Controller (Customer): the legal entity that creates a LeadFlow account and/or accepts this DPA via clickwrap, as identified in the Customer's account registration details (the "Customer").
Processor: KSTUDIO SIA , Reg. No. 40203140189, VAT LV40203140189, Skolas Iela 36, Jurmala, LV-2016, Latvia ("KSTUDIO", "LeadFlow", or "Processor").
Contact: [email protected]
Effective date: the earlier of (i) Customer's first acceptance of this DPA by clickwrap, or (ii) the date of a fully executed written agreement (the "Effective Date").
1. Background
Customer uses the lead generation and enrichment services, including on-demand discovery, enrichment, verification, and export of lead data provided via LeadFlow platform provided by the Processor (the "Services") under the LeadFlow Terms of Service or other written agreement with Processor (the "Agreement"). To the extent Processor Processes Personal Data on behalf of Customer as part of the Services, the parties agree that this DPA will apply.
2. Definitions
- "Applicable Data Protection Law" means the GDPR and any other data protection laws applicable to the Processing under the Agreement.
- "Controller" has the meaning given in the GDPR.
- "Processor" has the meaning given in the GDPR.
- "Personal Data" has the meaning given in the GDPR.
- "Customer Personal Data" means any Personal Data Processed by Processor on behalf of Customer under this DPA, as further described in Annex 1.
- "Process"/"Processing" has the meaning given in the GDPR.
- "Sub-processor" means a Processor engaged by Processor to Process Customer Personal Data.
- "EEA" means the European Economic Area.
- "Personal Data Breach" has the meaning given in the GDPR.
3. Scope and Roles
3.1. Subject matter, duration, nature and purpose of Processing, type of Personal Data and categories of Data Subjects are described in Annex 1.
3.2. Customer is the Controller of Customer Personal Data and Processor acts as Processor on Customer's behalf.
3.3. This DPA does not apply to Personal Data that KSTUDIO processes as an independent Controller (for example, but not limited to account administration, billing, website analytics, and security/anti-fraud). Such Processing is described in KSTUDIO's Privacy Policy.
4. Documented Instructions
4.1. Processor will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by Applicable Data Protection Law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2. The parties agree that Customer's documented instructions include: (i) the Agreement; (ii) Customer's configuration and use of the Services (including the features selected such as lead enrichment, export formats, and integrations); and (iii) any additional written instructions agreed in writing via email to [email protected] (or any other e-mail address notified by Processor). 4.3. The processor will immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Applicable Data Protection Law.
4.4. The Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Controller, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organizational security measures implemented.
5. Confidentiality
5.1. Processor ensures that the employees or subcontractors authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2. Processor will restrict access to Customer Personal Data to employees or subcontractors who need access to perform the Services.
6. Security Measures
6.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, the Processor maintains appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of the Controller's customer Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of the Customer's Personal Data as described in Annex 2 ("TOMs").
6.2. Processor may update the TOMs from time to time, provided that such updates do not materially decrease the overall security of the Services.
7. Sub-processing
7.1. Customer grants Processor a general authorisation to engage Sub-processors to Process Customer Personal Data, subject to the conditions in this Section 7.
7.3. Processor will provide prior notice of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, including by updating the sub-processor page and/or by email notification.
7.4. Customer may object to a new Sub-processor on reasonable grounds related to data protection by notifying Processor within 10 days of the notice. In such an event, the parties will discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may suspend or terminate the affected Services or the Agreement (without prejudice to any fees incurred by the Customer prior to suspension or termination).
7.5. Processor will impose data protection obligations on Sub-processors that are no less protective than those in this DPA, including by written agreement.
8. Assistance with Data Subject Rights
8.1. Taking into account the nature of the Processing, Processor will assist Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights under Applicable Data Protection Law.
8.2. If Processor receives a request from a Data Subject relating to Customer Personal Data, Processor will, to the extent permitted by law, notify Customer without undue delay and will not respond to the request except on Customer's documented instructions.
9. International Data Transfers
9.1. Customer acknowledges that, depending on the configuration of the Services and the Sub-processors used, Customer Personal Data may be transferred outside the EEA.
9.2. Where such transfers occur, Processor will ensure an appropriate transfer mechanism is in place, such as: (i) an adequacy decision; (ii) the EU Standard Contractual Clauses ("SCCs"); and/or (iii) participation in the EU-U.S. Data Privacy Framework where applicable.
9.3. Where SCCs are used, they are incorporated by reference and will apply as between Customer (as data exporter) and the relevant recipient (as data importer), with Processor acting as Customer's agent to facilitate such arrangements where necessary. Copies of relevant transfer safeguards (e.g., SCCs or a confirmation of adequacy/DPF reliance where applicable) will be made available to Customer upon reasonable request.
10. Personal Data Breach Notification
10.1. Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event within 72 hours of such awareness.
10.2. Processor's notification will include, to the extent available: (i) a description of the nature of the Personal Data Breach; (ii) categories and approximate number of Data Subjects and Personal Data records concerned; (iii) likely consequences; and (iv) measures taken or proposed to address the breach.
10.3. Processor will cooperate with Customer and provide reasonable assistance to enable Customer to comply with its breach notification obligations under Applicable Data Protection Law.
10.4. The Processor will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law.
10.5. The Processor agrees that the Customer has the sole right to determine:10.5.1. whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
10.5.2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
11. Return and Deletion
11.1. Upon termination or expiry of the Services, and at Customer's choice, Processor will return or delete Customer Personal Data, unless Applicable Data Protection Law requires storage. Customer may request return or deletion by contacting [email protected]. Processor will complete such return/deletion within 30 days, subject to the retention terms in Annex 1. 11.2. Backups. Customer acknowledges that Customer Personal Data may remain in encrypted backups for a limited period, after which it will be overwritten or deleted in accordance with Processor's backup retention cycle.
12. Audits and Compliance
12.1. Processor will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, in accordance with this Section 12.
12.2. Audits will be: (i) conducted no more than once per 12-month period; (ii) subject to at least 30 days' prior written notice; (iii) limited to the Processing of Customer Personal Data; and (iv) subject to reasonable confidentiality and security requirements.
12.3. Where appropriate, Processor may satisfy audit requests by providing recent third-party audit reports, security summaries, or other documentation instead of permitting an on-site audit.
12.4. Customer will bear the costs of any audit and reimburse Processor's reasonable costs incurred in responding to an audit.
13. Assistance with Compliance
Taking into account the nature of Processing and the information available to Processor, Processor will provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under Articles 32 to 36 GDPR, including security, breach notifications, DPIAs, and prior consultation, to the extent such assistance relates to the Services and Customer Personal Data.
14. Customer's Obligations and Warranties
14.1. Customer warrants that it has a valid legal basis under Article 6(1) of the GDPR and provides the required privacy notices under Article 14 of the GDPR necessary to Process Customer Personal Data and to instruct the Processor to Process Customer Personal Data.
14.2. Customer is solely responsible for: (i) the lawfulness of its outreach, marketing, and communications; (ii) compliance with ePrivacy/telemarketing and anti-spam laws; (iii) managing opt-outs and suppression lists; and (iv) ensuring that any recipients of communications receive required information and opt-out mechanisms.
14.3. Customer warrants that it will not: (i) use the Services for B2C activities; (ii) use or request data for unlawful purposes; (iii) represent KSTUDIO/LeadFlow as the sender of Customer's communications; or (iv) resell or share lead data with third parties except as permitted by the Agreement.
15. Liability
15.1. The parties' liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent liability cannot be limited under Applicable Data Protection Law.
15.2. Nothing in this DPA limits or excludes either party's liability with respect to a Data Subject's rights under Article 82 GDPR or any other liability that cannot lawfully be limited.
16. Indemnification
The Customer agrees to indemnify, keep indemnified and defend at its own expense the Processor against all costs, claims, damages or expenses incurred by the Processor or for which the Processor may become liable due to any failure by the Customer or its employees, subcontractors or agents to comply with any of its obligations under this Data Processing Addendum or the Applicable Data Protection Law.
17. Term and Order of Precedence
17.1. This DPA remains in effect for the duration of Processor's Processing of Customer Personal Data under the Agreement.
17.2. In the event of conflict between this DPA and the Agreement regarding data protection matters, this DPA will prevail. In the event of conflict between Annexes, Annex 1 prevails for scope of Processing, Annex 2 prevails for security measures, and Annex 3 prevails for Sub-processors.
18. Governing Law
Unless otherwise specified in the Agreement, this DPA is governed by the laws of the Republic of Latvia, and the courts of Riga, Latvia will have exclusive jurisdiction.
19. Execution
This DPA may be executed by: (i) a written signature; or (ii) electronic acceptance (clickwrap) by Customer's authorised representative. Where accepted electronically, Processor will record the acceptance timestamp, IP address, user agent, and the version of this DPA.
| For Customer (Controller) | For Processor (KSTUDIO SIA) |
| Customer is the legal entity that creates a LeadFlow account and/or accepts this DPA via clickwrap, as identified in the Customer's account registration details. No wet-ink signature is required for clickwrap acceptance. | KSTUDIO SIA Skolas iela 36 Jurmala, LV-2016, Latvia Reg. No. 40203140189 VAT LV40203140189 |
| Clickwrap evidence is recorded by Processor (including DPA version, timestamp (UTC), IP address, and user agent). If the parties execute an Order Form or a separate signature page, it will form part of this DPA. | Executed electronically. If a qualified e-signature is used, the signature page or Order Form will prevail for signature evidence. |
ANNEX 1: DESCRIPTION OF PROCESSING
A. Subject matter: Provision of LeadFlow lead generation and enrichment services, including on-demand discovery, enrichment, verification, and export of lead data.
B. Duration: For the term of the Agreement and as further described in Section 11 and the retention terms below.
C. Nature of Processing: Collection, organisation, structuring, storage (temporary), consultation, retrieval, use, disclosure by transmission (exports), and deletion.
D. Purpose(s) of Processing: To generate and enrich B2B lead lists on Customer's documented instructions and deliver results to Customer via the platform and/or exports.
E. Categories of Data Subjects: Business professionals and other individuals whose business contact details are included in lead results; Customer's users to the extent included in request metadata.
F. Categories of Personal Data: Lead/contact data may include: first name, last name, job title/position, business email address, business phone number, LinkedIn URL, employer/company name, company website, company size, industry, location/region/country, and verification/enrichment fields (score, rating, notes, employment status).
G. Special categories of data: Not intended to be processed.
H. Retention (Processor side): Processor stores lead results in the Customer account for up to 90 days from completion of a request (or such shorter period as configured in the Services), after which lead records and related exports are deleted or anonymised. Encrypted backups may retain data for up to 60 days as part of the backup cycle.
I. Recipients: Authorised Customer users; and Sub-processors listed in Annex 3 (as applicable).
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)
Processor maintains a security program designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. The TOMs include, as appropriate:
- Access controls: role-based access control (RBAC), least privilege, and segregation of duties.
- Authentication security: multi-factor authentication (MFA) for administrative access where available; strong password policies for internal systems.
- Tenant isolation: logical separation of Customer data (e.g., database row-level security / RLS) to prevent cross-tenant access.
- Encryption in transit: TLS 1.2+ for communications between browsers, APIs, and services.
- Encryption at rest: encryption for stored data where supported by infrastructure providers (e.g., managed database encryption).
- Logging and monitoring: audit logging for administrative actions and system events; monitoring for abnormal access patterns.
- Secure development: change control, code review, and separation of environments where feasible; secrets managed via server-side environment variables.
- Vulnerability management: periodic dependency updates and remediation of high-risk vulnerabilities; security testing as appropriate for the organisation's size.
- Backups and availability: regular backups and disaster recovery procedures; access to backups restricted.
- Incident response: documented incident response process with escalation paths; breach notification workflow.
- Data minimisation: only the data needed to fulfil Customer requests is processed; lead data is not reused for other customers.
- Export controls: export links (e.g., Google Sheets/PDF) are generated per request and access is restricted to authorised users.
- Webhook security: webhook endpoints protected by authentication tokens and server-side validation.
- Bot protection: reCAPTCHA (or equivalent) for signup/login and abuse prevention where configured.
ANNEX 3: APPROVED SUB-PROCESSORS
The following Sub-processors may be used to provide the Services. Some Sub-processors are optional and only apply if the corresponding feature is enabled. Certain service providers may process personal data outside the scope of this DPA where Processor acts as an independent controller (e.g., billing and transactional email providers); such processing is described in Processor's Privacy Policy.
| Sub-processor | Service / Purpose | Processing location | Transfer mechanism (if outside EEA) | Optional? |
|---|
| Supabase | Database, Auth, managed Postgres (platform data and lead results storage) | See https://leadflow.lv/subprocessors for current region / data center. | SCCs and/or DPF (if applicable) | No |
| Apollo | Contact enrichment via API | USA / Global | SCCs and/or DPF (if applicable) | No |
| Apify | Website/LinkedIn enrichment workflows | EU / Global | SCCs (if outside EEA) | Optional (enrichment) |
| MillionVerifier | Email verification | EU (Hungary, Sweden) | N/A (EEA) | Optional (verification) |
| Google (Sheets/Drive) | Export delivery (Google Sheets) and file storage for exports | Global (may include USA) | SCCs and/or DPF (if applicable) | Optional (export) |