Data Processing Agreement

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and SDR Agent ("Processor") for the provision of the SDR Agent platform (the "Service"). This DPA applies to all processing of personal data by the Processor on behalf of the Controller in connection with the Service. The Processor shall process personal data only to the extent necessary to provide the Service and in accordance with the Controller's documented instructions.

2. Data Processing Details

• Categories of data subjects: Business contacts (leads and prospects), end users of the Service, and team members of the Controller's organization.
• Types of personal data: Name, business email address, job title, company name, company domain, LinkedIn URL, IP address, and any additional data imported or generated through the Service.
• Purpose of processing: Lead sourcing and enrichment, email campaign creation and delivery, reply classification, meeting scheduling, analytics, and compliance reporting.
• Duration of processing: For the duration of the agreement between Controller and Processor, plus any retention period required by applicable law or as specified in the data retention policy.

3. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect personal data, including:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
• Row-level tenant isolation ensuring each Controller's data is logically separated from other tenants.
• Access controls with role-based permissions and multi-factor authentication for administrative access.
• Audit logging of all data access and modifications for accountability and forensic analysis.
• Regular vulnerability assessments and penetration testing of infrastructure.
• Automated backups with point-in-time recovery capability.

4. Sub-Processors

The Processor may engage sub-processors to assist in providing the Service. The Controller grants general authorization for the use of sub-processors, subject to the following conditions:

• The Processor will maintain an up-to-date list of sub-processors, currently including: Amazon Web Services (cloud infrastructure and compute), Stripe (payment processing), and AI model providers (email generation and classification).
• The Processor will impose equivalent data protection obligations on all sub-processors through written contracts.
• The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
• The Processor remains fully liable for the acts and omissions of its sub-processors.

5. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to data subject requests under applicable data protection laws, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor provides self-service tools for data export and deletion through the Service's Settings page. Where a data subject contacts the Processor directly, the Processor will promptly redirect the request to the Controller unless otherwise instructed. The Processor will respond to Controller assistance requests within 10 business days.

6. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach. The Processor will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

7. International Data Transfers

The Processor may transfer personal data to countries outside the Controller's jurisdiction only where appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms. The Processor will inform the Controller of any transfer and the safeguards applied.

8. Audits and Inspections

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. The Controller may conduct audits, including inspections, either directly or through a mandated third-party auditor, upon reasonable notice and during normal business hours. The Processor will cooperate with such audits and provide reasonable access to facilities, equipment, and records.

9. Termination and Data Return

Upon termination of the agreement, or upon the Controller's request, the Processor will, at the Controller's choice, return all personal data to the Controller in a structured, commonly used, machine-readable format or securely delete all personal data within 30 days. The Processor will certify deletion in writing upon request. The Processor may retain personal data only to the extent required by applicable law, in which case the data will remain subject to the protections of this DPA.

10. Contact

Questions about this Data Processing Agreement should be sent to legal@getcoldagent.com.