⚠ DRAFT — LAWYER REVIEW REQUIRED

This is an AI-generated first draft for internal review only. It is not legal advice and must be reviewed, edited, and approved by qualified counsel before it is relied upon or shown to customers.

Data Processing Addendum

Version 2026-06-16-draft · Last updated June 16, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and [LEGAL ENTITY NAME] (“Processor,” “ApexReach”) and applies where ApexReach processes personal data on the Controller’s behalf. Where the GDPR, UK GDPR, or CCPA/CPRA applies, this DPA governs that processing.

1. Roles & scope

The Controller determines the purposes and means of processing; ApexReach processes personal data only as a processor, on documented instructions from the Controller, including for the lead data the Controller obtains and sends through the Service.

2. Subject matter, duration, nature & purpose

  • Subject matter: provision of the ApexReach lead-generation and outbound Service.
  • Duration: for the term of the subscription plus any retention/deletion period.
  • Nature & purpose: collection, enrichment, verification, storage, AI-assisted drafting, and transmission of outbound communications.
  • Categories of data subjects: business contacts / decision-makers at target organizations.
  • Categories of personal data: business name, email, phone, address, job title, public social/profile data. [COUNSEL: confirm no special-category data is processed.]

3. Processor obligations

  • Process only on documented Controller instructions.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see §6).
  • Assist the Controller with data-subject requests and with DPIAs and regulator consultations.
  • Notify the Controller without undue delay on becoming aware of a personal-data breach.
  • Delete or return personal data at the end of the engagement, subject to legal retention.
  • Make available information necessary to demonstrate compliance and allow for audits. [COUNSEL: define audit scope/frequency.]

4. Subprocessors

The Controller authorizes ApexReach to engage the subprocessors listed on ApexReach's Subprocessors page. ApexReach imposes data-protection obligations on each subprocessor and remains liable for their performance. [COUNSEL: define change-notification and objection rights.]

5. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on [Standard Contractual Clauses / UK IDTA — COUNSEL to attach as an exhibit].

6. Security measures

ApexReach maintains measures including access controls, encryption in transit, tenant isolation via row-level security, and least-privilege service credentials. [ENG/COUNSEL: enumerate the full TOMs as Annex II.]

7. CCPA/CPRA

To the extent CCPA/CPRA applies, ApexReach acts as a “service provider,” processes personal information only for the business purposes specified, and does not sell or share it or retain/use it outside the direct business relationship.

8. Liability & execution

Liability under this DPA is subject to the limitations in the Terms. [COUNSEL: add signature/acceptance mechanism and Annexes I–III (details of processing, TOMs, subprocessor list).]