Data Processing Agreement

Last updated: February 2026

1. Preamble

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between Prospecco ("Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") for the provision of the Prospecco data enrichment platform and related services (the "Agreement").

This DPA is incorporated into and subject to the terms and conditions of the Agreement. In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data.

The parties agree that this DPA shall apply where the Processor processes Personal Data on behalf of the Controller in connection with the provision of the services under the Agreement.

2. Definitions

In this DPA, the following terms shall have the meanings set out below. Capitalised terms not otherwise defined herein shall have the meanings given to them in the Agreement.

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (i) the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; (ii) Regulation (EU) 2016/679 (the "GDPR"); (iii) the Swiss Federal Act on Data Protection ("FADP"); and (iv) any other applicable data protection or privacy laws, in each case as amended, replaced, or superseded from time to time.
  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data and that has entered into the Agreement with the Processor, as defined in Applicable Data Protection Law.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "EEA" means the European Economic Area, which comprises the member states of the European Union together with Iceland, Liechtenstein, and Norway.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Agreement, as defined in Applicable Data Protection Law.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processing" (and "Process", "Processed", and "Processes") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Processor" means Prospecco, which processes Personal Data on behalf of the Controller in accordance with the Controller's instructions, as defined in Applicable Data Protection Law.
  • "Standard Contractual Clauses" or "SCCs" means (i) the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries; (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office; and (iii) any equivalent clauses approved under Swiss data protection law, in each case as amended, replaced, or superseded from time to time.
  • "Sub-processor" means any third party engaged by the Processor (or by any other Sub-processor of the Processor) to process Personal Data on behalf of the Controller in connection with the Agreement.

3. Processing of Personal Data

3.1 Roles of the Parties

The parties acknowledge and agree that with regard to the processing of Personal Data under this DPA, the Controller is the controller and the Processor is the processor, as those terms are defined in Applicable Data Protection Law.

3.2 Controller's Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The parties agree that this DPA, together with the Agreement and any written instructions provided by the Controller through the Processor's platform, constitute the Controller's complete and final instructions to the Processor in relation to the processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.

3.3 Notification of Infringement

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law. The Processor shall not be required to independently assess whether the Controller's instructions comply with Applicable Data Protection Law, but shall bring any reasonably apparent infringement to the Controller's attention.

3.4 Controller's Obligations

The Controller shall:

  1. Ensure that it has a lawful basis for the processing of Personal Data uploaded to or processed through the Prospecco platform, including any necessary consents or other legal grounds required under Applicable Data Protection Law.
  2. Provide all necessary notices to Data Subjects regarding the processing of their Personal Data, including information about any processing carried out by the Processor on the Controller's behalf.
  3. Ensure that instructions given to the Processor comply with Applicable Data Protection Law.
  4. Be responsible for the accuracy, quality, and legality of the Personal Data and the means by which the Controller acquired such Personal Data.

4. Rights of Data Subjects

4.1 Assistance with Requests

Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.

4.2 Direct Requests

If the Processor receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Controller, the Processor shall promptly redirect the request to the Controller and shall not respond to the Data Subject directly without the Controller's prior written authorisation, unless required by Applicable Data Protection Law.

4.3 Costs

The Processor may charge the Controller a reasonable fee for any assistance provided under this Section 4 that is beyond the scope of the standard functionality of the services, to the extent permitted by Applicable Data Protection Law.

5. Personnel

5.1 Confidentiality

The Processor shall ensure that all personnel who have access to or process Personal Data are subject to binding obligations of confidentiality with respect to such Personal Data. Such obligations shall survive the termination of the individual's engagement with the Processor.

5.2 Reliability and Training

The Processor shall take reasonable steps to ensure the reliability of any personnel who have access to Personal Data, and shall ensure that such personnel receive adequate training on data protection obligations relevant to the processing they perform.

5.3 Limited Access

The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the services under the Agreement.

6. Sub-processors

6.1 General Authorisation

The Controller provides a general written authorisation to the Processor to engage Sub-processors to process Personal Data on the Controller's behalf. The Sub-processors currently authorised by the Controller are listed in Exhibit D to this DPA.

6.2 Obligations Regarding Sub-processors

Where the Processor engages a Sub-processor, the Processor shall:

  1. Enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Applicable Data Protection Law.
  2. Remain fully liable to the Controller for the performance of the Sub-processor's obligations in relation to the processing of Personal Data.

6.3 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

6.4 Objection Mechanism

The Controller may object to a new or replacement Sub-processor by notifying the Processor in writing within 14 days of receiving notice of the change. The Controller's objection must be based on reasonable grounds relating to data protection. If the Controller objects, the Processor shall use commercially reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable alternative. If the Processor is unable to make such a change or alternative available within 30 days of receiving the Controller's objection, either party may terminate the affected services by providing written notice to the other party.

7. Security

7.1 Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Exhibit B to this DPA.

7.2 Updates to Security Measures

The Processor may update the security measures from time to time, provided that such updates do not result in a material degradation of the overall security of the services. The Processor shall document any material changes to the security measures and make such documentation available to the Controller upon request.

8. Personal Data Breach

8.1 Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

8.2 Information to Be Provided

The Processor's notification shall include, to the extent reasonably available:

  1. A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
  2. The name and contact details of the Processor's data protection officer or other contact point where more information can be obtained.
  3. A description of the likely consequences of the Personal Data Breach.
  4. A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.3 Cooperation

The Processor shall cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

8.4 Records

The Processor shall maintain a record of all Personal Data Breaches, comprising the facts relating to the breach, its effects, and the remedial action taken, and shall make such records available to the Controller upon request.

9. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities that the Controller is required to carry out under Applicable Data Protection Law, in each case solely in relation to the processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and the information available to the Processor.

10. Deletion or Return of Personal Data

10.1 Post-Termination Obligations

Upon termination or expiry of the Agreement, or upon the Controller's written request at any time, the Processor shall, at the Controller's election:

  1. Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  2. Delete all Personal Data in its possession or control, including all copies, backups, and archives thereof.

10.2 Timeline

The Processor shall complete the return or deletion of Personal Data within 30 days of the termination or expiry of the Agreement, or within 30 days of receiving the Controller's written request, whichever is earlier.

10.3 Certification

The Processor shall provide written certification to the Controller confirming the deletion of all Personal Data upon the Controller's request.

10.4 Retention Required by Law

The Processor may retain Personal Data to the extent required by Applicable Data Protection Law or other applicable law, provided that the Processor shall (i) inform the Controller of any such retention; (ii) limit the processing of such retained Personal Data to the purposes required by law; and (iii) continue to protect such Personal Data in accordance with this DPA.

11. Audit

11.1 Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor mandated by the Controller, subject to the provisions of this Section 11.

11.2 Audit Procedures

Audits shall be subject to the following conditions:

  1. The Controller shall provide the Processor with at least 30 days' prior written notice of any proposed audit or inspection.
  2. Audits shall be limited to once per calendar year, unless a Personal Data Breach has occurred or the Controller is required to conduct an audit by a supervisory authority.
  3. Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations.
  4. The Controller and any third-party auditor shall be subject to reasonable confidentiality obligations regarding any information obtained during the audit.
  5. The Controller shall bear its own costs in connection with any audit, except where the audit reveals a material breach of this DPA by the Processor.

11.3 Third-Party Audit Reports

Where the Processor has obtained third-party audit reports or certifications relevant to the security of its processing operations (such as SOC 2 Type II or ISO 27001), the Processor may make such reports or certifications available to the Controller in lieu of an on-site audit, provided that such reports or certifications are reasonably current and address the relevant processing operations.

12. Data Transfers

12.1 Transfer Mechanisms

The Processor shall not transfer Personal Data to a country outside of the United Kingdom, the EEA, or Switzerland unless appropriate safeguards are in place in accordance with Applicable Data Protection Law. Such safeguards may include:

  1. An adequacy decision by the relevant authority (including the UK Secretary of State, the European Commission, or the Swiss Federal Data Protection and Information Commissioner).
  2. Standard Contractual Clauses as defined in Section 2 of this DPA.
  3. Any other transfer mechanism approved under Applicable Data Protection Law.

12.2 Standard Contractual Clauses

To the extent that the processing of Personal Data involves a transfer from the EEA, the United Kingdom, or Switzerland to a third country that is not the subject of an adequacy decision, the parties agree that the Standard Contractual Clauses shall apply as set out in Exhibit C to this DPA.

12.3 Additional Safeguards

The Processor shall implement supplementary measures where necessary to ensure that Personal Data transferred to a third country benefits from a level of protection that is essentially equivalent to that guaranteed within the EEA, the United Kingdom, or Switzerland, taking into account the laws and practices of the third country of destination.

13. General

13.1 Precedence

In the event of any conflict or inconsistency between this DPA, the Standard Contractual Clauses (where applicable), and the Agreement, the following order of precedence shall apply: (i) the Standard Contractual Clauses; (ii) this DPA; (iii) the Agreement.

13.2 Severability

If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The parties shall endeavour to replace the invalid or unenforceable provision with a valid and enforceable provision that achieves, to the greatest extent possible, the economic, legal, and commercial objectives of the invalid or unenforceable provision.

13.3 Limitation of Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law to the extent that such limitations are not permitted by law.

13.4 Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of laws principles. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, subject to the mandatory provisions of Applicable Data Protection Law regarding jurisdiction.

13.5 Amendments

This DPA may not be amended or modified except by a written instrument signed by both parties, provided that the Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Law or supervisory authority guidance, with reasonable prior notice to the Controller.

Exhibit A: Details of Processing

A.1 Nature of Processing

The Processor will process Personal Data through automated means in connection with the provision of the Prospecco data enrichment platform. Processing activities include the automated collection, storage, organisation, retrieval, use, enrichment, verification, and deletion of Personal Data as necessary to deliver the services described in the Agreement.

A.2 Purpose of Processing

Personal Data is processed for the following purposes:

  • B2B data enrichment services, including finding and verifying professional email addresses, phone numbers, and other business contact information.
  • Company data enrichment, including enrichment of firmographic data, industry classifications, and publicly available company information.
  • Dataset management, including the storage, organisation, and management of datasets uploaded by the Controller.
  • AI-powered data analysis, including pattern recognition and data quality assessment.
  • Providing analytics, reports, and insights based on enrichment results.

A.3 Duration of Processing

Personal Data will be processed for the duration of the Agreement between the Controller and the Processor. Upon termination or expiry of the Agreement, the provisions of Section 10 (Deletion or Return of Personal Data) shall apply.

A.4 Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of Data Subjects:

  • Business contacts and prospects of the Controller (e.g., employees, officers, and representatives of the Controller's customers, prospective customers, and business partners).
  • Company officers, directors, and persons with significant control.
  • Other individuals whose Personal Data is uploaded to or processed through the Prospecco platform by the Controller.

A.5 Types of Personal Data

The Personal Data processed under this DPA may include the following types:

  • Contact information: Full name, professional email addresses, phone numbers (direct dial, mobile, office).
  • Professional information: Job title, department, role, seniority level.
  • Company information: Company name, registered address, industry, company size, company registration number, website URL.
  • Social and professional profiles: LinkedIn profile URLs and other professional network identifiers.
  • Enrichment metadata: Data quality scores, enrichment timestamps, verification status, data source identifiers.

No special categories of Personal Data (as defined in Article 9 of the GDPR) are intentionally processed under this DPA. The Controller shall not upload or otherwise make available to the Processor any special category data unless expressly agreed in writing.

Exhibit B: Security Measures

The Processor implements and maintains the following technical and organisational security measures in accordance with Section 7 of this DPA:

B.1 Organisational Management and Accountability

  • Designated personnel responsible for information security and data protection compliance.
  • Written information security policies and procedures, reviewed and updated at least annually.
  • Data processing agreements with all Sub-processors containing equivalent security obligations.
  • Regular risk assessments to identify and address security threats.

B.2 Information Security and Confidentiality

  • Encryption of Personal Data in transit using TLS 1.2 or higher.
  • Encryption of Personal Data at rest using AES-256 or equivalent encryption standard.
  • Secure key management practices with regular key rotation.
  • Confidentiality agreements for all personnel with access to Personal Data.

B.3 Physical Security Controls

  • Production infrastructure hosted with industry-leading cloud service providers (AWS, Cloudflare) that maintain comprehensive physical security controls including facility access controls, environmental protections, and redundant power systems.
  • Cloud service providers maintain SOC 2 Type II, ISO 27001, and other relevant security certifications.

B.4 Access Controls

  • Role-based access control (RBAC) to limit access to Personal Data to authorised personnel on a need-to-know basis.
  • Multi-factor authentication (MFA) required for all administrative and production system access.
  • Unique user accounts for all personnel; shared accounts are prohibited.
  • Prompt deprovisioning of access upon personnel departure or role change.
  • Regular access reviews to ensure appropriateness of access rights.

B.5 Data Recovery and Availability

  • Regular automated backups of all production data with tested recovery procedures.
  • Geographically distributed infrastructure to ensure availability and resilience.
  • Documented business continuity and disaster recovery plans.

B.6 Malicious Code Prevention

  • Automated vulnerability scanning and dependency monitoring.
  • Secure software development lifecycle practices, including code review and static analysis.
  • Timely application of security patches and updates.

B.7 Data Leak Prevention

  • Logical separation of customer data to prevent unauthorised cross-tenant access.
  • Monitoring and alerting for unusual data access patterns.
  • Restrictions on data export and transfer to unauthorised systems.

B.8 Logging and Monitoring

  • Comprehensive logging of access to systems containing Personal Data, including authentication events, data access, and administrative actions.
  • Centralised log management with appropriate retention periods.
  • Automated monitoring and alerting for security-relevant events.

B.9 Incident Management

  • Documented incident response procedures with defined escalation paths and response timelines.
  • Post-incident review process to identify root causes and implement corrective actions.
  • Notification procedures in accordance with Section 8 of this DPA.

B.10 Network Security

  • Network-level firewalls and intrusion detection/prevention systems.
  • DDoS mitigation through Cloudflare's global edge network.
  • Regular penetration testing and security assessments.
  • Segmented network architecture to isolate production systems.

B.11 Employee Security Training

  • Security awareness training for all personnel upon onboarding and at least annually thereafter.
  • Specialised training for personnel with elevated access to Personal Data or production systems.
  • Training on recognising and reporting security incidents, including phishing and social engineering attacks.

Exhibit C: Standard Contractual Clauses

C.1 EEA Transfers

For transfers of Personal Data from the EEA to a country outside the EEA that is not the subject of an adequacy decision by the European Commission, the parties agree that the Standard Contractual Clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 shall apply, as follows:

  • Module Two (Controller to Processor) shall apply where the Controller transfers Personal Data to the Processor.
  • Module Three (Processor to Sub-processor) shall apply where the Processor transfers Personal Data to a Sub-processor.
  • Clause 7 (Docking clause): The optional docking clause shall apply to allow additional controllers or processors to accede to the SCCs.
  • Clause 9 (Use of sub-processors): Option 2 (general written authorisation) shall apply, with a 30-day prior notice period for changes to Sub-processors.
  • Clause 11 (Redress): The optional language shall not apply.
  • Clause 17 (Governing law): The SCCs shall be governed by the law of the EU Member State in which the Controller is established, or, if the Controller is not established in an EU Member State, by the laws of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): The courts of the EU Member State in which the Controller is established, or, if the Controller is not established in an EU Member State, the courts of Ireland.

C.2 UK Transfers

For transfers of Personal Data from the United Kingdom to a country outside the UK that is not the subject of adequacy regulations, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum"), issued by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018, shall apply in addition to the SCCs described in Section C.1 above. Where the UK Addendum applies:

  • Table 1 of the UK Addendum shall be deemed completed with the details of the parties set out in this DPA and the Agreement.
  • Table 2 of the UK Addendum shall reference the SCCs described in Section C.1, including the selected modules and optional clauses.
  • Table 3 of the UK Addendum shall be deemed completed with the processing details set out in Exhibit A and the Sub-processor details set out in Exhibit D.
  • Table 4 of the UK Addendum (Ending this Addendum when the Approved Addendum changes): neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

C.3 Swiss Transfers

For transfers of Personal Data from Switzerland to a country outside Switzerland that is not the subject of an adequacy decision by the Swiss Federal Data Protection and Information Commissioner, the SCCs described in Section C.1 shall apply with the following modifications:

  • References to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Federal Act on Data Protection ("FADP").
  • References to "EU", "Union", and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as applicable.
  • The competent supervisory authority under Clause 13 of the SCCs shall be the Swiss Federal Data Protection and Information Commissioner.
  • The SCCs shall be governed by Swiss law, and disputes shall be resolved before the courts of Switzerland.

Exhibit D: Sub-processors

The following Sub-processors are authorised by the Controller as of the effective date of this DPA. The Processor shall notify the Controller of any changes in accordance with Section 6.3.

Sub-processor                           Location                      Purpose of Processing
Convex, Inc.                            United States                 Backend database, real-time data synchronisation, and serverless function execution
Cloudflare, Inc.                        Global (EU and US regions)    Web application hosting, content delivery network (CDN), edge computing, and DDoS protection
Stripe, Inc.                            United States                 Payment processing, subscription management, and billing
Google LLC (Google Cloud / Google AI)   United States                 AI-powered data analysis, pattern recognition, and data quality assessment via Google Generative AI
Better Auth                             European Union                User authentication, session management, and single sign-on (SSO) services

The Controller acknowledges that the Sub-processors listed above may themselves use sub-processors. The Processor shall ensure that all Sub-processors (and their sub-processors) are bound by data protection obligations consistent with this DPA.

14. Contact

For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact us at support@prospecco.com.