a party may assign the Agreement in its entirety (i) in connection with a merger, acquisition, corporate reorganisation or sale of substantially all of its assets or (ii) to an Affiliate. Any attempted assignment in breach of this Agreement shall be void.

12.4. Remedies Not Exclusive. Except as expressly set forth herein, any remedy in this Agreement is not exclusive of any other available remedy.

12.5. No Third Party Beneficiaries. Except as expressly set out in this Agreement, a person who is not a party to this Agreement will have no rights to enforce it.

12.6. Entire Agreement. This Agreement constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous written and oral agreements, negotiations and discussions between the parties regarding the subject matter herein. Any Order in effect at the Effective Date shall, from the Effective Date, be subject to the terms of this Agreement. In no event shall any of your terms or conditions (including those in or attached to any purchase order you may send to us) apply to any Order or vary this Agreement. The parties acknowledge that except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

12.7. Severability. If any provision of this Agreement is held to be invalid, illegal or unenforceable, then to the extent possible such provision shall be construed to reflect the intent of the original provision, with all other provisions in this Agreement remaining in full force and effect.

12.8. No Partnership or Agency. Each party is an independent contractor and neither party has any authority to act on behalf of the other. Neither party will represent itself as agent, servant, franchisee, joint venture or legal partner of the other. We are entering into this Agreement as principal and not as agent for any other Sage company, and claims under this Agreement may be brought only against us and not against any of our Affiliates.

12.9. Waiver. A party’s failure or delay to exercise or enforce any right under this Agreement will not act as a waiver of such right. Rights may only be waived in writing signed by the waiving party.

12.10. Force Majeure. Notwithstanding any provision contained in the Agreement, neither party will be liable to the other to the extent performance of any obligations under the Agreement is delayed or prevented by a Force Majeure Event.

12.11. Order of Precedence. In the event of any conflict or inconsistency, the order of precedence shall be: (i) your Order; (ii) these terms (including any addendums, schedules or exhibits hereto); and (iii) the Documentation.

12.12. Updates. From time to time, we may amend these terms. We will notify you of any material changes by promptly sending an email or posting a notice in the Services. By continuing to access or use the Services after such notice, you are indicating that you agree to be bound by the modified terms. Notwithstanding the foregoing, if the changes have a material adverse impact on and are not acceptable to you, then you must notify us within 30 days after receiving notice of the change. If we cannot accommodate your objection, then the prior terms shall remain in force until the expiration of your then-current subscription period. Any renewed subscription will be governed by our then-current terms.

12.13. No Publicity. Neither party shall make any public statement about this Agreement or the relationship of the parties governed by this Agreement without the other party’s prior written consent, except that while you are a customer, Sage may use your name and logo in its customer list (e.g., online and in presentations) in a manner that does not suggest endorsement.

12.14. Governing Law and Jurisdiction. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim.

12.15. Notices. Any notice required to be given under this Agreement shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address set out in this Agreement, or such other address as may have been notified by that party for such purposes. A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by e-mail shall be deemed to have been received at the time of transmission.

12.16. Interpretation. Headings are for convenience only and may not be used in interpretation. The word “including” is not a word of limitation. The Agreement shall not be interpreted against the drafter.

12.17. Future Functionality. You agree that your purchase of subscriptions is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written public comments we make with respect to future functionality or features.



The Services are hosted and powered by Salesforce. The following terms are specifically required by Salesforce.

13.1. Access; Separate Agreement. You will have access to the Salesforce platform facilities via us and will not require a separate licence with Salesforce. This licence will be limited to use of the Salesforce Technology only as is necessary to use the Service. Salesforce requires that each of our customers accepts a separate agreement with them for use of the Salesforce Technology, a copy of which is linked in your Order and available for your reference online at

13.2. API. If the Services offer integration capabilities via an application programming interface (“API”), the number of API calls you can make per account is limited to 1,000 calls/day/User (aggregated over all Users under your account), up to an aggregate maximum of 1,000,000 calls/day/your account.

13.3. Storage Limitations. The maximum data storage space provided to you at no additional charge is the greater of 1 GB or an aggregate of 20 MB per User licence. The maximum file storage space provided to you at no additional charge is 2 GB per User licence. If the amount of data storage or file storage required exceeds these limits, you will be charged storage fees at our then current list price. We will use reasonable efforts to notify you when the average storage used per licence reaches approximately 90% of the maximum; however, any failure to so notify you shall not affect your responsibility for such additional storage charges. We reserve the right to establish or modify our general practices and limits relating to storage of Customer Data.


Data Processing Addendum


1.1. In this Addendum, unless the context otherwise requires:

“Data Protection Laws” means all applicable laws and regulations governing the use or processing of personal data, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national laws implementing or supplementing or superseding the foregoing; “controller”, “data subject”, “personal data”, “personal data breach”, “processing”, “processor” and “supervisory authority” have the meanings given to them in Data Protection Laws and the term “supervisory authority” shall be deemed to include the UK Information Commissioner;

“European Law” means European Union law, member state law and/or the law in any part of the UK;

“International Transfer” means a transfer of Relevant Data from the European Union or the UK to a third country or international organisation;

“Relevant Data” means all Customer Data: (i) which relates to a data subject; and (ii) in respect of which you (the Customer) are the controller; and (iii) which will be processed by us on your behalf in connection with the Agreement, as more particularly described in Schedule 1 (Specification of processing);

“Security Incident” means a personal data breach in respect of the Relevant Data;

“Sub-processor” means another processor; and

“Your Data Responsibilities” means your protection responsibilities under or in connection with the Agreement, including:

• your contractual relationships with third parties, other members of your group and your other processors;
• the compliance of your processing (and of other members of your group, if any) under this Addendum and the Agreement as controller;
• the compliance of your business with applicable Data Protection Laws;
• the compliance of your intra-group transfers (if any) of personal data;
• the compliance of your transfers (if any) of personal data to processors and/or other suppliers;
• the compliance of your processing of Relevant Data as controller;
• the compliance of your remote use of our systems from a third country or international organisation (if any)

and otherwise complying with your controller obligations under applicable Data Protection Laws.

1.2. Where there is any inconsistency between the terms of this Addendum and any other term of the Agreement, the terms of this Addendum shall take precedence.



2.1. The parties acknowledge that, for the purposes of the Agreement, you are the controller and we are the processor of the Relevant Data. Details of the processing we shall carry out for you are set out in Schedule 1 (Specification of processing), which you agree that you have checked and confirmed as correct. The parties may update Schedule 1 (Specification of processing) during the term of the Agreement, in accordance with the Agreement or by mutual written agreement, to reflect changes in processing or for other reasons. Each updated version shall form part of the Addendum.

2.2. You warrant and represent that:
2.2.1. you will comply, and will ensure that your instructions for the processing of Relevant Data will comply, with Data Protection Laws;
2.2.2. you are authorised by the relevant data subjects, or are otherwise permitted pursuant to Data Protection Laws, to disclose the Relevant Data to us;
2.2.3. you will, where necessary, and in accordance with Data Protection Laws, obtain all necessary consents and rights and provide all necessary information and notices to data subjects in order for:

(i) you to disclose the Relevant Data to us;

(ii) us to process the Relevant Data for the purposes set out in the Agreement and this Addendum and in accordance with Data Protection Laws; and

2.2.4. your instructions to us and/or to any Sub-Processor(s) relating to processing of Relevant Data will not put us or any Sub-processor(s) in breach of Data Protection Laws.

2.3. You acknowledge and agree that we may be required or permitted by European Law to disclose certain personal data or other information relating to you, the Services and/or the Agreement to third parties. We may also be required by European Law to process the Relevant Data other than on your documented instructions under paragraph 3.1.1. If that happens, we will inform you of that legal requirement before the processing, unless that legal requirement or law prohibits us from doing so on important grounds of public interest. Where we are prohibited from informing you of the legal requirement, and/or where we are subject to an ongoing legal requirement to process, you give us general authorisation and consent to carry out that processing without your specific authorisation or consent.

2.4. Where we assist you with your compliance with data protection requirements or otherwise under or pursuant to this Addendum, we reserve the right to charge you on the basis of our standard applicable pricing. You will reimburse us for all additional costs and liabilities incurred by us resulting from any failure or delay(s) by you to comply with your obligations under this Addendum.



3.1. We shall:
3.1.1. Lawful instructions: except as indicated in paragraph 2.3 and paragraph 5.1.5, only process the Relevant Data in accordance with your documented instructions including with regard to International Transfers; you hereby instruct us to process the Relevant Data in order to provide the Services and any other instructions set out in the Agreement; nothing in this paragraph 3.1.1 will permit you to vary our obligations and/or any instructions under the Agreement other than with our prior written agreement; if we reasonably consider that any of your instructions may put us and/or any Sub-processor(s) in breach of Data Protection Laws and/or any provision of the Agreement, we shall be entitled not to carry out that processing and will not be in breach of the Agreement or otherwise liable to you as a result of our failure to carry out or delays in carrying out that processing;

3.1.2. Security of Processing: implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Relevant Data), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Relevant Data, as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects, and including, as and where appropriate, measures to ensure:

(a) the pseudonymisation and/or encryption of the Relevant Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability of and access to the Relevant Data in a timely manner in the event of physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

3.1.3. take steps to ensure that any natural person acting under our authority who has access to Relevant Data does not process them except on your instructions, unless he or she is required to do so by European Law; and

3.1.4. operate, maintain and enforce an information security management programme (“Security Programme”) which is consistent with recognised industry best practice; the Security Programme contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas:

• Information security policies
• Organisation of information security
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Legislative, regulatory and contractual compliance;

3.1.5. Assistance in Compliance: taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests by data subjects exercising their rights under Data Protection Laws;

3.1.6. assist you in ensuring compliance with the obligations in Data Protection Laws in respect of security of processing, notification of a Security Incident to a supervisory authority, communication of a Security Incident to the data subject, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to us;

3.1.7. Staff Confidentiality Obligations: ensure that our staff are authorised to process the Relevant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and

3.1.8. Return or Deletion of Relevant Data: at your option (to be exercised by written notice from you) delete or return to you, all the Relevant Data after the end of the provision of the Services relating to the processing, and (in the case of return), delete existing copies of the Relevant Data unless any European Law requires us to store the Relevant Data; however we will be entitled to retain any Relevant Data which: (a) we have to keep to comply with any applicable laws; (b) we are required to keep for insurance, accounting, taxation, legal, regulatory or record keeping purposes; or (c) is necessary to investigate and resolve performance or security issues, and this Addendum will continue to apply to retained Relevant Data; notwithstanding any provision to the contrary in the Agreement, we shall be entitled to delete the Relevant Data in accordance with our normal data cleansing policies; in respect of Relevant Data which are archived/backed up, you instruct us to retain those archived/backed up Relevant Data in accordance with the typical period for which those Relevant Data are archived/backed up by us for the Services in question.



4.1. Without prejudice to any provisions in the Agreement relating to sub-contracting, you hereby give your general written authorisation to us engaging Sub-processors to process the Relevant Data. By entering into the Agreement, you approve the Sub-processors set forth in Schedule 2. Where the Sub-processor is in a third country, you hereby instruct us to make an International Transfer under paragraph 5.

4.2. We shall inform you of (but will not be required to obtain your consent to) any intended changes concerning the addition or replacement of Sub-processors, thereby giving you the opportunity to object to such changes.

4.3. If we appoint a Sub-processor, we will put a written contract in place between us and the Sub-processor that specifies the Sub-processor’s processing activities and imposes on the Sub-processor substantially similar terms as appropriate to the sub-processing they will undertake. If that Sub-processor fails to fulfil its data protection obligations, we shall remain liable to you for the performance of that Sub-processor’s obligations.



5.1. We shall only make an International Transfer to a recipient:

5.1.1. on the basis of an adequacy decision made under Data Protection Laws;
5.1.2. on the basis of appropriate safeguards that are in place, and you agree to execute any documents (including data transfer agreements) relating to that International Transfer which we request that you to execute from time to time for that purpose;
5.1.3. on the basis of binding corporate rules approved by a competent supervisory authority; or
5.1.4. on the basis of an applicable derogation in Data Protection Laws
which in each case applies to the International Transfer in question, or
5.1.5. if we are required to make the International Transfer to comply with European Law, in which case we will notify you of the legal requirement prior to that International Transfer unless the European Law prohibits us from notifying you on public interest grounds.

5.2. You acknowledge and agree that you shall be responsible, and we shall not be responsible, for any International Transfers that occur when Users access the Services through a browser from a third country or international organisation, as further referred to in paragraph 7.



6.1. At your reasonable request and subject to you entering into an appropriate confidentiality agreement, we shall:
6.1.1. make available to you such information as may reasonably be necessary to demonstrate compliance with the obligations for processor agreements laid down in Data Protection Laws; and
6.1.2. subject to the restrictions in paragraph 6.3 below, allow you (or an independent, third-party professional auditor mandated by you) to conduct an audit, including inspection, of our processing of Relevant Data pursuant to the Agreement, and contribute to that audit
except that you agree that nothing in this paragraph 6.1 shall require us to act in breach of an obligation of confidentiality owed to a third party.

6.2. With respect to paragraph 6.1, we shall immediately inform you in writing, but without any obligation to give legal advice if, in our opinion, to follow an instruction given by you would give rise to a breach of applicable Data Protection Laws.

6.3. When exercising your rights under paragraph 6.1.2 above, you shall:
6.3.1. promptly provide us with information regarding any non-compliance discovered during the course of an audit;
6.3.2. use reasonable endeavours to conduct such audits during reasonable times and for a reasonable duration, which shall not unreasonably interfere with our day-to-day operations; and
6.3.3. not exercise your audit rights more than once in any twelve (12) month period except: (i) if and when required by instruction of a supervisory authority or by order of a court; or (ii) where the parties reasonably believe a further audit is necessary due to a Security Incident.

6.4. In relation to any Sub-processors that are engaged pursuant to paragraph 4, you acknowledge and agree that it is sufficient, for the purposes of satisfying the requirements of paragraph 6.1, that we shall have a right to audit those Sub-processors on your behalf, subject to reasonable restrictions.


7.1. You shall comply with Your Data Responsibilities. We are not in any way responsible for Your Data Responsibilities.



8.1. Where, and to the extent, we undertake any processing of personal data as a controller under the Agreement or this Addendum (for example but not exhaustively, in the management of our relationship with you, for analytics under paragraph 9 or for marketing under paragraph 10) then this shall be done in accordance with our privacy notice at and with applicable Data Protection Laws.



9.1. We may use the Relevant Data and other data to run statistical reports within the Services for our own use; for example, showing which features are the most popular with Users, which features cause issues, for benchmarking in aggregate form and/or to gain insights. We may use this to improve the Services, add new features and functionality, and provide you with insights. You consent to and authorise our access to and use of the Relevant Data for those purposes, and agree that our use of the Relevant Data is legitimate, necessary and proportionate given the negligible impact on you and the benefit you and your Users will receive from product improvements and enhancements. For further information, including our legitimate interests for conducting analytics, please see our privacy notice at



10.1. Unless you have opted out of direct marketing communications (e.g. told us not to start them or told us to stop them), you acknowledge and agree that we may use personal data (such as the telephone and email contact details we have collected for you and your staff) to provide direct marketing communications to you which may be of interest, based on the individual recipient’s use of the Services or areas of interest. Direct marketing communications include telephone, email and other forms of electronic communication. We track whether marketing emails are opened and whether links in the emails are clicked on. This is built into the emails and to stop this occurring you need to unsubscribe from the emails. Please be assured that we will not take contact details from the Relevant Data and use them to send direct marking communications – we only use contact details we collect as controller.

10.2. How to opt out of direct marketing. If you or your staff prefer not to receive direct marketing from us, please tell the caller, click on the ‘unsubscribe’ button in the relevant communication (to stop email marketing only) or contact us at [email protected]. It may take up to one month for your preferences to be updated across our systems.

10.3. For further information, please see our privacy notice at


Schedule 1
Specification of processing

Subject matter and duration of the processing of Relevant Data:
Subject matter: the provision of our Services.
Duration: the term of the Agreement, including any transition periods on entrance or exit from the Agreement.

Nature and purpose of the processing of Relevant Data:
Any or all of the following processing operations for the purpose of providing the Services, depending on the Services chosen by you; your use of and requirements for the Services; the requirements in the Agreement; and third party requests and other extraneous events (the “Purposes”):
– Collection
– Recording
– Organisation
– Structuring
– Storage
– Adaptation/alteration
– Retrieval
– Consultation
– Use
– Disclosure by transmission / dissemination or otherwise making available
– Alignment / combination
– Restriction
– Erasure / destruction
– Others: …………………………………….

Type of Relevant Data (including any special categories of Relevant Data or other sensitive data):
Any or all of the following depending on the Purposes:
– Personal details (any information that identifies the data subject and their personal characteristics e.g. name, address, contact details, age, sex, date of birth, physical description and any identifier issued by a public body, e.g. National Insurance number or social security number)
– Education and training details (any information which relates to the education and any professional training of the data subject e.g. academic records, qualifications, skills, training records, professional expertise, and student and pupil records)
– Family, lifestyle and social circumstances (any information relating to the family of the Data subject and the data subject’s lifestyle and social circumstances e.g. current marriage and partnerships and marital history, details of family and other household members, habits, housing, travel details, leisure activities and membership of charitable or voluntary organisations)
– Employment details (any information relating to the employment of the data subject e.g. employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records and security records) and pension information)
– Financial details (any information relating to the financial affairs of the data subject e.g. income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details and pension information)
– Goods and services provided (any information relating to goods and services that have been provided e.g. goods or services supplied, licences issued, agreements and contracts)
– Special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a data subject, data concerning health or data concerning a data subject’s sex life or sexual orientation)
– Criminal data (criminal convictions and offences or related security measures, including personal data relating to: (a) the alleged commission of offences by the individual (b) proceedings for an offence committed or alleged to have been committed by the individual or the disposal of such proceedings, including sentencing)
– Others: …………………………………….

Categories of data subjects:
Any or all of the following depending on the Purposes:
– Staff including volunteers, agents, temporary and casual workers of yours
– Customers/clients (who are individuals or sole traders) of yours
– Suppliers (sole traders) of yours
– Contact persons of corporate entities (e.g. at suppliers or customers, where supplier is not a sole trader or customer is not an individual) of yours
– Members or supporters (e.g. shareholders) of yours
– Complainants, correspondents and enquirers of yours
– Relatives, guardians and associates (of data subjects) of your staff
– Advisers, consultants and other professional experts or legal representatives (individuals/sole traders) of yours
– Partners, resellers (individuals/sole traders) of yours
– Donors, supporters (individuals/sole traders) of yours
– Students if input by you
– Offenders and suspected offenders if input by you
– Landlords/tenants of yours
– Users of the Services not included in the above
– Others: …………………………………….

Controller’s obligations and rights:
The obligations in paragraph 2.2 and paragraph 7.
The rights to enforce the data processing terms in paragraphs 3, 4, 5 and 6 against us as your processor.


Schedule 2
Authorised sub-processors

Sub-processor Specification of processing EMEA Limited Hosting of the Services and provision of the cloud platform to Salesforce, Inc. Hosting of the Services and provision of the cloud platform to Salesforce
Sovren Resume parsing (only applicable to the extent you use “Sage People Recruit”)
Exit popup

Take an Interactive tour of Sage People

Discover how Sage People can transform the way you hire, manage, engage and retain your workforce, in this interactive product tour.