Data Processing Agreement
Last updated: January 14, 2025
GDPR & CCPA Compliant
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between UnlockMyLead ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by UnlockMyLead on behalf of the Customer in connection with the UnlockMyLead platform services.
This DPA is designed to ensure compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by UnlockMyLead to process Personal Data.
- "Controller" means the Customer who determines the purposes and means of processing.
- "Processor" means UnlockMyLead, which processes Personal Data on behalf of the Controller.
3. Data Processing Details
3.1 Categories of Data Subjects
- Customer's employees and authorized users
- Customer's leads and prospects
- Customer's contacts imported from CRM systems
- Recipients of communications sent through the platform
3.2 Types of Personal Data Processed
- Contact information (name, email, phone number, address)
- Business information (company, job title, industry)
- Communication data (call recordings, transcripts, messages)
- Calendar data (when Google Calendar is connected)
- CRM data (when HubSpot, Salesforce, Zoho, or Pipedrive is connected)
- Usage data and analytics
3.3 Purpose of Processing
- Providing AI-powered voice calling services
- Lead management and discovery
- Multi-channel communication (WhatsApp, Email, SMS)
- Calendar integration and meeting scheduling
- CRM synchronization and data management
- Analytics and reporting
4. Security Measures
UnlockMyLead implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access Control: Role-based access control with multi-factor authentication
- Token Security: OAuth tokens encrypted with AES-256-GCM before storage
- Audit Logging: Comprehensive logging of all data access and modifications
- Regular Testing: Penetration testing and vulnerability assessments
- Incident Response: 24/7 security monitoring with defined incident response procedures
- Employee Training: Regular security awareness training for all staff
- Vendor Management: Security assessments of all sub-processors
5. Sub-processors
The following sub-processors are authorized to process Personal Data:
| Sub-processor | Purpose | Location |
|---|---|---|
| Render | Cloud hosting | USA |
| Firebase | Frontend hosting | USA |
| Stripe | Payment processing | USA |
| Twilio | Voice & SMS services | USA |
| ElevenLabs | AI voice synthesis | USA |
| OpenAI | AI conversation | USA |
| SendGrid | Email delivery | USA |
| Resend | Transactional email | USA |
| Lead Data Provider | Lead discovery | USA |
Customer will be notified of any changes to sub-processors with at least 30 days' notice.
6. Data Subject Rights
UnlockMyLead will assist the Customer in responding to Data Subject requests including:
- Right of Access: Provide copies of personal data upon request
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Delete personal data ("right to be forgotten")
- Right to Restriction: Limit processing of personal data
- Right to Portability: Export personal data in a machine-readable format
- Right to Object: Stop processing for direct marketing purposes
Requests will be addressed within 30 days. Contact: privacy@unlockmylead.com
7. Data Retention
Personal Data will be retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Upon termination of services:
- All Personal Data will be deleted within 30 days
- Customer may request data export before deletion
- Backups are purged within 90 days
- Anonymized analytics data may be retained indefinitely
8. International Data Transfers
When Personal Data is transferred outside the European Economic Area (EEA), UnlockMyLead ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with all sub-processors
- Adequacy decisions where applicable
- Supplementary measures as required by Schrems II
9. Data Breach Notification
In the event of a Personal Data breach, UnlockMyLead will:
- Notify the Customer without undue delay (within 72 hours)
- Provide details of the nature of the breach
- Describe likely consequences and mitigation measures
- Cooperate with Customer's regulatory notifications
10. Audit Rights
Customer may audit UnlockMyLead's compliance with this DPA:
- Request security certifications and audit reports
- Conduct on-site audits with reasonable notice (30 days)
- Review sub-processor agreements upon request
11. Contact Information
Data Protection Officer: privacy@unlockmylead.com
General Inquiries: info@unlockmylead.com
Security Issues: security@unlockmylead.com
Website: https://unlockmylead.com