
Data Processing Agreement V7

 

This Data Processing Agreement (“DPA”) forms part of the agreement between Lead Forensics Limited, registered in England and Wales with company number 07158006 and a registered office at 3000 Lakeside Western Road, Hampshire, PO6 3EN (herein “Lead Forensics” or the “Data Processor”) and Customer (herein the “Customer” or “Data Controller”) for the purchase of services from Lead Forensics pursuant to (the “Agreement”). Hereinafter jointly referred to as the “Parties”.

It is entered into in accordance with the “DP Laws” defined below. While providing Services to the Customer under the Agreement, Lead Forensics may process Personal Data on behalf of the Customer.

This DPA shall prevail in the event of a contradiction between its provisions and the provisions of related Agreements.

The parties agree to comply with the provisions of this DPA regarding Personal Data processed under the Agreement. By signing the Agreement, the Customer agrees to this DPA on behalf of itself and its affiliates if and to the extent Lead Forensics processes Personal Data for such affiliates.

1. Introduction

1.1 This DPA sets out the provisions concerning Personal Data and the Service that will apply between the parties. Lead Forensics shall always be a Data Processor, and the Customer shall be a Data Controller.

2. Definitions

2.1 The terms in this DPA shall have the following meanings:

a. “Agreement” refers to the contract between the parties in relation to the Service.

b. “Authorised Business Purposes” refers to the business-to-business activities described in the Agreement.

c. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, and “Processing” shall each have the meanings ascribed to them under the DP Laws.

d. “Customer Personal Data” shall mean the applicable personal data processed as part of the Services set out in Appendix A.

e. “Compliant Privacy Policy” means a clear, comprehensive, accurate, fully implemented, prominently posted statement of a Data Controller’s information and processing practices, which complies with DP Laws and any applicable contractual commitments regarding the collection, use, handling, sale, share, security, or other processing of Personal Data.

f. “Data Protection Supervisory Authority” means the relevant supervisory authorities with responsibilities for data protection and/or privacy in the applicable jurisdiction in which the Services will be deployed.

g. “Data Controller” and “Data Processor” as ascribed in DP Laws.

h. “DP Laws” means the laws, to the extent applicable to the activities or obligations of the parties under or pursuant to this Agreement, which shall include the EU GDPR, the UK GDPR, and the Data Protection Act 2018, including without limitation, as applicable, the California Consumer Privacy Act of 2018 (“CCPA”), the Virginia Consumer Data Protection Act (from and after January 1, 2023) (the “VCDPA”), the Colorado Privacy Act (from and after July 1, 2023) (the “CoPA”), Washington My Health My Data Act (as effective), the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), Canada’s Personal Data Protection and Electronic Documents Act (“PIPEDA”), all state and local laws requiring notice of breaches involving Personal Data and any and all orders, rules and regulations promulgated under any of the foregoing, all as the same have been amended and may be amended in the future.

i. “EEA” means all member states of the European Union, Iceland, Liechtenstein, Norway, and, for the purposes of this DPA, Switzerland.

j. “Lead Forensics Proprietary Data” means data for which Lead Forensics wholly owns the ownership rights and may be provided as part of the service to the Customer.

k. “Personal Data” means any data or information processed by Lead Forensics pursuant to this DPA which may be used, alone or in conjunction with any other data or information, to identify a living person or household or to make a living person or household identifiable, including, without limitation, any business or personal contact data, unique electronic identification number, address or routing code, telecommunication identifying information or access device such as MAID. “Personal Data” includes, without limitation, any and all data or information that constitutes “Personal Data”, “personally identifiable information” or similar term under any applicable DP law, and for the avoidance of doubt, includes all data processed under Appendix A of this DPA.

l. “Services” as defined in the Agreement.

m. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as adapted for the UK or such alternative as may be approved by the European Commission or by the UK from time to time.

n. “State of the art” means best practices and technologies relating to the security of IS and the information derived from them, in particular, the ISO 27001 standard.

o. “Sub-Processors” means approved sub-processors appointed by Lead Forensics to process Personal Data as part of the Services, which shall be deemed to include https://www.leadforensics.com/sub-processors/.

p. “UK Addendum” means the ICO’s addendum to the Standard Contractual Clauses issued in accordance with section 119A of the Data Protection Act 2018.

3. Instruction to Process

3.1 The parties acknowledge that for the purposes of DP Laws, the Customer is the Data Controller, and Lead Forensics is the Processor.

3.2 Lead Forensics will only Process Personal Data in accordance with the Customer’s instructions (which may be specific or general) to perform the Services in accordance with the Agreement, except to the extent Lead Forensics is required by DP Laws to process or share that Personal Data. In this case, Lead Forensics shall inform the Customer of that requirement unless the law prohibits this.

3.3 The parties agree that the Agreement incorporates this DPA unless the parties agree in writing otherwise.

3.4 The parties agree that the terms may be updated. Lead Forensics shall provide at least fourteen (14) days’ notice. If an objection is not received within 14 days, the terms shall be deemed binding between the parties.

3.5 Notwithstanding any other provision in this DPA, Lead Forensics may process Personal Data and Customer Data for analysis as part of the Service, including creating, compiling, and producing aggregated data sets and/or statistics to assist Customers’ reporting.

3.6 Lead Forensics Proprietary Data is excluded from the terms of this DPA.

4. Personal Data

4.1 The processing particulars are set out in Appendix A of this DPA.

4.2 The duration of the Personal Data processing shall be subject to clause 12.

5. Records of Processing

5.1 In accordance with DP Laws, Lead Forensics shall maintain a record of processing activities undertaken on behalf of the Customer regarding the Personal Data processed. The Records shall contain:

5.1.1 The name and contact information of each Sub-Processor.

5.1.2 The categories of processing of Customer Personal Data carried out on behalf of the Customer.

5.1.3 Details of any transfers of Customer Personal Data to any country or territory outside the UK/EEA, including suitable safeguards in accordance with DP Laws.

6. International Transfers

6.1 Lead Forensics shall not transfer Personal Data to countries outside the UK or European Economic Area (EEA) without notifying the Data Controller. If Personal Data Processed under this DPA is transferred onward to a sub-processor outside the UK or EEA, Lead Forensics shall ensure that the Personal Data is adequately protected. The parties recognise the Standard Contractual Clauses of the European Union and the UK Addendum, or equivalent as deemed by DP Laws, shall be implemented where appropriate.

6.2 If a Customer is based in the UK/EU and contracts with Lead Forensics, Inc. (a US entity), a transfer mechanism is required under UK/EU data protection law, which the Customer is responsible for implementing. Please send the relevant terms to [email protected] for review.

6.3 In the processing scenario whereby Lead Forensics UK, as a UK Processor, returns data to its Customer/Controller in a country without adequacy, this is not a restricted transfer, and a safeguard mechanism is not required.

6.4 Lead Forensics UK and Lead Forensics, Inc. have a transfer mechanism between the entities.

7. Security of Processing

7.1 Technical and Organisational Measures

7.1.1 Lead Forensics shall implement and maintain technical and organisational measures in the context of processing Personal Data to ensure a level of security appropriate to the risk. This includes protecting personal data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the Data Subjects.

7.1.2 The Customer shall review the Technical and Organisational Measures (Appendix B). The Technical and Organisational Measures provided are subject to review and further development. The supplier may implement a revised version without reducing the security level. It shall provide the Customer with an updated copy as soon as reasonably practicable.

7.2 Access and Confidentiality

7.2.1 Lead Forensics shall ensure that personnel with access to Customer Data for the performance of the Service are limited, and such personnel are subject to relevant contractual terms of confidentiality.

7.3 Personal Data Breach

7.3.1 Lead Forensics shall notify the Customer without undue delay and, in any event, within 48 hours upon becoming aware of a Personal Data Breach impacting the Customer’s Personal Data.

7.3.2 Lead Forensics shall assist the Customer in notifying the Personal Data Breach to the competent supervisory authority/ies unless DP Laws do not require such notification.

8. Sub-Processors

8.1 Lead Forensics may continue to use any sub-processors already engaged by Lead Forensics as part of the Services prior to the effective date of this DPA, which shall be deemed to include https://www.leadforensics.com/sub-processors/.

8.2 Without prejudice to any other provisions of this DPA, Lead Forensics may use the Approved Sub-Processors to process Personal Data as part of the services.

8.3 Personal Data may be fulfilled by an approved sub-processor outside the UK and EEA that is not subject to a competent binding adequacy decision. For any such sub-processing, Lead Forensics shall (i) participate in a valid data transfer mechanism under the DP Law and (ii) take such steps as are required by the DP Laws (which may include the implementation of the IDTA, the Standard Contractual Clauses together with, to the extent the UK GDPR applies to the relevant transfer, the UK Addendum, or any successor standard contractual clauses adopted by the ICO) to ensure that the level of protection afforded to the Personal Data is equivalent to the level of protection required by the DP Laws of the UK and/or European Union (as applicable) and the transfer is otherwise compliant with the DP Laws.

8.4 Lead Forensics shall publish the details of any new or alternative sub-processor at https://www.leadforensics.com/sub-processors/, which shall be deemed notice to the Customer. If, within 14 working days of the date of such notice: 

8.4.1 The Customer has not notified Lead Forensics in writing of any reasonable objections, the Customer shall be deemed to have approved the list of Sub-processors, including the use of alternative/new sub-processors.

8.5 When Lead Forensics engages a sub-processor to process personal data, Lead Forensics will:

8.5.1 Remain liable to the Customer for the performance of the sub-processor in accordance with this DPA.

8.5.2 Have a contract with the sub-processor that offers substantially the same level of protection for Personal Data as those set out in this DPA.

9. Assistance to the Customer

9.1 Insofar as the Customer is subject to an inspection by a Data Protection Supervisory Authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the personal data processed by Lead Forensics, Lead Forensics shall make every reasonable effort to support the Customer.

9.2 Data Subject Rights

9.2.1 Lead Forensics will promptly, and within two (2) working days of becoming aware, notify the Customer of any request it has received from a Data Subject. Lead Forensics will not respond to the request itself unless authorised to do so by the Customer.

9.3 Lead Forensics shall assist the Customer in fulfilling its obligations to respond to the data subject’s requests to exercise their rights, taking into account the nature of the processing.

9.4 Data Protection Impact Assessment

9.4.1 Lead Forensics will provide reasonable assistance to the Customer concerning any data protection impact assessments required under Articles 35 or 36 of EU/UK GDPR or equivalent DP Laws, taking into account the nature of the data processing.

9.5 Audit Rights

9.5.1 Lead Forensics shall allow the Customer to audit compliance with its obligations under this DPA upon giving reasonable written notice. The Customer shall bear the costs of such an audit. If the Customer mandates a third party to conduct the audit on its behalf, the third-party auditor shall agree to comply with reasonable confidentiality terms issued by Lead Forensics.

9.5.2 An audit may only be carried out concerning the Customer’s Personal Data processed by Lead Forensics as defined in Appendix A and as relevant to the processing activities under this DPA.

10. General Obligations on the Customer

10.1 The Customer agrees to comply with DP Laws concerning its obligations as a Data Controller of the Personal Data insofar as they relate to processing under this DPA.

10.1.1 The Customer shall, in relation to any Personal Data (as defined in Appendix A), provide all notices, such as a Compliant Privacy Policy, obtain all consents and take all other steps required by applicable DP Laws concerning this DPA and under the Agreement. The Customer represents and warrants that it has not violated any applicable DP law, regulation, or the rights of any third party by instructing the processing of Personal Data.

10.1.2 The Customer is solely responsible for complying with obligations under applicable DP laws and determining the thresholds for any DP laws that may apply to their processing activities, including, but not limited to, the territorial scope of GDPR. For the avoidance of doubt, Lead Forensics assumes no responsibility for the Customer not meeting its obligations under applicable DP laws and/or the provisions of this DPA.

10.1.3 The Customer represents and states that, before disclosing Personal Data to Lead Forensics or instructing its processing, it has obtained all necessary rights and permissions from data subjects under all DP Laws for any processing to be performed by Lead Forensics to allow the parties to carry out the Authorised Business Purposes.

10.1.4 To the extent that the Customer shares or provides access to data, including access to the Lead Forensics portal, the Customer is responsible for ensuring compliance under DP laws is met.

10.1.5 The Customer remains solely responsible for its use of the product/service or portions thereof.

10.1.6 To the extent that the Customer provides data, the Customer shall ensure that data shall not contain ‘health’ or ‘sensitive’ data as defined by DP Laws.

10.1.7 Data, as processed in Appendix A, shall be Processed in compliance with this DPA and for Authorised Business Purposes only.

11. Lawful Jurisdiction

11.1 The lawful jurisdiction specified in the Agreement shall govern this DPA.

11.2 A Data Subject may bring legal proceedings against Lead Forensics or the Customer before the courts of the Member State in which they have their habitual residence.

11.3 The parties acknowledge they may be compelled to the jurisdiction of such courts.

12. Commencement and Termination

12.1 This DPA shall become effective in alignment with the Agreement and in accordance with updates https://www.leadforensics.com/dpa-update-notification/.

12.2 Notwithstanding any provision to the contrary in this DPA, the terms and conditions set forth in this DPA shall supersede and take precedence over any conflicting or inconsistent provisions contained in any other section or clause or previous versions. In the event of a conflict, the provisions of this DPA shall govern and control.

12.3 Personal Data, as defined by Appendix A, is deleted from the Services as described in the Agreement within thirty (30) days of the termination of the Agreement.

12.4 The Customer is responsible for removing the Lead Forensics code from its website.

12.5 Lead Forensics retains backup data via Sub-Processors, as described in clause 6, for 2 (two) years unless the Customer submits a written request or DP Laws require storage of the Personal Data.

12.6 The Customer may retrieve (via self-serve options via the Service) all required data within thirty (30) days of confirmation that the contract has been terminated.

12.7 This DPA shall be considered terminated when the Customer’s Personal Data has been deleted per Lead Forensics’ retention policy or upon the Customer’s written request (whichever is first).

12.8 Upon the termination or expiration of this DPA, all provisions of the DPA shall automatically terminate, and no provisions shall survive, except as expressly agreed between the parties or as otherwise required by law.

 

APPENDIX A (Personal Data)

The following personal data are optional features, provided as standard and processed as part of the service:

| Category | Data | Data Subjects | Comments |
| --- | --- | --- | --- |
| Contact Data | For example, first name, surname, job title, LinkedIn URL (as provided by Customer). | As defined by the Customer. | It may also apply to an integration. This may apply to uploaded data and PURLs (purpose defined by the Customer). |
| B2B Contact Data | First name, surname, job title, LinkedIn URL. | Employees of a matched business. For example, prospects, customers, and leads (as defined by Customer). | It may also apply to an integration. This applies to the ‘search’ and ‘add’ functionality, instructing an API call to an approved third-party contact data provider. See Sub-Processors. |
| Advanced Cookie | Lead Forensics Cookie (lfuuid) | Website visitors. | This is not standard for all customers in the UK/EU/ROW, but is standard in the US. |
| Online Identifiers | An identifier and other attributes within our standard code may be processed, including cookies and mobile device identifiers. | US website visitors only. | See Sub-Processors. |
| HEM (Hashed email) | A HEM may be processed. | Website Visitors. | See Sub-Processors. |

 

The following personal data are necessary to process as part of the service:

| Category | Data | Data Subjects | Comments |
| --- | --- | --- | --- |
| Online Identifier | IP Address, to the extent that it is considered personal data. | Website Visitors. | See IP Processing Policy. |
| Contact Data | First name, surname, email. | Customer employee | Login credentials, Single Sign-on. |

 

 

APPENDIX B (Technical and Organisational Measures)

Click this link to access the Technical and Organisational Measures: https://www.leadforensics.com/toms/

 

 

V7 Last modified 2th February 2025