1. Roles of the Parties
The Customer acts as Data Controller and Prospct.io acts as Data Processor with respect to personal data uploaded into or generated inside the Customer's workspace. For its own account and business operations, Prospct.io acts as an independent Controller.
2. Nature and Purpose of Processing
Prospct.io processes personal data only to provide, secure and improve the Services in accordance with the Customer's documented instructions, as set out in the main services agreement, the product documentation and configuration options selected by the Customer.
3. Data Subjects and Categories
- Data subjects: the Customer's business contacts, prospects, employees, and end users.
- Categories: business contact details (name, work email, phone, title, employer), enrichment attributes, workspace activity and audit metadata.
4. Subprocessors
The Customer authorizes Prospct.io to engage subprocessors to help deliver the Services. A current list of subprocessors is available on request. Prospct.io remains responsible for its subprocessors' compliance with this DPA and will give the Customer prior notice of any material change.
5. International Transfers
Where personal data is transferred from the EEA, UK or Switzerland to a country not covered by an adequacy decision, the parties rely on the appropriate Standard Contractual Clauses (SCCs) and, where required, additional safeguards. EU or US-only data residency is available for enterprise customers on request.
6. Security Measures
Prospct.io implements and maintains appropriate technical and organizational measures described on our Security page, including encryption in transit and at rest, access controls, monitoring, resilience and secure software development.
7. Data Subject Rights
Prospct.io will provide the Customer with reasonable assistance, taking into account the nature of the processing, to respond to data subject requests to exercise their rights under applicable law.
8. Personal Data Breach
Prospct.io will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provide information reasonably required for the Customer to meet its own notification obligations.
9. Return and Deletion
Upon termination of the Services, Prospct.io will delete or return personal data in accordance with the Customer's instructions, subject to any retention required by applicable law.
10. Audits
Prospct.io will make available to the Customer information necessary to demonstrate compliance with this DPA, and allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality and scheduling requirements.
11. Executing the DPA
Customers on an eligible plan may countersign this DPA by emailing privacy@prospct.io with their legal entity name and address.
