FeaturesIndustriesPricingCompliance
LoginStart now

Data Processing Agreement (DPA)

EU and UK Data Processing Agreement

This EU and UK Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service (the "Terms") entered into between the customer accepting this DPA ("Customer") and LINKUPAPI, operating under the brand name DataForB2B ("DataForB2B" or "Company").

By accepting this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws.

This DPA incorporates the Terms, and any terms not defined herein shall have the meaning set forth in the Terms.

1. DEFINITIONS

"Authorized Sub-Processor" means a third party authorized by DataForB2B to process Customer Personal Data to enable DataForB2B to perform its obligations under this DPA or the Terms, and who is either (1) listed in Schedule B or (2) subsequently authorized under Section 4 of this DPA.

"Customer Personal Data" means personal data that Customer submits, stores, sends, or receives via the Services, including contact information, company data, and any other data provided by Customer through the API or platform.

"Customer Account Data" means personal data related to Customer's account with DataForB2B, including names, email addresses, and contact information of individuals authorized by Customer to access the Services, as well as billing and payment information.

"Customer Usage Data" means technical data collected by DataForB2B regarding Customer's use of the Services, including API call logs, query patterns, usage statistics, IP addresses, and performance metrics.

"Data Exporter" means Customer.

"Data Importer" means DataForB2B.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018
  • The UK Data Protection Act 2018
  • The Swiss Federal Act on Data Protection ("FADP")
  • The California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA")
  • Any successor or replacement legislation

The terms "Data Subject", "Personal Data", "Personal Data Breach", "processing", "processor", "controller", and "supervisory authority" have the meanings set forth in the GDPR.

"EU SCCs" means the standard contractual clauses approved by the European Commission in Decision 2021/914 dated 4 June 2021 for transfers of Personal Data to third countries.

"Services" means the DataForB2B API, platform, and related services as described in the Terms.

"Standard Contractual Clauses" or "SCCs" means the EU SCCs and the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.

2. SCOPE AND ROLES

2.1 Parties' Roles

The parties acknowledge that:

  • With respect to Customer Personal Data, Customer acts as a controller (or processor where Customer processes data on behalf of its own customers), and DataForB2B acts as a processor on behalf of Customer.
  • With respect to Customer Account Data and Customer Usage Data, DataForB2B acts as an independent controller.

2.2 Customer Instructions

Customer instructs DataForB2B to process Customer Personal Data:

  • In accordance with this DPA and the Terms
  • As necessary to provide the Services
  • As further instructed by Customer through its use of the Services and any written instructions provided to DataForB2B

Customer represents and warrants that:

  • It has obtained all necessary consents and established all legal bases required under Data Protection Laws to provide Customer Personal Data to DataForB2B for processing
  • Its instructions comply with all applicable Data Protection Laws
  • It will not provide any Personal Data in violation of Data Protection Laws or the Terms

2.3 Processing Limitations

DataForB2B shall process Customer Personal Data only:

  • In accordance with Customer's documented instructions
  • As necessary to provide the Services
  • As required by applicable law (in which case DataForB2B shall inform Customer of such legal requirement before processing, unless prohibited by law)

DataForB2B shall immediately inform Customer if, in its opinion, Customer's instructions violate Data Protection Laws.

2.4 Details of Processing

The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Schedule A to this DPA.

2.5 Data Retention and Deletion

Upon termination or expiration of the Services, DataForB2B shall, at Customer's choice and written request:

  • Delete all Customer Personal Data, or
  • Return all Customer Personal Data to Customer in a standard format

Such deletion or return shall occur within thirty (30) days unless applicable law requires continued storage. DataForB2B shall certify in writing the deletion of Customer Personal Data upon Customer's request.

2.6 CCPA Compliance

Where the CCPA applies, the parties acknowledge and agree that:

  • DataForB2B is a "service provider" as defined in the CCPA
  • DataForB2B receives Personal Data from Customer solely to provide the Services
  • DataForB2B shall not "sell" or "share" (as those terms are defined in the CCPA) Customer Personal Data
  • DataForB2B shall not retain, use, or disclose Customer Personal Data except as necessary to provide the Services or as otherwise permitted by the CCPA and this DPA
  • DataForB2B certifies that it understands and will comply with these restrictions

3. CONFIDENTIALITY

DataForB2B shall ensure that all persons authorized to process Customer Personal Data:

  • Are bound by obligations of confidentiality (whether contractual or statutory)
  • Have received appropriate training on data protection

DataForB2B may disclose Customer Personal Data to its advisers, auditors, insurers, or other third parties as reasonably necessary to perform its obligations under this DPA, provided such parties are bound by equivalent confidentiality obligations.

4. SUB-PROCESSORS

4.1 General Authorization

Customer provides general written authorization for DataForB2B to engage sub-processors to process Customer Personal Data, subject to the requirements of this Section 4.

4.2 Sub-Processor List and Notification

DataForB2B maintains a current list of Authorized Sub-Processors at: dataforb2b.ai/subprocessors

DataForB2B shall provide Customer with at least fourteen (14) calendar days' prior written notice before:

  • Engaging any new sub-processor, or
  • Making material changes to an existing sub-processor's role

4.3 Objection Rights

Customer may object to the engagement of a new sub-processor on reasonable data protection grounds by notifying DataForB2B in writing within seven (7) calendar days of receiving notice.

4.4 Sub-Processor Obligations

DataForB2B shall:

  • Enter into a written agreement with each sub-processor imposing data protection obligations substantially equivalent to those in this DPA
  • Ensure that each sub-processor complies with the obligations of this DPA
  • Remain fully liable to Customer for the performance of each sub-processor's obligations

5. SECURITY MEASURES

5.1 Technical and Organizational Measures

Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, DataForB2B shall implement and maintain appropriate technical and organizational measures to:

  • Ensure a level of security appropriate to the risk
  • Protect Customer Personal Data against Personal Data Breaches
  • Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems

Such measures are described in Schedule C to this DPA.

6. INTERNATIONAL DATA TRANSFERS

Customer acknowledges that DataForB2B may transfer and process Customer Personal Data in countries outside the European Economic Area, the United Kingdom, and Switzerland as necessary to provide the Services.

DataForB2B's primary processing operations are located in the European Union. Where DataForB2B engages sub-processors located outside the EEA, UK, or Switzerland, DataForB2B shall ensure appropriate safeguards are in place as required by Data Protection Laws.

For transfers not covered by an adequacy decision, the parties agree that such transfers shall be governed by the Standard Contractual Clauses as detailed in the full DPA document.

7. DATA SUBJECT RIGHTS

DataForB2B shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction of processing, or objection).

DataForB2B shall provide commercially reasonable assistance to enable Customer to respond to Data Subject requests.

8. AUDITS

Upon Customer's written request and subject to reasonable confidentiality controls, DataForB2B shall provide copies of relevant certifications, audit reports, or assessments demonstrating DataForB2B's compliance with this DPA and Data Protection Laws.

9. PERSONAL DATA BREACHES

In the event of a Personal Data Breach affecting Customer Personal Data, DataForB2B shall, without undue delay and no later than seventy-two (72) hours after becoming aware:

  • Notify Customer of the Personal Data Breach
  • Provide available information about the breach
  • Take reasonable steps to remediate the breach

10. DATAFORB2B AS CONTROLLER

With respect to Customer Account Data and Customer Usage Data, DataForB2B processes such data as an independent controller for managing customer relationships, billing, improving the Services, security, and compliance purposes.

DataForB2B's processing of data as a controller is governed by its Privacy Policy, available at: https://www.dataforb2b.ai/privacy

11. CONTACT

For questions regarding this DPA, please contact:

LINKUPAPI (DataForB2B)

58 RUE DE MONCEAU

75008 PARIS, FRANCE

Email: dpo@dataforb2b.ai

SIREN: 995 238 540

SIRET: 995 238 540 00018

SCHEDULE A – DETAILS OF PROCESSING

Subject Matter and Duration

Subject Matter: Provision of B2B data enrichment and API services as described in the Terms.

Duration: For the duration of the Services and as necessary to fulfill DataForB2B's obligations under the Terms and this DPA.

Nature and Purpose of Processing

DataForB2B processes Customer Personal Data to:

  • Provide access to the DataForB2B API and platform
  • Execute Customer's queries and return requested B2B data
  • Provide customer support and technical assistance
  • Maintain and improve the Services

Categories of Data Subjects

  • Customer's employees, agents, and authorized users
  • Business contacts and leads provided by Customer or collected through the Services
  • Representatives of companies queried through the Services

Types of Personal Data

  • Contact Information: Names, email addresses, phone numbers, job titles, company names
  • Professional Information: LinkedIn profiles, company affiliations, work history
  • Technical Data: IP addresses, API keys, usage logs
  • Account Information: Usernames, account settings, billing information

Special Categories of Data

Customer is prohibited from submitting Special Categories of Personal Data (as defined in Article 9 of the GDPR) or data relating to criminal convictions and offenses to DataForB2B. If Customer does so, it shall be solely responsible for ensuring compliance with applicable Data Protection Laws.

SCHEDULE B – SUB-PROCESSORS AND PARTIES

Data Exporter (Customer)

  • Name: As specified in Customer's account
  • Address: As specified in Customer's account
  • Contact: As specified in Customer's account
  • Role: Controller (or Processor when acting on behalf of its own customers)

Data Importer (DataForB2B)

  • Name: LINKUPAPI (operating as DataForB2B)
  • SIREN: 995 238 540
  • SIRET: 995 238 540 00018
  • Address: 58 RUE DE MONCEAU, 75008 PARIS, FRANCE
  • Email: dpo@dataforb2b.ai
  • DPO Contact: dpo@dataforb2b.ai
  • Role: Processor

Authorized Sub-Processors

A current list of Authorized Sub-Processors is maintained at: dataforb2b.ai/subprocessors

As of the date of this DPA, Authorized Sub-Processors include cloud infrastructure providers, data storage providers, and other service providers necessary to deliver the Services.

Supervisory Authority

The competent supervisory authority shall be determined in accordance with Article 55 of the GDPR (the supervisory authority of the Data Exporter's establishment or habitual residence).

SCHEDULE C – SECURITY MEASURES

DataForB2B implements and maintains the following categories of technical and organizational security measures:

1. Access Control

  • User Authentication: Multi-factor authentication for administrative access
  • Role-Based Access Control: Principle of least privilege for employee access to systems and data
  • Access Logging: Comprehensive logging of access to Customer Personal Data
  • Credential Management: Secure storage and regular rotation of credentials and API keys

2. Data Security

  • Encryption in Transit: TLS 1.2 or higher for all data transmissions
  • Encryption at Rest: Industry-standard encryption for data stored in databases and file systems
  • Data Segregation: Logical separation of Customer data in multi-tenant environments
  • Secure Deletion: Secure methods for permanent deletion of data

3. Network Security

  • Firewalls: Network-level and application-level firewalls
  • Intrusion Detection: Monitoring and alerting for unauthorized access attempts
  • Network Segmentation: Isolation of production environments from other networks
  • DDoS Protection: Measures to prevent and mitigate denial-of-service attacks

4. Application Security

  • Secure Development: Security-focused software development lifecycle
  • Vulnerability Management: Regular security testing and vulnerability scanning
  • Patch Management: Timely application of security patches
  • Input Validation: Protection against injection attacks and malicious input

5. Organizational Measures

  • Employee Training: Regular data protection and security awareness training
  • Background Checks: Screening of employees with access to Customer Personal Data (where legally permitted)
  • Confidentiality Agreements: Contractual confidentiality obligations for all employees
  • Incident Response: Documented procedures for detecting and responding to security incidents
  • Business Continuity: Backup and disaster recovery procedures

6. Physical Security

  • Data Center Security: Use of certified data center providers with physical access controls, surveillance, and environmental protections
  • Equipment Disposal: Secure destruction or wiping of hardware containing Personal Data

7. Monitoring and Testing

  • Security Monitoring: Continuous monitoring of systems for security events
  • Regular Testing: Periodic penetration testing and security audits
  • Compliance Reviews: Regular assessment of security controls and compliance with this DPA

8. Vendor Management

  • Sub-Processor Due Diligence: Assessment of sub-processors' security practices
  • Contractual Protections: Requirements for sub-processors to maintain equivalent security measures

DataForB2B reviews and updates its security measures regularly to address evolving threats and maintain alignment with industry standards and best practices.

By using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.

Last updated: January 2026