Data Processing Agreement
Last updated: April 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Data Controller" or "Customer") and Prospectio.io (the "Data Processor" or "Prospectio"). This DPA applies where Prospectio processes personal data on behalf of the Customer in connection with the Service.
1. Subject Matter and Duration
This DPA governs the processing of personal data by Prospectio on behalf of the Customer for the purpose of providing cold email campaign management services. The duration of processing corresponds to the term of the Customer's active subscription to the Service.
2. Nature and Purpose of Processing
Prospectio processes personal data to provide the following services on behalf of the Customer:
- Storing and managing lead contact data uploaded by the Customer
- Executing cold email outreach sequences as configured by the Customer
- Tracking email delivery, open, click, and reply events
- Managing lead pipeline stages and conversation history
- Generating campaign performance reports and analytics
3. Types of Personal Data Processed
The personal data processed under this DPA may include:
- Names (first name, last name)
- Business email addresses
- Job titles and roles
- Company names and company information
- Phone numbers (if provided by the Customer)
- LinkedIn profile URLs (if provided by the Customer)
- Any other personal data included in lead records by the Customer
4. Categories of Data Subjects
The data subjects whose personal data is processed under this DPA are business contacts (leads) uploaded by the Customer for the purpose of B2B cold email outreach campaigns.
5. Obligations of the Processor
Prospectio agrees to:
- Process personal data only on documented instructions from the Customer, unless required to do so by applicable law
- Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security assessments
- Not engage another processor (sub-processor) without prior written authorization from the Customer, except for those sub-processors listed at the time of entering this DPA
- Assist the Customer in responding to data subject requests for access, rectification, erasure, data portability, restriction, and objection
- Assist the Customer in ensuring compliance with breach notification obligations, notifying the Customer without undue delay after becoming aware of a personal data breach
- At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless applicable law requires storage
- Make available to the Customer all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits conducted by the Customer or a mandated auditor
6. Obligations of the Controller
The Customer agrees to:
- Ensure that the collection and processing of lead data has a valid legal basis under applicable data protection law (such as legitimate interest for B2B outreach)
- Provide clear and documented processing instructions to Prospectio
- Comply with all applicable data protection laws in relation to the personal data processed through the Service
- Promptly notify Prospectio of any data subject requests that require Prospectio's assistance
7. Sub-processors
The Customer authorizes Prospectio to engage the following sub-processors:
- Database and authentication provider — Database hosting, authentication, and file storage (United States)
- Application hosting provider — Application hosting and edge network (United States)
- Payment processing provider — Payment processing (United States)
- Email delivery provider — Transactional email delivery (New Zealand)
- Error monitoring provider — Error monitoring and performance tracking (United States)
Prospectio will notify the Customer at least 30 days before engaging any new sub-processor. The Customer may object to a new sub-processor within that period. If the objection is not resolved, the Customer may terminate the affected Service.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area, Prospectio ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on an adequacy decision. Details of transfer mechanisms for each sub-processor are available upon request.
9. Security Measures
Prospectio implements the following technical and organizational measures:
- Encryption of data at rest and in transit (TLS 1.2+)
- Role-based access controls with least-privilege principle
- Row-level security (RLS) at the database layer
- Regular security assessments and dependency audits
- Audit logging of all data access and modifications
- Automated backup and disaster recovery procedures
- Incident response procedures as documented in our security policies
10. Data Breach Notification
In the event of a personal data breach, Prospectio will notify the Customer without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
11. Data Deletion and Return
Upon termination of the Service, the Customer may export their data within 30 days. After this period, Prospectio will delete all personal data processed on behalf of the Customer, except where retention is required by applicable law. A certificate of deletion is available upon request.
12. Governing Law
This DPA shall be governed by the same law that governs the Terms of Service. For data subjects in the European Economic Area, this DPA is also subject to GDPR and applicable member state law.
13. Contact
For questions about this DPA or to exercise your rights, contact us at contact@prospectio.io.