Introduction and scope
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service between Customer and Codas Labs, LLC, doing business as LeadTale (“LeadTale”) and applies when LeadTale processes Customer Personal Data on Customer’s behalf in the course of providing the Service.
This DPA reflects the parties’ agreement regarding compliance with the EU General Data Protection Regulation (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK Data Protection Laws”), the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and other applicable US state privacy laws (collectively, “Data Protection Laws”). In the event of a conflict between this DPA and the Terms of Service, this DPA prevails solely with respect to the processing of Customer Personal Data.
Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Laws.
“Customer Personal Data” means Personal Data that LeadTale processes on behalf of Customer in the course of providing the Service.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in the GDPR.
“Subprocessor” means any third party engaged by LeadTale to process Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Decision 2021/914 and, where applicable, the UK International Data Transfer Addendum issued by the UK Information Commissioner.
Roles and responsibilities
The parties acknowledge that, with respect to the Processing of Customer Personal Data in the course of providing the Service:
- Customer is the Controller (or, where Customer is itself a Processor, the intermediate Processor acting on behalf of a third-party Controller).
- LeadTale is the Processor, processing Customer Personal Data on Customer’s documented instructions.
This DPA does not apply to LeadTale’s processing of business-contact information in the LeadTale database, which LeadTale processes as an independent Controller under the terms of the Privacy Policy. Additional detail about the sources and verification methods used for LeadTale Data is available on the Our Data page.
Customer is responsible for the lawful collection of Customer Personal Data, for obtaining all necessary consents and providing all required notices, and for determining the purposes and means of Processing.
Subject matter, nature, and duration
Subject matter: the provision of the Service as described in the Terms of Service, including data enrichment, verification, lookup, export, and related features.
Nature and purpose of processing: to provide, secure, support, and improve the Service for Customer.
Duration: for the term of the Customer’s Subscription and any post-term period during which LeadTale continues to hold Customer Personal Data for return or deletion, subject to applicable retention requirements.
Categories of Data Subjects: Customer’s employees and authorized users; business contacts (leads, prospects, customers) whose information Customer submits to the Service; and any other Data Subjects whose Personal Data Customer chooses to process using the Service.
Types of Personal Data: name, business email address, business phone number, job title, employer, professional profile identifiers, work location, and any other Personal Data Customer chooses to upload or enrich. Customer agrees not to use the Service to process special categories of Personal Data (for example, health, biometric, racial, or financial data) unless expressly agreed in writing.
Customer instructions
LeadTale will process Customer Personal Data only on Customer’s documented instructions, including as set out in this DPA, the Terms of Service, Customer’s configuration of the Service, and any additional written instructions accepted by LeadTale.
LeadTale will notify Customer if, in its opinion, an instruction violates Data Protection Laws. LeadTale may be required to process Customer Personal Data for its own legitimate business operations (such as billing, account management, and product improvement in de-identified or aggregated form), and to comply with legal obligations.
Confidentiality of personnel
LeadTale ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and receive training on data protection and security practices.
Security measures
LeadTale implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption of Customer Personal Data in transit and at rest.
- Role-based access controls, least-privilege access, and centralized secret management.
- Network segmentation, firewalling, and DDoS protection at the infrastructure layer.
- Audit logging, monitoring, and anomaly detection on production systems.
- Vulnerability scanning, dependency scanning, and regular security reviews.
- Incident response procedures and business continuity planning.
- Background checks and confidentiality agreements for personnel with data access.
Additional detail on LeadTale’s security program is available on the Security page. LeadTale may update its security measures from time to time, provided that any such update does not materially diminish the overall level of protection.
Subprocessors
Customer authorizes LeadTale to engage Subprocessors to process Customer Personal Data, provided that LeadTale:
- Imposes on each Subprocessor, by written contract, data protection obligations substantially equivalent to those in this DPA.
- Remains liable to Customer for each Subprocessor’s performance of its obligations.
- Maintains an up-to-date public list of Subprocessors at leadtale.com/subprocessors. Customer may subscribe to notifications of changes to the list by emailing privacy@leadtale.com.
- Provides Customer with at least 30 days’ prior notice (via the subscribable list and in-product notice) of any intended addition or replacement of a Subprocessor. Customer may object on reasonable data-protection grounds within 30 days of the notice; if the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service and receive a pro-rata refund of any prepaid, unused fees.
International data transfers
Customer Personal Data may be transferred to, and processed in, the United States and other countries where LeadTale or its Subprocessors operate. Where a transfer requires a valid transfer mechanism under Data Protection Laws, the parties agree that:
- For transfers from the European Economic Area subject to the GDPR, the EU Standard Contractual Clauses are incorporated by reference into this DPA, with Module Two (Controller to Processor) applying where Customer acts as Controller, and Module Three (Processor to Processor) applying where Customer acts as a Processor on behalf of a third-party Controller. Optional clauses of the SCCs apply as set out in Annex I.
- For transfers from the United Kingdom, the UK International Data Transfer Addendum (“IDTA”) issued by the UK Information Commissioner, with Tables 1–4 completed in Annex III, is incorporated by reference.
- For transfers from Switzerland subject to the Swiss Federal Act on Data Protection, the SCCs apply with references to the GDPR read as references to the FADP, references to “Member State” read as “Switzerland,” and the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.
- Docking clause. Additional parties may accede to the SCCs as data exporters or importers by executing the relevant Annex.
Where required, LeadTale will take supplementary technical, organizational, and contractual measures designed to ensure an essentially equivalent level of protection to that guaranteed in the European Economic Area or the United Kingdom.
Data subject rights
Taking into account the nature of the Processing, LeadTale will provide reasonable assistance to Customer, by appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects to exercise their rights under Data Protection Laws.
If LeadTale receives a Data Subject request relating to Customer Personal Data, LeadTale will promptly direct the Data Subject to Customer and will not respond to the request without Customer’s prior authorization, except as required by law.
Security incidents
LeadTale will notify Customer without undue delay and, in any event, within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent then known, a description of the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident. LeadTale will cooperate with Customer in investigating, mitigating, and remedying the incident. Notifications do not constitute acknowledgment of fault or liability.
Data protection impact assessments
Upon Customer’s reasonable request, LeadTale will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Laws, taking into account the nature of the Processing and the information available to LeadTale.
Audits
LeadTale will make available to Customer, on request, the information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, policies, third-party attestations, and responses to industry-standard security questionnaires. Once LeadTale obtains a SOC 2 Type II report (or equivalent recognized independent attestation), LeadTale’s then-current report will satisfy Customer’s audit rights under this DPA as primary evidence of compliance.
Where required by Data Protection Laws and not more than once per calendar year, Customer may conduct, or appoint a mutually-agreed independent third party (bound by equivalent confidentiality obligations) to conduct, an audit of LeadTale’s compliance with this DPA, limited to what the then-current SOC 2 Type II (or equivalent) attestation does not adequately address. Audits must be conducted during normal business hours, with at least 30 days’ prior written notice, in a manner that does not disrupt LeadTale’s operations, and subject to reasonable confidentiality obligations. Customer bears its own costs for audits; LeadTale’s reasonable costs of supporting the audit may be charged to Customer.
More frequent audits may occur only in response to a documented Personal Data Breach or a regulator’s specific written request.
Return and deletion
Upon termination of the Service or on Customer’s written request, LeadTale will, at Customer’s option, return or delete Customer Personal Data from active production systems within thirty (30) days. Backups containing Customer Personal Data will expire in accordance with LeadTale’s standard backup retention schedule, and in no event later than ninety (90) days after termination or written request. Where retention is required by law, LeadTale will continue to protect the information in accordance with this DPA and delete it once the retention requirement ends.
US state privacy laws
This section applies where Customer is a business and LeadTale processes Customer Personal Data on its behalf under:
- California Consumer Privacy Act, as amended by the CPRA (“CCPA”).
- Virginia Consumer Data Protection Act (“VCDPA”).
- Colorado Privacy Act (“CPA”).
- Connecticut Data Privacy Act (“CTDPA”).
- Utah Consumer Privacy Act (“UCPA”).
- Texas Data Privacy and Security Act (“TDPSA”).
- Oregon, Montana, Delaware, Iowa, New Hampshire, and New Jersey consumer-privacy laws effective in or after 2026.
- Other US state consumer-privacy laws of substantially similar scope as enacted.
The obligations below operate as the “service provider,” “processor,” or analogous obligations required by each of those laws, as applicable:
- LeadTale will not sell or share Customer Personal Data.
- LeadTale will not retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties or for any purpose other than the specific purpose of providing the Service (including for the business’s operational purposes permitted by law).
- LeadTale will not combine Customer Personal Data with Personal Data obtained from other sources except as permitted under applicable law to provide the Service to Customer.
- LeadTale will not use Customer Personal Data to perform cross-context behavioral advertising or targeted advertising.
- LeadTale will notify Customer promptly if it determines that it can no longer meet its obligations under applicable US state privacy laws, and Customer may, on reasonable notice, take steps to stop and remediate unauthorized use of Customer Personal Data.
- Subprocessors engaged under this DPA are bound by contractual obligations substantially equivalent to those in this section and are treated as “service providers” / “processors” under each such law as applicable.
For the avoidance of doubt, this Section applies solely to LeadTale’s role as a processor of Customer Personal Data. LeadTale’s role as an independent business in operating the LeadTale database is governed by the Privacy Policy.
Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set forth in the Terms of Service, including the data-breach super-cap in Section 13 of the Terms of Service (3× the fees paid or payable in the twelve (12) months immediately preceding the event giving rise to the claim) for claims arising from a Personal Data Breach caused by LeadTale’s breach of its security obligations under this DPA.
The carveouts in the Terms of Service (including gross negligence, willful misconduct, and fraud) apply equally to claims under this DPA.
Changes to this DPA
LeadTale may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, Subprocessor arrangements, or LeadTale’s processing operations. When we make material changes, we will notify Customer via email or in-product notice before the changes take effect.
EU and UK Representatives
Where required by Article 27 of the GDPR, LeadTale has appointed a representative in the European Union:
[EU REPRESENTATIVE NAME — to be appointed]
[Address]
[Contact email]
Where required by Article 27 of the UK GDPR, LeadTale has appointed a representative in the United Kingdom:
[UK REPRESENTATIVE NAME — to be appointed]
[Address]
[Contact email]
Data subjects in the EU or UK may contact the relevant representative on matters concerning the processing of their Personal Data, in addition to contacting LeadTale directly at privacy@leadtale.com.
Annexes incorporated by reference
The following annexes form an integral part of this DPA. A complete copy (including Customer details where applicable) is available on request to privacy@leadtale.com and is provided as part of any signed Data Processing Agreement executed at the Order Form stage.
Annex I — Description of processing
- Data exporter: Customer, as identified in the applicable Order Form.
- Data importer: Codas Labs, LLC (d/b/a LeadTale), a Delaware limited liability company, with offices in North Carolina, United States.
- Categories of data subjects, types of Personal Data, sensitive data (if any), frequency of transfer, nature of the processing, purpose, duration, and recipients: as set out in Section 4 (Subject matter, nature, and duration) of this DPA.
- Competent supervisory authority: the supervisory authority of the EU Member State in which the Customer’s EU Representative is established, or if the Customer has no EU establishment, the supervisory authority indicated in the Order Form.
- Optional clauses of the SCCs: Clause 7 (docking clause) applies; Clause 11(a) optional redress is not elected; Clause 17 option 1 (governing law: Ireland) applies for Module Two and Module Three; Clause 18(b) forum: the courts of Ireland.
Annex II — Technical and organizational measures
The technical and organizational security measures adopted by LeadTale to protect Customer Personal Data are described in Section 7 (Security measures) of this DPA and are incorporated here as Annex II. Additional detail is available on the Security page.
Annex III — List of Subprocessors and UK IDTA tables
The current list of approved Subprocessors is maintained at leadtale.com/subprocessors. For transfers subject to the UK IDTA, Tables 1–4 of the IDTA are populated using the data exporter and importer details from Annex I, the processing description from Annex I, the TOMs from Annex II, and the Subprocessor list from this Annex III.
Contact
Questions about this DPA? Reach LeadTale’s Data Protection Officer at dpo@leadtale.com, privacy inquiries at privacy@leadtale.com, or security matters at security@leadtale.com.