This Data Processing Addendum ("DPA") forms part of the agreement between OutreachOps Inc. ("Datakart," "Processor," "we") and the customer that subscribes to the Services ("Customer," "Controller," "you") (the "Agreement"). It applies where Datakart processes personal data on behalf of Customer in providing the Datakart contact intelligence Services. In the event of a conflict with the Agreement on data protection matters, this DPA prevails.

1. Definitions

"Applicable Data Protection Law" means all laws relating to data protection and privacy applicable to the processing under this DPA, including the EU and UK GDPR and the CCPA/CPRA. "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Law. "Sub-processor" means any third party engaged by Datakart to process Customer Personal Data. "Customer Personal Data" means personal data Customer submits to or generates through the Services and that Datakart processes on Customer’s behalf.

2. Roles and Scope of Processing

Customer acts as the Controller (or as a processor on behalf of its own controllers), and Datakart acts as the Processor, with respect to Customer Personal Data. The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.

This DPA does not apply to personal data that Datakart independently collects from public and third-party sources into its own database. For that data, Datakart acts as an independent controller, and the processing is governed by the Datakart Privacy Policy, not this DPA.

3. Processing Instructions

Datakart processes Customer Personal Data only on Customer’s documented instructions, including the Agreement, this DPA, and Customer’s use of the Services, unless required to act otherwise by law. Datakart will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality

Datakart ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received suitable training on their data protection responsibilities.

5. Security Measures

Datakart implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as described in Annex 2, taking into account the state of the art and the nature of the processing.

6. Sub-processors

Customer provides general authorization for Datakart to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is set out in Annex 3. Datakart imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for its Sub-processors’ performance. Datakart will give Customer notice of any intended addition or replacement of a Sub-processor and a reasonable opportunity to object on reasonable data protection grounds.

7. Assistance to Customer

Taking into account the nature of the processing, Datakart assists Customer through appropriate measures in responding to Data Subject requests, and in meeting Customer’s obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

8. Personal Data Breach

Datakart notifies Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides information reasonably available to it to help Customer meet its own notification obligations.

9. International Transfers

Where processing of Customer Personal Data involves a transfer outside the EEA or the UK, the parties rely on a valid transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference. Processing locations are consistent with those described in the Datakart Privacy Policy and exclude countries subject to applicable sanctions or trade restrictions.

10. Deletion and Return of Data

Upon termination or expiry of the Agreement, Datakart deletes or returns Customer Personal Data at Customer’s choice, and deletes existing copies, unless retention is required by law. Standard processes apply within a reasonable period following termination.

11. Audits

Datakart makes available to Customer information reasonably necessary to demonstrate compliance with this DPA, and allows for and contributes to audits, including inspections, conducted by Customer or an auditor it mandates, on reasonable prior notice, during business hours, and subject to confidentiality obligations.

12. Liability and Term

This DPA takes effect on the effective date above and continues for the term of the Agreement and for as long as Datakart processes Customer Personal Data. Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

13. Governing Law

This DPA is governed by the law and subject to the jurisdiction set out in the Agreement. Where the Agreement is silent, it is governed by the laws of the State of Texas, United States, without regard to conflict of laws principles.

Annex 1 — Details of Processing

Subject matter: provision of the Datakart contact intelligence Services to Customer (search, enrichment, and validation).

Duration: the term of the Agreement and any period during which Datakart processes Customer Personal Data.

Nature and purpose: enrichment, validation, search, storage, and related processing of Customer-submitted data as instructed by Customer through the Services.

Types of personal data: names, business email addresses, business phone numbers, job titles, employer, and professional profile data submitted by Customer.

Categories of data subjects: Customer’s prospects, leads, and business contacts, who are professionals acting in a business capacity.

Annex 2 — Technical and Organizational Measures

Encryption of Customer Personal Data in transit, and at rest where supported;
Role-based access controls, least-privilege access, and authentication for systems handling Customer Personal Data;
Logging, monitoring, and alerting for security-relevant events;
Secure software development practices and change management;
Vendor and Sub-processor security review;
Documented incident response and breach handling procedures;
Physical and environmental security provided by underlying cloud infrastructure providers;
Periodic review of these measures, which may be updated provided protection is not reduced.

Annex 3 — Approved Sub-processors

The following Sub-processors are authorized to process Customer Personal Data. During waterfall enrichment, identifiers that Customer submits, such as a name and company domain, may be transmitted to third-party email and phone enrichment providers, which act as Sub-processors for that processing.

Sub-processors

Akamai Linode
Purpose: Cloud hosting infrastructure for application hosting and related services.
Location: India — Mumbai Expansion region, in-bom-2 / BOM2.

Intercom
Purpose: Email / support platform for customer support, messaging, and support workflows.
Location: United States by default, unless a regional hosting option has been separately enabled.

PostHog
Purpose: Product analytics and event analytics.
Location: United States.

Findymail / Findy
Purpose: Work email enrichment, including finding and verifying B2B work email addresses.
Location: Germany for processing noted in its privacy policy; company public profile lists France.

DropContact
Purpose: Work email enrichment, including finding, verifying, cleaning, deduplicating, and updating B2B contact data.
Location: France.

Forager
Purpose: Mobile / phone enrichment and B2B contact data enrichment.
Location: United States.

Wiza
Purpose: Mobile / phone enrichment and B2B contact enrichment, including emails, phone numbers, job titles, and company information.
Location: United States.