Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") is entered into between you ("Customer," "Controller," or "Data Exporter") and UnlockMyLead, operated by Amr Hatahet (sole proprietor) based in Istanbul, Turkey ("UnlockMyLead," "Processor," or "Data Importer").

This DPA forms part of the Terms of Service and governs the processing of Personal Data by UnlockMyLead on behalf of Customer in connection with the Service.

This DPA applies when:

• Customer is subject to the GDPR, UK GDPR, KVKK, UAE PDPL, CCPA, or any other applicable data protection law
• Customer Personal Data is processed by UnlockMyLead in providing the Service
• Customer transfers Personal Data to UnlockMyLead

By using the Service, Customer accepts this DPA. If Customer requires a separately signed DPA, Customer may request one at privacy@unlockmylead.com.

1. Definitions

Capitalized terms not defined here have the meanings given in the Terms of Service or applicable data protection law.

• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Personal Data" means any information relating to a Data Subject, as defined under applicable law.
• "Processing" means any operation performed on Personal Data, automated or not.
• "Sub-Processor" means a third party engaged by Processor to process Personal Data on behalf of Customer.
• "Standard Contractual Clauses" or "SCCs" means the EU Standard Contractual Clauses adopted by EU Commission Decision (EU) 2021/914.
• "Personal Data Breach" means a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

2. Roles of the Parties

2.1 Customer as Controller

Customer is the Controller of Personal Data processed through the Service. Customer determines the purposes and means of processing.

2.2 UnlockMyLead as Processor

UnlockMyLead is the Processor, processing Personal Data only on documented instructions from Customer.

2.3 White-Label Resellers

If Customer is a White-Label reseller and resells the Service to Sub-Customers, Customer remains the Controller (or joint controller with Sub-Customers, depending on facts) for purposes of this DPA. Resellers are responsible for ensuring Sub-Customers comply with applicable law.

3. Subject Matter and Duration

3.1 Subject Matter

The subject matter of processing is the provision of the Service as described in the Terms.

3.2 Duration

Processing occurs for the duration of the Service relationship and the data retention periods set out in our Privacy Policy.

3.3 Nature and Purpose

The nature and purpose of processing is to provide the Service, which may include:

• Initiating and managing voice calls and messages
• Generating and storing call recordings and transcripts
• Synchronizing data with Customer's CRM and other tools
• Providing analytics and reporting
• Supporting Customer's business operations

3.4 Categories of Data Subjects

• Customer's contacts and prospects
• Customer's employees and authorized users
• Recipients of communications initiated by Customer

3.5 Categories of Personal Data

• Names, phone numbers, email addresses
• Job titles and company information
• Voice recordings
• Conversation transcripts
• Communication metadata (timestamps, durations, outcomes)
• IP addresses and device information
• Any other data Customer chooses to upload, instruct us to process, or which Data Subjects voluntarily share during communications

3.6 Sensitive Data

Customer should not upload Special Categories of Personal Data (Art. 9 GDPR) without ensuring lawful basis. UnlockMyLead is not designed for sensitive data processing without specific configuration. Customer assumes risk for sensitive data uploads.

4. Customer's Obligations and Warranties

Customer warrants and undertakes that:

5. UnlockMyLead's Obligations as Processor

5.1 Processing on Documented Instructions

UnlockMyLead shall:

• Process Personal Data only on Customer's documented instructions, including:
  • The Terms of Service and this DPA
  • Customer's configuration and use of the Service
  • Specific instructions provided through Customer's account
• Inform Customer if instructions appear to violate applicable law (without obligation to do legal review)
• Not use Personal Data for any purpose other than providing the Service, unless required by law

5.2 Confidentiality

UnlockMyLead ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.

5.3 Security Measures

UnlockMyLead implements appropriate technical and organizational measures, as set out in Annex II of this DPA.

5.4 Sub-Processors

UnlockMyLead engages Sub-Processors as set out in Annex III. Customer provides general authorization for these Sub-Processors. UnlockMyLead will:

• Notify Customer of changes to Sub-Processors at least 14 days in advance (typically by updating the published list)
• Ensure Sub-Processors are bound by data protection obligations equivalent to this DPA
• Remain liable for Sub-Processors' performance

If Customer objects to a new Sub-Processor on reasonable data protection grounds, Customer may terminate the affected portion of the Service. Continued use after the effective date of the new Sub-Processor constitutes acceptance.

5.5 Assistance with Data Subject Rights

UnlockMyLead will provide reasonable assistance to Customer in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection), to the extent possible given the technical features of the Service. Customer is primarily responsible for fulfilling these requests.

5.6 Assistance with Compliance

UnlockMyLead will provide reasonable assistance with:

• Data Protection Impact Assessments (DPIAs) under Art. 35 GDPR
• Notifications of breaches to authorities (Art. 33) and Data Subjects (Art. 34)
• Consultations with supervisory authorities (Art. 36)

Such assistance is at Customer's cost where it requires significant effort beyond what is included in the standard Service.

5.7 Data Breach Notification

UnlockMyLead will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware (typically within 72 hours), and will provide:

• Description of the breach (nature, categories of Data Subjects, approximate numbers)
• Likely consequences
• Measures taken or proposed to address the breach
• Contact for further information

Customer is responsible for breach notifications to authorities and Data Subjects.

5.8 Audits

Once per calendar year, with at least 30 days' written notice, Customer (or a third-party auditor bound by confidentiality, not a competitor of UnlockMyLead) may audit UnlockMyLead's compliance with this DPA, at Customer's expense, during business hours, in a manner that does not unreasonably interfere with operations.

UnlockMyLead may satisfy audit requests by providing existing certifications, attestations (e.g., SOC 2, when obtained), or summary reports.

5.9 Return or Deletion of Data

Upon termination of the Service, Customer has 30 days to export Personal Data. After 30 days, UnlockMyLead will delete Personal Data, except where retention is required by law or for legitimate purposes (e.g., billing records, legal claims).

UnlockMyLead may retain anonymized, aggregated data without restriction.

6. International Data Transfers

6.1 Transfer Mechanism

For transfers from the EU/EEA, UK, or Switzerland to UnlockMyLead, the Parties agree to incorporate the relevant Standard Contractual Clauses (Module Two: Controller-to-Processor) by reference, as set out in Annex IV.

For UK transfers, the UK International Data Transfer Addendum applies.

6.2 Onward Transfers

UnlockMyLead may transfer Personal Data to Sub-Processors in third countries only where appropriate safeguards are in place (SCCs, adequacy decisions, etc.).

6.3 Data Localization Requests

If Customer requires data residency in specific regions (EU, UAE, etc.), Customer should contact privacy@unlockmylead.com. UnlockMyLead may not be able to accommodate all data localization requests.

7. Liability

The liability provisions of the Terms of Service apply to this DPA. To the extent applicable law (e.g., GDPR Art. 82) imposes joint and several liability between Controller and Processor toward Data Subjects, the Parties' allocation of liability between themselves remains as set out in the Terms of Service.

8. Term and Termination

This DPA is effective on the same date as the Terms of Service and continues until termination of the Service relationship. Provisions that by their nature should survive (including obligations regarding data deletion, confidentiality, and indemnification) shall survive.

9. Conflicts and Hierarchy

In case of conflict, the order of precedence is:

• The Standard Contractual Clauses (where applicable)
• This DPA
• The Terms of Service
• Other policies

10. Governing Law

This DPA is governed by the laws of Turkey, except that, for matters governed by the Standard Contractual Clauses, the law specified in those Clauses applies.

ANNEX I — Description of Processing

ANNEX II — Technical and Organizational Measures

UnlockMyLead implements the following measures (as appropriate to the risk):

Access Control

• Role-based access control (RBAC) for personnel
• Multi-tenant data isolation
• API authentication via tokens
• Multi-factor authentication for administrative access (where supported)

Encryption

• TLS 1.2+ for data in transit
• AES-256 for sensitive data at rest
• bcrypt for password storage
• Encrypted credentials for third-party integrations

Network Security

• Firewalls and network segmentation
• Rate limiting and abuse prevention
• DDoS protection via hosting provider

Logging and Monitoring

• Application logs retained for security investigation
• Anomaly detection
• Regular review of access logs

Backup and Disaster Recovery

• Regular database backups
• Tested restoration procedures
• Geographic redundancy through cloud providers

Personnel

• Confidentiality obligations
• Security awareness training (as the team grows)
• Background checks for sensitive roles (when hiring)

Vendor Management

• Sub-processors selected based on security posture
• Data Processing Addenda with sub-processors
• Regular review of sub-processor practices

Incident Response

• Incident response plan
• Breach notification procedures
• Post-incident review

These measures will be enhanced over time. Current practices may be requested at security@unlockmylead.com.

ANNEX III — Sub-Processors

Current Sub-Processors:

The current and authoritative list is published at: unlockmylead.com/sub-processors

ANNEX IV — Standard Contractual Clauses (Where Applicable)

A. EU Standard Contractual Clauses

For transfers from the EU/EEA, the Parties incorporate the EU Commission Decision (EU) 2021/914 of 4 June 2021 SCCs, Module Two: Controller to Processor, as follows:

• Clause 7 (Docking): Optional clause not used
• Clause 9 (Sub-Processors): Option 2 — General authorization, with notice as set forth in Section 5.4
• Clause 11 (Redress): Optional independent dispute resolution body not selected
• Clause 17 (Governing Law): Law of Ireland
• Clause 18 (Forum): Courts of Ireland

The Parties agree the descriptions in Annex I and the technical measures in Annex II of this DPA serve as the SCC Annex I and Annex II.

B. UK International Data Transfer Addendum

For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0) applies:

• Table 1: Parties as named in this DPA
• Table 2: EU SCCs as referenced above
• Table 3: Annexes from this DPA
• Table 4: No special selection (default applies)

Contact

• Privacy / Data Protection: privacy@unlockmylead.com
• Security: security@unlockmylead.com
• DPO Contact: Currently the same contact (will be updated upon company registration)

By using the Service, Customer agrees to this DPA. Where a counter-signed DPA is required (e.g., for institutional procurement), please contact privacy@unlockmylead.com.