Data Processing Agreement
The GDPR Art. 28 DPA that governs our role as a processor of your customer data.
This DPA template is suitable for most European customers but should be reviewed by legal counsel before signing. For a counter-signed copy, email dpo@leadconneqt.com.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between LeadConneqt, operating the ConneqtOS service ("Processor"), and the Customer ("Controller"). It governs the processing of Personal Data by Processor on behalf of Controller.
1. Definitions
Terms not defined here have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR"). "Personal Data" means personal data that Controller uploads to or generates in ConneqtOS.
2. Subject matter, nature, and purpose of processing
Processor provides a cloud-based work management service. Processing consists of hosting, storing, transmitting, and making available to authorized users the Personal Data the Controller uploads, for the purpose of operating the service Controller has contracted for.
3. Duration of processing
Processing continues for as long as Controller maintains an active account, plus up to 30 days after account termination to allow for reactivation and data export. Some data is retained longer where required by law (see the retention schedule in our Privacy Policy).
4. Categories of data subjects and personal data
- Data subjects: Controller's employees, customers, prospects, or other contacts whose data Controller uploads.
- Data types: Names, emails, phone numbers, addresses, notes/comments, files uploaded, any other data Controller chooses to upload as column values.
Controller is responsible for not uploading special categories of data (health, biometric, political views, etc.) unless Controller has a lawful basis and has informed Processor.
5. Controller's obligations
- Ensure Controller has a lawful basis for processing and any onward transfer to Processor
- Only upload data Controller is authorized to process
- Respond to data subject requests about their own data (Processor will assist where possible)
- Inform data subjects about Processor's role per Articles 13/14
6. Processor's obligations
- Process Personal Data only on documented instructions from Controller (the Terms + this DPA)
- Ensure persons authorized to process have committed to confidentiality
- Implement appropriate technical and organizational security measures (Article 32); see our Security page
- Assist Controller with data subject rights requests (Arts. 15–22)
- Assist Controller with notifications under Arts. 33 & 34 (data breach)
- Make available to Controller all information necessary to demonstrate compliance with Art. 28
- Allow and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller (with reasonable notice, typically 30 days)
7. Subprocessors
Processor engages third-party subprocessors to help deliver the Service. The current list is published at conneqtcrm.com/subprocessors. Controller gives general authorization for Processor to use these subprocessors.
Processor will give Controller at least 14 days' notice (via email to account owners + notice on subprocessors page) before adding or replacing subprocessors. If Controller has a reasonable objection, Controller may terminate the Service with a pro-rata refund of any prepaid unused period.
Processor imposes on each subprocessor the same data protection obligations that apply to Processor under this DPA.
8. Data breach notification
In case of a Personal Data Breach, Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware. The notification will describe: the nature of the breach (including categories and approximate number of data subjects / records), likely consequences, and measures taken.
9. Data subject requests
Processor will, to the extent technically possible, assist Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection). In many cases Controller can self-serve via the in-app tools (Profile → Privacy & Data).
10. International transfers
Where Processor transfers Personal Data outside the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, transfers are governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and/or the UK International Data Transfer Addendum, incorporated by reference here.
11. Return or deletion after end of services
At the end of provision of services, Processor will, at Controller's choice, delete or return all Personal Data. Controller can export all data at any time via the in-app export tool.
12. Technical and organizational measures (Art. 32)
Summary (full details on our Security page):
- Encryption in transit (TLS 1.2+) and at rest
- Multi-tenant isolation with org-scoped queries
- Password and API key hashing with bcrypt
- Access controls, role-based permissions
- Daily automated backups, 30-day retention
- Audit logging
- Rate limiting, WAF protection via Cloudflare
- Annual security review + dependency patching
13. Signing this DPA
By using the Service with an active subscription, you and Processor are deemed to have signed this DPA. For a counter-signed PDF copy, email dpo@leadconneqt.com.