Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between SalesSheet Inc. ("Processor," "we," or "us") and the entity or individual agreeing to the Terms of Service ("Controller," "you," or "Customer"). This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the SalesSheet.ai platform and related services (the "Service").

This DPA is designed to ensure compliance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable Data Protection Laws. By using the Service, the Controller enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its authorized affiliates.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement or in applicable Data Protection Laws.

• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act ("CCPA"), the Swiss Federal Act on Data Protection ("FADP"), and any successor or amending legislation.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Sub-processor" means any third party engaged by the Processor (or by any subsequent Sub-processor) to process Personal Data on behalf of the Controller.
• "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by the Processor.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries, as set out in Commission Implementing Decision (EU) 2021/914, as may be amended or replaced from time to time.
• "Supervisory Authority" means an independent public authority established by an EU or EEA Member State pursuant to Article 51 of the GDPR.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only on behalf of and in accordance with the Controller's documented instructions, as described in this DPA and the Agreement. The purpose of processing is to provide the Service, which includes:

• Storing and managing contact records, company records, and associated relationship data
• Processing email data synced from connected email accounts for display, association, and AI-powered features
• Providing AI-powered analysis including email summarization, contact enrichment, and intelligent suggestions
• Managing sales pipeline data, deal records, and activity logs
• Facilitating communication features including email sending, calling, and voicemail
• Generating analytics, reports, and forecasts based on CRM data
• Providing team collaboration features and shared workspace functionality

The Controller instructs the Processor to process Personal Data to the extent necessary to provide the Service in accordance with the Agreement. The Controller may issue additional documented instructions consistent with the terms of this DPA and the Agreement.

The Processor shall not process Personal Data for any purpose other than those specified in this DPA and the Agreement, unless expressly instructed by the Controller in writing or required by applicable law. If the Processor is required by applicable law to process Personal Data for another purpose, it shall inform the Controller of that legal requirement prior to processing, unless prohibited from doing so by law.

3. Data Processing Details

Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of Data Subjects:

• Controller's customers, prospects, leads, and business contacts stored in the CRM
• Controller's employees, contractors, and team members who use the Service
• Individuals whose information appears in synced emails, imported data, or call records
• Third-party individuals referenced in notes, tasks, or deal records

Types of Personal Data

The types of Personal Data processed may include:

• Contact information: names, email addresses, phone numbers, job titles, company names, and mailing addresses
• Communication data: email content and metadata, call logs, voicemail recordings, and meeting notes
• Business relationship data: deal values, pipeline stages, activity history, tags, and custom field values
• Account data: usernames, authentication credentials (hashed), IP addresses, and usage logs
• Files and attachments: documents, images, and other files uploaded to the Service

Special Categories of Data

The Processor does not intentionally process special categories of Personal Data (as defined in Article 9 of the GDPR) on behalf of the Controller. Special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. The Controller shall not submit special categories of Personal Data to the Service without prior written agreement with the Processor establishing appropriate additional safeguards.

Duration of Processing

Processing shall continue for the duration of the Agreement. Upon termination or expiration of the Agreement, the Processor shall handle Personal Data in accordance with the termination provisions of Section 11 of this DPA.

Legal Basis for Processing

The Controller is responsible for ensuring that there is a valid legal basis under applicable Data Protection Laws for the processing of Personal Data instructed by the Controller. The Processor processes Personal Data on behalf of the Controller as a data processor, and the Controller remains the data controller responsible for determining the purposes and means of processing.

4. Controller's Obligations

The Controller shall:

• Ensure that there is a lawful basis for the processing of Personal Data as required by applicable Data Protection Laws, including obtaining any necessary consents from Data Subjects where required.
• Provide documented instructions for the processing of Personal Data that comply with applicable Data Protection Laws.
• Ensure that the Personal Data provided to the Processor is accurate, relevant, and limited to what is necessary for the purposes of processing.
• Inform the Processor without undue delay of any changes to applicable Data Protection Laws that may affect the Processor's obligations under this DPA.
• Implement appropriate technical and organizational measures to protect Personal Data within its own systems and when transmitting data to the Processor.
• Respond to Data Subject requests in a timely manner, utilizing the tools and assistance provided by the Processor where appropriate.

5. Obligations of the Processor

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing unless the law prohibits such information on important grounds of public interest.
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement and maintain appropriate technical and organizational security measures as described in Section 8 of this DPA.
4. Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller, subject to the provisions of Section 6.
5. Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.
6. Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor, including obligations related to security of processing, notification of Security Incidents, data protection impact assessments, and prior consultation with Supervisory Authorities.
7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
9. Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable Data Protection Laws.

6. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors for the processing of Personal Data, subject to the following conditions:

• The Processor shall maintain a current list of Sub-processors, which is available upon request by contacting andres@salessheets.ai.
• The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object to such changes.
• If the Controller objects to a new Sub-processor on reasonable grounds related to data protection, the parties shall discuss the concern in good faith. If the parties cannot reach a resolution within 30 days, the Controller may terminate the affected Service component without penalty.
• The Processor shall impose data protection obligations on each Sub-processor by way of a written contract that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
• The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

Current categories of Sub-processors include:

• Cloud Infrastructure Providers: For hosting, storage, database services, and computing resources necessary to operate the Service
• AI Model Providers: For processing data through AI-powered features such as email summarization, smart suggestions, and contact enrichment (not applicable to BYOK customers who connect directly to their own AI provider)
• Payment Processors: For secure subscription billing, payment handling, and invoice generation
• Email Delivery Services: For transactional email delivery including account notifications and system alerts
• Communication Providers: For built-in calling, voicemail, and telephony functionality
• Monitoring and Analytics: For infrastructure monitoring, error tracking, performance optimization, and service reliability
• Security Services: For threat detection, vulnerability scanning, and security monitoring

The Controller may request the complete, current list of specific Sub-processors at any time by contacting andres@salessheets.ai. The Processor shall provide such list within five (5) business days of the request.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including:

• Right of access to their Personal Data (Article 15 GDPR)
• Right to rectification of inaccurate data (Article 16 GDPR)
• Right to erasure, also known as the "right to be forgotten" (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object to processing (Article 21 GDPR)
• Rights related to automated decision-making and profiling (Article 22 GDPR)

If the Processor receives a request from a Data Subject directly, it shall promptly notify the Controller within five (5) business days and shall not respond to the request without the Controller's instructions, unless required by law. The Service provides self-service tools that enable the Controller to access, export, correct, and delete Personal Data, which the Controller may use to fulfill Data Subject requests independently.

The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests, taking into account the nature of the processing. Such assistance may include providing technical support for data export, facilitating record deletion, and supplying information about the Personal Data processed. The Processor may charge a reasonable fee for assistance that is manifestly unfounded, excessive, or repetitive.

8. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

• Encryption: AES-256 encryption for data at rest; TLS 1.2 or higher for data in transit
• Access Control: Role-based access controls, multi-factor authentication for internal systems, and strict enforcement of the principle of least privilege
• Network Security: Firewalls, intrusion detection and prevention systems, VPC isolation, and DDoS protection
• Monitoring: Continuous monitoring and logging of access to systems containing Personal Data with automated alerting
• Vulnerability Management: Regular vulnerability scanning, penetration testing by independent third parties, and timely patch management
• Personnel Security: Background checks, confidentiality agreements, and security awareness training for all employees with access to Personal Data
• Business Continuity: Regular encrypted backups, disaster recovery procedures with documented RTO and RPO, and incident response planning
• Data Isolation: Logical separation of customer data within multi-tenant infrastructure with application-level tenant isolation enforcement
• Physical Security: Data center physical security controls managed by our cloud infrastructure providers, including access controls, surveillance, and environmental protections

The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to address evolving security threats and changes in best practices. The Processor shall ensure that security measures provide a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.

For a detailed overview of the Processor's security practices, infrastructure, and controls, please refer to the Security page.

9. Data Breach Notification

The Processor maintains a comprehensive incident response plan and takes all Security Incidents seriously. In the event of a Security Incident involving Personal Data processed under this DPA, the Processor shall:

1. Notify the Controller without undue delay, and in any event within 48 hours after becoming aware of the Security Incident.
2. Provide the Controller with sufficient information to enable the Controller to meet any obligations to report or inform Data Subjects or Supervisory Authorities under Data Protection Laws. This information shall include, to the extent available:
   • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected
   • The likely consequences of the Security Incident
   • The measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects
   • The name and contact details of a point of contact for further information
3. Take immediate steps to contain and remediate the Security Incident and to minimize any harm to Data Subjects.
4. Cooperate with the Controller and provide reasonable assistance in relation to any investigation, mitigation, remediation, or notification obligations related to the Security Incident.
5. Not notify any third party of a Security Incident without first obtaining the Controller's consent, unless required by applicable law.
6. Document the Security Incident, including the facts relating to it, its effects, and the remedial action taken, and make this documentation available to the Controller upon request.

10. International Data Transfers

The Processor may transfer Personal Data outside the European Economic Area ("EEA"), United Kingdom, or Switzerland only where appropriate safeguards are in place:

• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection under Article 45 of the GDPR.
• Standard Contractual Clauses: Where no adequacy decision exists, the parties shall rely on the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference into this DPA. Module Two (Controller to Processor) shall apply.
• Supplementary Measures: Where required by applicable law or guidance from Supervisory Authorities, additional technical, contractual, or organizational safeguards shall be implemented to ensure an essentially equivalent level of protection for Personal Data.
• Transfer Impact Assessment: The Processor shall, upon request, provide the Controller with information necessary to conduct a transfer impact assessment for international transfers.

The Processor shall promptly inform the Controller if, in its opinion, an instruction relating to data transfer infringes applicable Data Protection Laws.

The Processor shall monitor developments in data transfer law and guidance from relevant Supervisory Authorities, and shall inform the Controller if any changes may affect the lawfulness of international data transfers under this DPA. In the event that an existing transfer mechanism is invalidated by a court or regulatory authority, the parties shall cooperate in good faith to implement an alternative lawful transfer mechanism.

11. Term and Termination

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination or expiration of the Agreement, subject to the obligations set forth below regarding data deletion and return.

Upon termination or expiration of the Agreement:

• The Processor shall cease processing Personal Data on behalf of the Controller, except as required by applicable law.
• The Controller may request the return or export of all Personal Data within 30 days of termination. The Service provides data export functionality that the Controller may use during this period.
• After the 30-day period (or upon earlier written instruction from the Controller), the Processor shall securely delete all Personal Data in its possession, including all copies and backups, unless retention is required by applicable law.
• The Processor shall provide written confirmation of data deletion upon the Controller's request.
• Obligations relating to confidentiality, data protection, Security Incident notification, and liability shall survive termination of the Agreement and this DPA.

12. Audit Rights

The Controller has the right to verify the Processor's compliance with this DPA through the following mechanisms. The Processor acknowledges that the Controller's ability to audit the Processor's compliance is an important element of the trust relationship and commits to supporting reasonable audit activities.

• Documentation: The Processor shall make available upon request relevant documentation, certifications (such as SOC 2 Type II reports), and summaries of third-party audit results.
• Questionnaires: The Processor shall respond to reasonable security and compliance questionnaires from the Controller in a timely manner.
• On-Site Audits: The Controller may conduct on-site audits or inspections, or appoint an independent third-party auditor to do so, subject to:
  • Reasonable prior written notice of at least 30 days
  • Audits being conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations
  • The auditor executing a confidentiality agreement acceptable to the Processor before being granted access
  • Audits being limited to once per 12-month period unless a Security Incident has occurred or a Supervisory Authority requires additional audits
  • The scope of the audit being limited to the Processor's compliance with this DPA

The costs of any audit shall be borne by the Controller, except where the audit reveals material non-compliance by the Processor with the terms of this DPA, in which case the Processor shall bear the reasonable costs of the audit. The Processor shall promptly remediate any non-compliance identified during an audit and provide the Controller with evidence of remediation within a mutually agreed timeframe.

12. Cooperation with Supervisory Authorities

The Processor shall cooperate with and assist the Controller in dealings with Supervisory Authorities in connection with the processing of Personal Data under this DPA. If the Processor receives an inquiry or request from a Supervisory Authority relating to Personal Data processed on behalf of the Controller, it shall promptly notify the Controller and shall not respond to the Supervisory Authority without the Controller's prior consent, unless required by applicable law.

13. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments ("DPIAs") and prior consultations with Supervisory Authorities that the Controller reasonably considers to be required under Article 35 or Article 36 of the GDPR, in each case solely in relation to the processing of Personal Data under this DPA. Such assistance shall take into account the nature of the processing and the information available to the Processor.

The Processor's assistance may include:

• Providing information about the Processor's processing activities, technical measures, and organizational safeguards
• Assisting with the assessment of the necessity and proportionality of the processing operations
• Helping to evaluate the risks to the rights and freedoms of Data Subjects
• Supporting the identification of measures to address those risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data

14. Confidentiality

The Processor shall treat all Personal Data as confidential information. The Processor shall not disclose Personal Data to any third party except as expressly permitted under this DPA, the Agreement, or as required by applicable law. The Processor shall ensure that all personnel who have access to Personal Data are subject to appropriate obligations of confidentiality, whether by contract or by statute.

The obligations of confidentiality set forth in this section shall survive the termination of this DPA and the Agreement. The Processor shall maintain the confidentiality of Personal Data for as long as it remains in the Processor's possession, including during the data deletion period following termination.

15. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law. Each party shall be liable for damages caused by its processing of Personal Data in violation of this DPA or applicable Data Protection Laws.

The Processor shall indemnify the Controller for any losses, damages, or expenses arising directly from the Processor's breach of this DPA or its obligations under applicable Data Protection Laws. The Controller shall indemnify the Processor for any losses, damages, or expenses arising directly from the Controller's instructions that infringe applicable Data Protection Laws, provided the Processor has informed the Controller of such infringement in accordance with this DPA.

16. General Provisions

• Conflict: In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
• Severability: If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced with a valid provision that achieves the original intent as closely as possible.
• Amendments: This DPA may be amended by mutual written agreement of the parties. The Processor may update this DPA to reflect changes in Data Protection Laws, with at least 30 days' notice to the Controller. If the Controller does not object within 30 days, the updated DPA shall take effect automatically.
• Governing Law: This DPA shall be governed by the same law that governs the Agreement, except where Data Protection Laws require otherwise. For EU Data Subjects, the GDPR shall apply regardless of the governing law of the Agreement.
• Notices: All notices under this DPA shall be in writing and delivered to the email addresses specified in the Agreement. Notices shall be deemed received upon confirmation of delivery or, in the case of email, upon transmission without bounce-back.
• No Third-Party Beneficiaries: This DPA does not confer any rights on any third party, except that Data Subjects may enforce their rights under the Standard Contractual Clauses as third-party beneficiaries where applicable.
• Entire DPA: This DPA, together with its annexes and the Standard Contractual Clauses incorporated by reference, constitutes the complete data processing agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings relating thereto.

17. Contact

For questions about this Data Processing Agreement or to exercise any rights described herein, please contact:

• Email: andres@salessheets.ai
• Company: SalesSheet Inc.

To request the current list of Sub-processors, to receive notification of Sub-processor changes, or to initiate an audit request, please contact us at the email address above. We will respond to all inquiries within five (5) business days.

This DPA is effective as of the date the Controller accepts the Agreement and shall remain in effect until all Personal Data has been deleted or returned in accordance with the provisions of this DPA.

By using the Service, the Controller acknowledges that it has read and understood this Data Processing Agreement and agrees to be bound by its terms. This DPA supplements and forms an integral part of the Terms of Service and should be read in conjunction with the Privacy Policy and Security overview.