This Data Processing Agreement (“DPA”) is made as of the commencement date of the trial period and shall be considered fully terminated as of the termination date of the trial period, fourteen (14) days after the start of the trial period.
It is entered into in accordance with Applicable Data Protection Laws (as defined below, “DP Laws”). While providing a Trial Agreement to the Customer, Lead Forensics may process Personal Data on behalf of the Customer.
The parties agree to comply with the provisions of this DPA regarding Personal Data processed under the Trial Agreement. By signing the Trial Agreement, the Customer enters the terms of this DPA on behalf of itself and its affiliates if and to the extent Lead Forensics processes Personal Data for such affiliates.
1. Introduction
1.1 This DPA sets out the provisions concerning Personal Data and the Trial Agreement that will apply between the parties. For the purposes of DP Laws, Lead Forensics shall always be a Data Processor, and the Customer shall be a Data Controller.
2. Definitions
2.1 The terms in this DPA shall have the following meanings:
a. “Data Controller”,“Data Processor”,“Data Subject”,“Personal Data”,“Personal Data Breach”, and“Processing”shall each have the meanings ascribed to them under the DP laws.
b. “Customer Data” shall mean the applicable personal data processed as part of the Trial DPA set out in Appendix A.
c. “DP Laws”means, to the extent applicable to the activities or obligations of the parties under or pursuant to this trial, which shall include the EU GDPR, the UK GDPR, and the Data Protection Act 2018.
d. “EU GDPR”or “UK GDPR” means the European Union General Data Protection Regulation 2016/679, and the “UK GDPR”is defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
e. “ICO”means the Information Commissioner’s Office.
f. “Standard Contractual Clauses”means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as adapted for the UK or such alternative as may be approved by the European Commission or by the UK from time to time.
g. “Sub-Processors”means approved sub-processors appointed by Lead Forensics to process Personal Data as part of the Trial, which shall be deemed to include those cited in Annex C Sub-Processors.
h. “Third Country” means a country in respect of which there has not been an Adequacy Decision.
i. “Trial Agreement”means potential customer deploys the Lead Forensics code on their website for a limited time at no cost to experience the prospective value and benefits.
j. “UK Addendum”means the ICO’s addendum to the Standard Contractual Clauses issued in accordance with section 119A of the Data Protection Act 2018.
3. Instruction to Process
3.1 Lead Forensics will only use Personal Data in accordance with the Customer’s instructions (which may be specific or general) to perform the Trial Agreement in accordance with this trial, except to the extent Lead Forensics is required by DP Laws to process or share that Personal Data. In this case, Lead Forensics shall inform the Customer of that requirement unless the law prohibits this on important grounds of public interest.
3.2 Notwithstanding any other provision in this DPA, Lead Forensics may process Customer Data for analysis as part of the Trial Agreement, including creating, compiling, and producing aggregated data sets and/or statistics to assist Customers’ reporting, provided that such aggregated datasets and statistics will not enable any living individual to be identified.
3.3 If the Customer is based in a country that does not have an adequacy decision with the US and is contracting with Lead Forensics, Inc., an international safeguard mechanism will be required for the transfer of personal data. The Customer will need to contact [email protected].
4. Personal Data
4.1 The processing particulars are set out in Appendix A of this DPA.
4.2 The duration of the Personal Data processing shall be limited to fourteen (14) days from the commencement date.
5. Security of Processing
5.1 Technical and Organisational Measures
5.1.1 Lead Forensics shall implement and maintain technical and organisational measures in the context of processing Personal Data to ensure a level of security appropriate to the risk. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (Personal Data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
5.1.2 The Customer shall review the Technical and Organisational Measures (Appendix B). The Technical and Organisational Measures provided are subject to review and further development. The supplier may implement a revised version without reducing the security level. It shall provide the Customer with an updated copy as soon as reasonably practicable.
5.2 Access and Confidentiality
5.2.1 Lead Forensics shall ensure that personnel with access to Customer data for the performance of this trial is limited, and such personnel are subject to contractual terms of confidentiality.
5.3 Personal Data Breach
5.3.1 Lead Forensics shall notify the Customer without undue delay and, in any event, within 48 hours upon becoming aware of a Personal Data Breach impacting the Customer’s Personal Data.
5.3.2 Lead Forensics shall assist the Customer in notifying the Personal Data Breach to the competent supervisory authority/ies unless DP laws do not require such notification.
6. Sub-Processors
6.1 Lead Forensics may continue to use any sub-processors already engaged by Lead Forensics as part of the Trial Agreement prior to the effective date of this DPA.
6.2 Personal Data may be fulfilled by an approved sub-processor outside the UK and European Economic Area that is not subject to a competent binding adequacy decision. For any such sub-processing, Lead Forensics shall (i) participate in a valid data transfer mechanism under the DP Law and (ii) take such steps as are required by the DP Laws (which may include the implementation of the IDTA, the Standard Contractual Clauses together with, to the extent the UK GDPR applies to the relevant transfer, the UK Addendum, or any successor standard contractual clauses adopted by the ICO) to ensure that the level of protection afforded to the Personal Data is equivalent to the level of protection required by the DP Laws of the UK and/or European Union (as applicable) and the transfer is otherwise compliant with the DP Laws.
6.3 Lead Forensics shall not introduce/change a sub-processor during this trial without informing the Customer of such intention.
6.4 Lead Forensics shall remain liable to the Customer for the performance of the sub-processor in accordance with this DPA.
6.5 Lead Forensics shall have a contract with the sub-processor that offers substantially the same level of protection for Personal Data as those set out in this DPA.
7. Assistance to the Customer
7.1 Lead Forensics shall inform the Customer if, in its opinion, the Customer’s instructions could infringe DP laws.
7.2 Insofar as the Customer is subject to an inspection by a competent supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the personal data processed by the Supplier, the Supplier shall make every reasonable effort to support the Customer.
7.3 Data Subject Rights
7.3.1 Lead Forensics will promptly notify the Customer of any request it has received from a data subject. Lead Forensics will not respond to the request itself unless authorised to do so.
7.4 Lead Forensics shall assist the Customer in fulfilling its obligations to respond to the data subject’s requests to exercise their rights, taking into account the nature of the processing.
7.5 Data Protection Impact Assessment
7.5.1 Lead Forensics will provide reasonable assistance to the Customer concerning any data protection impact assessments required under Articles 35 or 36 of EU/UK GDPR or equivalent DP Laws, taking into account the nature of the data processing.
7.6 Audit Rights
7.6.1 Lead Forensics shall allow the Customer to audit compliance with its obligations under this DPA upon giving reasonable written notice. The Customer shall bear the costs of such an audit. If the Customer mandates a third party to conduct the audit on its behalf, the third-party auditor shall agree to comply with a Non-Disclosure Agreement issued by Lead Forensics.
7.6.2 An audit may only be carried out concerning the Customer’s Personal Data processed by Lead Forensics as defined in Appendix A and as relevant to the Customer’s processing activities.
8. General Obligations on the Customer
8.1 The Customer agrees to comply with DP Laws concerning its obligations as a Data Controller of the Personal Data.
8.1.1 The Customer shall be responsible for ensuring that any notification is provided to Data Subjects, that any required consent is obtained, and that there is a lawful basis, in accordance with DP laws, for the Personal Data that Lead Forensics is instructed to process.
8.2 Lawful Jurisdiction. The laws of England and Wales shall govern this DPA.
8.3 A Data Subject may bring legal proceedings against Lead Forensics or the Customer before the courts of the Member State in which they have their habitual residence. .
8.4 Lead Forensics and the Customer are compelled to the jurisdiction of such courts.
9. Commencement and Termination
9.1 Personal Data, processed on behalf of the customer for this trial, as described in Appendix A, is retained in backups via Sub-Processors, for 2 (two) years unless the Customer submits a written request or DP Laws require storage of the Personal Data.
9.2 This DPA shall be considered terminated when the Customer’s Personal Data has been deleted per Lead Forensics’ retention policy or upon the Customer’s written request (whichever is first).
APPENDIX A (Personal Data)
| Category | Data | Data Subjects | Comments |
| Online Identifier | IP Address, to the extent that it is considered personal data | Website visitors | See IP Processing Policy |
APPENDIX B (Technical and Organisational Measures)
Click this link to access the Technical and Organisational Measures:
https://www.leadforensics.com/technical-and-organisational-measures-toms/
APPENDIX C (Sub-Processors)
| Name of sub-processor | Address/Location | Purpose/Type of Service | The location where the sub-processor will process PII | Retention Period |
| IOMART | Headquarters address: Kelvin Campus, West of Scotland Science Park, Lister Pavillion, Glasgow, G20 OSP | Data storage (backup facility) | Gosport, UK | 2 (two)years |
| AMAZON AWS | AWS Ireland | Data storage (backup facility) | EU-West-1 Region | 2 (two) years |
| V1.2 | Last modified March 2025 |