Data Processing Addendum

Last updated: January 22, 2026
1. DEFINITIONS
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings ascribed to them herein:

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

"AI Model Provider" means third-party providers of artificial intelligence, machine learning, or large language models that Provider uses to deliver the Services, including but not limited to OpenAI, Anthropic, and other similar providers.

"Business" and "Controller" shall have the meanings ascribed to them in Data Protection Law and shall be used interchangeably herein.

"Consumer" and "Data Subject" shall have the meanings ascribed to them in Data Protection Law and shall be used interchangeably herein.

"Covered Data" means the data provided by Data Provider to Data Receiver as detailed in the Agreement and for the purposes described in the Agreement.

"Data Protection Laws" means all applicable laws and regulations, including, as applicable, laws and regulations of the United States, including without limitation, the California Consumer Privacy Act of 2018 and its amendments including the California Privacy Rights Act (collectively, the "CCPA"), Virginia's Consumer Data Protection Act ("VCDPA"), Colorado Privacy Act ("CPA"), Connecticut Data Privacy Act ("CTDPA"), Utah Consumer Privacy Act ("UCPA"), Oregon Consumer Privacy Act ("OCPA"), Texas Data Privacy and Security Act ("TXDPSA"), Montana Consumer Data Privacy Act ("MTCDPA"), Iowa Consumer Data Protection Act ("IACDPA"), Delaware Personal Data Privacy Act ("DEPDPA"), Nebraska Data Privacy Act ("NEDPA"), New Hampshire Privacy Act ("NHPA"), New Jersey Data Privacy Act ("NJDPA"), Tennessee Information Protection Act ("TNIPA"), Minnesota Consumer Data Privacy Act ("MNCDPA"), Maryland Online Data Privacy Act ("MDODPA"), Indiana Consumer Data Protection Act ("INCDPA"), Kentucky Consumer Data Protection Act ("KYCDPA"), Rhode Island Data Transparency and Privacy Protection Act ("RIDTPPA"), the European Union General Data Protection Regulation ("GDPR"), and the UK GDPR.

"Data Provider" means the Party providing Covered Data to the other Party as part of the Services.

"Data Receiver" means the Party receiving Covered Data as part of the Services from the Data Provider.

"Personal Data" and "Personal Information" shall have the meanings ascribed in Data Protection Laws and shall be used interchangeably herein.

"Processor" and "Service Provider" shall have the meanings ascribed to them in Data Protection Law and shall be used interchangeably herein.

"Processing" means any operation or set of operations which is performed on Covered Data or on sets of Covered Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Services" shall have the meaning ascribed to it in the Agreement.

"Subprocessor" means any third party (including AI Model Providers and cloud infrastructure providers) authorized by Service Provider to process Covered Data on behalf of Controller in connection with the Services.
2. DESIGNATION
The Parties acknowledge and agree that with regard to the Covered Data, Customer is a Business and a Controller, and that Provider is a Service Provider and a Processor ("Service Provider").
3. OBLIGATIONS
3.1 Compliance with Law
With respect to the Covered Data, the Parties shall comply with Data Protection Law.
3.2 Limitations on Processing
Service Provider shall at all times comply with Controller's written instructions pursuant to the Agreement, this DPA, and all applicable laws, rules and regulations, including but not limited to, all applicable Data Protection Law. Service Provider shall only process the Covered Data for the limited purposes specified in the Agreement.
3.3 CCPA Obligations
To the extent any Covered Data is deemed "Personal Information" (as such term is defined under the CCPA) and is subject to the CCPA, Service Provider agrees not to:
  • "Sell" or "share" the Personal Information as such terms are defined under the CCPA;
  • Retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services or as otherwise expressly permitted under the Agreement including retaining, using or disclosing the Personal Information for a commercial purpose other than the business purposes specified in this DPA or the Agreement, or as otherwise permitted by the CCPA;
  • Retain, use or disclose the Personal Information outside of the direct business relationship with Controller;
  • Combine Personal Information it receives from Controller with Personal Information it receives from or on behalf of another person or collects from its own interactions with consumers, except where required to provide the Services and permitted under the CCPA.
3.4 Business Purposes
In accordance with the CCPA and other applicable Data Protection Laws, Service Provider may engage in the following Business Purposes:
  • Providing AI-powered CRM enrichment services through natural language processing and data retrieval;
  • Detecting and protecting against malicious, deceptive, fraudulent, or illegal activity;
  • Identifying and repairing errors that impair existing intended functionality;
  • Short-term, transient use of Personal Information, provided that the Personal Information is not disclosed to another third party and is not used to build a profile about a user;
  • Providing analytic services related to Service performance and usage; or
  • Undertaking internal research for technological development and demonstration.
3.5 AI Model Provider Restrictions
Service Provider shall ensure that all AI Model Providers used in connection with the Services:
  • Are contractually prohibited from using Covered Data to train, improve, or develop their AI models;
  • Agree to delete or return Covered Data upon completion of processing;
  • Maintain appropriate security measures as required under applicable Data Protection Laws;
  • Process Covered Data solely for the purpose of providing the Services to Controller; and
  • Are listed in the Subprocessor Schedule attached as Exhibit B.
4. DATA SUBJECT RIGHTS
Service Provider shall promptly notify Controller if Service Provider receives a request from a Data Subject seeking to exercise rights under Data Protection Law (a "Data Subject Request"). Upon Controller's request, Service Provider shall assist Controller in responding to such Data Subject Requests within the timeframes required by applicable Data Protection Law.
5. SECURITY
5.1 Security Measures
Service Provider will maintain appropriate measures to protect the integrity, security and confidentiality of all Personal Information against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include at a minimum those set forth in Exhibit A to this DPA.
5.2 Access Controls
The Parties shall take reasonable steps to ensure that access to the Covered Data is limited on a need-to-know basis and that all personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Covered Data.
5.3 Security Breach Notification
Service Provider shall notify Controller without undue delay (and, in any event, within seventy-two (72) hours) upon Service Provider or any Subprocessor becoming aware of:
  • A breach of security measures leading to any actual or reasonably suspected unauthorized, accidental or unlawful use, destruction, loss, or unauthorized disclosure of, or alteration or access to, Personal Data;
  • Any security breach (or substantially similar term) as defined by applicable Data Protection Law; or
  • Any incident that impacts the Processing of Personal Data including a Data Subject Request, an investigation into or seizure of the Personal Data by government officials, or where implementing an instruction received from Controller would violate applicable Data Protection Law.
Service Provider shall include in such notification sufficient information to allow Controller to meet any obligations to report or inform Data Subjects or any government regulators or other independent public authorities of the security breach under Data Protection Law.
6. SUBPROCESSORS
6.1 Authorized Subprocessors
Controller grants Service Provider general authorization to engage Subprocessors to process Covered Data, provided that Service Provider:
  • Maintains a current list of Subprocessors in Exhibit B;
  • Ensures each Subprocessor is bound by written agreement imposing substantially the same data protection obligations as those imposed on Service Provider under this DPA; and
  • Remains fully liable to Controller for any breach of this DPA caused by any Subprocessor.
6.2 Objection Rights
Controller may object to the engagement of a new Subprocessor within fifteen (15) days of receiving notice, provided such objection is based on reasonable grounds relating to data protection. If Controller objects, the Parties shall work together in good faith to find a mutually acceptable solution. If no solution can be found, Controller may terminate the Agreement with respect to those Services that cannot be provided without the use of the objected-to Subprocessor.
7. DATA RESIDENCY AND INTERNATIONAL TRANSFERS
7.1 Data Storage Location
Service Provider shall store Covered Data primarily in data centers located in the United States. Service Provider may temporarily transfer Covered Data to other jurisdictions for processing purposes, provided such transfers comply with applicable Data Protection Laws.
7.2 International Transfers
To the extent Service Provider transfers Covered Data from the European Economic Area, United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission, Service Provider shall implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum where applicable.
8. RETURN OR DELETION OF PERSONAL DATA
Upon the expiration or termination of the Agreement, Service Provider shall, at Controller's request within thirty (30) days, either (i) securely return to Controller, or (ii) securely destroy, all Personal Data obtained by Service Provider in connection with the Agreement. Service Provider will provide written confirmation to Controller of its compliance with this provision. Service Provider may retain Personal Data to the extent required by applicable law, provided such Personal Data remains subject to confidentiality obligations and is deleted once the retention period expires.
9. AUDIT RIGHTS
Upon reasonable request of the Controller (not more than once annually except in the case of a suspected data breach), Service Provider shall make available to Controller all information in its possession necessary to demonstrate Service Provider's compliance with the obligations described in this Agreement and shall allow for, and cooperate with, reasonable assessments by Controller or Controller's designated assessor. Such assessments shall be conducted during normal business hours with reasonable advance notice and in a manner that does not unreasonably interfere with Service Provider's business operations. Controller shall not use such an audit report for any other purpose than to assess Service Provider's compliance with this Agreement.
10. AUTOMATED DECISION-MAKING
Service Provider shall not engage in automated decision-making, including profiling, that produces legal or similarly significant effects concerning Data Subjects, without Controller's prior written consent and implementation of appropriate safeguards for Data Subject rights.
11. GENERAL TERMS
11.1 Term and Survival
This DPA and all provisions herein shall remain in effect so long as the Agreement is in effect and for such period thereafter as Service Provider retains any Covered Data.
11.2 Counterparts
This DPA may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this DPA by executing a counterpart.
11.3 Non-compliance
Each Party shall promptly inform the other if it is unable to comply with this DPA. If the non-complying Party cannot comply within a reasonable period of time, or is in substantial or persistent breach of this DPA, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the DPA and the Agreement insofar as it concerns processing of Covered Data.
11.4 Ineffective Clause
If individual provisions of this DPA are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
11.5 Conflicts
In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
11.6 Applicable Law and Jurisdiction
The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.
EXHIBIT A
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
1. Organizational/Administrative Security Measures
Service Provider has implemented, and will maintain and update as appropriate throughout its Processing of Personal Information:
  • A written and comprehensive information security program in compliance with applicable Data Protection Laws.
  • A data loss prevention program that reflects reasonable policies or procedures designed to detect, prevent, and mitigate the risk of data security breaches or identity theft, which shall include at a minimum: (a) appropriate policies and technological controls designed to prevent loss of Personal Information; and (b) a disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Information as well as security needs for back-up sites and alternate communication networks.
  • Policies and procedures to limit access to Personal Information to those who require such access to perform their roles and responsibilities in connection with the Agreement, including regular updates to such access based on changes to Service Provider's personnel, policies or procedures.
  • Procedures to verify all access rights through effective authentication methods including multi-factor authentication for administrative access.
  • A government agency data access policy that refuses government access to data, except where such access is required by law, or where there is imminent risk of serious harm to individuals.
  • Policies and procedures for assessing legal basis for, and responding to, government agency requests for data.
  • Specific training of personnel responsible for managing government agency requests for access to data, which may include requirements under applicable Data Protection Laws.
  • Regular training for all employees and contractors who process Personal Data, conducted at least annually.
  • Processes to document and record government agency requests for data, the response provided, and the government authorities involved.
  • Procedures to notify Controller about any request or requirement for government agency access to data, unless legally prohibited.
2. Physical Security Measures
Service Provider has implemented, and will maintain and update as appropriate throughout its Processing of Personal Information, appropriate, reasonable physical security measures for any facility used to Process Personal Information, and will continually monitor any changes to the physical infrastructure, business, and known threats, including:
  • Secured facilities with restricted access controls, badge systems, and visitor logs.
  • 24/7 surveillance and monitoring of data center facilities.
  • Environmental controls including fire suppression, climate control, and power redundancy.
3. Technical Security Measures
Service Provider shall throughout its Processing of Personal Information:
  • Perform reasonable vulnerability scanning and assessments on applications and infrastructure used to Process Personal Information on at least a quarterly basis.
  • Reasonably secure its computer networks using multiple layers of access controls including firewalls, intrusion detection systems, and network segmentation to protect against unauthorized access.
  • Restrict access through mechanisms such as, but not limited to, management approvals, robust access controls, logging and monitoring of access events, and subsequent audits.
  • Identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files for at least ninety (90) days.
  • Use reasonably up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that Process Personal Information.
  • Encrypt Personal Information in transit using TLS 1.2 or higher.
  • Encrypt sensitive personal information at rest using AES-256 or equivalent encryption and solely manage and secure all encryption keys (i.e. no other third party shall have access to these encryption keys, including Subprocessors).
  • Implement secure software development practices including code reviews, security testing, and vulnerability remediation.
  • Maintain security patch management processes to ensure timely application of security updates.
4. AI-Specific Security Measures
For AI-powered processing activities, Service Provider shall:
  • Implement input validation and sanitization to prevent prompt injection attacks.
  • Monitor AI model outputs for potential data leakage or unauthorized disclosure.
  • Maintain segregation between customer data and AI model training data.
  • Implement rate limiting and abuse prevention mechanisms for AI services.
  • Ensure AI Model Providers comply with substantially similar security requirements.
5. Compliance Frameworks
Service Provider maintains compliance with the following frameworks:
SOC 2 Type II
This Addendum aligns with the following Common Criteria:
  • CC6.1: Establishes that the Company consistently identifies and assesses risks to the security, availability, processing integrity, confidentiality, and privacy of the data it controls or processes.
  • CC6.2: Demonstrates that the Company evaluates and responds to risks, ensuring that the controls in place effectively mitigate potential threats to achieving data security objectives.
  • CC7.1: Reflects the Company's commitment to implementing control activities that contribute to the achievement of data protection objectives.
  • CC7.2: Ensures that the Company communicates information regarding responsibilities and expected outcomes associated with the data protection Addendum effectively across the organization.
  • CC7.3: By employing continuous monitoring procedures, the Addendum aligns with SOC 2's criteria for the ongoing evaluation of the effectiveness of control activities.
ISO 27001
This Addendum implements security measures that address the following ISO 27001 control objectives:
  • A.7.1.1. Roles and Responsibilities: Provider maintains clear documentation of roles and responsibilities related to information security.
  • A.9.1.1. Access Control Policy: Provider implements role-based access controls and least-privilege principles to restrict access to personal data.
  • A.10.1.1. Cryptographic Controls: Provider implements suitable cryptographic controls for protecting the confidentiality, integrity, and availability of data.
  • A.12.4.1. Event Logging: Provider maintains security event monitoring and logging systems to record user activities and security events.
Provider maintains documentation mapping its security controls to these frameworks and will provide such documentation to Controller upon reasonable request, subject to confidentiality obligations.
EXHIBIT B
SUBPROCESSOR SCHEDULE
See Trust Center - Freckle for a complete up-to-date list of subprocessors utilized by Provider.