Data Processing Agreement
Last updated: November 30, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Prospexly Inc. ("Prospexly," "Processor," "we," or "us") and the customer agreeing to these terms ("Customer," "Controller," or "you").
This DPA sets forth the parties' obligations with respect to the processing of personal data in connection with the Services, as required by applicable data protection laws including the EU General Data Protection Regulation (GDPR), UK GDPR, and California Consumer Privacy Act (CCPA).
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Prospexly to process Personal Data on behalf of the Customer.
- "Customer Data" means Personal Data that Customer uploads or inputs into the Services.
- "Data Protection Laws" means applicable laws relating to data protection and privacy, including GDPR, UK GDPR, and CCPA.
3. Scope and Roles
3.1 Roles
For the purposes of this DPA, Customer acts as the Controller (or Business under CCPA) and Prospexly acts as the Processor (or Service Provider under CCPA) with respect to Customer Data.
3.2 Scope of Processing
Prospexly will process Customer Data only as necessary to provide the Services and as further instructed by Customer, subject to the terms of this DPA.
4. Customer Obligations
Customer agrees to:
- Ensure that it has a lawful basis for processing Personal Data through the Services
- Provide any required notices and obtain any necessary consents from Data Subjects
- Ensure Customer Data does not violate applicable laws or third-party rights
- Maintain appropriate security measures for Customer's systems and accounts
- Respond to Data Subject requests and inform Prospexly of any requests or complaints
5. Prospexly Obligations
Prospexly agrees to:
5.1 Processing Instructions
- Process Customer Data only on documented instructions from Customer
- Not process Customer Data for any purpose other than providing the Services
- Inform Customer if Prospexly believes an instruction violates Data Protection Laws
5.2 Confidentiality
- Ensure personnel authorized to process Customer Data are bound by confidentiality obligations
- Limit access to Customer Data to personnel who need access to perform the Services
5.3 Security
- Implement appropriate technical and organizational measures to protect Customer Data
- Maintain measures including encryption, access controls, and regular security testing
- Ensure the ongoing confidentiality, integrity, availability, and resilience of systems
5.4 Sub-processors
- Not engage Sub-processors without Customer's prior authorization
- Maintain a list of current Sub-processors (available upon request)
- Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
- Remain liable for Sub-processors' compliance with this DPA
5.5 Assistance
- Assist Customer in responding to Data Subject requests (access, rectification, erasure, etc.)
- Assist Customer with data protection impact assessments where required
- Assist Customer with demonstrating compliance with Data Protection Laws
6. Data Subject Rights
Prospexly will assist Customer in fulfilling its obligations to respond to Data Subject requests, including requests to:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase Personal Data ("right to be forgotten")
- Restrict processing of Personal Data
- Port their Personal Data to another service
- Object to processing of their Personal Data
Customer is responsible for responding to Data Subject requests. Prospexly will promptly notify Customer of any requests received directly from Data Subjects.
7. Security Incidents
7.1 Notification
Prospexly will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a security incident affecting Customer Data.
7.2 Incident Information
Notification will include, to the extent available:
- Description of the nature of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the incident
- Measures taken or proposed to address the incident
7.3 Cooperation
Prospexly will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any security incident.
8. International Transfers
Customer Data may be transferred to and processed in countries outside of the European Economic Area (EEA), United Kingdom, or Switzerland. Prospexly will ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement or UK Addendum to SCCs
- Other legally approved transfer mechanisms as applicable
9. Audits
Upon Customer's written request (no more than once per year), Prospexly will make available information necessary to demonstrate compliance with this DPA. This may include:
- Copies of relevant certifications (e.g., SOC 2 reports)
- Results of third-party security audits or assessments
- Responses to security questionnaires
Customer may request an on-site audit with reasonable advance notice, provided that such audit does not interfere with Prospexly's operations and Customer bears the costs of the audit.
10. Data Retention and Deletion
Upon termination of the Services or upon Customer's request, Prospexly will:
- Delete or return all Customer Data within 30 days, at Customer's choice
- Delete existing copies unless retention is required by applicable law
- Provide written certification of deletion upon request
Prospexly may retain Customer Data where required by law, provided that such retention is subject to the confidentiality and security obligations of this DPA.
11. CCPA Specific Terms
To the extent the California Consumer Privacy Act (CCPA) applies:
- Prospexly is a "Service Provider" as defined by the CCPA
- Prospexly will not sell Customer Data
- Prospexly will not retain, use, or disclose Customer Data except as necessary to perform the Services
- Prospexly will not combine Customer Data with data from other sources except as permitted by the CCPA
- Prospexly certifies it understands and will comply with these CCPA requirements
12. Term and Termination
This DPA will remain in effect for the duration of Customer's use of the Services and will automatically terminate upon termination of the underlying service agreement. Obligations that by their nature should survive termination will survive.
13. Amendments
Prospexly may update this DPA to reflect changes in Data Protection Laws or our processing practices. We will provide reasonable notice of material changes. Continued use of the Services after changes take effect constitutes acceptance of the updated DPA.
14. Contact Information
For questions about this DPA or to exercise data protection rights:
Need a signed copy of this DPA? Contact us at hello@lkmsoftware.com to request a countersigned Data Processing Agreement for your records.