Data Processing Addendum

Effective Date: March 3, 2026

This Addendum comprises a variation of, and is supplemental to, the End User License Agreement (the “EULA”) for the provision of Software as set out in the EULA (the “Services”). In the event of any conflict between the EULA and this Addendum, the terms and conditions of this Addendum shall control solely to the extent necessary to ensure compliance with Privacy Laws (defined below) in connection with Processing under this Addendum.

Notwithstanding the foregoing, any limitations of liability, damage exclusions, and warranty disclaimers in the EULA apply to this Addendum and control to the extent permitted by applicable law. Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the EULA will apply to this Addendum and remain in full force and effect.

1. Definitions

1.1 “Applicable EU Law” means any applicable law of the European Union (or the law of one or more of the Member States of the European Union).

1.2 “California Privacy Law” means, as applicable, the California Consumer Privacy Act and related regulations and, when effective, the California Privacy Rights Act and related regulations.

1.3 “Data Processing Particulars” means in relation to any Processing under this Addendum:

a) the subject matter and duration of the Processing;

b) the nature and purpose of the Processing;

c) the type of the Personal Data being Processed; and

d) the categories of Data Subjects.

1.4 “EU GDPR” means Regulation (EU) 2016/679.

1.5 “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Data.

1.6 “Privacy Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation or other binding restriction (as amended, consolidated or re-enacted from time to time) governing the Processing or protection of Personal Data, including for example, and without limitation, EU GDPR and Directive 2002/58/EC, UK GDPR, California Privacy Law, and any other U.S. federal, state, or local privacy or personal data protection law and implementing regulations that become effective during the term of the EULA and are applicable to the Processing under this Addendum.

1.7 “Processing”, “Processed” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion and/or management of Personal Data.

1.8 “Supervisory Authority” means an independent public authority that is established by an EU Member State to monitor the application of the EU GDPR or by the United Kingdom to monitor the application of the UK GDPR.

1.9 “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended).

1.10 Unless otherwise provided a capitalised term that is not defined in this Addendum shall have the meaning given to it in the EULA and the words and expressions in, and the rules of interpretation of, the EULA shall have the same meaning in this Addendum.

2. Data Processing and Security Responsibilities

2.1 For the purposes of this Addendum, Customer is the Controller and Macabacus is the Processor with respect to the Personal Data Processed by Macabacus on behalf of Customer in connection with the Services, as described in the Data Processing Particulars in Annex A. To the extent that Customer is an EU-based customer subject to DORA for whom Macabacus is an ICT third-party service provider (as defined in DORA), the DORA Addendum available at https://macabacus.com/legal/dora-addendum shall supplement this Addendum. Each party shall comply with the Privacy Laws applicable to it in such role.

2.2 Customer agrees that it has:

a) made and shall maintain all necessary registrations and notifications as required in order to permit Macabacus to perform its obligations and exercise its rights under this Addendum;

b) obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Macabacus to perform its obligations and exercise its rights under this Addendum, and shall inform Macabacus immediately if any such consents are withdrawn;

c) ensured and shall continue to ensure that all Personal Data Processed by Macabacus is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Macabacus to perform its obligations and exercise its rights under this Addendum;

d) ensured and shall continue to ensure that there are valid legal bases to enable Macabacus to Process Customer’s Personal Data;

e) Processed and will continue to Process in accordance with all applicable Privacy Laws.

2.3 In the course of Processing on behalf of Customer as detailed in Annex A, Macabacus shall:

a) except as otherwise permitted herein, only use, disclose, transfer, retain, and otherwise Process as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time or as otherwise required or permitted by applicable Privacy Law, and not Process in any other manner without the express prior written authorization of Customer unless required to do so by applicable law;

b) as soon as reasonably practicable, inform the Customer if, in Macabacus’ opinion, any instruction received from the Customer infringes Applicable EU Law;

c) not disclose any Personal Data to any third party without the prior written authorization of Customer, except to sub-processors engaged in accordance with Section 4 of this Addendum, or as instructed by Customer;

d) not “sell” or “share” the Personal Data within the meaning of applicable Privacy Laws;

e) where any disclosure, transfer or other Processing is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law);

f) promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under Privacy Laws; (ii) complaint received by Macabacus either from an individual or a Supervisory Authority relating to the Processing, and (iii) order, demand or warrant purporting to compel the production of any Personal Data, and provide reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests or enquiries, limited to Personal Data within Macabacus’ possession or control, in each case to the extent permitted by law;

g) implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Data, to protect the Personal Data against loss, theft, destruction, alteration and unauthorized or unlawful access, use or disclosure, as would allow Macabacus to ensure the ongoing confidentiality, integrity and availability of Processing systems and services (the “Security Measures”). The parties acknowledge and agree that the Security Measures are described in Annex B and may be updated by Macabacus from time to time, provided that such updates do not materially diminish the overall security of the Services;

h) limit access to Personal Data only to those employees and permitted contractors of Macabacus who need access and solely for the purposes set out in this Addendum;

i) ensure the employees and permitted contractors of Macabacus agree to protect the confidentiality and security of the Personal Data in accordance with the terms of this Addendum;

j) provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws, including:

(i) the security and integrity of Processing;

(ii) notifications and communication of Security Breaches as required by Privacy Laws to the Supervisory Authority and/or any affected individuals; and

(iii) undertaking any data protection impact assessments that are required by Privacy Laws and, where necessary, consulting with the relevant Supervisory Authority in respect of any such data protection impact assessments;

k) otherwise comply with Privacy Laws applicable to the Processing by Macabacus; and

l) notify Customer if Macabacus determines it can no longer meet its obligations under applicable Privacy Laws with respect to Processing.

3. Third-Party Certifications; Audits

3.1 Upon request, Macabacus shall provide Customer with Macabacus’ most current third-party certifications and/or independent audit reports (e.g., SOC reports) as may be relevant and available in respect of the Services, and Customer agrees to accept such materials as a primary means of verifying compliance, where reasonable.

3.2 Where Customer reasonably determines that the aforementioned materials provided are insufficient to confirm compliance with this Addendum, Customer may conduct an audit or inspection of Macabacus’ relevant records to verify compliance with this Addendum. Customer shall use remote audits and/or document reviews as the default approach, and any such audit is subject to a limited scope of the Processing and the Services and shall be limited to the systems and records used to Process Customer’s Personal Data in connection with the Services. Any such audit shall be conducted no more than once in any twelve (12) month period (unless required by applicable law or following a Security Breach).

4. Sub-processing

Customer authorizes Macabacus to use sub-processors to provide the Services, including the Processing activities set out in Annex A. Macabacus shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are sufficient to permit Macabacus to comply with its obligations under this Addendum.

Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Macabacus shall notify Customer of such sub-processors, and Customer shall have ten (10) days to object to such appointment by providing detailed reasons in writing for such objection to Macabacus, which objection must be reasonable and limited to the data protection and/or information security impacts of the proposed sub-processor on Processing, at which point Customer will be deemed to have given written consent to appoint and use such sub-processor if Macabacus has not received an objection from Customer.

If Customer objects in writing to the proposed appointment, the Parties shall work together in good faith to resolve Customer’s reasonable concerns. If the parties cannot resolve the objection, Customer may terminate only the affected Services in accordance with Section 12.2 (Termination for Cause) of the EULA, and such termination shall be Customer’s sole and exclusive remedy with respect to such objection.

5. Security Breach Notification

5.1 Macabacus will do as follows:

(i) notify Customer without undue delay upon Macabacus becoming aware of a Security Breach. To the extent known at the time, Macabacus’ notice shall include:

(a) a description of the nature of the Security Breach;

(b) the likely consequences of the Security Breach; and

(c) a point of contact for further information.

(ii) may investigate the Security Breach and provide Customer with detailed information about the Security Breach;

(iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach; and

(iv) comply with laws applicable to a Security Breach.

5.2 Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Breach. Macabacus shall reasonably assist Customer in fulfilling Customer’s obligation under applicable law or regulation to notify the relevant Supervisory Authority and data subjects about such Security Breach.

5.3 Macabacus’ notification of or response to a Security Breach under this section is not an acknowledgement by Macabacus of any fault or liability with respect to the Security Breach.

6. Data Transfers

Customer acknowledges and agrees that in the course of providing the Services to Customer, Macabacus may transfer Personal Data that is subject to Applicable EU Law to sub-processors in countries outside of the European Economic Area (“EEA”). Macabacus shall ensure that appropriate transfer mechanisms are in place within the meaning of Applicable EU Law to such transfer, including, where applicable, an adequacy decision and/or other lawful transfer mechanism recognized under Applicable EU Law. Where required, the parties shall enter into and comply with the applicable standard contractual clauses and/or other lawful transfer mechanism recognized under Applicable EU Law.

7. Termination

7.1 This Addendum shall come into force on the Effective Date and shall remain in force until the termination or expiry of the EULA.

7.2 Upon the termination of the EULA or at such other times as instructed by Customer in writing, Macabacus shall securely dispose of the Personal Data and all existing copies, subject to Macabacus’ requirements to retain certain Personal Data in order to comply with its legal and regulatory obligations and applicable law or as otherwise necessary in the context of any disputes or litigation.

8. Governing Law and Jurisdiction of Addendum

8.1 This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws specified in the EULA.

8.2 The Customer and Macabacus agree that the courts specified in the EULA shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).


ANNEX A

DATA PROCESSING DESCRIPTION

Subject-matter and duration of the Processing.

The Services are intended to provide Customer with productivity and brand compliance solutions for Microsoft Office, and do not require Macabacus to access or Process Customer document contents or other end-user content.

The duration of the Processing is continuous and for the duration of the Agreement, as further permitted by the Agreement or as otherwise necessary to fulfill obligations under the Agreement.

Nature and purposes of the Processing.

The nature of the Processing is limited collection, use, storage, and disclosure (to authorized sub-processors) solely on Customer’s instructions, for the purpose of performing the Services, including to:

  • Facilitate subscription payment processing; and
  • Facilitate subscription management.

Data Categories.

The following categories of Data Subjects are involved:

  • Corporate end-users of Macabacus’ software and services

The following types of Personal Data may be Processed:

  • First and last name
  • Company name
  • Business email
  • Business phone number
  • Business address
  • Billing contact and invoicing details
  • Business credit card details (if applicable)
  • IP Address

ANNEX B

SECURITY MEASURES

Macabacus has implemented the following administrative, technical and physical measures to safeguard the Personal Data it Processes, which are intended to be descriptive and may be updated or substituted by Macabacus from time to time, provided that the overall level of protection is not materially diminished:

  • administrative safeguards:
    • user accounts permissioned based on principle of least privilege
    • employees authorized to only access data required for their duties
    • access is reviewed at least quarterly
  • technical safeguards:
    • web application firewalls
    • intrusion protection systems
    • static application security testing
    • disaster management backup processes
    • long password requirements
    • two-factor authentication requirements
    • encryption of data at rest and in transit
    • hashing of data where appropriate
  • physical safeguards:
    • secure data centre(s) used by Macabacus for Macabacus-controlled systems supporting the Services, which are SOC 2 compliant or subject to equivalent security controls

ANNEX C

SUBCONTRACTORS

Subprocessors associated with Processing transferred to Macabacus are located here: https://macabacus.com/legal/third-parties