PARTIES:

  1. Sales Optimization B.V., statutorily established at Johan Huizingalaan 763 A, 1066VH Amsterdam, registered in the Chamber of Commerce under number 88991229 and legally represented by Mr. D. de Vries, hereinafter referred to as: “Data Processor”; and

  2. The party identified as “CLIENT” in the signed Service Agreement, hereinafter referred to as: “Data Controller” or “CLIENT”.

Individually referred to hereinafter as: “Party” and collectively as: “Parties”.

CONSIDERING THAT:

  • An agreement has been reached between the Data Processor and the Data Controller, based on which the Data Processor performs activities for the Data Controller, which consist of the provision of (online) services for the Data Controller, hereinafter referred to as “Service Agreement”;

  • The Data Processor Processes Personal Data on behalf of the Data Controller, as referred to in the General Data Protection Regulation (“GDPR”), in the context of fulfilling its obligations arising from the Service Agreement;

  • Parties wish to make agreements on the Processing of Personal Data within this Data Processing Agreement (“DPA”) within the meaning of Article 28(3) of the Regulation;

  • The Data Processor can, during the implementation of the Service Agreement with the Data Controller, be classified as Data Processor within the meaning of Article 4(8) of the GDPR;

  • The Data Controller will be classified as Data Controller within the meaning of Article 4(7) of the GDPR.

DECLARE TO HAVE AGREED AS FOLLOWS:

Article 1 – Definitions

  1. In this DPA, terms indicated with a capital letter have the meaning ascribed to them in Article 4 of the GDPR. In addition, the following terms in this DPA are described as follows:

  2. General Terms and Conditions: the latest version of the terms and conditions of Data Processor that are applicable to the Service Agreement.

  3. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  4. AP: Autoriteit Persoonsgegevens (Dutch supervisory authority).

  5. Employee(s): individuals who are employed by or work for the Data Processor, either as employees, self-employed or as (temporary) seconded/detached/payrolled personnel. 

  6. In Writing / Written: by post or email.

  7. Service Agreement: the agreement between the Data Processor and the Data Controller, based on which the Data Processor provides (online) services for the Data Controller.

  8.  Service(s): the services provided by the Data Processor as agreed upon in the Service Agreement.

  9. Sub-Processors: the processors engaged by the Data Processor who process Personal Data on behalf of the Data Processor and for the benefit of the Data Controller.

  10. UAVG: Law of May 16, 2018, containing rules for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union 2016, L 119) (Implementation Act General Data Protection Regulation).

Article 2 – Subject of the DPA

  1. This DPA regulates the Processing of Personal Data by the Data Processor in the execution of the Service Agreement.

  2. The Data Controller determines the purpose and means by which the Personal Data will be Processed by the Data Processor.

  3. The Data Processor shall process Personal Data on behalf of the Data Controller in accordance with the written instructions of the Data Controller and solely for the purpose of providing the Services as described in the Service Agreement.

  4. The nature and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects are described in Appendices 1 through 3, depending on which Service(s) the Data Controller purchases from the Data Processor, as described in the Service Agreement or as additionally agreed upon In Writing.

  5. Parties will comply with the GDPR and the UAVG when Processing Personal Data, as well as with other applicable laws and regulations.

Article 3 – Responsibilities of the Data Processor

  1. The Data Processor will Process Personal Data on behalf of the Data Controller in accordance with the Written instructions of the Data Controller and solely for the purpose of providing the Services as described in the Service Agreement. If a provision of Union or Member State law applicable to the Data Processor requires the Data Processor to Process Personal Data for other purposes, the Data Processor will inform the Data Controller thereof prior to Processing, unless that law prohibits such notification.

  2. The Data Processor immediately informs the Data Controller if, in the Data Processor’s opinion, the instructions of the Data Controller constitute a violation of the GDPR, UAVG and/or other applicable laws and regulations. 

  3. The Data Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data Processor will grant access to its Employees and/or Sub-processors to the Personal Data being Processed, only to the extent necessary for the execution of the Service Agreement.

  4. The Data Processor can provide Personal Data to the Data Controller from third-party sources. This provision will be coordinated in advance with the Data Controller. The Data Controller fully agrees to this data collection and the further Processing thereof.

  5. The Data Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with Article 32 of the GDPR. A description of these measures is provided in Appendix 4.

Article 4 – Responsibilities of the Data Controller

  1. The Personal Data has been collected on behalf of the Data Controller by the Data Processor in accordance with Written instructions provided by the Data Controller within the Service Agreement. The Data Controller warrants that the given Written instructions are in accordance with the GDPR.

Article 5 – Audit Rights

  1. Upon request, the Data Processor will provide the Data Controller with  information that is reasonably necessary to demonstrate compliance with the obligations established in this DPA. 

  2. The Data Processor shall allow for and contribute to an audit, including inspections, requested by the Data Controller and conducted by an independent expert auditor bound by confidentiality.

  3. The Data Controller is entitled to perform an audit a maximum of once per year. The Data Controller may only conduct an additional audit if and insofar as a Personal data breach has occurred relating to the Processing of Personal data under this DPA, provided that this Personal data breach triggers the notification obligation of Article 33 of the GDPR. This additional audit will be limited to the nature and scope of the Personal data breach in question.

  4. The Data Processor may choose, in the event of an audit request from the Data Controller, to provide audit results from previously conducted audits by the Data Processor before allowing such an audit. If, after receiving such results, the Data Controller still wishes to have an audit conducted by an independent expert auditor, the Data Controller must specify why the previously provided audit results are insufficient. In such cases, the Data Processor allows the independent expert auditor to conduct an audit at a time mutually agreed upon by the Parties, but no more than once a year.

  5. The costs associated with the audit initiated by the Data Controller are borne by the Data Controller. 

  6. Parties will discuss the audit results and the potential follow-up actions of the audit initiated by the Data Controller, in mutual consultation.

Article 6 – Sub-processing

  1. By signing this DPA, the Data Controller provides the Data Processor with specific Written consent  for the engagement of the Sub-Processors specified in Appendices 1 through 3 to support the provision of the Service(s) as described in the Service Agreement.

  2. The Data Controller hereby provides the Data Processor with general Written consent to add or replace Sub-Processors. The Data Processor will inform the Data Controller of all of its current and intended Sub-Processors via the up-to-date list of its Sub-Processors on its website at https://leadhq.io/data-processing-agreement-sales-optimization/. The Data Controller may object to changes in the list of Sub-Processors in Writing on reasonable grounds. In the event of an objection by the Data Controller, the Parties will enter into discussions to try to reach a reasonable solution.

  3. When the Data Processor engages a Sub-Processor for the execution of specific Processing Activities, the Data Processor will ensure that the Sub-Processor is bound by a written agreement imposing corresponding data protection obligations as arise from this DPA for the Data Processor.

Article 7 – International Transfers

  1. The Data Processor can transfer Personal Data to a third country or international organization outside the European Economic Area (EEA) within the context of the provision of the Service(s) purchased by the Data Controller. 

  2. The Data Processor will only transfer Personal Data to a third country or international organization outside the European Economic Area (EEA) if the Data Processor has taken such measures as are necessary to ensure the transfer is in compliance with the GDPR (e.g., Standard Contractual Clauses).

  3. The Data Processor will not transfer Personal Data outside the EEA other than the Personal Data currently included in Appendices 1 through 3 of this DPA without prior Written consent of the Data Controller, unless the Data Processor is legally obliged to do so. For as far as legally permitted, the Data Processor will inform the Data Controller of any international data transfer obligations. 

Article 8 – Personal data breach Notification

  1. As soon as the Data Processor discovers a Personal Data Breach, it will promptly notify the Data Controller thereof without undue delay and, where feasible, no later than 48 hours after discovery of the Personal data breach.

  2. The notification shall at least describe the nature of the Personal data breach, the likely consequences, and the measures taken or proposed to address the Personal data breach.

  3. The obligation to report a Personal data breach to the Data Protection Authority (AP) and/or the Data Subject(s) rests with the Data Controller.

  4. After the resolution of the Personal data breach, the Parties will evaluate the Personal data breach and, in joint consultation and all reasonableness, determine whether additional measures are required to prevent such Personal data breaches in the future.

Article 9 – Rights of Data Subjects

  1. In the event that a Data Subject submits a request regarding the legal rights established in Chapter III of the GDPR to the Data Processor (e.g., for access, rectification, erasure), the Data Processor will promptly, and at least within one (1) week after receipt, forward such a request to the Data Controller and will provide all reasonably necessary support to the Data Controller for the fulfilment of the Data Controller’s obligation to respond to the request.

  2. It is the responsibility of the Data Controller to handle requests from Data Subjects, communicate about them (timely) with the Data Subject, decide whether or not to comply with them, and, if necessary, issue an instruction to the Data Processor for implementation. Depending on the instruction, the Data Processor may charge reasonable costs for this.

Article 10 – Support and Costs

  1. The Data Processor will provide the Data Controller with all reasonably necessary assistance in fulfilling the obligations under Articles 32 to 36 of the GDPR. The Data Processor may charge reasonable costs for this.

Article 11 – Term and Termination

  1. This DPA comes into effect when both Parties have (digitally) approved the DPA and ends at the time the Service Agreement terminates or when the Personal Data is no longer processed by the Data Processor. It is not possible to terminate this DPA independently of the Service Agreement during its term.

  2. The Data Processor does not retain the Personal Data for longer than the agreed retention periods specified in Appendices 1 through 3 or until the end of the DPA.

  3. If the Data Processor, for any reason, is unable to comply with the DPA, it will promptly inform the Data Controller thereof. The Parties will then enter into consultations to find a reasonable solution.

  4. Upon termination of the Service Agreement, the Data Processor will, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies unless applicable law requires storage of the Personal Data. If the storage of the Personal Data is legally required, the Data Processor will inform the Data Controller to the extent permitted by law.

Article 12 – Liability

  1. The liability of each Party under this DPA will be subject to the limitations and exclusions of liability set out in Article 12 of the General Terms and Conditions.

Article 13 – Final Provisions 

  1. The Data Processor may only amend this DPA by providing 30 days’ prior Written notice to the Data Controller. If the Data Controller does not agree to a material change, the Parties will enter into consultations to find a reasonable solution. If a reasonable solution cannot be reached, the Data Controller may terminate the Service Agreement and this DPA in the manner agreed upon in the Service Agreement.

  2. If one or more provisions in this DPA are found to be invalid, this shall not affect the validity of the other provisions in this DPA. In that situation, the Data Controller will then enter into consultation with the Data Processor to jointly formulate a new provision.

  3. In all cases not covered by this DPA, the Parties shall decide through mutual consultation.

  4. Dutch law applies to this DPA.

  5. Disputes arising out of or in connection with this DPA shall be submitted exclusively to the court that is also competent to rule on matters related to the Service Agreement.

  6. This DPA includes the following Appendices, which constitute an integral part of this DPA:

    1. Appendix 1: Prospecting as a Service

      1. Description of Processing Activities;

      2. Sub-Processors.

    2. Appendix 2: LinkedIn Outreach

      1. Description of Processing Activities;

      2. Sub-Processors.

    3. Appendix 3: SDR as a Service

      1. Description of Processing Activities;

      2. Sub-Processors.

    4. Appendix 4: Security Measures

  7. This DPA forms an integral part of the Service Agreement and/or other agreements concluded between the Parties with regard to the Services. To the extent that the provisions of the DPA conflict with the provisions of the Service Agreement, the provisions of the Service Agreement shall prevail.

Appendix 1 – Prospecting as a Service

Based on the Client’s target audience description, the Data Processor searches for companies and contacts that fit the Client’s description. The Data Processor sources this information from various databases.

Description of Processing Activities

The Data Controller will Process the following Personal Data on behalf of and for the benefit of the Data Controller:

| Types of Personal Data | Categories of Data Subjects | Nature of the Processing | Purpose(s) | Retention period |
| --- | --- | --- | --- | --- |
| Personal details, contact details, address details, information regarding a person’s profession, data obtained from publicly available sources (incl. but not limited to public social media accounts). | Prospects (business contacts). | B2B prospecting (list-building). | Performance of the Service Agreement. | During the Service Agreement and shorter on request of the Data Controller |

Sub-Processors

At the time of signing this DPA, the Data Processor has engaged the following Sub-Processors, for which the Data Controller provides specific Written consent in accordance with Article 6 of this DPA.

A current and up-to-date list of Sub-Processors is maintained at https://leadhq.io/data-processing-agreement-sales-optimization/.

| Organisation | Location | Appropriate safeguards (e.g. SCCs) | Data Processing Activities | DPA Concluded? | Additional information |
| --- | --- | --- | --- | --- | --- |
| LinkedIn Sales Navigator. | USA | EU-U.S. Data Privacy Framework (DPF) / SCCs | B2B contact research and prospecting. | Yes | https://legal.linkedin.com/dpa |
| Apollo.io | USA | EU-U.S. Data Privacy Framework (DPF) / SCCs | All-in-one sales platform; data enrichment & engagement. | Yes | https://www.apollo.io/privacy-policy/dpa |
| ZoomInfo | USA | EU-U.S. Data Privacy Framework (DPF) / SCCs | B2B contact and company data provision/enrichment. | Yes | https://www.zoominfo.com/about-zoominfo/privacy-center |
| Cognism | UK / EU / USA | Adequacy Decision (UK/EU) / SCCs (USA) | B2B contact and company data provision/enrichment. | Yes | https://www.cognism.com/data-processing-addendum |
| Lusha | USA / Israel / Australia | Adequacy Decision (Israel) / SCCs (USA/AUS) | B2B contact data provision/enrichment. | Yes | https://www.lusha.com/legal/dpa-2-2/ |
| People Data Labs | USA | Standard Contractual Clauses (SCCs) | B2B contact and company data provision (API). | Yes | https://www.peopledatalabs.com/privacy-policy |
| Clay | USA | Standard Contractual Clauses (SCCs) | Data enrichment and aggregation; sales workflow automation. | Yes | https://www.clay.com/privacy |
| Datagma | France (EU) / USA | N/A (France) / SCCs (USA) | Real-time B2B data enrichment. | Yes | https://datagma.com/privacy-policy |
| ContactOut | Hong Kong / USA | Standard Contractual Clauses (SCCs) | B2B contact data provision/enrichment. | Yes | https://contactout.com/privacy |
| Forager.ai | USA | Standard Contractual Clauses (SCCs) | B2B contact and company data provision. | Yes | https://www.forager.ai/privacy-policy |
| Wiza | USA / Canada | Standard Contractual Clauses (SCCs) | Data extraction from LinkedIn. | Yes | https://wiza.co/privacy |
| Hunter.io | Belgium (EU) / USA | N/A (Belgium) / SCCs (USA) | Email address finding and verification. | Yes | https://hunter.io/dpa |
| Findymail | Germany (EU) / Finland (EU) / USA | N/A (EU) / SCCs (USA) | Email address finding and verification. | Yes | https://www.findymail.com/privacy-policy |
| Prospeo.io | USA (and other non-EU) | Standard Contractual Clauses (SCCs) | Email address finding and verification. | Yes | https://prospeo.io/privacy-policy |
| Zerobounce | USA / EU | EU-U.S. Data Privacy Framework (DPF) | Email address verification and validation. | Yes | https://www.zerobounce.net/policies/data-processing-agreement.html |
| Clearoutphone | Global | Standard Contractual Clauses (SCCs) | Phone number verification and validation. | Yes | https://clearoutphone.io/privacy-policy/ |
| Expandi.io | EU | N/A (Intra-EU transfer) | LinkedIn outreach automation & campaign management. | Yes | https://expandi.io/privacy-policy/ |
| Heyreach.io | EU | N/A (Intra-EU transfer) | LinkedIn outreach automation & campaign management. | Yes | https://www.heyreach.io/privacy-policy |
| LeadMagic.io | USA | Standard Contractual Clauses (SCCs) | Website visitor identification. | Yes | https://leadmagic.io/privacy |
| Bouncer Sp. z o.o. | EU | N/A (Intra-EU transfer) | Email address verification and validation. | Yes | https://www.usebouncer.com/gdpr/ |
| Google LLC | USA / EU | EU-U.S. Data Privacy Framework (DPF) & SCCs | Data storage and delivery via Google Sheets (EU Data Residency enabled). | Yes | https://cloud.google.com/terms/data-processing-addendum |
| Surfe | EU | N/A (Intra-EU transfer) | CRM-LinkedIn integration, lead capturing, and data enrichment. | Yes | https://www.surfe.com/data-protection/ |

Appendix 2 – LinkedIn Outreach

The Data Processor runs cold outreach campaigns from the Client’s personal LinkedIn account.

Description of Processing Activities

The Data Processor will process the following Personal Data on behalf of and for the benefit of the Data Controller. This Personal Data is (where possible) a derivative of the Personal Data collected within the context of the Services as described in Appendix 1:

| Types of Personal Data | Categories of Data Subjects | Nature of the Processing | Purpose(s) | Retention period |
| --- | --- | --- | --- | --- |
| Personal details, contact details, address details, information regarding a person’s profession, data obtained from publicly available sources (incl. but not limited to public social media accounts). | Prospects (business contacts). | B2B lead generation. | Performance of the Service Agreement. | During the Service Agreement and shorter on request of the Data Controller |

Sub-Processors

At the time of signing this DPA, the Data Processor has engaged the following Sub-Processors, for which the Data Controller provides specific Written consent in accordance with Article 6 of this DPA. A current and up-to-date list of Sub-Processors is maintained at https://leadhq.io/data-processing-agreement-sales-optimization/.

| Organisation | Location | Appropriate safeguards (e.g. SCCs) | Data Processing Activities | DPA Concluded? | Additional information |
| --- | --- | --- | --- | --- | --- |
| LinkedIn Sales Navigator. | USA | EU-U.S. Data Privacy Framework (DPF) / SCCs | B2B contact research and prospecting. | Yes | https://legal.linkedin.com/dpa |
| Clay | USA | Standard Contractual Clauses (SCCs) | Data enrichment and aggregation; sales workflow automation. | Yes | https://www.clay.com/privacy |
| Expandi.io | EU | N/A (Intra-EU transfer) | LinkedIn outreach automation & campaign management. | Yes | https://expandi.io/privacy-policy/ |
| Heyreach.io | EU | N/A (Intra-EU transfer) | LinkedIn outreach automation & campaign management. | Yes | https://www.heyreach.io/privacy-policy |
| Google LLC | USA / EU | EU-U.S. Data Privacy Framework (DPF) & SCCs | Data storage and delivery via Google Sheets (EU Data Residency enabled). | Yes | https://cloud.google.com/terms/data-processing-addendum |

Appendix 3 – SDR as a Service 

The Data Processor provides an Employee to the Client who handles sales tasks for the Client to ensure the Client ultimately meets with a potential Client. The Employee thereby operates directly within systems provided and controlled by the Data Controller.

Description of Processing Activities

The Data Processor will process the following Personal Data on behalf of and for the benefit of the Data Controller. This Personal Data is (where possible) a derivative of the Personal Data collected within the context of the Services as described in Appendix 1:

| Types of Personal Data | Categories of Data Subjects | Nature of the Processing | Purpose(s) | Retention period |
| --- | --- | --- | --- | --- |
| Name, professional email address, professional phone number, job title, company name, LinkedIn profile URL, CRM records, communication history, and calendar/appointment data. | B2B Prospects, leads, and existing business contacts of the Data Controller. | Multi-channel sales outreach (email, LinkedIn, phone), lead qualification, appointment setting, and CRM data management. | Performance of the Service Agreement. | During the Service Agreement and shorter on request of the Data Controller |

Sub-Processors

At the time of signing this DPA, the Data Processor has engaged the following Sub-Processors, for which the Data Controller provides specific Written consent in accordance with Article 6 of this DPA. A current and up-to-date list of Sub-Processors is maintained at https://leadhq.io/data-processing-agreement-sales-optimization/.

| Organisation | Location | Appropriate safeguards (e.g. SCCs) | Data Processing Activities | DPA Concluded? | Additional information |
| --- | --- | --- | --- | --- | --- |
| Google LLC | USA / EU | EU-U.S. Data Privacy Framework (DPF) & SCCs | Data storage and reporting | [Yes/No] | https://cloud.google.com/terms/data-processing-addendum |

Appendix 4 – Security measures

  • We use the latest antivirus software on our computers.

  • All our accounts are protected by 2FA (2 factor authentication).

  • Physical doors to our office are always locked when we are not present.

  • All system passwords will be reset on a regular basis.

  • A full security audit is carried out periodically.

  • We take measures to ensure employees only have access to sensitive data when necessary and remove permission upon completion.



