Data Processing Addendum
Last updated: 2026-05-19
This Data Processing Addendum ("DPA") supplements the LeadRails Terms of Service between LeadRails Inc. ("Processor") and the customer ("Controller") and reflects the parties' agreement with respect to the processing of Personal Data under applicable Data Protection Laws.
1. Defined terms
- Personal Data — any information relating to an identified or identifiable natural person processed under the Agreement.
- Data Protection Laws — the EU GDPR, UK GDPR, the California Consumer Privacy Act, and other applicable privacy laws.
- Sub-processor — a third party engaged by Processor to process Personal Data on Controller's behalf.
2. Scope of processing
Processor will process Personal Data only on documented instructions from Controller, including with regard to international transfers, and only to provide the Service. The subject matter, duration, nature, and purpose of processing are described in the Agreement. Categories of data subjects include Controller's leads, prospects, customers, and end users; categories of data include contact details, lead metadata, and any data Controller chooses to transmit.
3. Sub-processors
Controller authorises Processor to engage the sub-processors listed at /legal/subprocessors. Processor will give Controller at least 30 days' notice of any addition or replacement of sub-processors and an opportunity to object on reasonable grounds.
4. Security measures
- encryption in transit (TLS 1.2+) and at rest (envelope encryption with rotated wrap keys);
- HMAC signing on all ingress and egress paths;
- least-privilege access controls and audit logging of administrative actions;
- regular dependency updates and vulnerability monitoring;
- incident response procedures and backups for the operational database.
5. Data subject rights
Processor will assist Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection, taking into account the nature of the processing and the information available.
6. Breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach involving Customer Data, and provide information reasonably required for Controller to meet its own notification obligations.
7. International transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country not deemed adequate, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum.
8. Audits
Processor will make available to Controller information necessary to demonstrate compliance with this DPA. On reasonable notice and no more than once per year, Controller may audit Processor's relevant policies and controls, with the scope and methodology agreed in advance.
9. Term and termination
This DPA is effective for the term of the Agreement. On termination, Processor will, at Controller's election, return or delete Personal Data within a reasonable period, except where retention is required by law.