Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the agreement between CapLeads (“CapLeads”, “we”, “us”) and the customer (“Customer”, “you”) and governs the processing of personal data in connection with CapLeads’ services.

This DPA is designed to support compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA), where applicable.

1. Roles of the Parties

For the purposes of applicable data protection laws:

• Customer acts as the Data Controller, determining the purposes and means of processing any data provided or used.

• CapLeads acts as the Data Processor, processing data solely on documented instructions from the Customer.

CapLeads does not determine how Customer data is used once delivered.

2. Scope of Data Processing

CapLeads processes business-to-business (B2B) contact data only, which may include:

• Professional names

• Business email addresses

• Job titles

• Company names

• Publicly listed business contact details

CapLeads does not process:

• Sensitive personal data

• Consumer marketing data

• Private or confidential personal information

All data is sourced from publicly available business sources.

3. Purpose of Processing

CapLeads processes data solely for the purpose of:

• Aggregating, organizing, and formatting publicly available B2B data

• Delivering datasets requested by the Customer

• Supporting Customer-initiated testing, analysis, or outreach workflows

CapLeads does not use Customer data for its own marketing or independent purposes.

4. Lawful Basis

CapLeads processes B2B contact data under the lawful basis of legitimate interest, as permitted under applicable data protection regulations.

Customers are responsible for ensuring that their own use of the data complies with all relevant laws in their jurisdiction.

5. Data Security Measures

CapLeads implements reasonable technical and organizational measures designed to protect data against unauthorized access, disclosure, alteration, or loss.

While CapLeads takes data security seriously, no method of transmission or storage is guaranteed to be 100% secure.

6. Sub-processors

CapLeads may engage trusted third-party service providers (such as hosting or payment processors) strictly for business operations.

Where sub-processors are used:

• They are bound by confidentiality obligations

• They process data only to the extent necessary to provide their services

7. Data Retention

CapLeads retains processed data only for as long as necessary to:

• Deliver the requested services

• Meet legal, tax, or accounting obligations

• Resolve disputes

Customers are responsible for managing and deleting data within their own systems.

8. Data Subject Rights & Opt-Out

CapLeads supports data subject rights, including requests for access, deletion, or suppression.

Any individual may request removal or suppression of their data by contacting:

admin@capleads.org

CapLeads will honor valid requests promptly.

9. International Data Transfers

CapLeads may process data using globally distributed infrastructure. Where applicable, appropriate safeguards are applied to support cross-border data transfers in accordance with relevant regulations.

10. Liability & Responsibility

CapLeads is not responsible for how Customers use data after delivery.

Customers assume full responsibility for:

• Compliance with applicable laws

• Outreach practices

• Data storage and usage within their own systems

11. Termination

This DPA remains in effect for the duration of CapLeads’ services.

Upon termination, CapLeads will cease processing Customer data except where retention is required by law.

12. Contact

For questions related to this DPA or data processing practices, contact:

Email: admin@capleads.org