Data Processing Addendum

Last updated: 23 May 2026

This Data Processing Addendum ("DPA") supplements the LocalLeads Terms of Service (the "Agreement") between the customer ("Customer") and EtherLabZ IT Solutions Private Limited, operator of LocalLeads ("LocalLeads"). It applies to the extent that, in providing the Service, LocalLeads processes personal data on behalf of Customer ("Customer Personal Data").

Capitalised terms not defined here have the meaning given in the Agreement, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), or India's Digital Personal Data Protection Act 2023 ("DPDP Act"), as applicable.

1. Roles

  • Customer Personal Data (Service operation): for personal data that Customer submits into the Service (e.g. team-member emails, saved searches, suppression lists), Customer is the controller / data fiduciary and LocalLeads is the processor / data processor.
  • Lead Data (downloaded by Customer): once Customer retrieves or exports lead data from the Service, Customer becomes an independent controller of that personal data for the purposes of Customer's outreach, sales and marketing activities. LocalLeads does not act as Customer's processor for those downstream activities; the parties act as separate controllers.
  • CCPA: for the purposes of the CCPA, LocalLeads acts as a "service provider" with respect to Customer Personal Data and will not sell or share that data, nor use it outside the business purposes described in the Agreement.

2. Processing details

  • Subject matter: provision of the LocalLeads service to Customer.
  • Duration: for the term of the Agreement and for the additional retention periods described in the Privacy Policy.
  • Nature and purpose: hosting, indexing, retrieving, exporting and otherwise processing Customer Personal Data to provide search, enrichment, export, API and AI-agent features.
  • Categories of data: account profile, billing identifiers, usage logs, customer-uploaded suppression lists, customer-submitted prompts and configurations.
  • Categories of data subjects: Customer's personnel and authorised users.

3. LocalLeads obligations

We will:

  • Process Customer Personal Data only on documented instructions from Customer, including the instructions contained in the Agreement and the Service's configuration. We will inform Customer if we believe an instruction violates applicable data-protection law.
  • Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational security measures consistent with Annex A below.
  • Engage sub-processors only as set out in Section 5 below.
  • Provide reasonable assistance to Customer in responding to data-subject requests, in performing data-protection impact assessments, and in consulting with supervisory authorities, taking into account the nature of the processing.
  • Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Customer Personal Data.
  • On termination of the Agreement, delete or return Customer Personal Data, subject to the retention periods described in the Privacy Policy and to mandatory legal-retention obligations.

4. Customer obligations

Customer shall:

  • Have a valid lawful basis for the personal data Customer submits to LocalLeads, and for any downstream processing Customer performs using lead data downloaded from the Service.
  • Provide all required notices to data subjects (including GDPR Articles 13 and 14, and equivalents under UK GDPR and DPDP Act) for downstream processing as controller.
  • Honour data-subject rights (access, correction, deletion, objection, opt-out) with respect to data Customer downloads and processes.
  • Comply with applicable anti-spam, anti-telemarketing, do-not-call, consumer-protection and sectoral laws when conducting outreach using lead data, as more fully described in Section 6 of the Terms of Service.
  • Maintain records of processing where required by law.

5. Sub-processing

Customer provides general authorisation for LocalLeads to engage the sub-processors listed at /subprocessors and to add or replace sub-processors from time to time. We will update that page and, for material additions, will use commercially reasonable efforts to notify Customer by email at least 15 days in advance. Customer may object to a new sub-processor in writing within that period on reasonable data-protection grounds; if the parties cannot agree on a solution, Customer may terminate the affected portion of the Agreement, pro-rated.

We impose data-protection obligations on our sub-processors that are substantially the same as those in this DPA.

6. International data transfers

Where LocalLeads transfers Customer Personal Data originating in the EEA, UK or Switzerland to a country that has not received an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2 controller-to-processor) and, for UK transfers, the UK International Data Transfer Addendum. The parties agree that the applicable SCCs and Addendum are incorporated into this DPA by reference; LocalLeads acts as data importer and Customer as data exporter. Annex I (parties, data, transfer mechanism), Annex II (security measures, see Annex A below) and Annex III (sub-processors, see Section 5) are completed by reference to this DPA and the Privacy Policy.

7. Audits

LocalLeads will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. On Customer's request and with reasonable advance notice, no more than once per year (except after a personal-data breach), Customer may audit LocalLeads' compliance by means of a written questionnaire or, if necessary, a remote audit by an independent third-party auditor, subject to confidentiality and to LocalLeads' reasonable rules of conduct. Audit costs are borne by Customer unless a material non-compliance is identified.

8. Liability and order of precedence

Each party's liability under or in connection with this DPA is subject to, and counts towards, the limitations of liability in the Agreement. In the event of conflict between this DPA, the SCCs / UK Addendum, and the Agreement: the SCCs / UK Addendum prevail with respect to international transfers; this DPA prevails with respect to processing of personal data; the Agreement governs everything else.

Annex A — Technical and organisational security measures

  • Encryption: TLS 1.2+ in transit; encryption at rest for databases and backups.
  • Access control: role-based access; principle of least privilege; mandatory MFA for production access; quarterly access reviews.
  • Authentication: modern memory-hard password hashing; short-lived bearer tokens with refresh rotation; optional single-sign-on with a third-party provider.
  • Network security: WAF, DDoS mitigation and rate limiting at the edge; private network for inter-service traffic; secrets stored in a managed secret store, not in code.
  • Logging and monitoring: application and infrastructure logs forwarded to a monitoring system with anomaly detection; access logs retained for a minimum of 90 days.
  • Backups: automated encrypted backups with off-site copies; documented restore procedure and periodic restore tests.
  • Vulnerability management: dependency scanning; periodic third-party security review before each major release.
  • Personnel: confidentiality obligations; security training; background checks where lawful.
  • Incident response: documented incident-response procedure; 72-hour breach notification to Customer; post-incident review.
  • Vendor management: due diligence before engagement; written sub-processor agreements; periodic re-review.

Signing this DPA

For most customers, acceptance of the Terms of Service constitutes acceptance of this DPA. Enterprise customers who require a counter-signed paper or electronic DPA can request one from legal@postorbit.io.