Data Processing Agreement

Last updated: April 12, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and LeadsGen (“Processor”) and governs the processing of personal data under the GDPR, UK GDPR, and applicable data protection laws. This DPA applies whenever LeadsGen processes personal data on behalf of a customer subscribed to a paid plan.

1. Definitions

  • Controller — the customer using LeadsGen who determines the purposes and means of processing personal data
  • Processor — LeadsGen, acting on the Controller's documented instructions
  • Data Subject — an identified or identifiable natural person whose personal data is processed
  • Personal Data — any information relating to a Data Subject as defined in Article 4 GDPR
  • Sub-processor — any third party engaged by LeadsGen to process personal data on Controller's behalf

2. Subject matter and duration

The subject matter of processing is the provision of the LeadsGen SaaS platform, including lead scraping, email verification, AI personalization, and cold email automation. Processing continues for the duration of the subscription plus a 90-day retention period after termination.

3. Nature and purpose of processing

LeadsGen processes personal data for the following purposes on Controller's instructions:

  • Storing Controller's account and workspace data
  • Executing lead generation jobs via n8n workflows
  • Storing scraped business contact data in Controller's workspace
  • Generating AI-personalized outreach content
  • Providing analytics, error logging, and audit trails

4. Categories of data subjects and personal data

Controller's personnel: name, email, password hash, IP address, device info, usage logs

Scraped business contacts: publicly available business name, address, phone, business email, website, social links, decision-maker name and role

Special categories: LeadsGen does not knowingly process special category data (health, political opinions, religious beliefs, etc.) and Controller warrants it will not upload such data.

5. Processor obligations

LeadsGen agrees to:

  1. Process personal data only on Controller's documented instructions (the Main Agreement and this DPA)
  2. Ensure persons authorized to process personal data are bound by confidentiality obligations
  3. Implement appropriate technical and organizational measures (see Section 9 below) to ensure a level of security appropriate to the risk
  4. Assist Controller in responding to Data Subject requests (access, rectification, erasure, portability, objection)
  5. Notify Controller without undue delay — and in any case within 48 hours — of any personal data breach
  6. Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations
  7. On termination, delete or return all personal data to Controller within 90 days, unless retention is required by law

6. Sub-processors

Controller grants LeadsGen general authorization to engage the following sub-processors, subject to the safeguards in Article 28(4) GDPR. We maintain written agreements imposing the same data protection obligations on each sub-processor.

Sub-processor           | Purpose                      | Location
Vercel Inc.             | Application hosting          | USA / global edge
Stripe Inc.             | Payment processing           | USA / Ireland
Resend Inc.             | Transactional email delivery | USA
OpenAI                  | AI content generation        | USA
Apify                   | Google Maps scraping         | Czech Republic (EU)
AnyMailFinder           | Email verification           | UK
Perplexity              | AI research layer            | USA
Sentry                  | Error monitoring             | USA / EU
cPanel hosting provider | MariaDB database             | Customer-selected region

LeadsGen will notify Controller at least 30 days before adding or replacing sub-processors. Controller may object to such changes and terminate the Agreement if the objection cannot be resolved.

7. International data transfers

Where personal data is transferred outside the EEA/UK to a country without an adequacy decision, LeadsGen relies on the European Commission's Standard Contractual Clauses (2021/914/EU) and UK IDTA where applicable. These clauses are incorporated by reference into this DPA.

8. Data subject rights

LeadsGen provides Controller with self-service tools at /legal/gdpr to respond to Data Subject requests, including:

  • Full data export in machine-readable JSON format
  • Permanent account and data deletion
  • Rectification via workspace settings
  • Suppression list for scraped contacts who request removal

For requests that cannot be fulfilled via self-service, LeadsGen will respond within 10 business days of Controller's written request.

9. Security measures

LeadsGen implements the following technical and organizational measures:

  • Encryption: TLS 1.2+ in transit; AES-256 for backups; bcrypt (cost 12) for passwords
  • Access control: role-based access (OWNER, ADMIN, MEMBER, VIEWER); admin 2FA required
  • Audit logging: all sensitive actions logged with actor, IP, user agent, 2-year retention
  • Webhook security: HMAC-SHA256 signatures on all inbound webhooks
  • Idempotency: all mutating operations support idempotency keys to prevent replay
  • Row-level locks: credit transactions use SELECT ... FOR UPDATE to prevent races
  • Rate limiting: per-IP and per-API-key throttling
  • Backups: daily encrypted off-site backups with 7-day retention
  • Incident response: documented 48-hour breach notification procedure
  • Vendor due diligence: annual review of all sub-processors

10. Audits

Controller may, upon 30 days' written notice and no more than once per year, audit LeadsGen's compliance with this DPA. Audits are conducted during business hours and must not disrupt operations. LeadsGen reserves the right to provide third-party audit reports (e.g. SOC 2) in lieu of on-site audits.

11. Liability and governing law

Liability for breaches of this DPA is subject to the limitations set out in the Main Agreement. This DPA is governed by the same law as the Main Agreement.

12. Signing this DPA

This DPA is automatically incorporated into every LeadsGen subscription. If you require a signed copy for your records or vendor management process, contact us at dpa@leadsgen.app and we will provide a countersigned PDF via DocuSign within 3 business days.


Disclaimer: this document is a template and must be reviewed by qualified legal counsel before production use.