Data Processing Addendum

GDPR compliance for business customers

Last updated: January 10, 2025

1. Parties and Definitions

Data Controller: The customer using ProspectFlow services

Data Processor: BLATT SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ

BLATT SP. Z O.O.

Address: ALEJA JANA PAWŁA II 43A /37B, 01-001 Warsaw, Poland

NIP: 5272964393 | KRS: 0000911375

Email: privacy@prospectflow.ai

This Data Processing Addendum ("DPA") forms part of the Terms of Service and applies when ProspectFlow processes personal data on behalf of business customers under the GDPR.

2. Scope and Nature of Processing

Subject Matter:

Processing of LinkedIn profile data for lead generation and scoring purposes

Duration:

For the duration of the service agreement and as specified in our retention policy

Nature and Purpose:

  • AI-powered analysis and scoring of LinkedIn profiles
  • Lead extraction and CSV export generation
  • Profile view tracking and analytics

Categories of Personal Data:

  • Professional contact information (names, job titles, companies)
  • Public LinkedIn profile data
  • Professional experience and education information

Categories of Data Subjects:

  • LinkedIn users whose profiles are processed
  • Business professionals and decision-makers

3. Data Processor Obligations

BLATT SP. Z O.O. undertakes to:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Only engage sub-processors with Controller's consent
  • Assist the Controller in responding to data subject requests
  • Assist with data protection impact assessments when required
  • Delete or return personal data at the end of processing
  • Maintain records of processing activities

4. Security Measures

Technical Measures:

  • Encryption of data in transit and at rest
  • Regular security updates and patches
  • Access controls and authentication systems
  • Secure hosting on EU-based servers

Organizational Measures:

  • Staff training on data protection
  • Regular security audits and assessments
  • Incident response procedures
  • Data minimization practices

5. Sub-processors

The following sub-processors are authorized to process personal data:

Sub-processor | Purpose | Location
Microsoft Azure | Cloud hosting and infrastructure | EU (Netherlands)
OpenAI | AI processing for lead scoring | US (with SCCs)
Stripe | Payment processing | US/EU (with SCCs)

We will notify Controllers of any changes to sub-processors with 30 days' advance notice.

6. International Data Transfers

When personal data is transferred outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): For transfers to the US (OpenAI, Stripe)
  • Adequacy Decisions: Where available from the European Commission
  • Additional Safeguards: Technical measures like encryption and access controls

Copies of relevant SCCs are available upon request.

7. Data Subject Rights

We will assist Controllers in fulfilling data subject requests within 30 days, including:

  • Access: Providing copies of personal data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting personal data when required
  • Portability: Providing data in machine-readable format
  • Restriction: Limiting processing when requested

Data subjects can contact us directly at: privacy@prospectflow.ai

8. Data Breach Notification

In case of a personal data breach, we will:

  • Notify the Controller without undue delay (within 72 hours when possible)
  • Provide all relevant information about the breach
  • Assist with breach notification to supervisory authorities
  • Implement measures to mitigate the breach
  • Document the breach and response measures

9. Audits and Compliance

  • Controllers may audit our compliance with this DPA
  • We will provide necessary information and cooperation
  • Audits must be conducted with reasonable notice and during business hours
  • Controllers are responsible for audit costs unless significant non-compliance is found

10. Liability and Indemnification

  • Each party is liable for damages caused by its breach of GDPR obligations
  • Liability is limited to direct damages up to the annual service fees
  • We maintain appropriate professional liability insurance
  • Controllers remain responsible for lawfulness of processing instructions

11. Term and Termination

  • This DPA remains in effect while we process personal data for the Controller
  • Upon termination, we will delete or return all personal data within 30 days
  • We may retain data longer if required by law
  • Termination does not affect liability for processing before termination

12. Contact Information

For DPA-related questions or requests:

Data Protection Officer

BLATT SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ

Address: ALEJA JANA PAWŁA II 43A /37B, 01-001 Warsaw, Poland

Email: privacy@prospectflow.ai

Phone: +48 225928817