Forms part of: the Leadey Terms and Conditions between the Customer and Octogle Technologies CO. L.L.C
Processor: Octogle Technologies CO. L.L.C (Establishment No. 2881346; Trade Licence No. 1419977), Office 2020 Parklane Tower, Business Bay, Dubai, United Arab Emirates
Controller: the Customer identified in the Order / account
Version: 1.0
Effective date: 18 June 2026
About this Addendum. This Data Processing Addendum (“DPA”) reflects the requirements of Article 28 of the UK GDPR and the EU GDPR and is incorporated into the Terms. Where Leadey processes personal data within Customer Data on the Customer's behalf, the Customer is the controller and Leadey is the processor. This DPA prevails over the Terms in respect of such processing.
1. Definitions and roles
Terms such as “controller”, “processor”, “personal data”, “processing”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given in Data Protection Law. “Data Protection Law” means the UK GDPR, the EU GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, PECR, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”), and any other applicable data-protection or privacy law, in each case as amended. Capitalised terms not defined here have the meaning in the Terms.
The parties agree that, in respect of the processing of personal data contained in Customer Data, the Customer is the controller and Leadey is the processor. The subject matter, duration, nature, purpose, types of personal data and categories of data subjects are set out in Annex A.
2. Processing on documented instructions
Leadey will process Customer personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Leadey will, where legally permitted, inform the Customer first). The Terms, this DPA, the Customer's use and configuration of the Service, and any written instructions the Customer gives constitute the Customer's complete instructions. Leadey will inform the Customer if, in its opinion, an instruction infringes Data Protection Law (without obligation to provide legal advice).
The Customer warrants that it has a lawful basis and all required notices, consents and authority for the personal data it processes through the Service, and that its instructions comply with Data Protection Law.
3. Confidentiality
Leadey will ensure that persons authorised to process Customer personal data are bound by appropriate confidentiality obligations and are trained on their data-protection responsibilities, and will limit access to those who need it to provide the Service.
4. Security
Taking account of the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to data subjects, Leadey will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B. Leadey may update its measures provided the level of protection is not materially reduced.
5. Sub-processors
The Customer grants Leadey general authorisation to engage sub-processors to process Customer personal data, subject to this Section. A current list of sub-processors is set out in Annex C and maintained by Leadey. Leadey will: (a) impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, by written contract; and (b) remain fully liable to the Customer for each sub-processor's performance.
Leadey will give the Customer at least 30 days' prior notice of any intended addition or replacement of a sub-processor (for example by updating Annex C or via email or an in-app notice). If the Customer reasonably objects on data-protection grounds within that period, the parties will work in good faith to resolve the concern; if it cannot be resolved, the Customer may terminate the affected part of the Service.
6. Assistance to the Customer
Taking into account the nature of the processing, Leadey will assist the Customer by appropriate technical and organisational measures, insofar as possible, to:
- respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability and objection), including by providing tools within the Service to access, correct, export and delete Customer Data;
- ensure compliance with the Customer's obligations on security, breach notification, data protection impact assessments and prior consultation with supervisory authorities (Articles 32 to 36), taking into account the information available to Leadey.
If a data subject contacts Leadey directly regarding Customer Data, Leadey will, where lawful, refer them to the Customer and promptly inform the Customer, and will not respond to the request itself except on the Customer's instruction or as required by law.
7. Personal data breach
Leadey will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer personal data. The notification will, to the extent available, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Leadey will cooperate with the Customer and take reasonable steps to mitigate the breach. Notification is not an acknowledgement of fault.
8. International transfers
Customer personal data is hosted primarily in the EU (Frankfurt, Germany). Where Leadey or a sub-processor transfers Customer personal data outside the UK or EEA, it will ensure an appropriate transfer mechanism is in place, such as an adequacy decision/regulation, the EU Standard Contractual Clauses with the UK International Data Transfer Addendum (or the UK IDTA), or another lawful mechanism, together with any supplementary measures required following a transfer risk assessment. The relevant clauses are incorporated by reference and summarised in Annex D.
9. Audits
Leadey will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimise disruption, the Customer will first accept Leadey's available certifications, reports and security documentation; further audits will be on reasonable prior notice (at least 30 days), no more than once per year (unless required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and at the Customer's cost.
10. Return and deletion
On expiry or termination of the Service, and at the Customer's choice, Leadey will return and/or delete Customer personal data within 30 days, and delete existing copies, unless Data Protection Law requires storage. The Customer may export Customer Data using the Service before termination. Backup copies are deleted in the ordinary course of Leadey's backup cycle.
11. Liability and general
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms. This DPA is governed by the same law and jurisdiction as the Terms. If any provision conflicts with the EU/UK Standard Contractual Clauses, the Clauses prevail in respect of restricted transfers. If any provision is invalid, the remainder continues in effect.
Annex A: Details of processing
- Subject matter: Provision of the Leadey outbound sales platform to the Customer.
- Duration: The Subscription Term plus the return/deletion period in Section 10.
- Nature and purpose: Hosting, storage, organisation, retrieval, transmission, recording, transcription, enrichment, analysis and other processing necessary to provide the Service and its features (dialling, sequencing, CRM, pipeline, analytics, integrations).
- Types of personal data: Names; business and personal contact details (email, telephone); job titles and employer information; LinkedIn profile data; lead/contact status, notes and activity; call recordings, transcripts and AI summaries; email, SMS, WhatsApp and LinkedIn message content and engagement metrics; and any custom fields and other data the Customer chooses to process.
- Categories of data subjects: The Customer's leads, prospects, contacts and End Contacts; the Customer's Authorised Users; and other individuals whose data the Customer chooses to process.
- Special category data: Not intended to be processed. The Customer must not submit special category data unless lawful and specifically configured; if it does, it remains responsible for the additional Article 9 conditions.
- Frequency: Continuous, for the duration of the Service.
Annex B: Technical and organisational security measures
Leadey maintains, at minimum, the following measures (which may be updated provided protection is not materially reduced):
- Encryption of personal data in transit (TLS) and at rest;
- Role-based access control, least-privilege access, and multi-factor authentication for administrative and privileged access;
- Logical separation of customers' data within multi-tenant infrastructure;
- Network security controls, firewalls and monitoring; protections against malware and intrusion;
- Secure software development lifecycle, change management, code review and dependency management;
- Logging, monitoring and alerting to detect and respond to security events;
- Regular backups and tested restoration; business continuity and disaster recovery;
- Vulnerability management and periodic security testing;
- Vendor and sub-processor due diligence and contractual safeguards;
- Personnel confidentiality undertakings, background checks where lawful, and data-protection training;
- Documented incident-response and breach-notification procedures;
- Data retention and secure deletion processes.
Certification. Leadey’s information security management system is certified to ISO/IEC 27001:2022 (certificate number GH30XXIV62024802, issued by Globus Certifications Private Limited and accredited by the United Accreditation Foundation), covering the protection of information and data assets related to clients and end-users.
Annex C: Authorised sub-processors
- Cloud hosting (EU, Frankfurt): Application and database hosting; EU (Germany)
- Twilio: Telephony, numbers, call connectivity and recording; UK / EU / US
- Clerk: Authentication and identity; US / EU
- Stripe: Payments and billing; UK / EU / US
- Lead-sourcing provider: Lead sourcing (job boards); EU / US
- Contact-enrichment provider: Contact enrichment; EU / US
- Messaging integration provider: LinkedIn / messaging integration; EU
- CRM integrations you connect: Customer-enabled CRM integrations; UK / EU / US
- Team-chat integration you connect: Customer-enabled alerts; US / EU
- Scheduling provider: Demo scheduling; EU / US
- Analytics / error monitoring: Product analytics and diagnostics; EU / US
Annex D: International transfer mechanism
For restricted transfers of Customer personal data outside the UK/EEA, the parties incorporate the following, as applicable: (a) the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor) and Module Three (processor to sub-processor) where relevant; and (b) the UK International Data Transfer Addendum to the EU SCCs (or the standalone UK IDTA). Where the parties complete the Clauses, the Customer is the data exporter and Leadey (or its relevant sub-processor) is the data importer; Annex A serves as the description of processing, Annex B as the technical and organisational measures, and Annex C as the list of sub-processors. Optional clauses, docking and governing law/jurisdiction follow the Terms unless the Clauses require otherwise.