Data Processing Agreement

Last updated: July 14, 2025

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The entity that has accepted BetterEnrich's Terms and Conditions ("Customer," "you")

Data Processor: BetterEnrich LLC, provider of BetterEnrich services ("BetterEnrich," "we," "us")

This DPA supplements and forms part of the Terms and Conditions governing your use of BetterEnrich services.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR, except:

  • "Applicable Laws": All applicable data protection laws including GDPR, CCPA, and other relevant regulations
  • "Customer Data": Personal data submitted by or on behalf of Customer for processing
  • "Data Subject": Individual to whom personal data relates
  • "Personal Data Breach": Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
  • "Processing": Any operation performed on personal data
  • "Sub-processor": Third party engaged by BetterEnrich to process Customer Data
  • "Standard Contractual Clauses": EU Commission approved clauses for international data transfers

2. Processing of Customer Data

2.1 Scope and Roles

  • Customer acts as Data Controller (or Processor when acting on behalf of its customers)
  • BetterEnrich acts as Data Processor
  • This DPA applies to all processing of Customer Data by BetterEnrich

2.2 Customer Instructions

BetterEnrich will:

  • Process Customer Data only on documented instructions from Customer
  • Inform Customer if instructions appear to violate Applicable Laws
  • Not process Customer Data for its own purposes

2.3 Nature of Processing

Data Types Processed:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company names, departments)
  • Social media profiles and professional profiles
  • Company information and firmographics
  • Any additional data Customer chooses to enrich

Categories of Data Subjects:

  • Customer's prospects and leads
  • Business professionals
  • Customer's clients or customers
  • Other individuals whose data Customer submits

Processing Activities:

  • Data enrichment and verification
  • Email and phone number finding
  • Data validation and hygiene
  • Temporary storage for service delivery
  • API processing and responses

Duration:

  • Active processing during subscription period
  • Retention as specified in our Privacy Policy
  • Deletion upon termination or Customer request

3. Security Measures

3.1 Technical and Organizational Measures

BetterEnrich implements appropriate measures including:

Technical Measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls and authentication mechanisms
  • Regular security updates and patch management
  • Firewalls and intrusion detection systems
  • Secure API endpoints with rate limiting
  • Regular automated backups
  • Pseudonymization where appropriate

Organizational Measures:

  • Security awareness training for all staff
  • Access limited to authorized personnel
  • Confidentiality agreements with all employees
  • Incident response procedures
  • Regular security assessments
  • Data protection by design and default
  • Documented security policies

3.2 Security Certifications

BetterEnrich maintains industry-standard security practices and regularly audits security measures.

4. Sub-processors

4.1 Authorized Sub-processors

Customer authorizes BetterEnrich to engage the Sub-processors listed in Appendix A for the described purposes.

4.2 New Sub-processors

  • BetterEnrich will notify Customer of new Sub-processors 30 days in advance
  • Customer may object to new Sub-processors within 14 days of notification
  • If reasonable objection cannot be resolved, Customer may terminate affected services

4.3 Sub-processor Requirements

BetterEnrich ensures each Sub-processor:

  • Enters into written agreement with equivalent data protection obligations
  • Processes data only for specified purposes
  • Implements appropriate security measures
  • Complies with Applicable Laws

4.4 Liability

BetterEnrich remains fully liable for Sub-processor performance under this DPA.

5. Data Subject Rights

5.1 Assistance with Requests

BetterEnrich will:

  • Promptly notify Customer of data subject requests received directly
  • Assist Customer in responding to requests (access, rectification, deletion, etc.)
  • Implement technical measures to facilitate request fulfillment
  • Not respond directly to data subjects unless instructed by Customer

5.2 Data Subject Request Procedures

  • Requests forwarded to Customer within 2 business days
  • Assistance provided within scope of processing activities
  • Reasonable cooperation in request verification
  • Documentation of all requests and responses

6. Personal Data Breaches

6.1 Breach Notification

BetterEnrich will notify Customer without undue delay (within 72 hours) upon becoming aware of a breach, including:

  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Categories and approximate number of affected records
  • Likely consequences
  • Measures taken or proposed to address the breach
  • Contact point for more information

6.2 Breach Response

BetterEnrich will:

  • Investigate the cause and scope
  • Implement measures to mitigate effects
  • Cooperate with Customer's breach response
  • Document all breaches and responses
  • Review and update security measures as needed

7. Data Protection Impact Assessments

BetterEnrich will provide reasonable assistance with:

  • Data Protection Impact Assessments (DPIAs)
  • Prior consultation with supervisory authorities
  • Risk assessments related to processing activities
  • Documentation for compliance demonstrations

Assistance limited to BetterEnrich's processing activities and available information.

8. International Data Transfers

8.1 Transfer Mechanisms

For transfers outside EEA/UK/adequate countries, BetterEnrich uses:

  • Standard Contractual Clauses (Module 2: Controller to Processor)
  • Adequacy decisions where applicable
  • Other approved transfer mechanisms

8.2 Customer Authorization

Customer authorizes transfers to countries where Sub-processors operate, subject to appropriate safeguards.

8.3 Transfer Documentation

BetterEnrich maintains documentation of all international transfers and safeguards.

9. Audits and Compliance

9.1 Information Rights

BetterEnrich will provide Customer with information necessary to demonstrate compliance, including:

  • Security certifications
  • Audit reports (subject to confidentiality)
  • Compliance documentation
  • Sub-processor information

9.2 Audit Rights

Customer may conduct audits:

  • With 30 days written notice
  • During business hours
  • No more than once annually
  • At Customer's expense
  • Subject to confidentiality agreement
  • Using qualified independent auditor if required

9.3 Audit Procedures

  • Minimize disruption to operations
  • Respect confidentiality of other customers
  • Focus on BetterEnrich's processing of Customer Data
  • Provide findings to both parties

10. Data Return and Deletion

10.1 During Service

Customer may export data at any time through:

  • Self-service export features
  • API access
  • Support requests for bulk exports

10.2 Upon Termination

BetterEnrich will:

  • Provide 30-day grace period for data export
  • Delete Customer Data within 60 days
  • Certify deletion upon request
  • Retain only data required by law

10.3 Exceptions

Deletion not required for:

  • Data in automated backups (deleted per retention schedule)
  • Anonymized or aggregated data
  • Data retained for legal obligations

11. Confidentiality

11.1 Confidentiality Obligations

All BetterEnrich personnel with data access:

  • Are subject to confidentiality agreements
  • Receive data protection training
  • Access data only as needed for services
  • Must report any unauthorized access

11.2 Survival

Confidentiality obligations survive termination of this DPA.

12. Liability and Indemnification

12.1 Liability Cap

Subject to Terms and Conditions, except for:

  • Data protection law violations
  • Breach of confidentiality
  • Gross negligence or willful misconduct

12.2 Indemnification

Each party indemnifies the other for damages arising from its violation of data protection laws.

13. Term and Termination

13.1 Duration

This DPA remains in effect for duration of Terms and Conditions.

13.2 Termination Rights

Customer may terminate if BetterEnrich:

  • Violates material DPA obligations
  • Cannot provide adequate transfer safeguards
  • Fails to cooperate with audits

13.3 Survival

Sections on confidentiality, data deletion, and liability survive termination.

14. Miscellaneous

14.1 Entire Agreement

This DPA, Terms, and Privacy Policy constitute complete agreement on data processing.

14.2 Modifications

Changes require mutual written agreement, except:

  • Sub-processor updates per Section 4
  • Security improvements
  • Legal compliance updates

14.3 Severability

Invalid provisions don't affect remainder of DPA.

14.4 Governing Law

Same as Terms and Conditions: Arizona, United States

14.5 Order of Precedence

For data protection matters: DPA > Terms > Privacy Policy

Appendix A: Authorized Sub-processors

Sub-processor          Purpose               Location  Safeguards
Amazon Web Services    Cloud Infrastructure  USA/EU    Standard Contractual Clauses
Google Cloud Platform  Cloud Infrastructure  USA/EU    Standard Contractual Clauses
Stripe                 Payment Processing    USA       Standard Contractual Clauses
SendGrid               Email Delivery        USA       Standard Contractual Clauses

This list is updated periodically. Current list available at betterenrich.com/sub-processors

Appendix B: Security Measures Detail

Technical Safeguards

  1. Encryption Standards

    • TLS 1.2+ for data in transit
    • AES-256 for data at rest
    • Encrypted backups
    • Secure key management
  2. Access Controls

    • Multi-factor authentication
    • Role-based access control
    • Regular access reviews
    • Automated de-provisioning
  3. Network Security

    • Firewalls and IDS/IPS
    • Network segmentation
    • DDoS protection
    • Regular vulnerability scanning
  4. Application Security

    • Secure development lifecycle
    • Regular penetration testing
    • Input validation
    • Security headers

Organizational Safeguards

  1. Personnel

    • Background checks
    • Security training
    • Confidentiality agreements
    • Clean desk policy
  2. Physical Security

    • Data center certifications
    • Access restrictions
    • Environmental controls
    • Media disposal procedures
  3. Incident Management

    • 24/7 monitoring
    • Incident response team
    • Documented procedures
    • Regular drills
  4. Business Continuity

    • Disaster recovery plan
    • Regular backups
    • Redundant systems
    • Recovery testing

By using BetterEnrich services, Customer acknowledges and agrees to this Data Processing Agreement.

Contact for DPA matters: dpa@betterenrich.com