Data Processing Agreement (DPA)

Last Updated: January 20, 2026

GDPR Compliance: This Data Processing Agreement (DPA) is entered into accordance with Article 28 of the General Data Protection Regulation (GDPR) and applies to all personal data processing performed by LeadDeus.io on behalf of our customers.

1. Definitions

For the purposes of this DPA:

  • "Controller": You, the customer, who determines the purposes and means of processing personal data.
  • "Processor": LeadDeus.io, which processes personal data on behalf of the Controller.
  • "Personal Data": Email recipient data uploaded by you (email addresses, names, custom fields).
  • "Processing": Any operation performed on Personal Data (storing, sending emails, tracking, etc.).
  • "Data Subject": Email recipients whose personal data is processed.
  • "Sub-processor": Third parties engaged by LeadDeus.io to assist in processing.
  • "GDPR": EU General Data Protection Regulation (EU) 2016/679.

2. Scope and Applicability

2.1 Roles

  • You act as the Data Controller for all email recipient data
  • LeadDeus.io acts as the Data Processor
  • This DPA supplements our Terms of Service

2.2 Types of Personal Data Processed

  • Email addresses
  • Names (first name, last name)
  • Custom fields (company, job title, location, etc.)
  • Email engagement data (opens, clicks, replies)
  • Unsubscribe and bounce status

2.3 Categories of Data Subjects

  • Business contacts (B2B)
  • Prospects and leads
  • Customers and clients
  • Any individuals whose data you upload to the Platform

3. Controller's Instructions

LeadDeus.io will process Personal Data only:

  • On your documented instructions (via Platform UI or API)
  • For the purposes specified in our Terms of Service
  • In accordance with applicable data protection laws

Your Instructions Include:

  • Uploading and storing recipient lists
  • Sending email campaigns
  • Tracking email engagement
  • Managing unsubscribes and bounces
  • Exporting or deleting data

If we believe an instruction violates GDPR or other laws, we will inform you immediately.

4. Controller's Obligations

As the Data Controller, you are responsible for:

  • Lawful basis: Ensuring you have a legal basis to process recipient data (consent, legitimate interest, contract)
  • Consent: Obtaining proper consent from recipients (double opt-in recommended)
  • Transparency: Informing recipients about data processing in your privacy policy
  • Rights requests: Handling data subject requests (access, deletion, portability)
  • Data quality: Ensuring data is accurate and up-to-date
  • Unsubscribes: Honoring unsubscribe requests within 10 business days
  • Compliance: Complying with GDPR, CAN-SPAM, CASL, and other applicable laws

5. Processor's Obligations

5.1 Confidentiality (Art. 28(3)(b))

  • All personnel with access to Personal Data are bound by confidentiality obligations
  • Access is granted on a need-to-know basis only
  • Employees sign confidentiality agreements

5.2 Security Measures (Art. 32)

We implement appropriate technical and organizational measures:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access controls: Role-based access, multi-factor authentication
  • Data segregation: Your data is isolated from other customers
  • Regular backups: Encrypted backups with 30-day retention
  • Vulnerability management: Regular security audits and penetration tests
  • Incident response: 24/7 monitoring and breach notification procedures

5.3 Sub-processors (Art. 28(2))

We may engage the following sub-processors:

Sub-processor Service Location
Google LLC Gmail API, Email sending USA (SCCs in place)
Render Services Inc. Cloud hosting EU (Frankfurt)
PostgreSQL Database hosting EU (Frankfurt)
OpenRouter / Anthropic AI email generation USA (SCCs in place)

We will:

  • Notify you of any changes to sub-processors (via email, 30 days' notice)
  • Ensure all sub-processors sign DPAs with equivalent protections
  • Remain liable for sub-processor compliance

5.4 Data Subject Rights (Art. 28(3)(e))

We will assist you in responding to data subject requests:

  • Access: Provide tools to export recipient data (CSV, JSON)
  • Rectification: Allow you to update or correct data
  • Erasure: Enable deletion of individual recipients or campaigns
  • Portability: Export data in machine-readable formats
  • Restriction: Pause processing for specific recipients

If a data subject contacts us directly, we will forward the request to you within 2 business days.

5.5 Breach Notification (Art. 33-34)

In the event of a personal data breach:

  • We will notify you within 72 hours of becoming aware
  • Notification will include: nature of breach, affected data, potential impact, mitigation measures
  • We will assist you in fulfilling your notification obligations to supervisory authorities and data subjects

5.6 Data Protection Impact Assessment (Art. 35)

If requested, we will provide information to assist you in conducting DPIAs.

5.7 Audits and Inspections (Art. 28(3)(h))

You have the right to:

  • Request information about our security measures
  • Conduct audits (with reasonable notice, max once per year)
  • Review our security certifications (ISO 27001, SOC 2 - if applicable)

6. International Data Transfers

Personal Data is primarily stored in the EU (Frankfurt, Germany).

For transfers to third countries (USA), we use:

  • Standard Contractual Clauses (SCCs): Approved by EU Commission
  • Additional safeguards: Encryption, access controls, contractual obligations
  • Transfer Impact Assessment: Conducted for all third-country transfers

7. Data Retention and Deletion

7.1 Retention

  • Personal Data is retained as long as you keep campaigns active
  • You can delete data at any time via Platform UI or API

7.2 Deletion Upon Termination

  • Within 30 days of account closure, all Personal Data will be deleted
  • Backups will be deleted within 90 days
  • We will provide written confirmation of deletion upon request

7.3 Legal Retention

We may retain data longer if required by law (e.g., tax records, legal holds).

8. Liability and Indemnification

  • Each party is liable for its own GDPR violations
  • LeadDeus.io is liable for violations caused by our failure to meet Processor obligations
  • You are liable for violations related to lack of consent, unlawful instructions, or Controller obligations
  • Total liability is subject to limitations in our Terms of Service

9. Term and Termination

  • This DPA is effective as of your account creation date
  • It remains in effect as long as we process Personal Data on your behalf
  • Upon termination of Services, this DPA terminates after all data is deleted (max 90 days)

10. Amendments

  • We may update this DPA to reflect legal changes or new sub-processors
  • Material changes will be notified via email (30 days' notice)
  • If you object to changes, you may terminate the Services

11. Governing Law

  • This DPA is governed by EU law and the laws of Germany
  • GDPR provisions take precedence in case of conflict
  • Disputes will be resolved in Frankfurt, Germany

12. Contact for DPA Matters

For questions or concerns about data processing:

✓ GDPR Compliant: This DPA meets the requirements of Article 28 GDPR and ensures that personal data is processed lawfully, fairly, and transparently.
Related Documents: