Data Processing Agreement

Version 17 April 2026 · Pursuant to Art. 28 GDPR · Integral part of the Terms & Conditions

This Data Processing Agreement (“Agreement”) is entered into between the customer (“Controller”) and Triad B.V., trading under the name LeadGrid.io (“Processor”), with its registered office at Parallel Boulevard 17 A, 2202 HK Noordwijk, the Netherlands, registered with the Netherlands Chamber of Commerce under number 42034623. It is deemed agreed when Controller takes out a Subscription to the Service.

1. Definitions

Terms used in this Agreement have the meaning given in the GDPR. In addition, the definitions of the Terms & Conditions apply. In case of conflict, this Agreement prevails in respect of the processing of personal data.

2. Subject, nature and purpose

Processor processes personal data exclusively on the instructions and for the account of Controller, in the context of providing the LeadGrid.io Service: recruitment and sales pipeline management, tracking of candidates and leads, AI-assisted CV summaries, rejection-email drafts, contact extraction, inbound and outbound email, and integrations via the public REST API.

Categories of data subjects and personal data are described in Annex 1.

3. Duration

This Agreement takes effect when the Subscription is concluded and runs for as long as Processor processes personal data for Controller. After termination, the provisions on confidentiality, liability and governing law remain in force to the extent necessary.

4. Instructions

Processor processes personal data only on the written instructions of Controller. The Terms & Conditions, this Agreement and Controller’s configuration of the Service constitute such instructions. Processor will inform Controller without delay if, in its opinion, an instruction infringes the GDPR or other data-protection legislation.

5. Confidentiality

Processor ensures that all persons processing personal data under its authority are bound by an obligation of confidentiality, either by statute or by contract.

6. Security measures

Processor implements appropriate technical and organisational measures to secure personal data against loss, unauthorised access and other unlawful processing, as described in Annex 2. Processor reviews these measures periodically and updates them where appropriate, taking into account the state of the art and the risk to data subjects.

7. Sub-processors

Controller grants Processor general authorisation to engage the sub-processors listed in Annex 3. Processor imposes on each sub-processor, by written agreement, the same obligations as arise from this Agreement, to the extent applicable.

Processor will inform Controller in advance of intended changes to the sub-processor list (additions or replacements). Controller may object, with reasons, within thirty (30) days of notification. If the parties cannot reach a solution, Controller may terminate the Subscription as of the effective date of the change.

8. Data-subject rights

Processor assists Controller by appropriate technical and organisational measures, insofar as reasonably possible, to fulfil Controller’s obligation to respond to requests from data subjects (access, rectification, erasure, restriction, portability and objection). Processor forwards any requests it receives directly to Controller.

9. Personal-data breaches

Processor notifies Controller without undue delay, and in any event within 48 hours of discovery, of any personal-data breach. Processor provides all information reasonably available that Controller needs to fulfil its own legal notification and documentation obligations, including:

  • the nature of the breach and the categories of data involved
  • the (estimated) scale and possible consequences
  • the measures already taken and proposed
  • contact details for further information

Processor will not notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or data subjects on behalf of Controller unless expressly instructed to do so.

10. Assistance with DPIAs and prior consultation

Processor assists Controller, upon reasonable request, with any data-protection impact assessment (DPIA) and any subsequent prior consultation of the supervisory authority, taking into account the nature of the processing and the information available to Processor.

11. Return and deletion of data

After termination of the Subscription, Processor allows Controller a period of 30 days to export personal data (via the REST API or dashboard). Thereafter, Processor deletes all personal data, unless storage is legally required (e.g. tax retention obligations for billing records). Processor confirms deletion in writing on request.

12. Audit

Processor makes available to Controller, upon request, all information necessary to demonstrate compliance with this Agreement. Controller may, once per year — or more often in case of a reasonable suspicion of non-compliance — conduct (or have conducted) an audit. The audit takes place on business days, during office hours, after timely announcement, and in a manner that does not unreasonably disrupt the Service. The costs of the audit are borne by Controller, unless material deficiencies are established.

Processor may instead provide a recent independent audit report or an ISO 27001 / SOC 2 attestation from its (sub-)processors, which Controller will generally accept.

13. International transfers

Where processing takes place outside the European Economic Area, it is based on appropriate safeguards as referred to in Art. 46 GDPR, including the European Commission’s Standard Contractual Clauses (2021/914) or the EU–US Data Privacy Framework, supplemented by additional technical measures where appropriate.

14. Liability

The liability of the parties under this Agreement is governed by the liability clause of the Terms & Conditions. Each party is liable under Art. 82 GDPR towards data subjects for damage caused by that party’s failure to comply with its GDPR obligations.

15. Miscellaneous

In case of conflict between this Agreement and other documents between the parties, this Agreement prevails in respect of the processing of personal data. Changes are valid if announced through the Service or by email, subject to a reasonable period to object or terminate the Subscription. This Agreement is governed by Dutch law; disputes are submitted to the District Court of The Hague (Rechtbank Den Haag).

Annex 1 — Data and categories of data subjects

Categories of data subjects

Categories of personal data

Nature of processing

Collection, storage, consultation, structuring, modification, combination, transmission (including via AI services for classification and text generation), disclosure to connected systems, and erasure.

Annex 2 — Security measures

Processor has implemented, among others, the following measures:

Annex 3 — Sub-processors

Sub-processor | Processing | Location
Supabase Inc. | Database, authentication, file storage | EU (Ireland)
Vercel Inc. | Application hosting and edge network | EU / US (SCCs)
OpenAI, L.L.C. | AI classification and text generation (no training on customer input) | US (SCCs)
Stripe Payments Europe, Ltd. | Subscription billing and payment processing | EU (Ireland) / US (SCCs)
Resend, Inc. | Outbound transactional email and inbound-email parsing | US (SCCs)