Customer FAQ
This FAQ has been created to support customer due diligence and make privacy, security and operational reviews easier. It provides a clear overview of Lead Forensics’ approach and should be read alongside the applicable customer agreement, Data Processing Agreement, Privacy Notice, Technical and Organisational Measures, and any other agreed contractual documents.
This document is provided for general information only. If anything in this FAQ differs from the signed agreement or Data Processing Agreement, the signed agreement and Data Processing Agreement will take priority.
Contents
- Quick overview
- How the Lead Forensics platform works
- Data roles, responsibilities and privacy choices
- Security, access and confidentiality
- Testing, incidents and service resilience
- Data operations: sub-processors, transfers, retention and rights requests
- Assurance and customer review
- Service improvement and analytics
1. Quick overview
1.1 What is this document for?
This FAQ helps customers and prospects understand how Lead Forensics handles privacy, security, and due diligence. It is intended to support procurement, privacy, legal, IT, risk and security reviews.
1.2 What role does Lead Forensics play?
When Lead Forensics processes customer personal data through the SaaS platform, we act as a data processor. The customer acts as the data controller and decides how the service is used, including the lawful basis and any use of platform outputs.
Lead Forensics processes customer personal data in line with the customer’s documented instructions and the applicable customer agreement and Data Processing Agreement.
1.3 What documents govern the processing?
Processing is governed by the customer agreement, Data Processing Agreement, platform configuration, support requests and other documented customer instructions. These documents cover key areas such as security commitments, sub-processors, international transfers, assistance obligations, deletion or return of data and assurance rights.
1.4 How often are privacy and security materials reviewed?
Customer-facing privacy and security materials are reviewed at least annually and whenever there are significant changes to services, systems, sub-processors, legal requirements or security controls.
2. How the Lead Forensics platform works
2.1 What does the tracking code do?
When the Lead Forensics tracking code is deployed on a customer website, the service receives the IP address and standard technical request data generated by visits to that website.
Lead Forensics uses this data to identify business-level website visits by matching IP addresses against its proprietary business database. If a business match cannot be made with sufficient confidence, the data is handled in line with the applicable agreement, Data Processing Agreement and retention practices.
2.2 How is an IP address matched to a business?
A search is carried out within a B2B database owned by Lead Forensics. If the IP address can be matched, the relevant business is shown in the customer portal.
If the IP address is not already in the database, Lead Forensics may attempt to identify the business. We do not collect or share consumer details such as home addresses, and sole traders are excluded.
IP addresses that cannot be matched are securely held during the validation process and then purged.
2.3 What business information may be shown?
The customer portal may display firmographic information about the matched business, such as the business name, address, and phone number. This is business-level information and does not identify an individual website visitor.
2.4 Can visits from mobile devices be identified?
Visitors may access customer websites from mobile devices, including smartphones and tablets. Lead Forensics cannot restrict this, but the matching process is designed to identify businesses, not individuals. The information presented is business-level insight.
2.5 What is the optional Contact Data feature?
Lead Forensics offers an optional Contact Data feature that can provide B2B contact information for individuals employed by matched businesses. This may include name, job title, LinkedIn profile, phone number and email address.
These contacts are not the individuals who visited the customer’s website, as Lead Forensics does not identify individual website visitors.
Contact data is provided by approved third-party suppliers, which act as independent data controllers. Each contact record can be traced back to its original source to support transparency.
Customers using this feature are responsible for ensuring their use of the contact data complies with applicable data protection, electronic communications and calling rules. Lead Forensics acts as a processor, processing personal data on the customer’s instruction under the Data Processing Agreement or an equivalent.
2.6 Is the Lead Forensics cookie required?
It isn’t strictly required, but the Lead Forensics cookie can improve the match rate. Details of the cookie are included in the Data Processing Agreement. For general information about cookies, see allaboutcookies.org.
3. Data roles, responsibilities and privacy choices
3.1 What personal data may be processed?
The types of personal data processed depend on the customer’s configuration, selected services and the applicable Data Processing Agreement. This may include business contact information, platform user data, website visit activity, technical identifiers, support information, employee account access data and CRM or integration data.
3.2 What is the purpose of processing?
Lead Forensics processes customer personal data to provide, operate, secure and support the SaaS services selected by the customer. This can include secure platform access, lead identification functionality, business data matching or enrichment, customer settings and integrations.
3.3 Does Lead Forensics require special category or sensitive personal data?
No. Lead Forensics does not require or process special category personal data under Article 9 of the UK GDPR or EU GDPR to provide its services.
3.4 Who decides the lawful basis?
The customer, as controller, is responsible for identifying and documenting the lawful basis for its use of Lead Forensics and for providing appropriate transparency information to website visitors, prospects, customers, employees or other relevant individuals.
Lead Forensics does not determine whether legitimate interests or another lawful basis is appropriate for a customer’s use case. Customers should document their own assessment within their privacy compliance framework.
3.5 Who is responsible for cookies, tracking and marketing rules?
The customer is responsible for configuring its websites, notices, consent mechanisms, opt-out processes and marketing activities in line with applicable data protection, privacy, marketing and electronic communications laws.
Lead Forensics supports customers by processing data in accordance with documented instructions and processor obligations.
3.6 Do customers need to update their privacy notices?
Customers are responsible for ensuring their privacy notices accurately explain their own processing activities, including their use of Lead Forensics, the personal data processed, the lawful basis relied upon and any requirements that apply in their jurisdictions.
Lead Forensics does not provide legal advice or prescribed wording for privacy notices, cookie banners or terms of use. Customers should involve their legal or privacy teams where required.
3.7 How does Lead Forensics support privacy law compliance?
Lead Forensics supports customers by processing customer personal data under a GDPR-compliant Data Processing Agreement, applying appropriate technical and organisational measures, managing relevant sub-processors, supporting rights requests where required and deleting or returning personal data in line with the contract.
For global privacy laws such as the CCPA/CPRA, Lead Forensics processes customer personal data in accordance with the customer agreement, the Data Processing Agreement, and documented customer instructions. Customers remain responsible for how those laws apply to their own use of the services.
4. Security, access and confidentiality
4.1 What security measures protect customer data?
Lead Forensics maintains technical and organisational measures designed to protect customer personal data against unauthorised access, accidental loss, disclosure, alteration or destruction.
Controls may include role-based access, least privilege, authentication controls, encryption in transit, appropriate protection of data at rest, secure cloud infrastructure, logging, monitoring, vulnerability management, secure development practices, backup and recovery processes and incident response procedures.
4.2 Where can customers view the Technical and Organisational Measures?
Lead Forensics publishes Technical and Organisational Measures covering key security, privacy and operational controls used to protect customer personal data when providing the SaaS services. They are available via our Trust Centre.
4.3 Does Lead Forensics have an ISMS?
Yes. Lead Forensics maintains an Information Security Management System (ISMS) to manage information security risks and protect the confidentiality, integrity, and availability of customer data, company systems, and business operations.
The ISMS provides a structured framework for identifying risks, applying security controls, monitoring effectiveness and driving continual improvement.
4.4 Is Lead Forensics certified to SOC 2 or ISO/IEC 27001?
Lead Forensics is certified to ISO/IEC 27001, the internationally recognised standard for information security management systems. Lead Forensics is not currently SOC 2 certified.
4.5 Who can access customer personal data?
Access is limited to authorised personnel who need it for legitimate business purposes such as service delivery, support, security, maintenance, troubleshooting or compliance. Access is role-based, reviewed periodically and removed when personnel change roles or leave.
4.6 Are personnel subject to confidentiality obligations?
Yes. Employees, contractors and authorised third parties who process customer personal data are subject to appropriate confidentiality obligations and must only access customer data where required for their role and in line with Lead Forensics policies.
4.7 Is single sign-on available?
Yes. Lead Forensics can support Single Sign-On for customers using an identity provider. When enabled, users are redirected to the customer’s identity provider for authentication, including any MFA controls the customer has enabled.
Customers interested in SSO should speak with their Lead Forensics Sales or Customer Success representative to discuss availability, configuration and any applicable commercial terms.
5. Testing, incidents and service resilience
5.1 Does Lead Forensics perform security testing?
Yes. Lead Forensics conducts security testing and vulnerability management activities appropriate to the SaaS service. Summaries of relevant assurance materials may be made available through the Trust Centre or under NDA, subject to security and confidentiality considerations.
5.2 How are third-party software and dependencies managed?
Lead Forensics reviews and manages third-party libraries, components and suppliers based on risk. Controls may include dependency monitoring, vulnerability review, patching, supplier assessment, contractual safeguards and review of critical security updates.
5.3 How are security incidents handled?
Lead Forensics maintains procedures to identify, escalate, assess, investigate, contain, remediate and document security incidents.
5.4 How are personal data breaches handled?
If Lead Forensics becomes aware of a personal data breach affecting customer personal data processed as a processor, it will notify affected customers without undue delay, in accordance with contractual and legal requirements.
Lead Forensics will take reasonable steps to investigate and mitigate the effects of confirmed breaches. Where available, notifications may include the nature and timing of the incident, the affected data, affected individuals, likely consequences, remediation steps, recommended customer actions, and an appropriate contact point.
5.5 Does Lead Forensics maintain backups and recovery processes?
Yes. Backup data may be retained for resilience, recovery, security and business continuity purposes. Backup data is subject to appropriate access controls and security measures and is overwritten or deleted through standard backup cycles.
Lead Forensics maintains appropriate resilience, business continuity and recovery processes for the SaaS service. Availability controls may include resilient infrastructure, monitoring, alerting, backup and recovery procedures, supplier governance, incident response, capacity planning and operational support.
6. Data operations: sub-processors, transfers, retention and rights requests
6.1 Does Lead Forensics use sub-processors?
Yes. Lead Forensics may use sub-processors to support the services, including hosting, storage, authentication and B2B contact data services. The current sub-processor list is available in the Data Processing Agreement between the parties. Applicable sub-processors may vary depending on services, region and contractual terms.
6.2 How are sub-processors assessed and updated?
Before engaging relevant sub-processors, Lead Forensics assesses privacy, security, operational and compliance risks. This may include reviewing security controls, data protection terms, confidentiality obligations, international transfer mechanisms, certifications, resilience and suitability.
Where required by contract, Lead Forensics will notify customers of material sub-processor changes and provide an opportunity to object on reasonable data protection grounds. Customers can subscribe to DPA and sub-processor update notifications at leadforensics.com/dpa-update-notification/.
6.3 Does Lead Forensics transfer personal data internationally?
Lead Forensics may process customer personal data in countries where its systems, or approved sub-processors, operate. Where restricted international transfers occur, Lead Forensics uses appropriate safeguards required by applicable data protection laws, such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum or other approved transfer mechanisms.
6.4 How long is customer personal data retained?
Lead Forensics retains customer personal data only for as long as necessary to provide the services, comply with customer instructions, meet contractual obligations, protect platform security, maintain backups, resolve disputes or satisfy legal requirements. Specific periods may vary by data type, product configuration and contract terms.
6.5 What happens when a contract ends?
When the customer agreement ends, Lead Forensics will delete or return customer personal data in line with the applicable Data Processing Agreement and customer agreement, unless continued retention is required by law or permitted by the contract.
6.6 Can customers export data?
Customers may have access to platform functionality for exporting relevant data, depending on configuration and contracted services. Where export is not self-service, customers may submit authorised support or privacy requests in line with contractual terms.
6.7 How does Lead Forensics support rights requests?
Where Lead Forensics acts as a processor, service provider or contractor, the customer is responsible for responding to data subject rights requests, consumer privacy requests and similar requests relating to customer-controlled personal data.
Lead Forensics provides reasonable assistance where required by law and contract, including for requests such as access, correction, deletion, restriction, portability, objection, suppression or opt-out. If Lead Forensics receives a rights request directly relating to customer-controlled personal data, it will generally refer the requester to the relevant customer or handle the request in accordance with the agreement, the Data Processing Agreement, and applicable law.
7. Assurance and customer review
7.1 What assurance materials are available?
Customers and prospects can request access to supporting documentation through the Lead Forensics Trust Centre. Additional materials may be made available under an NDA where appropriate, subject to review and approval.
7.2 Are certifications available?
The Lead Forensics ISO 27001 certificate is available via the Trust Centre.
7.3 Can customers conduct audits?
Customer audit and information rights are handled in accordance with the applicable customer agreement and Data Processing Agreement.
7.4 Does Lead Forensics complete security questionnaires?
Lead Forensics may respond to reasonable customer security, privacy, procurement and risk questionnaires where commercially appropriate.
7.5 Can customers review policies before contracting?
Lead Forensics may make selected Trust Centre policies and security documentation available to customers and prospects to support procurement, privacy, legal and security review. Some materials may require an NDA or access controls.
8. Service improvement and analytics
8.1 Does Lead Forensics use customer data to improve the service?
Lead Forensics may process usage data, logs, telemetry, diagnostics, and operational information to maintain, secure, support, troubleshoot, and improve services.
Where this information includes personal data, it is processed in accordance with applicable law, customer agreements and processor obligations. Aggregation, anonymisation or pseudonymisation may be used where appropriate.