Data Processing Agreement (DPA)
Last Updated: October 2025
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the master services agreement or Terms of Service (“Agreement”) between Twenty (“Twenty” or “Processor”) and the customer entity (“Customer” or “Controller”) using Twenty’s services. This DPA reflects the parties’ agreement on the processing of personal data by Twenty on behalf of Customer in providing the Twenty CRM platform services. In case of any conflict between this DPA and the Agreement, the terms of this DPA will prevail to the extent of that conflict. The term of this DPA shall follow the term of the Agreement. Capitalized terms not defined herein have the meanings given in the Agreement.
This DPA applies to all personal data processing by Twenty as a Processor on behalf of Customer under the Agreement, including use of Twenty’s cloud-hosted service and any self-hosted deployment of Twenty’s software. For self-hosted deployments, Customer generally retains full control over the data and Twenty does not routinely access or host Customer’s personal data; Twenty will only process such data to the extent necessary to provide agreed support or services (e.g. for enterprise license verification or optional telemetry). Each party undertakes to comply with all applicable Data Protection Laws (defined below) relative to its role under this DPA.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is protected as personal data or personally identifiable information under applicable Data Protection Laws.
“Processing” means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, erasing, or destroying. The terms “Process” and “Processed” have corresponding meanings.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller of Customer Personal Data.
“Processor” means the entity that Processes Personal Data on behalf of a Controller. For purposes of this DPA, Twenty is the Processor acting on behalf of Customer.
“Customer Personal Data” means any Personal Data that Customer or its Authorized Users input into, upload to, or store in the Twenty CRM service (including on the cloud platform or a self-hosted instance), which Twenty Processes on behalf of Customer under the Agreement. Customer Personal Data does not include data that Twenty processes as a Controller (such as business contact details for Customer’s account administrators, billing information, or telemetry that does not include personal data).
“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable: (i) the EU General Data Protection Regulation 2016/679 (GDPR) and any applicable national implementing or supplementing laws; (ii) the UK Data Protection Act 2018 and the UK GDPR as defined in that Act; (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its ordinances (and as revised, the “Swiss DPA”); (iv) the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act (CPRA); (v) Brazil’s Lei Geral de Proteção de Dados (LGPD); and any other similar privacy laws in effect globally, in each case as amended, superseded or replaced from time to time.
“Sub-Processor” means any third party (including any Twenty affiliate) engaged by Twenty to assist in Processing Customer Personal Data on behalf of Customer in accordance with Customer’s Instructions (as defined below).
“Standard Contractual Clauses” or “SCCs” means the EU Standard Contractual Clauses for international transfers of personal data to third countries, as approved by European Commission Decision 2021/914 of 4 June 2021 (including the appropriate modular terms), or any successor clauses approved by the EU Commission.
“UK Addendum” means the UK International Data Transfer Addendum (version B.1.0, in force 21 March 2022) issued by the UK Information Commissioner’s Office, which supplements the SCCs for data transfers subject to UK Data Protection laws.
“Customer Instruction” or “Instructions” means the written instructions of Customer directing Twenty to Process Customer Personal Data for specific purposes and in a manner consistent with the terms of the Agreement and this DPA. The Agreement (including this DPA), together with Customer’s use of the Twenty services, constitutes Customer’s complete Instructions to Twenty for the Processing of Customer Personal Data.
“Personal Data Breach” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by Twenty or its Sub-Processors. For clarity, unsuccessful or attempted attacks that do not result in such compromise (e.g. blocked malware, pings, or failed login attempts) are not considered a Personal Data Breach for purposes of this DPA.
Any other capitalized term used in this DPA shall have the meaning given to it in the GDPR or other applicable Data Protection Laws, or in the Agreement.
2. Details of Processing
Purpose of Processing: Twenty shall Process Customer Personal Data solely for the purpose of providing and supporting the Twenty CRM software and related services to Customer under the Agreement, and not for any other purpose. This includes using the data as needed to host the CRM platform, to enable Customer-defined functionalities (such as managing customer relationships, tracking sales activities, and analyzing business performance), and to provide related technical support or services requested by Customer.
Nature of Processing: Twenty provides a cloud-based, software-as-a-service (SaaS) customer relationship management (CRM) platform (and also offers the software for self-hosting). In delivering these services, Twenty will perform operations such as storage and organization of data on Twenty’s systems, retrieval and viewing as instructed by Customer, and transmission or disclosure of data to authorized users or integrations as per the service functionality. Processing may include routine computer processing (e.g. cloud database storage, backups, caching via a content delivery network) necessary to provide and maintain the services. Twenty will Process Customer Personal Data only in accordance with Customer’s documented Instructions and the terms of the Agreement. Twenty will not “sell” or “share” Customer Personal Data for any purpose, nor Process it for Twenty’s own purposes or any purposes other than those defined by Customer in the Agreement.
Categories of Data Subjects: Because Customer controls what data is submitted to the Twenty platform, the categories of Data Subjects may include (but are not limited to):
Individuals about whom Customer stores information in the CRM, such as Customer’s own customers, leads, prospects, end-users or business contacts (e.g. sales prospects, support contacts).
Employees, agents, advisors, freelancers, or contractors of Customer who are end users authorized to use the Twenty platform (whose own contact details may be stored for account management and collaboration).
Other individuals whose personal data is entered into the service by Customer at its discretion (for example, individuals who interact with Customer’s business and whose data is logged in the CRM).
Twenty does not determine or limit the categories of Data Subjects that Customer may input, except as otherwise provided in the Agreement or applicable law. Customer should not input personal data of a sensitive nature, or personal data of individuals who have not been given proper notice, unless this is permitted under the Agreement and Data Protection Laws.
Categories of Personal Data: Customer Personal Data submitted to the Twenty service may vary by Customer’s use case. It typically includes common CRM-related personal data such as:
Contact details (e.g. full name, email address, phone number, physical address, job title or role).
Business information and relationship details (e.g. employer or company affiliation, department, business contact preferences).
Communication records and correspondence (e.g. emails, chat logs, meeting notes or call notes stored in the CRM).
Sales and transaction data (e.g. records of orders, opportunities, invoices, or transaction history related to the Data Subject).
Any other personal information Customer or its users choose to import or record in the CRM (which is determined by Customer’s configuration and use of the services).
Twenty does not require or intend to collect any special categories of personal data (such as data revealing health, genetic, biometric, financial account, or other sensitive information) nor any data about children, except as Customer may incidentally decide to store such data. The services are not designed for processing highly sensitive data, and Customer is responsible for ensuring any such data is lawfully collected and appropriate safeguards are applied per Data Protection Laws and the Agreement.
Duration of Processing: Twenty will Process Customer Personal Data for the duration of the Agreement, until deletion of all Customer Personal Data in accordance with this DPA (see Section 8 on deletion).
3. Customer (Controller) Obligations
3.1 Compliance with Laws: Customer shall be responsible for ensuring that Customer’s use of the Twenty services and Customer’s Instructions to Twenty regarding Personal Data (including transfer to Twenty) comply with Data Protection Laws. Customer, in its role as Controller, is solely responsible for the lawfulness of the Processing and warrants that it has obtained and will maintain all necessary rights, consents, and legal bases to collect, use, and transfer the Customer Personal Data to Twenty for Processing as contemplated in the Agreement. In particular, Customer represents and warrants that it has provided all necessary notices to Data Subjects and obtained any required consents or authorizations for the Processing, including (if applicable) consent for use of the Twenty cloud service which may involve international data transfers.
3.2 Lawfulness and Purpose Limitation: Customer shall ensure that it only instructs Twenty to Process Personal Data in a manner that is lawful, fair, and transparent to the Data Subjects. Customer shall not use the services to Process Personal Data in a way that is not permitted under applicable laws (for example, uploading personal data that is obscene, defamatory, or collected in violation of privacy laws). Customer is responsible for the accuracy, quality, and legality of the Personal Data that it provides to Twenty and the means by which it was obtained.
3.3 Instructions: The parties agree that the Agreement (including this DPA), together with the functionality of the Twenty services, constitutes Customer’s complete and final Instructions to Twenty for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed in writing. Customer shall ensure that its Instructions are at all times consistent with Data Protection Laws. If Customer wishes to modify or restrict Twenty’s processing Instructions, Customer must negotiate an appropriate amendment to this DPA. Customer shall inform Twenty without undue delay if Customer determines it cannot comply with its obligations under this DPA or Data Protection Laws.
3.4 Data Subject and Regulator Interactions: Customer bears responsibility for handling any requests or inquiries from Data Subjects or supervisory authorities regarding Customer Personal Data. It is Customer’s obligation to inform Data Subjects about their rights and to handle Data Subject requests (access, rectification, deletion, etc.) in accordance with Data Protection Laws. However, Twenty will provide reasonable assistance as described in Section 5.6 of this DPA. Customer is also responsible for any communications or notifications to supervisory authorities or Data Subjects that may be required under Data Protection Laws due to incidents not caused by Twenty’s breach of this DPA.
3.5 Email and Marketing Use: If Customer uses the Twenty services to send emails or other communications to Data Subjects (e.g. marketing or sales communications), Customer is solely responsible for ensuring that such activities comply with all applicable laws, including anti-spam laws (such as CAN-SPAM, CASL, PECR) and that appropriate consents have been obtained. Twenty merely provides the platform and will not be liable for unsolicited or unlawful messages sent by Customer through the service.
(In summary, Customer as Controller is responsible for the legality of Personal Data collection and use, obtaining consents, providing notices, and otherwise complying with Data Protection Laws for the data it processes using Twenty’s services.)
4. Twenty (Processor) Obligations
As Processor of Customer Personal Data, Twenty agrees to the following obligations, in accordance with Article 28 of the GDPR and equivalent provisions of other Data Protection Laws:
4.1 Processing on Documented Instructions: Twenty will Process Customer Personal Data only on Customer’s documented Instructions and for the purposes specified in the Agreement. Twenty will not Process the data for any other purpose unless required to do so by European Union, Member State, or other applicable law. If such a legal requirement applies, Twenty will inform Customer of that requirement before Processing (unless the law prohibits such notice on important grounds of public interest). By entering into the Agreement, Customer instructs Twenty to Process Customer Personal Data to provide the services, consistent with the Agreement and this DPA. Twenty will promptly inform Customer if, in Twenty’s opinion, an Instruction violates applicable law.
4.2 Personnel Confidentiality: Twenty will ensure that all personnel and agents authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality. Twenty limits access to Customer Personal Data to personnel who need access to deliver the services under the Agreement, and these individuals are trained in data protection and are subject to enforceable confidentiality duties.
4.3 Security Measures: Twenty shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data, as described in Section 7 (Security Measures) of this DPA. These measures are designed to ensure a level of security appropriate to the risk of the Processing, including protecting data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. Twenty regularly assesses and evaluates the effectiveness of these measures and will assist Customer in ensuring compliance with Customer’s security obligations under Article 32 GDPR (and analogous provisions of other Data Protection Laws) by providing the information and assistance described in this DPA.
4.4 Sub-Processor Management: Twenty will only engage Sub-Processors under the conditions outlined in Section 6 (Sub-Processors) below. Twenty will remain responsible for any acts or omissions of its authorized Sub-Processors that result in Twenty’s breach of any of its obligations under this DPA.
4.5 Assistance with Data Subject Requests: Taking into account the nature of the Processing and the functionality of the services, Twenty will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to Data Subjects’ requests to exercise their rights under Data Protection Laws (e.g. rights of access, rectification, erasure, restriction, data portability, and objection). Twenty has built self-service features into the platform that enable Customer to autonomously retrieve, correct, or delete Personal Data (for example, tools to search, export, or delete records). To the extent Customer is unable to address a Data Subject’s request through the available features, Twenty will, upon Customer’s request, provide commercially reasonable additional assistance to support Customer in responding to the request. If a Data Subject sends a request directly to Twenty, Twenty will not independently respond to such request (except to direct the Data Subject to contact the Customer, or as required by law); Twenty will promptly inform Customer of the request, and await Customer’s Instructions.
4.6 Notification of Personal Data Breach: In the event Twenty becomes aware of a Personal Data Breach involving Customer Personal Data, Twenty will notify Customer without undue delay. Specifically, Twenty will inform Customer’s account administrator or other designated contact as soon as possible (targeting no later than 72 hours from verification of the incident). Such notice will include relevant information about the nature of the breach and recommended remedial actions, to assist Customer in meeting any breach notification obligations under Data Protection Laws. Twenty will take prompt action to investigate and contain the breach, and will cooperate with Customer’s reasonable requests in connection with the investigation and any required notifications. Twenty’s notification of or response to a Personal Data Breach shall not be construed as an acknowledgment of fault or liability for the incident. Delays in notification may be necessary if required by law enforcement or if Twenty needs to determine the scope of the breach and ensure that any vulnerability has been mitigated.
4.7 Data Protection Impact Assessments: Upon Customer’s request, Twenty will provide reasonable assistance (by way of available documentation, standard templates, or communication of necessary information) to Customer in conducting data protection impact assessments (DPIAs) and any required prior consultations with supervisory authorities, to the extent Customer does not otherwise have access to the relevant information and such information is available to Twenty. Such assistance is provided insofar as it pertains to the Processing of Customer Personal Data by Twenty and to Twenty’s role in facilitating Customer’s compliance with its obligations under Data Protection Laws.
4.8 Cooperation with Authorities: Twenty will cooperate, upon Customer’s request, with supervisory authorities in the jurisdictions applicable to Customer Personal Data. Twenty will also reasonably assist Customer in responding to any request or investigation by data protection authorities that relates to Twenty’s Processing of Customer Personal Data or to this DPA, to the extent such cooperation is required of Customer by law. If a competent data protection authority makes an inquiry directly to Twenty about the Customer Personal Data, Twenty will (to the extent legally permissible) promptly inform Customer and assist Customer in responding, unless the inquiry obligates a direct response from Twenty.
4.9 Retention, Return and Deletion: Upon termination or expiration of Customer’s subscription or upon Customer’s written request, Twenty will return or securely delete all Customer Personal Data in its possession or control, except as otherwise required by law or permitted under the Agreement. This obligation will not apply to data that has been archived on back-up systems, which Twenty shall securely isolate and protect from any further Processing, and delete in the ordinary course of backup rotation. Twenty follows a data deletion policy such that, if Customer has not requested return of the data, Customer Personal Data will be automatically deleted from live systems after a maximum of ~90 days following service termination (and typically sooner, e.g. deletion of automated accounts typically occurs after 3 weeks). Back-up and archival data containing Personal Data is typically overwritten or purged within an additional 90 days after the end of the retention period. Upon Customer’s request, Twenty will provide a certification of deletion once all Customer Personal Data has been purged. If return of data is requested, Twenty will provide the Customer Personal Data in a commonly used electronic format. Any costs associated with data retrieval or specific deletion assistance that deviate from the standard process may be chargeable to Customer on a reasonable basis. (For clarity, Customer is responsible for exporting any data it wishes to retain before the deletion effective date. Once deleted, data may not be recoverable.)
4.10 Purpose Limitation: Twenty will not “sell” (as defined by the CCPA) Customer Personal Data or otherwise Process Customer Personal Data for purposes other than those instructed by Customer. Twenty acknowledges and agrees that it acts as a “Service Provider” under the CCPA/CPRA with respect to any California Personal Information (as defined in CCPA) processed on Customer’s behalf, and as an “Operator” under Brazil’s LGPD for any Brazilian personal data processed on Customer’s behalf. Twenty will not retain, use, or disclose Personal Data outside of the direct business relationship between Twenty and Customer, and will refrain from combining Customer Personal Data with personal information from other sources (except as needed to perform the services or as permitted by CCPA). If Twenty receives a request from a Consumer (as defined in CCPA) to exercise rights under CCPA, Twenty will inform the Consumer that the request cannot be acted upon directly and should be submitted to the Customer as the business (per 11 CCR § 7051). Twenty certifies it understands its restrictions and obligations under this Section and under CCPA and will comply with them.
(The above commitments of Twenty, as Processor, are intended to fulfill the requirements of GDPR Art. 28(3) and analogous provisions under other Data Protection Laws.)
5. Data Subject Rights and Requests
Customer is responsible for responding to any Data Subject requests regarding Personal Data that Customer controls. However, taking into account the nature of the services, Twenty will provide reasonable assistance to facilitate Customer’s obligation to honor Data Subject rights under GDPR Chapter III and other laws (access, rectification, objection, erasure, restriction, portability, etc.), as described in Section 4.5. If a Data Subject submits a request directly to Twenty regarding Customer Personal Data, Twenty will not respond substantively except to notify the Data Subject to contact Customer (where permissible) and to assist Customer by providing any relevant information or action as per Customer’s Instructions. Twenty’s platform includes self-service features that allow Customer to directly fulfill many Data Subject requests (for example, search and export tools, deletion functions). Where further assistance is needed, Customer may request Twenty’s help via support channels. Twenty will promptly cooperate with Customer’s written requests to provide available information or to execute actions necessary to comply with Data Subject rights, to the extent Twenty can reasonably do so. Any such assistance beyond the standard functionality may be subject to applicable service fees if the effort is substantial.
Customer shall be responsible for reviewing the request and verifying the Data Subject’s identity (if required) and for determining the appropriate response under the law. Customer is also responsible for any communications or notifications to the Data Subject, except to the extent where a direct response from Twenty is required by law. The parties shall keep each other informed, as appropriate, of any issues arising from such requests.
6. Sub-Processors
6.1 Authorized Sub-Processors. Customer provides general authorization to Twenty to engage third-party Sub-Processors to Process Customer Personal Data, solely for the purposes of providing and supporting the services as defined in the Agreement. Twenty maintains an up-to-date list of its Sub-Processors involved in the Processing of Customer Personal Data. As of the effective date of this DPA, the main Sub-Processors engaged by Twenty include: Amazon Web Services (cloud infrastructure hosting in Frankfurt, Germany); Cloudflare, Inc. (content delivery network, used for secure transmission and caching, with no long-term storage of Customer Personal Data); Stripe, Inc. (payment processing for service subscription fees); and Sentry, Inc. (cloud error monitoring service). The full list of Sub-Processors is kept up to date on our OneLeet Trust Centre. The main Sub-Processors are all bound by written agreements that impose data protection obligations no less protective than those set forth in this DPA. Twenty shall be responsible for the performance of its Sub-Processors to the same extent Twenty would be liable if performing the services directly.
6.2 Notice and Objection Rights. Upon opt-in, Twenty will notify Customer of any intended addition or replacement of Sub-Processors that will Process Customer Personal Data, giving Customer advance notice via email or via an in-app notification. Twenty will endeavor to provide such notice at least 10 days before the new Sub-Processor starts Processing Customer Personal Data, thereby giving Customer the opportunity to review and object (if necessary). If Customer has a reasonable, good-faith objection to Twenty’s use of a new Sub-Processor (on grounds related to data protection), Customer shall notify Twenty in writing within 10 calendar days of receipt of the notice. The parties will then discuss Customer’s concerns in good faith with the aim of achieving a commercially reasonable resolution. If no resolution is reached, Customer, as its sole remedy, may terminate the service (without penalty) with respect to the part of the services that cannot be provided without the disputed new Sub-Processor. In such case, upon Customer’s request, Twenty will refund any pre-paid fees covering the remainder of the term for the terminated portion of the services. If Customer does not object within the notice period, the new Sub-Processor will be deemed accepted.
6.3 Sub-Processor Agreements. Twenty will enter into a written contract with each Sub-Processor having access to sensitive data, which imposes data protection obligations equivalent in scope to those imposed on Twenty under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures so that the Processing meets the requirements of Data Protection Laws. Twenty shall ensure that each Sub-Processor provides at least the level of data protection required of Twenty by this DPA and Data Protection Laws, including agreements to: (a) Process Personal Data only on Twenty’s behalf and only for the purposes Twenty instructs in providing the services; (b) implement appropriate security measures; (c) notify Twenty of any Personal Data Breach involving Customer Personal Data; and (d) delete or return Personal Data to Twenty (for return to Customer) upon termination of their services.
6.4 International Transfers by Sub-Processors: Twenty will ensure that any Sub-Processor located in a country that does not provide an adequate level of data protection (as defined by applicable Data Protection Laws) will be subject to appropriate safeguards for any cross-border transfer of Personal Data, in accordance with Section 7 of this DPA. This may include, as applicable, execution of Standard Contractual Clauses (Module 3: Processor-to-Processor) between Twenty and the Sub-Processor, the Sub-Processor’s certification under an approved framework such as the EU-U.S. Data Privacy Framework (if used as a transfer mechanism), or binding corporate rules or another lawful transfer mechanism. Twenty will make information about such safeguards available to Customer on request.
6.5 Liability for Sub-Processors: Twenty shall remain fully liable to Customer for the performance of any Sub-Processor that fails to fulfill its data protection obligations with respect to Customer Personal Data. In other words, Twenty will be liable for the acts and omissions of its Sub-Processors as if they were Twenty’s own acts or omissions. This provision does not limit any direct obligations or liability a Sub-Processor may owe to Customer under Data Protection Laws or a separate agreement.
(In summary, Twenty uses a few trusted Sub-Processors for sensitive data to support service delivery. Twenty will notify Customer of changes and allow objection. All Sub-Processors have contracts upholding GDPR-level protections, and Twenty remains responsible for their compliance.)
7. International Data Transfers
7.1 Data Hosting and Localization: As of the effective date, Customer Personal Data in the Twenty cloud service is primarily stored in data centers located in the European Union (Frankfurt, Germany) via Amazon Web Services (AWS). Customer acknowledges that Twenty and its Sub-Processors may access and Process Personal Data on a global basis as needed to provide the services, including for support and technical operations. This may involve transferring Customer Personal Data outside the country or region where it was originally collected, including to the United States. Twenty will ensure that all such transfers are made in compliance with Data Protection Laws governing cross-border data transfers. For regions with data residency commitments (if offered under the Agreement), Twenty will abide by those terms (for example, hosting EU Customer data in the EU region).
7.2 European Data Transfers (EEA and UK): To the extent Customer Personal Data subject to EU GDPR or the UK GDPR is transferred from the European Economic Area (EEA), Switzerland, or the United Kingdom to Twenty in a country not deemed by the European Commission (or other relevant authority) to provide an adequate level of data protection, the parties agree that such transfers shall be governed by the applicable Standard Contractual Clauses. Specifically:
EU Transfers: For Personal Data transfers from the EEA (or Switzerland) to countries not covered by an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are hereby incorporated into this DPA by reference, and will be deemed executed between Customer (as data exporter) and Twenty (as data importer). The SCCs shall be populated as follows: Module Two (Controller-to-Processor) terms apply (or Module Three for any transfers from Twenty to a Sub-Processor); in Clause 7 the optional docking clause is not used; in Clause 9, Option 2 (General Written Authorization) is selected with a notice period of 10 days for Sub-Processor changes (per Section 6 of this DPA); in Clause 11, the optional language on independent dispute resolution is considered included; in Clause 17, Option 1 is chosen and the governing law of the SCCs shall be the law of the EU Member State where the data exporter is established (or, if the data exporter is not established in an EU Member State, then the law of Germany); in Clause 18(b), disputes shall be resolved before the courts of that same jurisdiction. Annex I of the SCCs (List of Parties, Description of Transfer) is deemed completed by the details set out in Annex A of this DPA; Annex II (Technical and Organizational Measures) is deemed completed by the measures described in Section 7 (Security Measures) of this DPA (and any Annex B attached); Annex III (List of Sub-Processors) is set forth in Section 6.1 of this DPA. By agreeing to this DPA, the parties are deemed to have signed the SCCs where required.
UK Transfers: For Personal Data transfers subject to UK Data Protection Laws, the UK Addendum (issued under s.119A(1) of the UK Data Protection Act 2018) is hereby incorporated. The UK Addendum is deemed executed with the information in Part 1 of the Addendum as follows: (i) the tables in Part 1 shall be completed using the information from the EU SCCs (as modified by this Section) and the options chosen above, (ii) either party may terminate the UK Addendum as set out in Section 19 of that Addendum if the UK Commissioner approves new transfer mechanisms that replace the SCCs, and (iii) the law of England and Wales will govern the Addendum. In the event of conflict between the SCCs and the UK Addendum, the UK Addendum shall prevail for data transfers from the UK.
Swiss Transfers: For Personal Data transfers subject to the Swiss DPA, the above EU SCCs (Module 2) will also apply with the following modifications to reflect Swiss law requirements: references to “GDPR” in the SCCs shall be understood as references to the Swiss DPA for data exclusively subject thereto; references to “EU”, “Member State” or “Supervisory Authority” shall be interpreted so as to include Switzerland and the Swiss Federal Data Protection and Information Commissioner (insofar as the Swiss DPA applies); the governing law in Clause 17 and jurisdiction in Clause 18 of the SCCs shall be the law and courts of Switzerland (if the Swiss DPA exclusively applies) or of the relevant EU Member State (if both Swiss and EU law apply to the transfer). Customer (as data exporter) and Twenty (as data importer) hereby agree that execution of the DPA also constitutes execution of the SCCs and applicable UK/Swiss adaptations; no further action is required to give effect to them.
7.3 Transfers from Brazil: For transfers of Personal Data subject to Brazil’s LGPD (Lei Geral de Proteção de Dados) to Twenty in countries not deemed adequate by Brazil’s National Data Protection Authority (ANPD), the parties agree to rely on Brazil’s Standard Contractual Clauses (as set forth in ANPD Resolution No. 19 of 2024) as the transfer mechanism. The Brazil SCCs are incorporated by reference into this DPA, and will apply to the same data and parties as the EU SCCs, with appropriate role designations (Customer as the exporting Controller and Twenty as the importing Processor). The selections and options of the Brazil SCCs shall align, where possible, with those of the EU SCCs and this DPA. In particular, the description of the transfer and retention period in the Brazil SCCs can be found in Annex A of this DPA (mirroring Section 2 of the DPA), and Twenty’s technical and security measures are those in Section 7 of this DPA (mirroring Annex II of EU SCCs). By entering this DPA, the parties are deemed to have executed the Brazil SCCs as separate counterparts, and no further signature is required. If needed, Twenty will provide a copy of the Brazil SCCs upon request.
7.4 Other Transfer Mechanisms: In addition to the foregoing, the parties may mutually agree in writing to implement an alternative or additional transfer mechanism that is recognized under Data Protection Laws as providing an adequate level of protection for Personal Data transferred across borders (such as Binding Corporate Rules, an approved certification or code of conduct, or new standard clauses issued by authorities). In the event Twenty adopts Binding Corporate Rules or self-certifies under a valid framework (such as any EU–US Data Privacy Framework or analogous Swiss/UK frameworks), and such mechanism covers the transfers of Customer Personal Data, Customer agrees that Twenty may rely on that mechanism in lieu of the SCCs, provided Twenty informs Customer of the switch. As of the Last Updated date of this DPA, Twenty’s U.S. affiliate is not a participant in the EU-U.S. Data Privacy Framework (DPF); therefore, the SCCs (with UK Addendum and Swiss modifications) and Brazil SCCs will primarily govern relevant international transfers. If Twenty in the future maintains a current DPF certification, Twenty shall inform Customer and ensure such certification and compliance with DPF Principles is maintained as required.
7.5 Disclosure of SCCs: If Customer’s jurisdiction requires the parties to file or register the Standard Contractual Clauses or Brazil SCCs, or if any regulator requests copies, the parties will work together in good faith to comply, taking into account the need to redact any confidential information. The parties agree that any supplementary measures (technical, organizational, or contractual) needed to ensure transferred data is adequately protected will be taken, such as encryption in transit and at rest, data minimization, and rigorous access controls, as described in Section 7 (Security Measures). Twenty will monitor legal developments and, if required by law or a regulator, will promptly implement additional safeguards or modifications to this Section to ensure continued compliance with Data Protection Laws regarding cross-border transfers.
(In summary, Customer Personal Data may be processed globally as needed for the service. When data is transferred from jurisdictions like the EU, UK, Switzerland, or Brazil to countries without an adequacy decision (e.g. to the US), the parties are contractually bound by the appropriate Standard Contractual Clauses or equivalent mechanisms to protect the data. This ensures that Data Subjects continue to have rights and protections even after the transfer.)
8. Security Measures
Twenty is committed to protecting the security, confidentiality, and integrity of Customer Personal Data. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risk to Data Subjects, Twenty implements robust technical and organizational measures (TOMs) designed to ensure a level of security appropriate to the risk. These measures include, but are not limited to, the following:
Access Control: Access to Customer Personal Data is restricted on a least-privilege basis. Twenty enforces authentication controls for its systems (strong passwords and/or multi-factor authentication) and limits employee access to data to those personnel who require it to perform their job duties. Processes are in place to promptly revoke access when personnel leave or no longer need access.
Encryption: All Customer Personal Data transmitted over public networks is encrypted using industry-standard protocols (e.g. TLS/SSL). For data at rest, Twenty uses encryption mechanisms (such as AES-256) to encrypt personal data stored in databases or storage systems, except where not feasible due to the nature of the data store (in which case alternative controls ensure data segmentation and security).
Physical Security: Twenty’s production systems are hosted in secure data centers (provided by AWS) with robust physical security controls, including 24/7 monitoring, access badges, biometric scanners, surveillance cameras, and security personnel. Physical access is limited to authorized data center staff. (For self-hosted deployments, physical security of the server environment is Customer’s responsibility.)
Network Security & System Integrity: Twenty employs network security measures such as firewalls, intrusion detection/prevention systems, and regular network vulnerability scanning. The production environment is logically isolated and hardened. Anti-malware protections and security monitoring are implemented to detect and prevent unauthorized system access or anomalies.
Monitoring & Logging: Twenty maintains audit logs of relevant system and security events in the production infrastructure. Access to Customer Personal Data and actions performed by Twenty’s personnel are logged and monitored. Systems are configured to alert on suspicious activities or potential incidents so that Twenty’s security team can respond in a timely manner.
Data Resilience and Backup: Twenty performs regular backups of critical Customer data (with sensitive data encrypted in backup storage) to ensure data can be restored in case of accidental deletion or disaster. Backup procedures are tested periodically. Twenty’s hosting provider infrastructure is designed for high availability and resilience (including the use of redundant components, clustering, and failover mechanisms) to minimize the risk of data loss or downtime.
Vulnerability Management: Twenty regularly updates its software and systems with security patches. Twenty conducts periodic vulnerability assessments and penetration testing (both internal and external) to identify and remediate security weaknesses. Twenty also maintains a process for receiving and addressing vulnerability reports from third-party security researchers.
Organizational and Personnel Security: Twenty’s personnel with access to Customer Personal Data undergo background checks as permitted by law and are required to adhere to confidentiality agreements. Twenty provides training to its staff on data protection, privacy, and security best practices on a recurring basis. The company maintains up-to-date security policies and incident response plans.
Incident Management: Twenty has an incident response plan for addressing security incidents or Personal Data Breaches. This includes procedures for timely notification to affected customers (as described in Section 4.6), steps for containment and mitigation, and post-incident review to implement improvements. Twenty also maintains a business continuity and disaster recovery plan to ensure continuity of operations in the event of a serious incident or outage.
Regular Audits and Assessments: Twenty periodically reviews and assesses its security controls to ensure they remain effective and appropriate. This may include internal audits and obtaining relevant third-party certifications or attestations (if applicable to the scope of services). Results of such assessments or certifications can be made available to Customer as described in Section 9.
(Additional details about Twenty’s security measures may be provided in a Security Policy or Annex B to this DPA, which can be updated from time to time to reflect evolutions in our practices, provided such updates do not degrade the overall security of the services.)
9. Audit Rights and Compliance
Customer has the right to verify Twenty’s compliance with this DPA and its obligations under applicable Data Protection Laws. Twenty shall provide relevant information and documentation to demonstrate such compliance, and shall allow for and contribute to audits as described below:
9.1 Documentation and Trust Resources: Upon Customer’s written request, Twenty will provide Customer with reasonable documentation or summaries of certifications, external audit reports, or other evidence of Twenty’s compliance with its security and privacy obligations (subject to confidentiality). For example, if available, Twenty may share summaries of third-party penetration test results or data protection compliance certificates. Customer agrees to exercise any audit right by first reviewing such documentation, and if Customer finds it sufficient, this shall satisfy Customer’s audit request.
9.2 Customer Audits: If the provided documentation is not sufficient to reasonably demonstrate compliance, Customer may perform an on-site audit of Twenty’s relevant procedures and systems no more than once per year (unless required more frequently by a supervisory authority or in case of a significant data incident). Customer must give at least 30 days’ prior written notice to request an audit, and the parties shall mutually agree on the scope, duration, and timing of the audit. Any audit shall be conducted during regular business hours, in a manner that does not unreasonably interfere with Twenty’s operations. Customer may perform the audit itself or via an independent third-party auditor approved by Twenty (such approval not to be unreasonably withheld). All auditors will be subject to a duty of confidentiality and shall not have access to non-Customer data or to Twenty’s proprietary information unrelated to the scope of the audit.
9.3 Limitations: Customer is responsible for all costs and fees related to an audit it initiates. Twenty may charge a reasonable fee for supporting an audit to the extent such audit exceeds the normal resources made available to demonstrate compliance. Before the start of an on-site audit, the parties will agree in writing to reasonable guidelines (e.g. security measures to protect the premises, and reimbursement terms if applicable). Reports or findings from any audit will be considered Twenty’s Confidential Information and must be kept secret by Customer, except to the extent disclosure is required by law or regulatory authority.
9.4 Remediation: If an audit reveals any material non-compliance, Twenty will take prompt action to address and remediate the issues identified. The parties will discuss the audit findings and an appropriate corrective action plan. Twenty will track the resolution of such findings and, upon request, report progress to Customer. If a material non-compliance cannot be cured within a reasonable time, Customer may exercise its termination rights as outlined in the Agreement.
9.5 Regulators: Notwithstanding the foregoing, if a data protection supervisory authority requires that Customer (or Customer’s designee) conduct an on-site audit of Twenty’s processing facilities, Twenty will cooperate and permit such audit. This section does not limit any audit rights a supervisory authority may have under applicable law.
(In summary, Twenty will help verify its compliance by providing information and accepting audits under controlled conditions, to meet the obligations of Article 28(3)(h) GDPR and similar laws. Customer agrees to handle audit information as confidential and to minimize any impact on Twenty’s business.)
10. Return and Deletion of Data
As described in Section 4.9, upon termination or expiration of the Agreement (or at any time upon Customer’s request), Twenty will, at Customer’s choice, return or delete all Customer Personal Data in Twenty’s possession or control. This includes deleting or anonymizing Customer Personal Data from Twenty’s live systems and services, and instructing any Sub-Processors to do the same. If return is requested, Twenty will provide the data export in a commonly used format (e.g. CSV, JSON, or database backup file). After confirming that Customer has retrieved required data, Twenty will proceed to delete the data from its systems.
If Customer does not make an election (return or deletion) within a reasonable time prior to contract termination, Twenty will proceed to delete the Customer Personal Data by default. Deletion shall be done in a secure manner, rendering the personal data unrecoverable. As noted, data on backup systems will be overwritten or deleted in accordance with Twenty’s data retention schedule. Twenty will not retain copies of Customer Personal Data except as required by law (and if so, such data will remain protected by this DPA and be isolated from further Processing).
Customer is advised that certain residual data may temporarily remain in transient memory or logs, which will be purged in the normal course of operations. Twenty’s obligations of confidentiality, security, and protection continue to apply to any such data while it remains in Twenty’s possession. Upon Customer’s request, Twenty will confirm in writing that deletion is completed (this may be via a certification or through the absence of any recoverable data in the service accessible to Customer).
If applicable law requires further retention of any Customer Personal Data by Twenty (for example, for compliance with legal record-keeping obligations), Twenty will notify Customer and will isolate and protect that data from any further processing except to the extent required by law.
Retrieval during Term: During the term of the Agreement, Customer may export or download its data at any time through the service’s provided interfaces or APIs. Twenty shall, upon request, reasonably assist with such data export (e.g. providing database dumps or additional formats) if Customer is unable to self-serve.
This Section survives the termination of the Agreement. The parties agree that the certification of deletion provided by Twenty shall suffice as evidence that Twenty has complied with Customer’s directions to delete Personal Data as required by Data Protection Laws.
11. Additional Provisions for California and Other Jurisdictions
California (CCPA/CPRA): In addition to and consistent with the relevant sections above, the following terms apply to “California Personal Information” (as defined in Section 1798.140(o) of CCPA) that Twenty processes on behalf of Customer. Twenty is a “Service Provider” to Customer (who is a “Business”) for purposes of CCPA. Twenty certifies that it shall not: (a) sell or share (for cross-context behavioral advertising) such personal information; (b) retain, use, or disclose the personal information for any purpose other than for the specific purpose of providing the services (including retaining, using, or disclosing the information for a commercial purpose other than providing the services as specified in the Agreement); (c) retain, use, or disclose the information outside of the direct business relationship between Twenty and Customer. Twenty acknowledges these restrictions and will comply with them. Twenty will enable Customer to comply with Consumer requests to exercise rights (access, deletion, opt-out of sale/sharing, correction, etc.) by providing appropriate tools or assistance (as described earlier). The parties acknowledge that Twenty’s access to personal information is as a service provider and not for the purposes of determining the means and purposes of processing. Twenty shall provide an attestation to the above, upon Customer’s request, as required by CPRA regulations. If Twenty receives any request from a California Consumer to exercise rights, it will refer that request to Customer and not respond directly (per § 7051 of CCPA Regs)[53]. For clarity, the CCPA-specific terms here prevail only with respect to California Personal Information if in conflict with any other DPA terms.
Brazil (LGPD): Twenty agrees that with respect to any personal data subject to Brazil’s LGPD (Law No. 13,709/2018), it will act in accordance with the instructions of Customer (the “Controller”) as an “Operator” under LGPD. Twenty will assist Customer in meeting its obligations under LGPD (such as responding to data subject requests and data protection impact assessments) in a manner similar to what is described for GDPR. If Brazilian authorities issue standard contractual clauses or other transfer requirements beyond what is addressed in Section 7.3, Twenty will adhere to such requirements for transfers from Brazil. Twenty will also comply with LGPD’s provisions regarding data security and breach notification (Articles 46-48) by implementing security measures and notifying Customer of incidents as described in this DPA. Any required communication to ANPD (Brazil’s National Data Protection Authority) due to a data incident will be coordinated with Customer.
Swiss DPA: With regard to personal data subject to the Swiss Federal Data Protection Act (FADP), the term “personal data” as used in this DPA includes “personal data” as defined in the FADP. Any references to GDPR articles or EU law in this DPA shall be deemed to include the equivalent provisions of the Swiss DPA, and references to supervisory authorities include the Swiss Federal Data Protection and Information Commissioner. Twenty will process Swiss personal data in compliance with the Swiss DPA, and the transfer provisions of Section 7.2 (Swiss Transfers) ensure compliance with the cross-border requirements of the Swiss DPA.
Other Jurisdictions: If and to the extent Data Protection Laws from other jurisdictions (e.g. Canada’s PIPEDA, Australia’s Privacy Act, Singapore’s PDPA, etc.) apply to Customer Personal Data, Twenty will cooperate with Customer to address any additional requirements of those laws. This may include entering into additional contractual terms as required by such laws to legally Process or transfer personal data (for example, executing any required jurisdiction-specific addenda). The parties agree to negotiate in good faith to put in place such supplemental terms if needed. In any case, Twenty will maintain the privacy and security protections for all Customer Personal Data at a standard that meets the highest requirements among the applicable Data Protection Laws.
(The above provisions ensure that this DPA satisfies specific requirements of various laws like CCPA, LGPD, and the Swiss DPA. Twenty’s commitments are intended to meet the definitions of a “Service Provider” under CCPA and an “Operator” under LGPD, etc., and to affirm that Twenty only uses personal data as instructed by Customer.)
12. Limitation of Liability
12.1 Liability Cap: The parties agree that any liability arising under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. This means that neither party’s total liability for all claims under this DPA will exceed the liability cap (aggregate limit) that applies under the Agreement, except to the extent that mandatory law forbids such a cap for certain data protection liabilities. No provision of this DPA is intended to limit a Data Subject’s rights or remedies under Data Protection Laws against either party.
12.2 Liability Between the Parties: As between Customer and Twenty, Customer agrees that it shall be solely responsible for any damages or claims arising from Twenty’s Processing of Customer Personal Data in compliance with Customer’s Instructions, and Customer shall indemnify Twenty for any third-party claims or fines (including by Data Subjects or regulators) resulting from Customer’s Instructions or Customer’s failure to comply with its obligations under Data Protection Laws. Conversely, Twenty remains responsible for any violations of this DPA or Data Protection Laws caused by Twenty’s failure to comply with its obligations, or those of its Sub-Processors. Each party remains responsible for its own violations of Data Protection Laws.
12.3 No Third-Party Beneficiaries: This DPA is for the parties’ mutual benefit and does not confer any rights on any third party (except data subjects to the extent required by applicable SCCs). The Standard Contractual Clauses (where applicable) may grant enforceable rights to data subjects as third-party beneficiaries, as explicitly set out in those clauses. Apart from that, no person who is not a party to this DPA shall have any right to enforce any term of this DPA.
(In summary, each party’s liability under this DPA is governed by the same limitations and exclusions as in the main Agreement. The intent is not to create unlimited liability for either party except as allowed by law. The parties will each bear responsibility for their respective obligations.)
13. General Provisions
13.1 Governing Law: This DPA is governed by the same law and jurisdiction as the Agreement, unless otherwise required by the SCCs or other transfer addenda for specific international transfer matters (as noted in Section 7.2). In any case, no change in governing law is intended by this DPA except as necessary to incorporate the required international data transfer terms.
13.2 Order of Precedence: With regard to the subject matter of data protection, in the event of any conflict between this DPA and any other agreement between the parties (including the Agreement and its exhibits or any privacy policy), the terms of this DPA shall prevail. In the event of a conflict between this DPA and the Standard Contractual Clauses or other prescribed data transfer terms, the latter (the SCCs, UK Addendum, etc.) shall prevail to the extent they apply to protect the rights of data subjects or comply with law.
13.3 Changes to Data Protection Requirements: The parties acknowledge that data protection and privacy regulations may evolve. Twenty may update or amend this DPA from time to time as needed to comply with new legal requirements or to implement new Standard Contractual Clauses or other mechanisms approved under Data Protection Laws. If Twenty makes a material change to this DPA that significantly affects Customer’s rights, Twenty will provide notice (e.g. via email or service notification) to Customer. If Customer objects to the change and it materially diminishes privacy protections, Customer may notify Twenty and have the right to terminate the services to which the DPA applies, in which case Twenty will provide a pro-rated refund of any prepaid fees for the terminated period. Continued use of the services after the effective date of an updated DPA will constitute Customer’s consent to the updated DPA, to the extent permitted by law.
13.4 Invalidity and Severability: If any provision of this DPA is found by a court of competent jurisdiction or regulatory authority to be invalid or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable, or if it cannot be modified, it shall be severed, and the remainder of this DPA shall continue in full force and effect. The parties will negotiate in good faith a valid and enforceable provision to replace the invalid one, reflecting the original intent as closely as possible.
13.5 Entire Agreement; Conflict: This DPA (including its Annexes and any incorporated SCCs or Addenda) sets forth the entire understanding of the parties with regard to the Processing of Customer Personal Data. It replaces and supersedes any prior or contemporaneous agreements or understandings relating to that subject matter (including any prior data processing addendum or privacy exhibit to the Agreement), except where explicitly stated otherwise. In no event shall any party (including any affiliate of Twenty) be expected to sign or adhere to an external data processing or data protection agreement provided by Customer, and any such document will be void unless separately negotiated and signed by both parties.
13.6 Signatures and Execution: The parties agree that execution of the Agreement or an applicable Order Form incorporating this DPA by reference (including by electronic acceptance) shall constitute execution of this DPA. This DPA may be executed in counterparts or by affirmative acceptance through an online mechanism, each of which is deemed an original, and together constitute one and the same instrument. Where required, the parties shall be deemed to have signed the Standard Contractual Clauses (and UK Addendum, etc.) incorporated herein on the same date as the Agreement or applicable Order Form. No further handwritten signatures are required to give effect to this DPA or the SCCs, provided that if a regulatory authority or law requires this DPA (or SCCs) to be formally executed, the parties shall promptly do so.
13.7 Contact and Data Protection Officer: Customer may contact Twenty regarding any issues arising under this DPA at [email protected] or through its primary account representative. Twenty has appointed a Data Protection Officer (DPO) (or equivalent privacy official) if required by law; the current contact information for the DPO (if applicable) is available in Twenty’s Privacy Policy or upon request. Customer is responsible for providing Twenty with up-to-date contact information for a person (or team) authorized to handle Data Protection inquiries.
13.8 Survival: Provisions of this DPA that by their nature should survive termination (such as obligations of confidentiality, return/deletion, and liability) shall survive expiration or termination of the Agreement until fully performed.
ANNEX A – Details of Processing (Summary)
This Annex provides a summary of key Processing details as required by Article 28(3) GDPR and Annex I of the SCCs:
Data Exporter (Controller): Customer, as identified in the Agreement. Contact details: as specified in the account or Order Form (or Customer’s privacy office). The Customer’s business is determined by the context of the Agreement (e.g. Customer is using Twenty’s CRM services for its business purposes). Customer acts as Controller (and a Business under CCPA, and the data exporter under SCCs) with respect to Customer Personal Data.
Data Importer (Processor): Twenty, a public benefit corporation organized in the United States (or the relevant Twenty contracting entity specified in the Agreement). Address: 548 Market St #18300, San Francisco, CA 94104, USA (or as updated in the Agreement or Privacy Policy). Twenty provides cloud-based CRM software and related services. Twenty’s contact for privacy inquiries: [email protected]. Twenty acts as Processor (and Service Provider under CCPA, and data importer under SCCs).
Subject Matter of Processing: The subject matter is the Customer Personal Data entered into or collected via the Twenty CRM platform and processed by Twenty in order to provide the services to Customer, as described in the Agreement and this DPA.
Duration of Processing: For the duration of the Agreement until deletion of all Customer Personal Data by Twenty in accordance with the DPA (see Section 10). Some data may be retained for a limited period post-termination as described, solely for deletion or legal compliance purposes.
Nature and Purpose of Processing: See Section 2 of the DPA. In summary, Twenty will receive, host, store, organize, and otherwise process Customer Personal Data as necessary to provide the CRM software functionality and any related services (such as support, backups, etc.) to Customer. Processing includes operations such as computing, transmitting, and displaying the data per user actions, and producing analytics or reports as per the service features. Twenty also processes data as needed to ensure security, fix issues, and improve the services (in a manner consistent with the Agreement and not for independent purposes). All processing is performed according to Customer’s Instructions and solely for Customer’s business purposes.
Types of Personal Data Processed: Any Personal Data that Customer decides to import or create in the Twenty platform. Typical categories are listed in Section 2 above and include contact information, organizational details, communications, sales records, and other business-related personal information. The data may also include system-generated data like user IDs or metadata related to usage of the CRM. (Sensitive personal data is not anticipated, and special categories are not intentionally processed, except if uploaded by Customer contrary to recommendations.)
Categories of Data Subjects: As detailed in Section 2, data subjects include Customer’s end-user personnel and Customer’s own customers or leads and other individuals whose data is stored in the CRM. They could also include any other individuals who correspond with or are recorded by Customer using the service.
Frequency of Transfer: Continuous/ongoing basis – Personal Data is transferred to Twenty’s systems whenever Customer uses the cloud service (e.g. data is uploaded, collected, or generated during the term of the Agreement).
Data Retention: Twenty will retain Customer Personal Data for the duration of the Agreement and will delete or return data upon termination as described in Section 10. Certain logs or backups containing Personal Data may be retained for up to 90 days beyond deletion, then overwritten, and any data retained longer to meet legal obligations will be protected until deletion.
Sub-Processors: The current Sub-Processors are listed in Section 6.1. This includes infrastructure providers (like AWS in Germany), and ancillary services (Cloudflare CDN, Stripe, Sentry, Front). Sub-Processors are subject to written agreements and provide similar data protection measures. Customer will be notified of any changes per Section 6.2.
Technical and Organizational Measures: See Section 8 (and any Annex B, if provided) for a description of the security measures implemented by Twenty, including: physical security of data centers, access controls, encryption, network security, monitoring, incident response, etc. These measures are intended to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and to enable restoration of data in case of incidents.
Cross-Border Transfers: Twenty may transfer data from the EEA/UK/Switzerland to the U.S. and possibly other countries as needed to provide support (e.g. if a support engineer outside the EU accesses data). Such transfers are governed by SCCs and UK Addendum (Module 2, with Customer as exporter and Twenty as importer) and Swiss-specific terms, as detailed in Section 7.2. Transfers from Brazil are governed by Brazil SCCs as per Section 7.3. Twenty ensures any onward transfers (to Sub-Processors) are made under similar safeguards, such as SCCs Module 3 or other mechanisms.
Contact Points: For Customer: the contact information provided in the Agreement or Order (e.g. legal or privacy contact). For Twenty: [email protected] (and Data Protection Officer, if applicable, as per Privacy Policy).
(End of Annex A. This Annex may be considered the Appendix 1 of the SCCs, describing the parties, transfers, and processing operations.)
ANNEX B – Summary of Technical and Organizational Security Measures
(Referencing Article 32 GDPR and Annex II of SCCs, this annex summarizes Twenty’s key security measures, as of the Last Updated date. Twenty may update these measures from time to time, maintaining equal or better protection.)
Organizational Security: Twenty has appointed personnel responsible for security and privacy, including a security officer and, if required, a Data Protection Officer. Internal policies (reviewed at least annually) govern the confidentiality, integrity, availability, and resilience of personal data. Employees receive training on data protection and are bound by confidentiality agreements. Background checks are performed as law permits. Access to facilities and systems is limited to authorized personnel based on role.
Access Controls:
Physical Access: Data hosting is with AWS in secure facilities with multi-layer physical security controls (guarded premises, biometric access, surveillance, etc.). Office access for Twenty (if any data is accessible there) is secured via keycard and visitor protocols.
System Access: Unique user IDs are required for Twenty employees accessing systems with Personal Data. Strong password policies and multi-factor authentication (MFA) are enforced on administrative access. Access rights are granted on least privilege and need-to-know principles, and promptly revoked upon role change or termination. Administrative access to production systems is logged and monitored.
Data Access: Within the application, data is segmented by Customer organization to prevent unauthorized data access across customers. Customer users are authenticated, and authorization checks are enforced (role-based access inside the app). Twenty staff access to Customer data (for support) is limited and performed only when necessary and with Customer permission whenever feasible. All such access is logged.
Encryption:
In Transit: TLS encryption (HTTPS with strong ciphers) protects Personal Data in transit between Customer’s systems and Twenty’s service, and between data centers. For internal service communication, encryption or secure network protocols are used.
At Rest: Personal Data in databases and storage is encrypted at rest (using AES-256 or equivalent) on AWS-managed storage. Encryption keys are managed securely (leveraging AWS KMS or equivalent). Certain sensitive fields can be additionally encrypted or hashed at the application level if needed.
Network Security & Isolation: Twenty uses virtual private cloud (VPC) architectures to isolate production systems. Firewalls and security groups restrict inbound network access to only required ports/protocols. The production environment is separated from development/test environments. Anti-DDoS protections and rate-limiting are in place via Cloudflare CDN and AWS services. Regular vulnerability scanning of network infrastructure is performed.
Monitoring & Incident Management: Twenty employs monitoring tools to track system performance and security events (e.g. intrusion detection systems, file integrity monitoring). Logs of key events (logins, data access, configuration changes) are maintained centrally and protected from tampering. Twenty has an incident response plan that includes 24/7 availability of key staff, defined escalation procedures, investigation steps, and communication plans (including Customer notification as per DPA requirements). Incidents are documented with root cause analysis and remediation steps.
Malware and Endpoint Security: Servers are hardened (minimal installed services, regular patching). Anti-malware and anti-virus solutions are deployed on servers and employee endpoints, with automatic updates. Email and file uploads can be scanned for known threats. Employees are instructed to use company-approved devices with up-to-date security patches and endpoint protection when accessing systems with Personal Data.
Data Backup and Recovery: Databases are backed up daily (with more frequent incremental backups for critical data). Backup copies are encrypted and stored in geographically separate location(s) to ensure redundancy (at least within the same jurisdiction when required, e.g. within EU for EU data). Restoration procedures are tested periodically to verify integrity and restoration time objectives. Twenty’s disaster recovery plan aims to quickly recover service in case of a major outage (with defined RTO/RPO targets, e.g. RPO of a few hours, RTO of a few hours for major incidents).
Software Development Security: Twenty follows secure development practices. Code changes are peer reviewed and tested in non-production environments. Dependencies are monitored for vulnerabilities (using scanning tools) and promptly updated. Penetration tests by independent experts are conducted at least annually, and critical findings are remediated with high priority. In-app data entry points are protected against common web vulnerabilities (OWASP Top 10) through input validation, sanitization, and use of modern frameworks. Regular dependency and container security scans are in place.
Audit and Compliance: Twenty may maintain relevant security certifications or undergo third-party audits (e.g. SOC 2 Type II or ISO 27001) as it matures. While not all certifications may be in place, the controls above align with industry best practices. Audit logs and compliance evidence are retained as needed. Customer has rights to audit as per Section 9 of the DPA, and Twenty will cooperate by providing available audit results or letting Customer (or its auditor) verify controls in operation.
Sub-Processor Security: Twenty conducts due diligence on Sub-Processors’ security practices. Twenty has contracts in place requiring Sub-Processors to implement appropriate security measures and notify Twenty in case of incidents. Many Sub-Processors (like AWS, Cloudflare) maintain high-standard security certifications and audits which Twenty reviews. Twenty monitors compliance of Sub-Processors and will take necessary actions (including suspension or replacement) if any Sub-Processor is found to be inadequate in protecting personal data.
(This Annex B is a high-level summary; more detailed information can be provided by Twenty upon request, such as a copy of its security whitepaper or policies. All measures are in place as of the last update and are subject to continuous improvement.)
By using or signing the Agreement, each party acknowledges it has read and understood this DPA and agrees to be legally bound by it.