Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement governing Customer's use of the LeadArray.ai Services (the "Agreement") between LeadArray LLC ("LeadArray," "Processor") and the customer entity identified in the Agreement ("Customer," "Controller").
This DPA applies to the extent LeadArray processes Personal Data on behalf of Customer in the course of providing the Services.
1. Definitions
Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
- "Applicable Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, and other U.S. state privacy laws.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by LeadArray on behalf of Customer.
- "Processing" has the meaning given under Applicable Data Protection Laws.
- "Sub-processor" means any third party engaged by LeadArray to process Personal Data on Customer's behalf.
2. Roles of the Parties
2.1 Customer as Controller
Customer is the data controller (or "business" under CCPA/CPRA) and determines the purposes and means of processing Personal Data.
2.2 LeadArray as Processor
LeadArray acts solely as a data processor (or "service provider") and processes Personal Data only on documented instructions from Customer and as necessary to provide the Services.
3. Scope of Processing
3.1 Subject Matter
Processing of lead, contact, and related business data submitted by Customer for lead intelligence, enrichment, scoring, routing, summarization, and delivery.
3.2 Duration
For the term of the Agreement, plus any post-termination retention period defined in LeadArray's Data Retention Policy unless earlier deletion is requested and permitted by law.
3.3 Nature & Purpose of Processing
- Data ingestion (CSV, API, webhook, CRM sync)
- Normalization, deduplication, enrichment, and validation
- AI-assisted scoring, summaries, and routing recommendations
- Delivery of processed data to Customer-designated systems
- Logging, auditing, and platform analytics
3.4 Categories of Data Subjects
- Prospective customers
- Business contacts
- Leads and sales prospects
- Customer's internal users (account data)
3.5 Types of Personal Data
- Name, email address, phone number
- Business contact and firmographic information
- Lead source metadata and identifiers
- IP addresses and usage logs (platform operations)
4. Customer Obligations
Customer represents and warrants that:
- It has a lawful basis to collect and provide Personal Data to LeadArray;
- It has complied with all notice, consent, and disclosure requirements;
- It will not submit data that violates Applicable Data Protection Laws;
- It will not submit Protected Health Information (PHI) unless expressly agreed in writing.
Customer is solely responsible for downstream outreach, consent management, TCPA/CAN-SPAM compliance, and lawful use of processed data.
5. LeadArray Obligations
LeadArray shall:
- Process Personal Data only in accordance with Customer's documented instructions;
- Not sell, rent, or use Personal Data for LeadArray's own marketing purposes;
- Ensure personnel with access to Personal Data are bound by confidentiality obligations;
- Not train public or general AI models using Customer Personal Data.
6. Sub-Processors
6.1 Authorization
Customer grants LeadArray general authorization to engage Sub-processors for infrastructure, enrichment, analytics, AI services, and integrations.
6.2 Obligations
LeadArray will ensure Sub-processors are bound by data protection obligations no less protective than this DPA.
6.3 List & Changes
A current list of Sub-processors may be provided upon request. LeadArray will notify Customers of material changes where required by law.
7. Data Security
LeadArray implements reasonable and appropriate technical and organizational safeguards, including:
- Logical tenant isolation
- Access controls and authentication
- Encryption in transit and at rest (where applicable)
- Monitoring, logging, and audit trails
LeadArray does not guarantee absolute security but will maintain safeguards consistent with industry standards for SaaS platforms.
8. Data Subject Requests
Where legally required, LeadArray will assist Customer in responding to data subject requests (access, deletion, correction), provided that:
- Requests are routed through Customer as Controller; and
- LeadArray is not required to respond directly to data subjects unless required by law.
9. Data Retention & Deletion
Personal Data retention and deletion are governed by LeadArray's Data Retention Policy, incorporated by reference.
Upon termination of the Agreement, LeadArray will delete or anonymize Customer Personal Data in accordance with that policy, subject to legal or contractual retention obligations.
10. International Data Transfers
Personal Data may be processed in the United States and other jurisdictions where LeadArray or its Sub-processors operate.
Where required, LeadArray relies on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.
11. CCPA / CPRA (California)
LeadArray acts as a service provider under CCPA/CPRA and:
- Processes Personal Data solely to provide the Services;
- Does not sell or share Personal Data;
- Does not retain, use, or disclose Personal Data outside the business purpose defined by Customer.
12. Audit Rights
Upon reasonable written request and no more than once annually, LeadArray will provide information reasonably necessary to demonstrate compliance with this DPA.
On-site audits are limited to enterprise customers and subject to confidentiality, security, and scheduling constraints.
13. Liability
This DPA does not expand or modify liability provisions in the Agreement.
All liability arising from this DPA is subject to the limitations of liability set forth in the Agreement.
14. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA governs solely with respect to data protection obligations.
15. Governing Law
This DPA is governed by the same law and venue specified in the Agreement.
Exhibit A — Summary of Processing Details
(Provided for GDPR Article 28 compliance; incorporated above.)
| Subject Matter | Lead intelligence, enrichment, scoring, routing, summarization, and delivery services |
|---|---|
| Duration | Term of the Agreement plus applicable post-termination retention period |
| Nature & Purpose | |
| Categories of Data Subjects | |
| Types of Personal Data | |
16. Restricted Processing Categories
As a data processor acting on behalf of Customer as data controller, LeadArray processes personal data in connection with lead enrichment, scoring, and delivery services. Certain categories of personal data processed or potentially accessible through LeadArray's enrichment pipeline are subject to heightened legal restrictions under applicable law. LeadArray implements the following controls with respect to restricted data categories:
Standard Processing — Excluded Fields
The following data fields are excluded from collection, storage, processing, and delivery for all Customer accounts as a default system-level control: gender, date of birth, marital status, presence of children, number of children, child age range, single parent status, household size, ethnicity, and neighborhood-level demographic percentage fields. These exclusions are enforced at the data parsing layer and are not configurable by Customer.
SpecialDataAccount Processing — Expanded Fields
Customers holding an active SpecialDataAccount designation, having executed a valid Permissible Purpose Certification Agreement, may receive a defined subset of otherwise-restricted fields as specified in the Certification Agreement. Processing of expanded fields under SpecialDataAccount designation is subject to the following restrictions:
- Expanded fields shall be processed and delivered solely for the permissible purpose certified by Customer;
- Expanded fields shall not be included in any processing activity that constitutes or supports a credit decision, insurance underwriting decision, or adverse action as defined under applicable federal law;
- LeadArray shall maintain an audit log of all processing activities involving expanded fields, including the Customer identifier, field identifiers, lead identifiers, processing timestamps, and the Permissible Purpose Certification Agreement reference; and
- The audit log shall be retained for the duration of the Customer's account term plus any applicable statutory retention period.
17. Regulatory Cooperation
In the event that LeadArray receives a regulatory inquiry, subpoena, or enforcement action relating to data processed on behalf of Customer, LeadArray will notify Customer promptly to the extent permitted by applicable law. Customer agrees to cooperate fully with LeadArray in responding to any such inquiry and to provide LeadArray with documentation of Customer's permissible purpose and compliance framework upon request.
18. Governing Compliance Frameworks
The parties acknowledge that data processed under this Agreement may be subject to the following regulatory frameworks, among others, depending on Customer's industry, geography, and use case:
- The Equal Credit Opportunity Act and Regulation B;
- The Fair Housing Act;
- The Fair Credit Reporting Act and Regulation V;
- The Telephone Consumer Protection Act;
- The CAN-SPAM Act;
- The California Consumer Privacy Act and California Privacy Rights Act; and
- Applicable state fair lending, privacy, and consumer protection laws.
Nothing in this Agreement constitutes legal advice to Customer regarding Customer's compliance obligations under any of the foregoing frameworks. Customer is solely responsible for obtaining qualified legal counsel to advise on its compliance obligations.