How this DPA works
The text on this page is the canonical DPA. It is automatically incorporated when you accept our Terms of Service — no separate signature required.
This matches the way modern SaaS handles data-processing terms — Stripe, Linear, Vercel, Notion, Resend, and Cal.com all publish their DPAs as click-through web pages rather than downloadable PDFs. Most procurement teams accept the URL as the binding document. If yours specifically requires a counter-signed copy, request one below — we send a DocuSign envelope within two business days.
1. Introduction
This Data Processing Addendum (the “DPA”) supplements the agreement between the customer (“you” or “Controller”) and Leafer Ltd. (“Leafer” or “Processor”) for use of the Leafer service (the “Agreement”). It applies whenever Leafer processes Personal Data on your behalf in the course of providing the Service.
Where you require a counter-signed version of this DPA, email privacy@leafer.io with your company name, signing address, and the signatory’s details. We respond within two business days with a DocuSign envelope. The countersigned DPA carries the same legal effect as if it had been signed in wet ink.
2. Definitions
Capitalised terms used but not defined in this DPA have the meaning given in the Agreement or, where relevant, in the GDPR. The following definitions also apply:
- GDPR. Regulation (EU) 2016/679 (General Data Protection Regulation), as amended, and the equivalent UK regime (UK-GDPR + DPA 2018) where applicable.
- KVKK. Türkiye Kişisel Verilerin Korunması Kanunu (Law No. 6698).
- Personal Data. Any information relating to an identified or identifiable natural person, as that term is defined in Art. 4(1) GDPR.
- Processing. Any operation performed on Personal Data, as defined in Art. 4(2) GDPR.
- Standard Contractual Clauses (SCCs). The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.
- Sub-processor. Any third party engaged by Leafer to process Personal Data on the Controller’s behalf. The current list is maintained at /trust/subprocessors.
3. Roles & scope
For Personal Data processed under this DPA, you act as Controller and Leafer acts as Processor. The Controller determines the purposes and means of the Processing; Leafer Processes the Personal Data only on the Controller’s documented instructions.
The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data and categories of data subjects are set out in Annex 1.
4. Processing on instruction
Leafer shall Process Personal Data only on the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do otherwise by Union or Member State law. In such a case, Leafer shall inform the Controller of that legal requirement before the Processing, unless the law prohibits such information on important grounds of public interest.
The Controller’s use of the Service, including the configuration of campaigns, suppression lists, and country routing through the Service interfaces, constitutes documented instructions for the purposes of this DPA. Additional instructions outside the Service’s normal scope may be agreed in writing.
Leafer shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection provisions.
5. Confidentiality of personnel
Leafer ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to a small named set of engineers, is granted on a need-to-know basis, and is fully logged.
6. Security measures
Leafer implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, those set out in Art. 32 GDPR. A description of these measures is set out in Annex 2.
Leafer reviews and updates the measures regularly. Material changes do not lower the overall level of protection and are reflected in Annex 2.
7. Sub-processors
The Controller gives Leafer a general written authorisation to engage Sub-processors. The current list of Sub-processors is published at /trust/subprocessors and forms Annex 3 of this DPA.
Leafer shall give the Controller at least thirty (30) days’ prior notice of any intended changes concerning the addition or replacement of a Sub-processor, thereby giving the Controller the opportunity to object. Notification is sent by email to the address registered on the Controller’s account and published on the Sub-processors page.
Where the Controller objects, Leafer will work in good faith with the Controller to find a workable alternative. If no alternative is found, the Controller may terminate the Agreement for convenience with a pro-rated refund of any prepaid fees attributable to the unused part of the term.
Leafer enters into a written contract with each Sub-processor that imposes data-protection obligations no less onerous than those set out in this DPA. Leafer remains fully liable to the Controller for the performance of each Sub-processor’s obligations.
8. Data subject rights
Taking into account the nature of the Processing, Leafer assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR — access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
Where a data subject sends a request directly to Leafer, Leafer will forward it to the Controller within five (5) business days and will not respond to the request directly unless the Controller instructs it to.
9. Personal data breach notification
Leafer notifies the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data breach affecting the Controller’s Personal Data. The notification is sent to the security contact registered on the Controller’s account and includes, to the extent known at the time:
- The nature of the breach, including categories and approximate number of data subjects affected;
- The categories and approximate volume of Personal Data records affected;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its adverse effects.
Leafer provides further information as it becomes available. The notification under this clause does not constitute an admission of fault or liability.
10. DPIA & prior consultation
Leafer provides reasonable assistance to the Controller with any data-protection impact assessment, and prior consultations with supervisory authorities, that the Controller is required to carry out under Art. 35 or 36 GDPR, where such assessment relates to the Processing carried out under this DPA. Leafer will respond to such requests within ten (10) business days.
11. International transfers
Personal Data is primarily stored in the European Union (Frankfurt, eu-central-1). Where Personal Data is transferred from the EEA, the UK, or Switzerland to a third country that is not subject to an adequacy decision, the transfer is made pursuant to the Standard Contractual Clauses, which the parties hereby incorporate by reference and enter into.
For the purposes of the SCCs:
- Module Two (Controller-to-Processor) is selected;
- The optional docking clause does not apply;
- Option 1 of Clause 9(a) applies, with the time period set at thirty (30) days;
- The supervisory authority in the Controller’s lead jurisdiction acts as competent supervisory authority for the purposes of Clause 13;
- The Annexes to the SCCs are populated by Annexes 1, 2, and 3 of this DPA.
Where the UK-GDPR applies, the parties enter into the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner’s Office. Where the Swiss FADP applies, the SCCs are adapted in line with the FDPIC’s guidance.
12. Audits & evidence
Leafer makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR. Leafer’s primary evidence comprises:
- The SOC 2 Type I / Type II reports (once issued — current target Q3 2026);
- The annual external penetration test report (under NDA);
- The published Security FAQ at /trust/faq;
- The published Trust Centre at /trust;
- This DPA and the documents it references.
Where the Controller’s regulator requires an on-site audit, Leafer will cooperate in good faith, subject to a mutually agreed protocol that does not compromise the security or confidentiality of other customers. The Controller bears the cost of any on-site audit unless the audit reveals material non-compliance attributable to Leafer.
13. Return & deletion of data
At the choice of the Controller, on termination of the Agreement Leafer shall return all Personal Data to the Controller or delete it, and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
Leafer makes Customer Content available for export through the dashboard for thirty (30) days following termination. After this window, Personal Data is deleted from production systems on a rolling schedule and purged from backups within ninety (90) days. Hashed suppression records and audit-log entries are retained for the statutory periods identified in the Privacy Policy.
14. Liability & termination
Each party’s liability under this DPA is subject to the limitation of liability in the Agreement. Nothing in this DPA or the Agreement limits liability where it cannot lawfully be limited.
This DPA takes effect on the date the Agreement starts and continues until the Agreement ends, after which the obligations relating to return and deletion of data and to confidentiality continue to apply until the relevant Personal Data has been returned or deleted.
15. Order of precedence
If there is any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA prevail with regard to the parties’ data-protection obligations. If there is any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
Annex 1 · Details of processing
A. Subject matter and duration
Subject matter. Processing of Personal Data for the purpose of providing the Leafer Service to the Controller under the Agreement.
Duration. For the term of the Agreement, plus the return / deletion window described in Clause 13.
B. Nature and purpose of processing
Discovery of business prospects from public sources; enrichment of those prospects with verified business contact information; classification of buying-intent signals; drafting of outbound messages; delivery of approved messages on the Controller’s instruction; recording of engagement (sent, opened, clicked, replied, bounced, opted-out) for the Controller’s use; running compliance preflight checks (suppression list, country routing, IYS); maintaining an audit log.
C. Categories of data subjects
- Employees, agents, and contractors of the Controller authorised to use the Service.
- Business contacts at organisations the Controller targets through the Service — typically individuals in commercial, technical, or operational roles.
D. Categories of Personal Data
- Account-related. Name, work email address, organisation name, role, optional avatar, authentication identifiers, IP address, device fingerprint.
- Lead-related. Name and role of prospect at employer; work email address; work LinkedIn / professional-profile identifier; business phone number; company name, industry, headcount, and other firmographic attributes; public posts, comments, reviews where they indicate buying intent; engagement events with messages sent through the Service.
E. Sensitive categories
None. The Service is configured to refuse special-category Personal Data under Art. 9 GDPR. The Controller undertakes not to upload or process such data through the Service.
F. Frequency of transfer
Continuous, for the term of the Agreement.
Annex 2 · Technical and organisational measures
A. Encryption & key management
- TLS 1.2 or higher on every connection.
- AES-256 on backups at rest.
- Field-level encryption on personally identifiable fields using workspace-scoped key material managed by the cloud provider’s KMS.
- Key material rotated annually or on suspected compromise. Day-to-day operations have no access to raw keys.
B. Access control
- Multi-factor authentication enforced on every account.
- Production access restricted to a small named set of engineers, granted on a need-to-know basis, fully logged.
- Customer support never reads workspace data without explicit consent. A break-glass path exists, requires multi-party approval, and is audited.
- Internal access reviews carried out quarterly.
C. Network & infrastructure
- Primary storage in the European Union (Frankfurt, eu-central-1).
- Backups within the same region. No cross-region replication by default.
- DDoS protection at the edge.
- Private networking between application and data layers.
D. Monitoring & logging
- Centralised application + system logs, retained 30 days hot, 1 year cold.
- Personally identifiable fields stripped at intake before reaching the observability layer.
- Anomaly detection on authentication, sending, and admin actions.
- Immutable audit log retained for seven (7) years.
E. Resilience
- Database backups every six hours, encrypted at rest with AES-256, 30-day rolling retention.
- Restorability tested quarterly under a documented procedure.
- Target RTO 4 hours, target RPO 1 hour. Formal figures published under NDA once SOC 2 issues.
F. Personnel
- Confidentiality obligations in employment contracts.
- Annual security training for engineering and customer-facing staff.
- Background checks for personnel with production access where lawful.
G. Vendor management
- Written DPA with every Sub-processor.
- Sub-processor security posture reviewed before engagement and re-reviewed annually.
- Public Sub-processor list with thirty-day change notice.
H. Incident response
- 72-hour breach-notification commitment.
- Documented incident-response runbook exercised quarterly.
- Public security disclosure address: security@leafer.io.
Annex 3 · Sub-processors
The current list of Sub-processors authorised under this DPA is maintained at /trust/subprocessors. The list shows, for each Sub-processor:
- The vendor name;
- The category of Processing carried out;
- The location of Processing;
- A link to the vendor’s own Data Processing Addendum.
Changes are notified to the Controller’s registered email at least thirty (30) days in advance, in accordance with Clause 7.
