Effective Date: March 11, 2026
To the extent that the Company processes personal data contained in leads, contacts, submissions, or other customer-provided data made available through the Services ("Customer Data"), the Customer acts as the Data Controller and the Company acts as the Data Processor, processing such Customer Data on behalf of and in accordance with the documented instructions of the Customer.
The Company shall process Customer Data solely for the purpose of providing, operating, maintaining, supporting, and securing the Services, including hosting, storage, display, organization, synchronization, search, filtering, deduplication, customer account management, technical support, and other processing activities necessary to deliver the functionality of the Services to the Customer.
The Customer represents and warrants that it has all necessary rights, permissions, and lawful bases required under applicable data protection laws to collect, transfer, and instruct the processing of Customer Data through the Services. The Customer is solely responsible for:
(a) the legality of the collection of Customer Data;
(b) providing all legally required notices to data subjects;
(c) obtaining any consents required under applicable law;
(d) responding to requests from data subjects; and
(e) ensuring that its use of the Services complies with applicable privacy and data protection laws.
The Company processes Customer Data only on the Customer's documented instructions, unless otherwise required by applicable law. The categories of personal data processed may include, depending on the Customer's use of the Services, names, phone numbers, email addresses, form contents, campaign-related lead information, communication records, status tags, notes, and other data submitted by or on behalf of the Customer. The categories of data subjects may include leads, prospects, customers, and other individuals whose data the Customer uploads or makes available through the Services.
The Company shall not sell Customer Data and shall not use Customer Data for its own independent marketing purposes. The Company shall not use Customer Data for any purpose other than providing the Services to the Customer, complying with legal obligations, enforcing its agreements, preventing fraud or security incidents, or as otherwise expressly agreed in writing with the Customer.
The Company may use service usage data, metadata, and operational data relating to the performance, reliability, and use of the Services for analytics, security, troubleshooting, and service improvement, provided that such use does not identify the Customer's individual leads or otherwise involve Customer Data in a manner inconsistent with applicable law. Where the Company uses aggregated or de-identified data, such data will not be used to identify any individual.
The Company shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures may include, where appropriate, access controls, authentication controls, encryption in transit and at rest, logging, tenant isolation, backup procedures, and internal confidentiality obligations.
The Company shall ensure that persons authorized to process Customer Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
The Customer authorizes the Company to engage subprocessors as reasonably necessary for the provision of the Services, including cloud hosting, infrastructure, support, communications, analytics, and security providers. The Company shall impose data protection obligations on subprocessors that are substantially similar to those set out herein and shall remain responsible for their processing to the extent required by applicable law.
Where Customer Data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions requiring transfer safeguards, the Company shall ensure that such transfers are subject to a lawful transfer mechanism under applicable data protection law, including adequacy decisions, standard contractual clauses, or other legally recognized safeguards, as applicable.
Taking into account the nature of the processing and the information available to the Company, the Company shall provide reasonable assistance to the Customer in relation to:
(a) requests by data subjects to exercise their rights under applicable data protection law;
(b) personal data breach notifications, where required;
(c) data protection impact assessments, where applicable; and
(d) consultations with supervisory authorities, where applicable.
Such assistance may be subject to reasonable administrative charges where permitted by law and where the request exceeds the standard functionality of the Services.
If the Company becomes aware of a personal data breach affecting Customer Data, the Company shall notify the Customer without undue delay and provide reasonably available information necessary for the Customer to meet any obligations under applicable law.
The Company shall retain Customer Data only for as long as necessary to provide the Services, comply with the Customer's instructions, and meet applicable legal, tax, accounting, or regulatory obligations. Upon termination of the Services or upon written request by the Customer, the Company shall delete or return Customer Data, unless retention is required by applicable law.
The Customer remains responsible for determining what Customer Data is submitted to the Services, for configuring user access permissions within its account, and for deleting Customer Data where necessary through the functionality made available by the Company.
Upon reasonable written request, the Company may make available information reasonably necessary to demonstrate compliance with its obligations under this section, including summaries of its technical and organizational measures. Any audit rights shall be exercised in a manner that does not unreasonably interfere with the Company's business operations, compromise the security or confidentiality of other customers, or require disclosure of confidential internal information.
Where required by applicable law, the parties may enter into a separate Data Processing Agreement ("DPA"). In the event of any conflict between this section and the DPA, the DPA shall prevail with respect to the processing of Customer Data.