Leadbeam Data Protection Addendum

Last updated on 20/3/2025


This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms and Conditions, any Order, master services agreement, or other written or electronic agreement between LeadBeam, Inc. (“Processor” or “LeadBeam”) and the customer identified therein (“Controller” or “Customer”) that governs Customer’s access to and use of the Services (the “Agreement”).  Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement or, where applicable, the GDPR.

This DPA reflects the parties’ agreement with respect to the processing of Personal Data by LeadBeam on behalf of Customer in connection with the Services and is intended to satisfy the requirements of Article 28 of the GDPR and other applicable data protection laws.

In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA will control. Except as expressly modified by this DPA, the Agreement remains in full force and effect.

1. Definitions

  • “Applicable Data Protection Laws” means all laws, regulations, and regulatory requirements, to the extent applicable to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR and Data Protection Act 2018.
  • “Data Transfer” means a transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub-processor by the Processor.
  • “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • “Personal Data,” “Personal Data Breach,” “Process/Processing,” and “Supervisory Authority” have the meanings given in the GDPR.
  • “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • “SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries, as set out in Commission Implementing Decision (EU) 2021/914, as amended or replaced from time to time.
  • “Sub-processor” means a processor/sub-contractor appointed by the Processor for the provision of all or parts of the Services and that Processes the Personal Data as provided by the Controller.

2. Role of the Parties and Processing Instructions

  • For purposes of this DPA, Customer is the Controller and LeadBeam is the Processor.
  • LeadBeam will Process Personal Data only on documented instructions from Customer, including as set forth in the Agreement and this DPA, unless required to do so by Applicable Data Protection Laws.  In such case, LeadBeam will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  • Customer is responsible for (a) the accuracy, quality, and lawfulness of Personal Data and the means by which Customer acquired Personal Data; (b) establishing the legal basis for Processing; (c) providing all necessary notices to, and obtaining all necessary consents from, data subjects where required; and (d) ensuring its instructions to LeadBeam comply with Applicable Data Protection Laws.  LeadBeam has no obligation to obtain data subject consents on Customer’s behalf.
  • The Agreement, this DPA, and Customer’s configuration and use of the Services constitute Customer’s complete and final instructions to LeadBeam for Processing Personal Data.  LeadBeam will promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

3. Scope, Nature, and Duration of Processing

  • LeadBeam will Process Personal Data solely to provide, secure, support, and improve the Services, perform its obligations under the Agreement, and as otherwise instructed by Customer in accordance with this DPA.
  • The categories of Personal Data and data subjects are described in Annex I, Part B.
  • LeadBeam will Process Personal Data for the duration of the Agreement and any post-termination period during which LeadBeam provides transition assistance or performs deletion/return activities in accordance with Section 10.

4. Security

  • Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to data subjects, LeadBeam will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data as described in Annex II. LeadBeam may update such measures from time to time provided that such updates do not materially diminish the overall security of the Services.
  • LeadBeam will ensure that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations and receive appropriate training regarding data protection and security.

5. Sub-processors  

  • Customer generally authorizes LeadBeam to engage Sub-processors for the Processing of Personal Data. LeadBeam’s current Sub-processors are listed in Annex III.
  • LeadBeam will: (a) enter into a written contract with Sub-processors imposing data protection obligations no less protective than those set out in this DPA; and (b) remain responsible for each Sub-processor’s performance of its obligations and for any acts or omissions of such Sub-processor that cause LeadBeam to breach its obligations under this DPA.
  • LeadBeam will provide Customer with advance notice of any intended changes to Sub-processors, including the addition or replacement of Sub-processors, via email or by publishing updates to a Sub-processor page referenced in the DPA. Customer may object on reasonable, documented grounds relating to data protection within fifteen (15) days of such notice.  If the parties cannot resolve the objection in good faith within a reasonable time, Customer may, as its sole and exclusive remedy, terminate the affected Services by written notice and receive a pro rata refund of any prepaid fees for the terminated portion.

6. Assistance and Data Subject Requests

  • Taking into account the nature of the Processing, LeadBeam will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible, to enable Customer to respond to requests from data subjects to exercise their rights under Applicable Data Protection Laws. LeadBeam will promptly notify Customer if LeadBeam receives a request directly from a data subject, and will not respond to such request except on documented instructions from Customer or as required by law.
  • LeadBeam will, to the extent legally permitted, promptly inform Customer if LeadBeam receives a legally binding request from a governmental or regulatory authority relating to Personal Data Processed under this DPA and will, at Customer’s cost, provide reasonable cooperation to assist Customer in responding to such inquiries. 
  • LeadBeam will, taking into account the nature of the Processing and the information available to LeadBeam, provide reasonable assistance to Customer with data protection impact assessments and consultations with Supervisory Authorities, at Customer’s cost, as required by Applicable Data Protection Laws.

7. Controller’s Obligations

  • The Controller warrants that it has all necessary rights to provide the Personal Data to the Processor for the Processing to be performed in relation to the agreed Services. To the extent required by Data Privacy Laws, Controller is responsible for ensuring that it provides such Personal Data to Data Processor based on an appropriate legal basis allowing lawful processing activities, including ensuring that any necessary Data Subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such consent be revoked by the Data Subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor.
  • The Data Controller shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice. 
  • The Data Controller shall immediately advise the Data Processor in writing if it receives or learns of any: 
    • Complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data;
    • Request from one or more individuals seeking to access, correct, or delete Personal Data; 
    • Inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; and 
    • Any regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data.

8. Personal Data Breach

  • LeadBeam will notify Customer after becoming aware of a Personal Data Breach affecting Personal Data Processed by LeadBeam under this DPA, without undue delay and in any event within seventy-two (72) hours after becoming aware of the Personal Data Breach. Such notification may be provided in phases as information becomes available and will include information reasonably available to LeadBeam to assist Customer in meeting its breach notification obligations.
  • LeadBeam will take reasonable steps to mitigate the effects of the Personal Data Breach and to prevent a recurrence. LeadBeam’s notification of or response to a Personal Data Breach will not be construed as an acknowledgment of fault or liability.

9. Audits and Compliance

  • Upon reasonable written request no more than once annually, and subject to confidentiality obligations, LeadBeam will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, which may include third-party audit reports, certifications, or summaries thereof.
  • If such information is insufficient, Customer may conduct an onsite audit, directly or through an independent third-party auditor bound by confidentiality, during normal business hours, on reasonable prior written notice (at least fifteen (15) days), and in a manner that does not disrupt LeadBeam’s business or compromise the security or confidentiality of other customers’ data.  Audits are limited to facilities and records relevant to the Processing of Personal Data under this DPA.
  • Customer will bear its costs and LeadBeam’s reasonable costs associated with audits.  If an audit reveals a material non-compliance with this DPA, LeadBeam will promptly address such non-compliance at its own cost.

10. International Transfers

  • Where LeadBeam’s Processing involves an International Transfer of Personal Data originating in the EEA, the parties agree that the SCCs incorporated in Annex I (including the annexes and appendices completed therein) will apply and are hereby incorporated by reference, with Customer as the “data exporter” and LeadBeam as the “data importer.”

11. Return and Deletion of Personal Data

  • Upon termination or expiration of the Agreement, or upon Customer’s written request, LeadBeam will make available to Customer for thirty (30) days a copy of the Personal Data in a commonly used, machine-readable format.
  • Following the return period, LeadBeam will delete Personal Data within ninety (90) days, unless LeadBeam is required by law to retain some or all Personal Data (in which case LeadBeam will ensure the confidentiality of, and will not actively Process, the Personal Data other than as required by such law). Upon written request, LeadBeam will provide a written confirmation of deletion.
  • Deletion from backup systems will occur in accordance with LeadBeam’s standard backup deletion schedules.

12. Liability  

  • The parties agree that the limitations and exclusions of liability in the Agreement apply to all claims under this DPA and the SCCs (subject to any mandatory provisions of Applicable Data Protection Laws), taken in the aggregate with claims under the Agreement.
  • Nothing in this DPA limits a party’s liability for intentional misconduct or that cannot be limited under Applicable Data Protection Laws.

13. Miscellaneous

  • In case of conflict between this DPA and the Agreement as to the Processing of Personal Data, this DPA prevails.  In case of conflict between this DPA and the SCCs, the SCCs prevail for transfers governed thereby.
  • This DPA is governed by the governing law set forth in the Agreement, provided that the SCCs will be governed by the laws specified therein.
  • LeadBeam may modify this DPA as required to comply with Applicable Data Protection Laws or to reflect updates to the SCCs or other transfer mechanisms, with notice to Customer where required by law.

ANNEX I

STANDARD CONTRACTUAL CLAUSES

A. LIST OF PARTIES

Data exporter(s): The Customer identified in the Agreement and applicable Order.

Address: As set forth in the Order.

Contact person’s name, position, and contact details: As set forth in the Order.

Role (controller/processor): Controller

Data importer (Processor): LeadBeam, Inc.

Address: 2835 Brewster Ave Redwood City, CA, 94062-2830 United States

Contact details: privacy@leadbeam.ai

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

  • Categories of data subjects: Customer’s authorized users and such other end users whose Personal Data Customer submits to the Services.
  • Categories of personal data: Contact data (e.g., name, email, phone), account identifiers (e.g., username, user ID), usage and activity data, device and technical data, and any other Personal Data Customer elects to submit or configure within the Services.
  • Nature and purpose of Processing: Hosting, storage, transmission, enrichment, cleansing, standardization, analytics, support, security, and other Processing necessary to provide and improve the Services as described in the Agreement.
  • Retention: As set forth in Section 10 of this DPA and the Agreement.
  • Sub-processing: As described in Section 5 and Annex III.
  • Competent supervisory authority: Determined under Clause 13 of the SCCs based on the data exporter’s location.

Categories of personal data transferred

  • Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • No sensitive data collected.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

PART C - COMPETENT SUPERVISORY AUTHORITY

  • Data exporter is established in an EEA country.
  • The competent supervisory authority is as determined by application of Clause 13 of the EU SCCs.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES 

LeadBeam maintains an information security program aligned to ISO/IEC 27001:2022 and industry best practices, including without limitation:

• Security

  • Security Management System.
    • Organization. LeadBeam, Inc. designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.
    • Policies. Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data.  These policies are updated at least once annually.
    • Assessments. LeadBeam, Inc. engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
    • Risk Treatment. LeadBeam, Inc. maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.
    • Vendor Management. LeadBeam, Inc. maintains an effective vendor management program.
    • Incident Management. LeadBeam, Inc. reviews security incidents regularly, including effective determination of root cause and corrective action.
    • Standards. LeadBeam, Inc. operates an information security management system that complies with the requirements of ISO/IEC 27001:2022 standard.
  • Personnel Security.
    • LeadBeam, Inc. personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. LeadBeam, Inc. conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, including in relation to employment history and criminal records, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.
    • Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times. Personnel must acknowledge receipt of, and compliance with, LeadBeam, Inc.’s confidentiality, privacy and security policies. Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). LeadBeam, Inc.’s personnel will not process Customer Personal Data without authorization.
  • Access Controls
    • Access Management. LeadBeam, Inc. maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data to limit access to Customer Personal Data and systems storing, accessing or transmitting Customer Personal Data to properly authorized persons having a need for such access. Access reviews are conducted periodically to ensure that only those personnel with access to Customer Personal Data still require it.
    • Infrastructure Security Personnel. LeadBeam, Inc. has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. LeadBeam, Inc.’s infrastructure security personnel are responsible for the ongoing monitoring of LeadBeam, Inc.’s security infrastructure, the review of the Services, and for responding to security incidents.
    • Access Control and Privilege Management. LeadBeam, Inc.’s and Customer’s administrators and end users must authenticate themselves via a Multi-Factor authentication system or via a single sign on system in order to use the Services.
    • Internal Data Access Processes and Policies – Access Policy. LeadBeam, Inc.’s internal data access processes and policies are designed to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data. LeadBeam, Inc. designs its systems to only allow authorized persons to access data they are authorized to access based on principles of “least privileged” and “need to know”, and to prevent others who should not have access from obtaining access. LeadBeam, Inc. requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; a need to know basis; and must be in accordance with LeadBeam, Inc.’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies follow industry standard practices. These standards include password complexity, password expiry, password lockout, restrictions on password reuse and re-prompt for password after a period of inactivity.
  • Data Center and Network Security
    • Data Centers.
      • Infrastructure. LeadBeam, Inc. uses AWS as its data center.
      • Resiliency. Multi Availability Zones are enabled on AWS and LeadBeam, Inc. conducts Backup Restoration Testing on a regular basis to ensure resiliency.
      • Server Operating Systems. LeadBeam, Inc.’s servers are customized for the application environment and the servers have been hardened for the security of the Services. LeadBeam, Inc. employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.
      • Disaster Recovery. LeadBeam, Inc. replicates data over multiple systems to help to protect against accidental destruction or loss. LeadBeam, Inc. has designed and regularly plans and tests its disaster recovery programs.
      • Security Logs. LeadBeam, Inc.’s systems have logging enabled to their respective system log facility in order to support the security audits, and monitor and detect actual and attempted attacks on, or intrusions into, LeadBeam, Inc.’s systems.
      • Vulnerability Management. LeadBeam, Inc. performs regular vulnerability scans on all infrastructure components of its production and development environment.  Vulnerabilities are remediated on a risk basis, with Critical, High and Medium security patches for all components installed as soon as commercially possible.
  • Networks and Transmission.
    • Data Transmission. Data in the production environment is transmitted via Internet standard protocols.
    • External Attack Surface. An AWS Security Group, which is equivalent to a virtual firewall, is in place for the Production environment on AWS.
    • Incident Response. LeadBeam, Inc. maintains incident management policies and procedures, including detailed security incident escalation procedures. LeadBeam, Inc. monitors a variety of communication channels for security incidents, and LeadBeam, Inc.’s security personnel will react promptly to suspected or known incidents, mitigate harmful effects of such security incidents, and document such security incidents and their outcomes.
    • Encryption Technologies. LeadBeam, Inc. makes HTTPS encryption (also referred to as SSL or TLS) available for data in transit.
  • Data Storage, Isolation, Authentication, and Destruction. LeadBeam, Inc. stores data in a multi-tenant environment on AWS servers. Data, the Services database and file system architecture are replicated between multiple availability zones on AWS. LeadBeam, Inc. logically isolates the data of different customers. A central authentication system is used across all Services to increase uniform security of data. LeadBeam, Inc. ensures secure disposal of Client Data through the use of a series of data destruction processes.

ANNEX III

LIST OF SUB-PROCESSORS

The following Sub-processors may be engaged by LeadBeam to provide the Services, subject to Section 5:

| Name of Sub-processor | Description of Processing | Location of Other Processor |
| --- | --- | --- |
| Amazon Web Services | Hosting the Production Environment, Cloud Service Provider | North Virginia (us-east-1) |
| Deepgram, Inc. | Artificial Intelligence platform used to convert audio into text | United States of America |
| GitLab, Inc. | DevOps platform for source code management to continuous integration, delivery, & security. | United States of America |
| OpenAI, Inc. | Generative artificial intelligence tool used for conversational intelligence and data analysis | United States of America |
| Mixpanel, Inc. | Analytics Platform for tracking user behaviour | United States of America, United Kingdom |
| Figma, Inc. | Design tool used to collaborate on, and share designs for websites, mobile apps, and other digital products, with a focus on prototyping and interface design. | |
| Atlassian Corporation Plc | Streamline collaboration and project management | United States of America |
| Hubspot, Inc. | CRM platform for marketing, sales, customer service, and content management | United States of America |
| Firebase | Cross-platform app development | United States of America |
| Datadog | Cloud based monitoring and logging service | United States of America |
| Descope Inc | Customer identity and Access Management (CIAM) platform that helps simplify login flows, get a 360 degree view of identities and protect users with adaptive MFA. | United States of America |