Data Processing Agreement

Effective April 26, 2026

1. Parties & scope

This Data Processing Agreement (“DPA”) is between you (the “Customer” or “Controller”) and Trusted Leads (“Processor”) and applies to all personal data processed by Trusted Leads on your behalf in connection with the services. For data processed for our own purposes (e.g. account, billing), our Privacy Policy applies.

2. Definitions

• Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) and equivalent CCPA/CPRA terms.
• Processing — any operation performed on personal data (collection, storage, use, disclosure, deletion).
• Sub-processor — a third party engaged by Trusted Leads to process Customer Personal Data.
• Data Subject — the individual to whom Personal Data relates.

3. Details of processing

3.1 Subject matter

Trusted Leads processes Customer Personal Data to provide B2B lead-generation, email verification, lead-scoring, and outbound-delivery services as described in the Terms of Service.

3.2 Duration

Processing continues for the duration of your account and for the retention windows defined in our Privacy Policy, after which data is deleted or returned per Section 9.

3.3 Nature & purpose

Storage, retrieval, transformation, enrichment, and transmission of B2B contact records to fulfil your scrape, verification, and outreach requests.

3.4 Categories of data subjects

• Customer's end users (your team) — name, email, role, workspace assignment.
• Business contacts collected via scrapers — name, business email, employer, job title, public profile data.

3.5 Categories of personal data

• Identity & contact data: name, business email, phone (if public), LinkedIn URL.
• Employment data: company, job title, seniority, location.
• Account & usage data: login timestamps, IP address, browser, audit events.

4. Processor obligations

Trusted Leads shall:

• Process Personal Data only on documented Customer instructions, including with regard to international transfers.
• Ensure persons authorised to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organisational measures (Section 7).
• Engage sub-processors only under written terms providing protections at least equivalent to this DPA.
• Assist Customer in responding to data-subject requests and regulatory inquiries.
• Notify Customer of personal data breaches without undue delay (Section 8).
• Make available all information necessary to demonstrate compliance.

5. Controller obligations

The Customer warrants that:

• It has a valid lawful basis (GDPR Art. 6) for instructing Trusted Leads to process Personal Data, including for outreach to scraped contacts.
• It will provide a compliant privacy notice to its own end users.
• It will honour opt-out and unsubscribe requests it receives, and will not use the platform to send messages prohibited by CAN-SPAM, GDPR, CASL, TCPA, or similar laws.
• It will not upload special-category data (GDPR Art. 9) to the platform.

6. Sub-processors

Trusted Leadsuses the following sub-processors to deliver the service. Use of the platform constitutes general authorisation for these sub-processors. We will give 30 days' notice of new sub-processors via this page; object by emailing hello@datryxen.io within 14 days.

• Supabase, Inc. (US) — managed Postgres, authentication, storage.
• Cloudflare, Inc. (US) — CDN, DNS, DDoS protection, Tunnel ingress.
• Google LLC (US) — Gmail / Google Sheets API access only when the Customer connects their own Google account; scope is limited to the resources the Customer authorises.
• Resend, Inc. / Spacemail — transactional email delivery.
• Hetzner Online GmbH (DE/FI) — underlying infrastructure for self-hosted components.

7. Security measures

• Encryption in transit (TLS 1.2+) for all customer connections.
• Encryption at rest for production databases and backups.
• Role-based access control with least-privilege defaults; multi-factor authentication for production console access.
• Workspace isolation — Postgres row-level security ensures tenants cannot read each other's data.
• Secrets stored in environment-scoped vaults, never in source control.
• Audit logging for authentication, billing, and admin actions, retained for at least 90 days.
• Regular dependency-vulnerability scanning and patching.

8. Personal-data breach notification

Trusted Leads will notify affected Customers without undue delay and in any case within 72 hours of becoming aware of a personal-data breach affecting their data, with the information required by GDPR Art. 33(3) to the extent known.

9. Return & deletion

On termination of the services, Trusted Leadswill, at the Customer's choice, delete or return all Customer Personal Data within 30 days, and delete existing copies (subject to legal-retention obligations summarised in our Privacy Policy).

10. Audits

Trusted Leads will respond to reasonable, written audit questionnaires from Customer no more than once per 12 months, and may satisfy audit obligations by providing third-party reports (e.g. SOC 2, penetration-test summaries) where available.

11. International transfers

Personal Data is primarily stored in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Module Two — Controller to Processor) and, for UK transfers, the UK International Data Transfer Addendum, both incorporated into this DPA by reference.

12. Liability

The liability limits set out in the Terms of Service apply to claims under this DPA. Nothing in this DPA limits either party's liability for matters that cannot be limited under applicable law.

13. Conflict

In case of conflict between this DPA and the Terms of Service, this DPA prevails as to processing of Personal Data.

14. Contact

Privacy & data-protection inquiries: hello@datryxen.io.