SageSims Data Processing Addendum

Effective Date: December 1, 2025

This Data Processing Addendum (“DPA”) forms part of the Master Subscription and Services Agreement, Order Form, Statement of Work, or other written agreement between SageSims and Customer that governs Customer’s access to and use of SageSims products and services (the “Agreement”).

If there is a conflict between this DPA and the Agreement on data protection matters, this DPA will control to the extent required by Applicable Data Protection Law.

1. Parties, scope, and roles

1.1 Parties.

This DPA is between:

  • SageSims (“Processor”, “Service Provider”, or “SageSims”), and

  • The entity identified as Customer in the Agreement (“Controller” or “Customer”).

1.2 Scope.

This DPA applies when SageSims processes Personal Data on behalf of Customer in providing:

  • SageSims Decision Readiness Lab

  • SageSims Campus Lab

  • SageSims Simulation Coach Academy

  • SageSims Onsite and Virtual Decision Readiness Intensives

  • SageSims Onsite and Virtual All Hands Simulation Days and add-on sessions

  • SageSims Decision Readiness Blueprint

  • SageSims Decision Readiness Action Lab

  • Any related portals, dashboards, and support services

1.3 Roles.

For the Processing of Personal Data described in this DPA:

  • Customer is the Controller (or equivalent term such as “Business” under US state privacy laws).

  • SageSims is the Processor (or “Service Provider” / “Processor” / “Contractor” under such laws).

If and to the extent SageSims determines the purposes and means of Processing Personal Data for its own independent purposes, SageSims acts as a separate controller for that Processing and that Processing is outside the scope of this DPA.

2. Definitions

2.1 “Applicable Data Protection Law” means all data protection and privacy laws and regulations that apply to the Processing of Personal Data under the Agreement, which may include, as applicable, the GDPR, UK GDPR, CCPA/CPRA and similar US state privacy laws, and any implementing national laws.

2.2 “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by SageSims on behalf of Customer under the Agreement.

2.3 “Processing” and related terms such as “Data Subject”, “Controller”, “Processor”, and “Personal Data Breach” have the meanings given in the GDPR or similar Applicable Data Protection Law.

2.4 “Subprocessor” means any third party engaged by SageSims to Process Personal Data on behalf of Customer.

2.5 Other capitalized terms have the meanings set out in the Agreement or this DPA.

3. Subject matter, nature, purpose, duration, and data categories

3.1 Subject matter and purpose.

SageSims will Process Personal Data only as necessary to provide the products and services described in Section 1, including:

  • Provision, configuration, and operation of the SageSims platforms

  • Running simulations, capturing decisions, and producing reports and insights

  • Managing participant accounts, roles, and session logistics

  • Providing support, maintenance, security, and improvements to the services

  • Delivering related consulting, Blueprint, Action Lab, and facilitation services agreed in SOWs

This is consistent with standard controller-processor arrangements where the processor acts only on documented instructions.

3.2 Duration.

The duration of Processing is the term of the Agreement, plus any post-termination periods needed for data return, deletion, dispute resolution, and legal compliance.

3.3 Categories of Data Subjects.

Depending on how Customer uses the services, Personal Data may relate to:

  • Customer’s board members, executives, managers, and staff who participate in simulations

  • Customer’s students or learners (for Campus Lab)

  • Customer’s consultants, contractors, and facilitators

  • Customer’s other invitees or approved participants

3.4 Categories of Personal Data.

Typical categories include:

  • Identification and contact data. Name, business email, job title, role, department, organization, and basic profile information.

  • Session and participation data. Simulation roles, decisions and choices made in scenarios, responses to prompts or polls, activity timestamps, scores or metrics, feedback and reflections, chat messages and comments.

  • Technical data. IP address, device or browser type, basic usage logs, and other online identifiers.

  • Program-related logistics. Information about cohorts, teams, and high-level functional responsibilities.

The parties do not anticipate the Processing of “special categories” of Personal Data (for example health data, religious beliefs) or highly sensitive regulated data such as payment card data or government ID numbers in the ordinary use of SageSims. If Customer chooses to include such data, Customer is responsible for ensuring an appropriate legal basis, notices, and safeguards, and for informing SageSims in advance where law requires.

3.5 Data location.

SageSims may Process Personal Data in the regions and data centers described in its documentation and as further set out in Section 8 (International transfers).

Details of Processing are further described in Schedule 1.

4. Customer responsibilities

Customer will:

  • Ensure it has a valid legal basis and authority for Processing Personal Data and for instructing SageSims to Process Personal Data on its behalf.

  • Provide Data Subjects with appropriate privacy notices describing the use of SageSims where required by law.

  • Not instruct SageSims to Process Personal Data in a way that would breach Applicable Data Protection Law.

  • Ensure the Personal Data it provides is accurate and limited to what is necessary for the relevant simulation or program.

Customer is responsible for its secure use of the services, including managing user access, protecting credentials, and securing Personal Data before it enters and after it leaves SageSims systems.

5. SageSims’ processing obligations

SageSims will:

5.1 Process on documented instructions.

Process Personal Data only on documented instructions from Customer, as set out in the Agreement, this DPA, and Customer’s use and configuration of the services, unless SageSims is required to do otherwise by law. In that case SageSims will inform Customer unless the law prohibits this.

5.2 Confidentiality.

Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations.

5.3 Security.

Implement and maintain appropriate technical and organizational measures designed to protect Personal Data as described in Schedule 2 (Security / Technical and Organizational Measures). These measures will take account of the nature of Processing, the state of the art, costs of implementation, and the risks to Data Subjects.

5.4 Assistance with Data Subject rights.

Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, to the extent reasonably possible, in fulfilling Customer’s obligations to respond to Data Subject requests (access, correction, deletion, restriction, portability, or objection). If SageSims receives a request directly from a Data Subject, it will notify Customer and not respond except as instructed or required by law.

5.5 Assistance with compliance.

Provide reasonable assistance to Customer in meeting obligations under Applicable Data Protection Law related to security, Personal Data Breaches, impact assessments, and prior consultations, taking into account the nature of Processing and information available to SageSims.

5.6 Records.

Maintain records of Processing of Personal Data as required by Applicable Data Protection Law.

6. Subprocessors

6.1 Authorization for Subprocessors.

Customer authorizes SageSims to use Subprocessors to provide the services and to Process Personal Data on its behalf. SageSims will maintain a list of current Subprocessors and will make it available via documentation or upon request, similar to other SaaS providers.

6.2 Subprocessor obligations.

SageSims will:

  • Enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those in this DPA.

  • Remain responsible to Customer for the Subprocessor’s performance of its data protection obligations.

6.3 Changes to Subprocessors.

SageSims will provide notice (for example via email or a public list) of any new Subprocessor that will Process Personal Data. Customer may object on reasonable data protection grounds within a specified period (for example 30 days). If the parties cannot resolve the objection, Customer may terminate the affected services as its sole remedy, with a refund of prepaid unused fees for those services.

7. Personal Data Breaches

7.1 Notification.

SageSims will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data that SageSims Processes on Customer’s behalf.

7.2 Information and cooperation.

SageSims will provide Customer with information about the Breach that Customer reasonably requires to meet its obligations under Applicable Data Protection Law, where such information is reasonably available, and will cooperate with Customer in investigations, notifications, and remedial actions.

7.3 No admission.

SageSims’ notification is not an admission of fault or liability for the incident.

8. International transfers

8.1 General.

SageSims may Process and transfer Personal Data globally where necessary to provide the services. SageSims will ensure that such transfers comply with Applicable Data Protection Law, for example by relying on adequacy decisions, standard contractual clauses, or other approved safeguards, consistent with how major cloud providers handle cross-border Processing.

8.2 Standard Contractual Clauses and equivalents.

Where required, the parties agree that the relevant standard contractual clauses or similar transfer mechanisms are incorporated by reference or attached as a schedule, and this DPA supplements and is read together with those clauses.

9. Audits and inspections

9.1 Third-party reports.

SageSims may satisfy audit obligations by providing summary information, independent audit reports, or certifications, if available, that describe its security controls and compliance posture.

9.2 On-site audits.

Where Customer cannot reasonably satisfy its audit obligations through reports and documentation, Customer (or an independent auditor acting under confidentiality) may conduct an audit of SageSims’ relevant Processing facilities and practices, subject to:

  • Reasonable prior written notice

  • Mutually agreed scope, timing, and duration

  • Conduct during Business Hours and in a manner that does not unreasonably disrupt operations or compromise other customers’ data or SageSims’ security

Audits are limited to once in any 12-month period unless required by a supervisory authority or following a confirmed material security incident.

9.3 Costs.

Customer bears its own audit costs. Where SageSims faces significant additional costs, the parties will agree on cost-sharing in advance.

10. Data return and deletion

10.1 During the term.

During the Agreement term, Customer may export certain Personal Data using the service’s standard export capabilities, where available, or request reasonable assistance from SageSims.

10.2 Deletion on termination.

Within a commercially reasonable period after termination or expiry of the Agreement, SageSims will delete or anonymize Personal Data in its systems, except to the extent retention is required by law, permitted for limited backup retention, or necessary to protect legal rights. Where deletion is not feasible, SageSims will implement measures to isolate and protect Personal Data from further Processing.

10.3 Customer copies.

Customer is responsible for exporting and preserving any Personal Data it wishes to keep before contract termination, subject to any agreed “data extraction” assistance.

11. US state privacy terms (service provider / processor status)

When US state privacy laws such as the CCPA/CPRA apply and Customer is a “Business” and SageSims is a “Service Provider” or “Contractor”:

  • SageSims will Process Personal Information only to provide the services and as otherwise permitted under those laws.

  • SageSims will not “sell” or “share” Personal Information as those terms are defined under such laws.

  • SageSims will not use Personal Information for its own purposes outside the permitted scope, except as allowed for security, compliance, product improvement using aggregated or de-identified data, and similar activities permitted to service providers.

Customer agrees it will not make Personal Information available to SageSims that is subject to heightened restrictions (for example precise geolocation, protected classifications, or children’s data) without informing SageSims and ensuring both parties can meet applicable requirements.

12. Liability and order of precedence

12.1 Liability.

Liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12.2 Order of precedence.

If there is a conflict between this DPA and the Agreement regarding data protection, this DPA will prevail to the extent necessary to comply with Applicable Data Protection Law. If there is a conflict between this DPA and any applicable standard contractual clauses or equivalent, those clauses will prevail to the extent required by law.

12.3 Term.

This DPA will remain in effect for as long as SageSims Processes Personal Data on behalf of Customer under the Agreement.

Get In Touch
Let Us Contact You

info@sagesims.com

© 2025. All rights reserved.

+1 (206) 679-1685