Data Processing Agreement

This Data Processing Agreement is entered into between:

Data Processor: Overlay Apps Ltd, a company incorporated in England and Wales, operating the Act On It application available on the Salesforce AppExchange (referred to in this agreement as "Overlay Apps", "we", or "us").

Data Controller: The organisation or individual that has installed Act On It from the Salesforce AppExchange and is using the application within their Salesforce environment (referred to in this agreement as "you", "your", or "the Customer").

By installing and using Act On It, the Customer agrees to the terms of this Data Processing Agreement. This agreement forms part of, and is subject to, the Act On It Terms of Service.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Law.

"Processing" means any operation performed on Personal Data, including access, reading, displaying, or transmitting data within a system.

"Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable successor legislation.

"Salesforce Environment" means the Customer's Salesforce organisation, hosted and operated by Salesforce Inc. under a separate agreement between the Customer and Salesforce.

Act On It is a notification and alerting application that operates entirely within the Customer's Salesforce Environment. It monitors Salesforce records and data according to rules configured by the Customer, and delivers notifications to Salesforce users within that same environment.

The purpose of processing is to provide the notification and alerting services described in the Act On It Terms of Service, as directed by the Customer through their configuration of the application.

Overlay Apps processes Personal Data solely on the documented instructions of the Customer. The Customer, as Data Controller, determines what data Act On It accesses and what notifications are generated.

The categories of Personal Data processed by Act On It depend entirely on the Customer's Salesforce configuration and the notifications the Customer chooses to create. This may include:

• Salesforce user names, email addresses, and identifiers (for notification recipients)
• Record data fields included in notification message templates by the Customer
• Notification delivery status and engagement data (whether a notification was viewed or acted upon)
• Opt-out preferences set by individual Salesforce users

Act On It does not process special categories of Personal Data as defined under Article 9 UK GDPR unless the Customer explicitly includes such data in their notification configuration, which Overlay Apps does not recommend and for which the Customer bears sole responsibility as Data Controller.

All Personal Data processed by Act On It remains within the Customer's Salesforce Environment at all times. Act On It does not transfer, export, copy, or store Personal Data outside of Salesforce.

Overlay Apps does not operate any external servers, databases, or data storage systems that receive or hold Customer Personal Data. No international data transfers are made by Overlay Apps in connection with the provision of Act On It.

The hosting and infrastructure of the Customer's Salesforce Environment is governed by the separate agreement between the Customer and Salesforce Inc. Customers should refer to Salesforce's own data processing terms for information about where their Salesforce data is hosted.

Overlay Apps does not engage any third-party sub-processors in the provision of Act On It. No Personal Data is shared with or accessible by any third party in connection with the operation of the application.

If this position changes, Overlay Apps will provide at least 30 days prior written notice to Customers before engaging any new sub-processor, and will update this agreement accordingly.

Overlay Apps implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Act On It has passed the Salesforce AppExchange Security Review, an independent assessment of the application's security architecture and data handling practices
• The application operates exclusively within Salesforce's security model, inheriting Salesforce's enterprise-grade access controls, field-level security, and permission sets
• No credentials, tokens, or Personal Data are stored outside the Customer's Salesforce Environment
• Access to the application is governed by the Customer's own Salesforce permission and profile configuration

The Customer, as Data Controller, is responsible for responding to requests from data subjects exercising their rights under Data Protection Law.

Overlay Apps will provide reasonable assistance to the Customer in fulfilling such requests where the requested data is accessible through Act On It. Given that all data processed by Act On It resides within the Customer's Salesforce Environment, the Customer can typically fulfil data subject requests directly through their Salesforce administrative tools without requiring assistance from Overlay Apps.

To request assistance with a data subject request, contact us at [email protected] .

In the event that Overlay Apps becomes aware of a confirmed Personal Data breach affecting Customer data processed through Act On It, Overlay Apps will notify the Customer without undue delay and in any case within 72 hours of becoming aware.

Given that Act On It does not hold or store Customer Personal Data externally, any data breach affecting Customer data is most likely to originate from or affect the Customer's Salesforce Environment directly, in which case Salesforce's own breach notification procedures will apply.

Overlay Apps does not retain Customer Personal Data outside of the Customer's Salesforce Environment. All notification history, delivery records, and engagement data generated by Act On It is stored within the Customer's Salesforce org as standard Salesforce objects.

Upon uninstallation of Act On It, the Customer can manage and delete all associated data through their standard Salesforce data management tools. Overlay Apps has no copies of this data to delete.

Overlay Apps will make available to the Customer all information reasonably necessary to demonstrate compliance with this agreement.

Given the nature of Act On It as a 100% native Salesforce application with no external data handling, Overlay Apps considers the Salesforce AppExchange security review certificate and this published agreement to be the primary means of demonstrating compliance. Customers requiring additional assurance should contact us to discuss their specific requirements.

This agreement is governed by the laws of England and Wales. Any disputes arising under or in connection with this agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Overlay Apps may update this agreement from time to time. Where changes are material, we will provide at least 30 days notice by email to the contact address associated with the Customer's AppExchange installation, or by prominent notice on this page.

Continued use of Act On It following the effective date of any update constitutes acceptance of the revised agreement.

Previous versions of this agreement are available on request.