Data Processing Agreement V7.1

 

This Data Processing Agreement (“DPA”) forms part of, and is hereby incorporated into, the Agreement between Lead Forensics (herein “Lead Forensics” or the “Data Processor”) and Customer (herein the “Customer” or “Data Controller”) for the purchase of services from Lead Forensics pursuant to the “Agreement”. Hereinafter jointly referred to as the “Parties”.

Under the main “Agreement” between the parties, “Lead Forensics” may refer to either Lead Forensics Limited or Lead Forensics, Inc.

It is entered into in accordance with the “DP Laws” defined below. While providing Services to the Customer under the Agreement, Lead Forensics will process Customer Personal Data on behalf of the Customer.

This DPA shall prevail in the event of a contradiction between its provisions and the provisions of related Agreements.

The parties agree to comply with the provisions of this DPA regarding Customer Personal Data processed under the Agreement. By signing the Agreement, unless explicitly signed as a standalone DPA, the Customer agrees to this DPA on behalf of itself and its affiliates if and to the extent Lead Forensics processes Customer Personal Data for such affiliates.

1. Introduction

1.1 This DPA sets out the provisions concerning Customer Personal Data and the Service that will apply between the parties. Lead Forensics shall be a Data Processor, and the Customer shall be a Data Controller.

2. Definitions

2.1 The terms in this DPA shall have the following meanings:

a. “Agreement” refers to the contract between the parties in relation to the Service.

b. “Authorised Business Purposes” refers to the business-to-business activities described in the Agreement.

c. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, and “Processing” shall each have the meanings ascribed to them under the DP Laws.

d. “Customer Personal Data” shall mean the applicable personal data processed as part of the Services set out in Appendix A.

e. “Compliant Privacy Policy” means a clear, comprehensive, accurate, fully implemented, prominently posted statement of a Data Controller’s information and processing practices, which complies with DP Laws and any applicable contractual commitments regarding the collection, use, handling, sale, share, security, or other processing of Customer Personal Data.

f. “Data Protection Supervisory Authority” means the relevant supervisory authorities with responsibilities for data protection and/or privacy in the applicable jurisdiction in which the Services will be deployed.

g. “DP Laws” means, to the extent applicable to the activities or obligations of the parties under or pursuant to this Agreement, which shall include the EU GDPR, the UK GDPR, and the Data Protection Act 2018. Including without limitation, as applicable, the California Consumer Privacy Act of 2018, (“CCPA”), the Virginia Consumer Data Protection Act (from and after January 1, 2023) (the “VCDPA”), the Colorado Privacy Act (from and after July 1, 2023) (the “CoPA”), the European Union General Data Protection Regulation, (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), Canada’s Personal Data Protection and Electronic Documents Act (“PIPEDA”), all state and local laws requiring notice of breaches involving Personal Data and any and all orders, rules and regulations promulgated under any of the foregoing, all as the same have been amended and may be amended in the future.

h. “EEA” means all member states of the European Union, Iceland, Liechtenstein, Norway, and, for the purposes of this DPA, Switzerland.

i. “Lead Forensics Proprietary Data” means data for which Lead Forensics wholly owns the ownership rights and may be provided as part of the service to the Customer.

j. “Personal Data” means any data or information processed by Lead Forensics pursuant to this DPA which may be used, alone or in conjunction with any other data or information, to identify a living person or household or to make a living person or household identifiable. Including, without limitation, any business or personal contact data, unique electronic identification number, address, or routing code, telecommunication identifying information, or access device, such as a MAID. “Personal Data” includes, without limitation, any and all data or information that constitutes “Personal Data”, “personally identifiable information” or similar term under any applicable DP law, and for the avoidance of doubt, includes all data processed under Appendix A of this DPA.

k. “Services” as defined in the Agreement.

l. “Standard Contractual Clauses” or “EU SCCs” means the 2021 EU Standard Contractual Clauses ((EU) 2021/914) available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.

m. “State of the art” means best practices and technologies relating to the security of IS and the information derived from them, in particular, the ISO 27001 standard.

n. “Sub-Processors” means approved sub-processors appointed by Lead Forensics to process Customer Personal Data as part of the Services, which shall be deemed to include https://www.leadforensics.com/sub-processors/.

o. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf.

3. Instruction to Process

3.1 The parties acknowledge that for the purposes of DP Laws, the Customer is the Data Controller, and Lead Forensics is the Processor.

3.2 Lead Forensics will only Process Customer Personal Data in accordance with the Customer’s instructions (which may be specific or general) to perform the Services in accordance with the Agreement, except to the extent Lead Forensics is required by DP Laws to process or share that Customer Personal Data. In this case, Lead Forensics shall inform the Customer of this requirement, unless the law prohibits it.

3.3 The parties agree that the Agreement incorporates this DPA unless the parties agree in writing otherwise.

3.4 The parties agree that the terms may be updated. Lead Forensics shall provide at least fourteen (14) days’ notice. If an objection is not received within 14 days, the terms shall be deemed binding between the parties.

3.5 Notwithstanding any other provision in this DPA, Lead Forensics may process Customer Data for analysis as part of the Service, including creating, compiling, and producing aggregated data sets and/or statistics to assist Customers’ reporting.

3.6 Lead Forensics Proprietary Data is excluded from the terms of this DPA.

4. Customer Personal Data

4.1 The processing particulars are set out in Appendix A of this DPA.

4.2 The duration of the Customer Personal Data processing is continuous and shall terminate as set forth in clause 12.

5. Records of Processing

5.1 In accordance with DP Laws, Lead Forensics shall maintain a record of processing activities undertaken on behalf of the Customer regarding the Customer Personal Data processed. The Records shall contain:

5.1.1 The name and contact information of each Sub-Processor.

5.1.2 The categories of processing of Customer Personal Data carried out on behalf of the Customer.

5.1.3 Details of any transfers of Customer Personal Data to any country or territory outside the UK/EEA, including suitable safeguards in accordance with DP Laws.

6. International Transfers

6.1 Lead Forensics shall not transfer Customer Personal Data to countries outside the UK or European Economic Area (EEA) without notifying the Data Controller. If Customer Personal Data Processed under this DPA is transferred onward to a sub-processor outside the UK or EEA, Lead Forensics shall ensure that the Customer Personal Data is adequately protected. The parties recognise the Standard Contractual Clauses of the European Union and the UK Addendum, or equivalent as deemed by DP Laws, shall be implemented where appropriate.

6.2 If a Customer is based in the UK/EU and contracts with Lead Forensics, Inc. (a US entity), a transfer mechanism is required under UK/EU data protection law, which the Customer is responsible for implementing. Please send the relevant terms to [email protected] for review.

6.3 In the processing scenario whereby Lead Forensics UK, as a UK Processor, returns data to its Customer/Controller in a country without adequacy, this is not a restricted transfer, and a safeguard mechanism is not required.

7. Security of Processing

7.1 Technical and Organisational Measures

7.1.1 Lead Forensics shall implement and maintain technical and organisational measures in the context of processing Customer Personal Data to ensure a level of security appropriate to the risk. This includes protecting Customer Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data. In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risks involved for the Data Subjects.

7.1.2 The Customer shall review the Technical and Organisational Measures (Appendix B). The Technical and Organisational Measures provided are subject to review and further development. The supplier may implement a revised version without reducing the security level. It shall provide the Customer with an updated copy as soon as reasonably practicable.

7.2 Access and Confidentiality

7.2.1 Lead Forensics shall ensure that personnel with access to Customer Personal Data for the performance of the Service are limited, and such personnel are subject to relevant contractual terms of confidentiality.

7.3 Personal Data Breach

7.3.1 Lead Forensics shall notify the Customer without undue delay and, in any event, within 48 hours upon becoming aware of a Personal Data Breach impacting the Customer’s Personal Data.

7.3.2 Lead Forensics shall cooperate with the Customer as necessary and take such reasonable commercial steps to assist in the investigation, mitigation, and remediation of, and notifications related to, each such Personal Data Breach impacting Customer’s Personal Data. Unless required by DP laws with respect to the impacted Customer Personal Data, Lead Forensics will not inform or notify any third party of the Personal Data Breach without the prior consent of the Customer.

8. Sub-Processors

8.1 Lead Forensics may use any sub-processors already engaged by Lead Forensics as part of the Services prior to the effective date of this DPA, which shall be deemed to include https://www.leadforensics.com/sub-processors/.

8.2 Personal Data may be fulfilled by an Approved Sub-Processor outside the UK and EEA that is not subject to a competent binding adequacy decision. For any such sub-processing, Lead Forensics shall (i) participate in a valid data transfer mechanism under the DP Law and (ii) take such steps as are required by the DP Laws (which may include the implementation of the IDTA, the Standard Contractual Clauses together with, to the extent the UK GDPR applies to the relevant transfer, the UK Addendum, or any successor standard contractual clauses adopted by the ICO) to ensure that the level of protection afforded to the Customer Personal Data is equivalent to the level of protection required by the DP Laws of the UK and/or European Union (as applicable) and the transfer is otherwise compliant with the DP Laws.

8.3 Lead Forensics shall publish the details of any new or alternative sub-processor at https://www.leadforensics.com/sub-processors/, which shall be deemed notice to the Customer. If, within 14 working days of the date of such notice:

8.3.1 The Customer has not notified Lead Forensics in writing of any reasonable objections, the Customer shall be deemed to have approved the list of Sub-processors, including the use of alternative/new sub-processors.

8.4 When Lead Forensics engages a sub-processor to process personal data, Lead Forensics will:

8.4.1 Remain liable to the Customer for the performance of the sub-processor in accordance with this DPA.

8.4.2 Have a contract with the sub-processor that offers substantially the same level of protection for Personal Data as those set out in this DPA.

9. Assistance to the Customer

9.1 Insofar as the Customer is subject to an inspection by a Data Protection Supervisory Authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the personal data processed by Lead Forensics, Lead Forensics shall make every reasonable effort to support the Customer.

9.2 Data Subject Rights

9.2.1 Lead Forensics will promptly notify the Customer upon awareness of any request it has received from a Data Subject. Lead Forensics will not respond to the request itself unless authorised to do so by the Customer.

9.3 Lead Forensics shall assist the Customer in fulfilling its obligations to respond to the data subject’s requests to exercise their rights, taking into account the nature of the processing.

9.4 Data Protection Impact Assessment

9.4.1 Lead Forensics will provide reasonable assistance to the Customer concerning any data protection impact assessments required under Articles 35 or 36 of EU/UK GDPR or equivalent DP Laws, taking into account the nature of the data processing.

9.5 Audit Rights

9.5.1 Lead Forensics shall allow the Customer to audit compliance with its obligations under this DPA upon giving reasonable written notice. The Customer shall bear the costs of such an audit. If the Customer mandates a third party to conduct the audit on its behalf, the third-party auditor shall agree to comply with reasonable confidentiality terms issued by Lead Forensics.

9.5.2 An audit may only be carried out concerning the Customer’s Personal Data processed by Lead Forensics as defined in Appendix A and as relevant to the processing activities under this DPA.

10. General Obligations on the Customer

10.1 The Customer agrees to comply with DP Laws concerning its obligations as a Data Controller of the Personal Data insofar as they relate to processing under this DPA.

10.1.1 The Customer shall, in relation to any Personal Data (as defined in Appendix A), provide all notices, such as a Compliant Privacy Policy, obtain all consents and take all other steps required by applicable DP Laws concerning this DPA and under the Agreement. The Customer represents and warrants that it has not violated any applicable DP law, regulation, or the rights of any third party by instructing the processing of Personal Data.

10.1.2 The Customer is solely responsible for complying with obligations under applicable DP laws and determining the thresholds for any DP laws that may apply to their processing activities, including, but not limited to, the territorial scope of GDPR. For the avoidance of doubt, Lead Forensics assumes no responsibility for the Customer not meeting its obligations under applicable DP laws and/or the provisions of this DPA.

10.1.3 The Customer represents and states that, before disclosing Personal Data to Lead Forensics or instructing its processing, it has obtained all necessary rights and permissions from data subjects under all DP Laws for any processing to be performed by Lead Forensics to allow the parties to carry out the Authorised Business Purposes.

10.1.4 To the extent that the Customer shares or provides access to data, including access to the Lead Forensics portal, the Customer is responsible for ensuring compliance under DP laws is met.

10.1.5 The Customer remains solely responsible for its use of the product/service or portions thereof.

10.1.6 To the extent that the Customer provides data, the Customer shall ensure that data shall not contain ‘health’ or ‘sensitive’ data as defined by DP Laws.

10.1.7 Customer Personal Data, as set forth in Appendix A, shall be processed by Lead Forensics in compliance with this DPA and for Authorised Business Purposes only.

11. Lawful Jurisdiction

11.1 The lawful jurisdiction specified in the Agreement shall govern this DPA.

11.2 A Data Subject may bring legal proceedings against Lead Forensics or the Customer before the courts of the Member State in which they have their habitual residence.

11.3 The parties acknowledge they may be compelled to the jurisdiction of such courts.

12. Commencement and Termination

12.1 This DPA shall become effective in alignment with the Agreement and in accordance with updates https://www.leadforensics.com/dpa-update-notification/. The Customer is responsible for ensuring the correct contact for DPA notifications is provided.

12.2 Notwithstanding any provision to the contrary in this DPA, the terms and conditions set forth in this DPA shall supersede and take precedence over any conflicting or inconsistent provisions contained in any other section or clause or previous versions. In the event of a conflict, the provisions of this DPA shall govern and control.

12.3 Personal Data, as defined by Appendix A, is deleted from the Services within thirty (30) days after expiration or the termination of the Agreement or Customer’s written request.

12.4 The Customer is responsible for removing the Lead Forensics code from its website.

12.5 Except as otherwise required by DP laws, Lead Forensics retains backup data via Sub-Processors, as described in clause 6, for 2 (two) years.

12.6 The Customer may retrieve (via self-serve options via the Service) all required data within thirty (30) days of the confirmed termination of the contract.

12.7 This DPA shall be considered terminated when the Customer’s Personal Data has been deleted per Lead Forensics’ retention policy or upon the Customer’s written request (whichever is first).

12.8 Upon the termination or expiration of the Agreement, all provisions of this DPA shall automatically terminate, and no provisions shall survive, except as expressly agreed between the parties or as otherwise required by law.

 

APPENDIX A (Customer Personal Data)

The following categories of Customer Personal Data are necessary to be processed as part of the service:

| Category | Data | Data Subjects | Comments |
| --- | --- | --- | --- |
| Online Identifier | IP Address, to the extent that it is considered personal data. | Website visitors. | See IP Processing Policy. |
| Contact Data | First name, surname, email. | Customer employee. | Login credentials, Single Sign-on. |

Our standard code has enhanced matching capabilities. This means that we process additional data, as stated in Appendix A, that may be considered personal data. This version of code is on by default. However, upon instruction, we can replace it with a basic version of code.

The name of code and identifiers contained within the JavaScript we provide may vary from Customer to Customer for security and compliance reasons.

 

The following personal data are optional features, provided as standard and processed as part of the service:

Category Data Data Subjects Comments/Purpose
Contact Data For example, first name, surname, job title, LinkedIn URL (as provided by Customer). As defined by the Customer.

It may also apply to an integration.

Applies if data is uploaded or PURLs used (purpose defined by the Customer).
B2B Contact Data First name, surname, job title, LinkedIn URL. Employees of a matched business. For example, prospects, customers, and leads (as defined by Customer).

It may also apply to an integration.

Contact data of employees of a matched business.

This applies to the ‘search’ and ‘add’ functionality, instructing an API call to an approved third-party contact data provider.

See Sub-Processors.

Advanced Cookie Lead Forensics Cookie (lfuuid). Website visitors.  This is not standard for all customers in the UK/EU/ROW, but it is standard in the US.

May increase matching capabilities.

Online Identifiers An identifier, webpage endpoints, and other attributes within our standard code may be processed, including reading for the presence of cookies and mobile device identifiers. US website visitors only. LF, Inc. is either the processor (if the contract is with LF, Inc.) or the sub-processor (if the contract is with LF Limited, UK).
HEM (Hashed email) A HEM may be processed. Website Visitors. LF, Inc. is either the processor (if the contract is with LF, Inc.) or the sub-processor (if the contract is with LF Limited, UK).
Search Terms Variable. Website visitors. Freestyle text input by the website visitor to the extent that it may be considered personal data.

 

 

APPENDIX B (Technical and Organisational Measures)

Click this link to access the Technical and Organisational Measures:

https://www.leadforensics.com/toms/

 

 

V7.1 Last reviewed July 2025