Data Processing Agreement

Data Processing Agreement (DPA)

Last Updated: January 2025

This Data Processing Agreement (“DPA”) is entered into by and between LeadLegend Ltd, registered at 63-66 Hatton Garden, London, United Kingdom (“Processor”), and you, the client (“Controller”), and is incorporated by reference into any agreements or terms between the parties.

This DPA outlines the terms for the processing of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), EU GDPR, and applicable global data protection laws.

1. Definitions

- “Controller”: The party that determines the purposes and means of processing personal data.

- “Processor”: The party that processes personal data on behalf of the Controller.

- “Personal Data”: Any information relating to an identified or identifiable natural person.

- “Data Subject”: The individual to whom the personal data relates.

- “Processing”: Any operation performed on personal data (e.g., collection, storage, use, erasure).

- “Subprocessor”: Any third party engaged by the Processor to process personal data.

2. Scope

This DPA applies to all processing of personal data carried out by LeadLegend Ltd on behalf of the Controller via the LeadLegend CRM platform.

3. Roles and Responsibilities

- The Controller is responsible for ensuring all data collection and usage is lawful and for obtaining any required consents.

- The Processor acts only on the documented instructions of the Controller.

- The Processor shall:

- Implement appropriate technical and organizational measures for data protection.

- Assist the Controller in responding to data subject rights requests.

- Notify the Controller without undue delay in the event of a personal data breach.

4. Subprocessors

The Processor uses subprocessors solely for infrastructure and platform performance purposes. Current subprocessors include:

- GoHighLevel Inc. (USA)

- LeadConnector LLC (USA)

- Amazon Web Services (AWS) (USA)*

- Google Cloud Platform (GCP) (USA)*

*AWS and GCP are infrastructure providers used by GoHighLevel and LeadConnector and act as indirect subprocessors.

The Controller gives general authorization to the Processor to use these subprocessors. The Processor ensures all subprocessors are bound by data protection terms consistent with this DPA and applicable laws.

5. International Data Transfers

Data may be transferred outside the UK/EU to countries with appropriate safeguards. All transfers are governed by Standard Contractual Clauses (SCCs) or participation in the Data Privacy Framework (DPF).

All subprocessors listed above comply with the EU-U.S. and UK-U.S. Data Privacy Framework and use SCCs for lawful data transfer.

6. Data Subject Rights

Upon Controller’s instruction, Processor shall assist with:

- Right of access

- Right to rectification

- Right to erasure (“right to be forgotten”)

- Right to data portability

- Right to object to processing

Requests may be submitted to: [email protected]

7. Security

The Processor and its subprocessors implement:

- Data encryption at rest (AES-256) and in transit (TLS)

- Role-based access controls

- 24/7 monitoring and logging

- Regular audits and backups

8. Data Retention and Deletion

Personal data is retained only as long as required for service delivery or as instructed by the Controller. Upon termination, the Controller may request:

- Full deletion of data

- Secure export of data

9. Breach Notification

The Processor will notify the Controller without undue delay if a personal data breach occurs, providing details and assisting in mitigation and regulatory obligations.

10. Governing Law

This DPA shall be governed by the laws of England and Wales, with jurisdiction in London, United Kingdom.

11. Contact

LeadLegend Ltd

63-66 Hatton Garden

London, United Kingdom

[email protected]

By using the LeadLegend platform, you agree to the terms outlined in this DPA.