Leadoro Data Processing Agreement (DPA)
Last Updated: November 8, 2025
This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer and Leadoro (“Leadoro”, “we”, “our”, “us”) relating to the provision of Services.
1. Definitions and Interpretation
Unless otherwise defined in this DPA, capitalized terms shall have the meanings given in Applicable Data Protection Laws.
“Applicable Data Protection Laws” means all applicable privacy and data protection laws, including but not limited to the EU GDPR, UK GDPR, Swiss FADP, CCPA/CPRA and similar US state laws, and any applicable laws in India (DPDP Act 2023) and other relevant jurisdictions.
“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, and includes a “service provider” and “contractor” under US privacy laws.
“Customer Personal Data” means any Personal Data Processed by Leadoro on behalf of Customer under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“Data Subject Rights” means rights granted to data subjects under Applicable Laws, including access, correction, deletion, restriction, portability, objection, and withdrawal of consent.
“Personal Data” has the meaning assigned to it under Applicable Data Protection Laws.
“Processing” has the meaning assigned to it under Applicable Data Protection Laws.
“Sub-processor” means any third party engaged by Leadoro to Process Customer Personal Data.
“SCCs” means the Standard Contractual Clauses of the European Commission (2021).
“UK Addendum” means the UK Addendum to SCCs issued by the UK Information Commissioner.
“Data Transfer” means transfer of Personal Data from Customer (subject to EEA/UK/Swiss laws) to a country outside those regions.
The terms “Sell,” “Share,” “Business Purpose,” and similar expressions shall be interpreted per US state privacy laws.
2. Scope
- This DPA applies to Leadoro’s Processing of Customer Personal Data under the Agreement.
- Customer acts as Data Controller. Customer is responsible for compliance with Controller obligations, including lawful collection, notices, and consents.
- If Customer acts as a Data Processor for a Third-Party Controller, Customer represents that it has obtained all required permissions and is solely responsible for flow-down obligations.
3. Processing of Customer Personal Data
- Leadoro will Process Customer Personal Data only per Customer’s documented instructions.
- Customer’s instructions include this DPA, the Agreement, and any written instructions submitted to Leadoro.
- Under US State Laws (e.g., CCPA):
Leadoro will not:
- Sell or Share Customer Personal Data
- Use Customer Personal Data for purposes other than the Services
- Combine Customer Personal Data with third-party data unless permitted by law
- If Leadoro becomes subject to a legal requirement conflicting with Customer instructions, Leadoro will notify Customer unless prohibited by law.
4. Personnel
Leadoro ensures that personnel accessing Customer Personal Data are under confidentiality obligations and access only what is necessary.
5. Security
- Leadoro will implement appropriate technical and organizational measures (“TOMs”) to protect Customer Personal Data.
- Leadoro will assess risks arising from Processing, including risks of Personal Data Breach.
- In the event of a security risk or incident, the relevant Customer will be notified.
Leadoro may take preventive actions, including deletion of unlawful/unauthorized data, and Leadoro bears no liability for such deletions if they were required for compliance.
6. Sub-processing
- Customer authorizes Leadoro to use Sub-processors.
A list is available at: https://compliance.leadoro.net/
- Sub-processors are bound by agreements ensuring equal obligations as in this DPA.
- Leadoro will notify Customer before adding or replacing a Sub-processor. Customer may object within 30 days. If no resolution is achieved, either party may terminate the affected Services.
7. Data Subject Rights
- Leadoro will assist Customer in responding to Data Subject rights requests.
- Leadoro will:
a. Notify Customer if it receives a Data Subject request relating to Customer Personal Data
b. Not respond except under Customer’s instructions or legal obligation
8. Personal Data Breach
- Leadoro will notify Customer without undue delay after becoming aware of a Personal Data Breach.
- Leadoro will assist with investigation, mitigation, remediation, and notifications required by law.
9. Data Protection Impact Assessments
Leadoro will assist Customer with DPIAs and prior consultations with authorities where required and only regarding Processing performed by Leadoro.
10. Deletion or Return of Customer Personal Data
- This DPA terminates with the Agreement.
- Customer may request return of Customer Personal Data for 90 days after termination.
Leadoro will delete remaining Personal Data within 180 days unless required by law to retain it.
11. Audit Rights
- Leadoro will provide documentation to demonstrate compliance.
- Customer may conduct an audit or designate an independent auditor, provided it does not disrupt Leadoro’s operations. If no violations are found, Customer bears audit costs.
- Customer’s information rights apply only to the extent not already covered in the Agreement.
- Under CCPA, if Leadoro determines it cannot meet its requirements, it will notify Customer.
12. Data Transfers
Customer authorizes Leadoro to transfer Personal Data internationally using any lawful mechanism, including:
- Countries with adequacy decisions
- SCCs
- UK Addendum
- Standard safeguards
- Customer consent (where required)
- By entering this DPA, parties agree to the SCCs Module 2 (Controller–Processor) and Module 3 (Processor–Subprocessor).
- UK Addendum applies to transfers from the United Kingdom.
ANNEX I – Details of Processing
A. Parties
- Data Exporter: Customer
- Data Importer: Leadoro (acting as Processor or Sub-processor)
B. Description
Data Subjects: Individuals whose data Customer uploads or uses in Leadoro services.
Personal Data: Lead data, contact info, notes, attachments, CRM data, communication logs, and any other uploaded content.
Sensitive Data: Not expected. Customer must not upload such data unless expressly permitted by the Agreement.
Frequency: Continuous.
Purpose: Delivery of Services under the Agreement.
Retention: As per Section 10.
Sub-processors: As listed in Leadoro’s Sub-processor list.
C. Supervisory Authorities
Based on location of Data Subjects (EEA, UK, Switzerland, India, etc.)
ANNEX II – Technical and Organizational Measures (TOMs)
Leadoro maintains robust security measures, including:
Physical Access Control
- Restricted facilities
- Access badges
- Security zones and logging
Virtual Access Control
- Strong authentication
- Password/credential policies
- Session timeout
- MFA (where applicable)
Data Access Control
- Role-based access
- Logging and monitoring
- Encryption at rest and in transit
Data Transmission Control
- TLS encryption
- Secure APIs
- Encrypted backups
Input & Change Logging
- Detailed audit trails
- Change management processes
Instruction Control
- Binding contracts
- Formal instruction channels
Availability & Resilience
- Backups
- Disaster recovery plan
- Redundancy
Separation of Processing
- Logical separation of customer data
- Separate environments for testing and production
Testing & Evaluation
- Regular security testing
- Vulnerability scanning
- Penetration testing (internal/external)
IT Governance
- Data minimization
- Retention policies
- Security policies and awareness training