Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and supplements the Terms of Service, order form, or other agreement governing Customer’s use of the Services (collectively, the “Agreement”). This DPA applies where Leadline processes personal data on behalf of Customer as a processor or service provider.

If there is a conflict between this DPA and the Agreement with respect to processing of personal data, this DPA controls to the extent of that conflict. This DPA does not replace any controller obligations Customer may have under applicable Data Protection Laws.

As between the parties, Customer is the controller or business, and Leadline is the processor or service provider, for Customer Data processed through the Services on Customer’s behalf. Customer remains responsible for determining the purposes and lawful basis for processing Customer Data and for providing any notices required by applicable law.

Leadline will process Customer Data only on documented instructions from Customer, including instructions reflected in the Agreement, this DPA, Customer’s in-product configuration, Customer’s API or workflow settings, and other written instructions accepted by Leadline.

Leadline provides software and related services that help customers monitor public buyer-intent signals, score and summarize relevant conversations, manage lead workflows, and draft or automate outreach-related actions where enabled. Processing may include collection, storage, organization, retrieval, analysis, enrichment, routing, export, deletion, and other processing operations required to provide the Services.

Processing will continue for the duration of the Agreement and for any additional period required to complete post-termination deletion, comply with law, resolve disputes, enforce contractual obligations, or maintain limited backup and security records consistent with Leadline’s retention policies.

Depending on Customer’s use of the Services, data subjects may include Customer’s personnel, workspace users, billing contacts, support contacts, and natural persons whose public Reddit content is identified, summarized, or routed through Customer workflows.

If Customer connects Reddit accounts or uses outreach automation features, data subjects may additionally include the operators of connected Customer accounts, recipients of replies or messages initiated at Customer’s direction, and third parties who interact with that connected account through Reddit.

Customer Data may include contact details, user identifiers, billing information, workspace settings, Reddit usernames, public post or comment content, inbox message content, generated summaries, fit scores, reply drafts, and related operational metadata such as timestamps, URLs, subreddit references, device/browser information, and audit logs.

Customer agrees not to use the Services to intentionally submit or process special categories of personal data or other highly sensitive data unless expressly authorized in writing by Leadline and supported by appropriate safeguards.

Customer instructs Leadline to process Customer Data to provide, secure, support, and improve the Services; to authenticate users; to monitor public Reddit content selected by Customer; to process connected Reddit account data when such connection is enabled; to generate summaries, routing outputs, and reply drafts; and to perform other processing reasonably necessary to deliver the Services under the Agreement.

Customer is responsible for: (a) ensuring it has all necessary rights and legal bases to provide Customer Data to Leadline; (b) configuring the Services in compliance with applicable law and platform rules; (c) determining whether and when outreach or automation should be used; and (d) reviewing generated outputs where review is necessary for compliance, accuracy, or suitability.

Leadline will ensure that persons authorized to process Customer Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and will limit access to Customer Data to personnel and contractors who need such access to provide, secure, support, or improve the Services.

Leadline will maintain internal access controls designed to reduce unnecessary exposure of Customer Data and will apply least-privilege principles where reasonably practicable.

Taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of processing, and the risks to individuals, Leadline will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Such measures may include encrypted transport, encryption of certain stored secrets or credentials, access controls, authentication safeguards, environment separation, logging and monitoring, vendor access restrictions, and procedures for incident investigation and remediation. Customer acknowledges that no security measure can eliminate all risk.

If Leadline becomes aware of a Security Incident affecting Customer Data, Leadline will notify Customer without undue delay and provide information reasonably available to Leadline regarding the nature of the incident, affected data, likely consequences, and measures taken or proposed to address the incident.

Leadline’s notification of a Security Incident is not an admission of fault or liability. Customer remains responsible for assessing any regulatory or contractual notification obligations that apply to Customer as controller.

Customer authorizes Leadline to engage subprocessors to support delivery of the Services, including providers of cloud hosting, database infrastructure, authentication, analytics, billing, customer communications, AI inference, and other operational tooling reasonably necessary to provide the Services.

Leadline will impose data protection obligations on subprocessors that are no less protective, in all material respects, than the obligations set out in this DPA as applicable to the nature of the services provided. Leadline remains responsible for the acts and omissions of subprocessors to the extent required by applicable law.

To the extent Customer Data is transferred outside the jurisdiction in which Customer is established, Leadline will use a lawful transfer mechanism recognized under applicable Data Protection Laws, which may include the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another approved mechanism.

Where SCCs or a comparable mechanism are required and not otherwise separately executed, the parties intend this DPA and the Agreement to be interpreted and supplemented as necessary to support such lawful transfer framework to the extent permitted by law.

Taking into account the nature of processing, Leadline will provide reasonable assistance to Customer, through appropriate technical and organizational measures where feasible, to enable Customer to respond to requests from data subjects exercising rights under applicable Data Protection Laws.

Leadline will also provide reasonable assistance to Customer with data protection impact assessments, prior consultations, and security-related inquiries where such assistance is legally required and Customer does not otherwise have access to the relevant information.

Upon termination or expiration of the Agreement, and subject to legal retention obligations, Leadline will delete or return Customer Data at Customer’s election where such election is technically feasible and commercially reasonable. If no election is made, Leadline may delete Customer Data in accordance with its standard retention schedule.

Leadline may retain limited Customer Data to comply with law, enforce the Agreement, maintain security records, preserve backup integrity for a reasonable period, and prevent fraud or abuse, provided such retained data remains protected under this DPA for as long as retained.

Leadline will make available to Customer information reasonably necessary to demonstrate Leadline’s compliance with this DPA, taking into account the nature of the Services and the confidentiality of Leadline’s security and business information.

If applicable Data Protection Laws require an audit, the parties will work together in good faith to agree on a reasonable process, timing, scope, and confidentiality protections for that review. Customer will bear its own costs and any third-party audit costs unless otherwise required by law.

Customer represents and warrants that it will not instruct Leadline to process data in violation of law, platform rules, or third-party rights. Customer is solely responsible for the legality, accuracy, and appropriateness of Customer Data and for the legality of Customer’s outreach, routing, and workflow decisions.

Customer will not use the Services to build unlawful surveillance, discriminate unlawfully against individuals, process data of minors in violation of law, or submit regulated or highly sensitive data for which the Services are not designed.

Except as expressly modified by this DPA, the Agreement remains in full force and effect. Any liability arising out of or relating to this DPA is subject to the liability limitations, exclusions, and procedural terms set out in the Agreement, unless prohibited by applicable law.

This DPA will be governed by the governing law and dispute-resolution provisions in the Agreement, unless applicable Data Protection Laws require otherwise.