Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the Terms of Service between Trust Leads Ltd (Processor) and the Customer (Controller).

Last updated: 1 May 2026

Enterprise DPA Available

This page contains our standard DPA terms. Enterprise customers requiring a countersigned DPA, custom sub-processor addenda, or SCCs should contact legal@trustleads.ai. We aim to return countersigned agreements within 5 business days.

1. Definitions

In this DPA:

  • Controller means the Customer who determines the purposes and means of processing Personal Data.
  • Processor means Trust Leads Ltd, acting on the instructions of the Controller.
  • Personal Data means any information relating to an identified or identifiable natural person contained in data uploaded by the Controller.
  • Processing means any operation performed on Personal Data, including validation, enrichment, storage, and deletion.
  • Data Protection Law means the UK GDPR, EU GDPR 2016/679, and any applicable national implementing legislation.
  • Sub-processor means any third party engaged by Trust Leads to process Personal Data on behalf of the Controller.

2. Subject Matter & Duration

Trust Leads processes Personal Data on behalf of the Controller for the purpose of providing lead validation and enrichment services as described in the Terms of Service.

This DPA is effective for the duration of the Customer's subscription and for the period required to fulfil deletion obligations (30 days after account termination or lead file expiry).

3. Nature, Purpose & Categories of Data

Nature: Validation (email deliverability, phone verification), enrichment (domain resolution, lead scoring), and temporary file storage.

Purpose: Solely to fulfil the Controller's enrichment requests. Trust Leads does not use the data for any other commercial purpose.

Categories of data subjects: Business contacts (leads) contained in files uploaded by the Controller.

Categories of personal data: Business email addresses, first and last names, phone numbers, job titles, company names, and company domains. No special categories of data (Art. 9 GDPR) are processed.

4. Processor Obligations

Trust Leads (as Processor) undertakes to:

  • Process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA)
  • Ensure that all personnel with access to Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures as described in Article 32 GDPR (see Section 7)
  • Not engage new sub-processors without prior notification to the Controller (see Section 5)
  • Assist the Controller in responding to data subject rights requests, to the extent reasonably practicable
  • Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach
  • Make available all information necessary to demonstrate compliance with this DPA and support Controller audits
  • Delete or return Personal Data upon termination of the service

5. Sub-processors

The Controller grants general authorisation to engage the following sub-processors:

| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) | SCCs |
| Stripe Inc. | Payment processing (billing data only — not lead data) | USA / EU | SCCs + PCI DSS L1 |
| Vercel Inc. | Frontend hosting and CDN | Global (edge) | SCCs |

Trust Leads will notify the Controller via email of any intended changes to this sub-processor list at least 14 days in advance. The Controller may object in writing within that period. A full and current sub-processor list is available on request from legal@trustleads.ai.

6. International Data Transfers

Where Personal Data is transferred to a country outside the UK or EEA, Trust Leads ensures appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and UK IDTA addenda where applicable.

7. Technical & Organisational Security Measures

Trust Leads implements the following measures in accordance with Art. 32 GDPR:

  • Encryption in transit: TLS 1.2 or higher for all data transmissions
  • Encryption at rest: AES-256 for all stored data and backups
  • Access control: Role-based access control (RBAC) with least-privilege principles; MFA required for production access
  • Authentication: Bcrypt password hashing (cost factor 10); short-lived JWTs with rotating refresh tokens
  • Audit logging: Immutable logs of all security-relevant events retained for 12 months
  • Data isolation: Customer data is isolated at the organisation level; cross-tenant data access is architecturally prevented
  • Penetration testing: Annual external penetration testing
  • Backup security: Backups encrypted with AES-256; physical media destroyed at end of life
  • Incident response: Documented and tested semi-annually

8. Data Deletion

Lead files (input CSVs and enriched outputs) are automatically deleted 30 days after job completion. Upon account or organisation deletion, all associated data is permanently deleted within 30 days. Backup media containing deleted data is overwritten or destroyed within 30 days.

Billing records are retained for 7 years for legal compliance and are not considered Personal Data under this DPA beyond the minimum required by law.

9. Audit Rights

The Controller may audit Trust Leads' compliance with this DPA no more than once per year, with 30 days' written notice, and at the Controller's cost. Audits must not unreasonably disrupt our operations. Trust Leads may satisfy audit obligations by providing relevant third-party audit reports (ISO 27001, SOC 2) where available.

10. Contact & Execution

To request a countersigned DPA, additional addenda, or to discuss enterprise data processing terms:

Email: legal@trustleads.ai
Subject: DPA Request — [Your Company Name]

By continuing to use the Trust Leads platform, the Customer acknowledges and agrees to the terms of this standard DPA. Enterprise customers requiring additional protections or countersignature should contact us before uploading any Personal Data.