Introduction and scope
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service between Customer and Codas Labs, LLC, doing business as LeadTale (“LeadTale”) and applies when LeadTale processes Customer Personal Data on Customer’s behalf in the course of providing the Service.
This DPA reflects the parties’ agreement regarding compliance with the EU General Data Protection Regulation (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK Data Protection Laws”), the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and other applicable US state privacy laws (collectively, “Data Protection Laws”). In the event of a conflict between this DPA and the Terms of Service, this DPA prevails solely with respect to the processing of Customer Personal Data.
Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Laws.
“Customer Personal Data” means Personal Data that LeadTale processes on behalf of Customer in the course of providing the Service.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in the GDPR.
“Subprocessor” means any third party engaged by LeadTale to process Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Decision 2021/914 and, where applicable, the UK International Data Transfer Addendum issued by the UK Information Commissioner.
Roles and responsibilities
The parties acknowledge that, with respect to the Processing of Customer Personal Data in the course of providing the Service:
- Customer is the Controller (or, where Customer is itself a Processor, the intermediate Processor acting on behalf of a third-party Controller).
- LeadTale is the Processor, processing Customer Personal Data on Customer’s documented instructions.
This DPA does not apply to LeadTale’s processing of business-contact information in the LeadTale database, which LeadTale processes as an independent Controller under the terms of the Privacy Policy.
Customer is responsible for the lawful collection of Customer Personal Data, for obtaining all necessary consents and providing all required notices, and for determining the purposes and means of Processing.
Subject matter, nature, and duration
Subject matter: the provision of the Service as described in the Terms of Service, including data enrichment, verification, lookup, export, and related features.
Nature and purpose of processing: to provide, secure, support, and improve the Service for Customer.
Duration: for the term of the Customer’s Subscription and any post-term period during which LeadTale continues to hold Customer Personal Data for return or deletion, subject to applicable retention requirements.
Categories of Data Subjects: Customer’s employees and authorized users; business contacts (leads, prospects, customers) whose information Customer submits to the Service; and any other Data Subjects whose Personal Data Customer chooses to process using the Service.
Types of Personal Data: name, business email address, business phone number, job title, employer, professional profile identifiers, work location, and any other Personal Data Customer chooses to upload or enrich. Customer agrees not to use the Service to process special categories of Personal Data (for example, health, biometric, racial, or financial data) unless expressly agreed in writing.
Customer instructions
LeadTale will process Customer Personal Data only on Customer’s documented instructions, including as set out in this DPA, the Terms of Service, Customer’s configuration of the Service, and any additional written instructions accepted by LeadTale.
LeadTale will notify Customer if, in its opinion, an instruction violates Data Protection Laws. LeadTale may be required to process Customer Personal Data for its own legitimate business operations (such as billing, account management, and product improvement in de-identified or aggregated form), and to comply with legal obligations.
Confidentiality of personnel
LeadTale ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and receive training on data protection and security practices.
Security measures
LeadTale implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption of Customer Personal Data in transit and at rest.
- Role-based access controls, least-privilege access, and centralized secret management.
- Network segmentation, firewalling, and DDoS protection at the infrastructure layer.
- Audit logging, monitoring, and anomaly detection on production systems.
- Vulnerability scanning, dependency scanning, and regular security reviews.
- Incident response procedures and business continuity planning.
- Background checks and confidentiality agreements for personnel with data access.
Additional detail on LeadTale’s security program is available on the Security page. LeadTale may update its security measures from time to time, provided that any such update does not materially diminish the overall level of protection.
Subprocessors
Customer authorizes LeadTale to engage Subprocessors to process Customer Personal Data, provided that LeadTale:
- Imposes on each Subprocessor, by written contract, data protection obligations substantially equivalent to those in this DPA.
- Remains liable to Customer for each Subprocessor’s performance of its obligations.
- Maintains an up-to-date list of Subprocessors available on request to privacy@leadtale.com.
- Provides Customer with prior notice of any intended addition or replacement of a Subprocessor. Customer may object on reasonable data-protection grounds within 30 days of the notice; if the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service and receive a pro-rata refund of any prepaid, unused fees.
International data transfers
Customer Personal Data may be transferred to, and processed in, the United States and other countries where LeadTale or its Subprocessors operate. Where a transfer requires a valid transfer mechanism under Data Protection Laws, the parties agree that:
- For transfers from the European Economic Area subject to the GDPR, the EU Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA.
- For transfers from the United Kingdom, the UK International Data Transfer Addendum is incorporated by reference.
- For transfers from Switzerland, the SCCs apply with references to the EU adapted to refer to Swiss law and the Swiss Federal Data Protection and Information Commissioner as the competent authority.
Where required, LeadTale will take supplementary measures necessary to ensure an essentially equivalent level of protection to that guaranteed in the European Economic Area or the United Kingdom.
Data subject rights
Taking into account the nature of the Processing, LeadTale will provide reasonable assistance to Customer, by appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects to exercise their rights under Data Protection Laws.
If LeadTale receives a Data Subject request relating to Customer Personal Data, LeadTale will promptly direct the Data Subject to Customer and will not respond to the request without Customer’s prior authorization, except as required by law.
Security incidents
LeadTale will notify Customer without undue delay, and in any event within 72 hours of confirming a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent then known, a description of the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident. LeadTale will cooperate with Customer in investigating, mitigating, and remedying the incident. Notifications do not constitute acknowledgment of fault or liability.
Data protection impact assessments
Upon Customer’s reasonable request, LeadTale will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Laws, taking into account the nature of the Processing and the information available to LeadTale.
Audits
LeadTale will make available to Customer, on request, the information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, policies, third-party attestations, and responses to industry-standard security questionnaires.
Where required by Data Protection Laws and no more than once per calendar year, Customer may conduct, or appoint a mutually-agreed independent third party to conduct, an audit of LeadTale’s compliance with this DPA. Audits must be conducted during normal business hours, with at least 30 days’ prior written notice, in a manner that does not disrupt LeadTale’s operations, and subject to reasonable confidentiality obligations. Customer bears its own costs for audits; LeadTale’s reasonable costs of supporting the audit may be charged to Customer.
Return and deletion
Upon termination of the Service or on Customer’s written request, LeadTale will, at Customer’s option, return or delete Customer Personal Data within a reasonable period, except to the extent retention is required by law, in which case LeadTale will continue to protect the information in accordance with this DPA and delete it once the retention requirement ends. Backups containing Customer Personal Data will expire in accordance with LeadTale’s standard backup retention schedule.
US state privacy laws
Where Customer is a business and LeadTale is a service provider under the CCPA or a processor under other US state privacy laws, LeadTale:
- Will not sell or share Customer Personal Data.
- Will not retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties or for any purpose other than the specific purpose of providing the Service.
- Will not combine Customer Personal Data with Personal Data obtained from other sources except as permitted under applicable law to provide the Service.
- Will notify Customer promptly if it determines that it can no longer meet its obligations under applicable US state privacy laws.
Customer has the right, on reasonable notice, to take steps to stop and remediate unauthorized use of Customer Personal Data.
Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set forth in the Terms of Service.
Changes to this DPA
LeadTale may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, Subprocessor arrangements, or LeadTale’s processing operations. When we make material changes, we will notify Customer via email or in-product notice before the changes take effect.
Contact
Questions about this DPA? Reach LeadTale’s Data Protection Officer at dpo@leadtale.com, privacy inquiries at privacy@leadtale.com, or security matters at security@leadtale.com.