Data Processing Agreement

This DPA applies whenever prospiq processes Personal Data on Customer's behalf as a Processor. Customer is the Controller of that Personal Data and determines the purposes and means of its processing. prospiq processes Personal Data only on Customer's documented instructions, as set out in this DPA, the Terms of Service, and Customer's use of the Services.

Customer warrants that it has a valid lawful basis under applicable Data Protection Laws for instructing prospiq to process Personal Data, and that its instructions to prospiq comply with such laws.

If prospiq believes that an instruction from Customer infringes Data Protection Laws, prospiq will inform Customer without undue delay and may suspend processing the affected data until the issue is resolved.

The subject matter of the processing is the provision of B2B contact-enrichment services to Customer.

Processing continues for the duration of Customer's subscription to the Services and for any retention period described in Section 11 below.

prospiq processes Personal Data to deliver the Services, including: matching name + company inputs to verified work email addresses; finding direct-dial phone numbers; maintaining a search and result history; billing credits accurately; and providing customer support. Aggregated and anonymised data may also be used to improve the accuracy of prospiq's verification systems.

Categories of Personal Data typically processed include: business email addresses, full names, job titles, employer names, work phone numbers, professional social-media identifiers, and Customer-uploaded prospect lists.

Data Subjects typically include the business contacts whom Customer is researching for sales, recruiting, or business-development purposes.

prospiq processes Personal Data only as necessary to provide the Services and in accordance with Customer's documented instructions, except where required to do otherwise by applicable law. Customer's use of the Services constitutes its instructions to prospiq.

prospiq does not sell Personal Data, share it with third parties for advertising, or use it to train external artificial-intelligence models.

prospiq ensures that all personnel authorised to process Personal Data are bound by appropriate obligations of confidentiality, whether by contract or by statutory duty.

Access to Personal Data within prospiq is limited to personnel who require it to perform their duties under this DPA. Access by personnel is logged and reviewed.

prospiq implements appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures are described in detail at prospiq.net/security and include, at minimum: TLS 1.3 encryption in transit; AES-256 encryption at rest; database-level row-level security to enforce account isolation; passwordless authentication via OAuth or magic link; daily encrypted backups; and limited, audited internal administrative access.

prospiq reviews and updates its security measures regularly in light of evolving threats, applicable laws, and the state of the art. The current security overview at the URL above is incorporated by reference into this DPA.

Customer authorises prospiq to engage Sub-processors to process Personal Data on Customer's behalf in connection with the Services. prospiq uses Sub-processors for cloud database hosting, application hosting, transactional email delivery, contact-data verification, phone-number lookup, customer support communications, and AI-assisted features when used.

prospiq carefully selects Sub-processors and ensures, by way of written agreement, that each Sub-processor is bound by data-protection obligations no less protective than those set out in this DPA.

prospiq will notify Customer at least 30 days before adding or replacing any Sub-processor in a way that materially affects the processing of Personal Data. Notice will be given by email to the address associated with Customer's account.

If Customer reasonably objects to a new or replacement Sub-processor on data-protection grounds, Customer may terminate its subscription without penalty by giving written notice within 30 days of prospiq's notification, and prospiq will refund any prepaid fees covering the unused portion of the subscription.

A current list of categories of Sub-processors and the services they perform is available to Customer upon request, subject to confidentiality obligations.

prospiq stores Personal Data primarily in the United States. To the extent that providing the Services involves transfers of Personal Data to other jurisdictions (for example, when Customer accesses prospiq from a different country, or when a Sub-processor is located elsewhere), such transfers are made on the basis of recognised legal mechanisms, including the European Commission's Standard Contractual Clauses (where the transfer is from the EEA) and equivalent safeguards under applicable law.

Where required, prospiq will, on request, provide Customer with the relevant transfer mechanisms in place between prospiq and its Sub-processors.

prospiq will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as is possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

If prospiq receives a request directly from a Data Subject relating to Personal Data processed on Customer's behalf, prospiq will, where lawful, redirect the Data Subject to Customer or notify Customer so that Customer can respond.

Independently, prospiq operates a public opt-out mechanism at prospiq.net/opt-out through which any Data Subject may request that their contact information be excluded from prospiq's enrichment results.

prospiq will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of any Personal Data breach affecting Customer's Personal Data.

The notification will include, to the extent then known: the nature of the breach; the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed by prospiq to address the breach and mitigate its effects. prospiq will continue to update Customer as further information becomes available.

Notification will be made to the email address on file for Customer's primary account contact, and where appropriate also to any security or compliance contact Customer has designated.

Customer may delete its account and the Personal Data associated with it at any time through the in-product account-deletion flow. Once Customer confirms deletion, prospiq removes Customer's account record and all directly associated Personal Data from its production database immediately, with foreign-key cascade deletion across all dependent records.

On termination of Customer's subscription for any reason, prospiq will, at Customer's choice, return or delete Personal Data processed on Customer's behalf, unless retention is required by applicable law. Where Customer does not communicate a preference within 30 days of termination, prospiq will delete the data.

Encrypted backups containing Personal Data are retained for up to seven days from the time of deletion, after which they are permanently destroyed in the ordinary course of operations.

prospiq retains a one-way cryptographic hash of the email address and remaining credit count of deleted accounts solely for the purpose of preventing abuse of free credit allocations through repeated account creation. The hash cannot be reversed to recover the email address or any other Personal Data.

prospiq makes available to Customer all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.

On reasonable prior written notice, and not more than once per calendar year (except where required by a competent supervisory authority or in response to a Personal Data breach), Customer may request that prospiq complete a reasonable security questionnaire and provide written confirmation of compliance with the obligations under this DPA. prospiq will respond within 30 days.

Where prospiq holds independent third-party audit reports (such as SOC 2) in the future, those reports will be made available to Customer under appropriate confidentiality obligations, in lieu of a bespoke audit.

In the event of any conflict between this DPA and the Terms of Service or any other agreement between the parties, the terms of this DPA prevail in respect of the processing of Personal Data.

prospiq may update this DPA from time to time to reflect changes in law, the Services, or industry practice. Material changes will be notified to Customer by email at least 30 days before they take effect.

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

This DPA is governed by the laws of India. The courts of Pune, Maharashtra have exclusive jurisdiction over any dispute arising from or in connection with this DPA, unless applicable Data Protection Laws require otherwise.