Data Processing Agreement

Effective date: 1 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between the Customer identified in the Agreement ("Controller" or "Customer") and SalesHunt.ai B.V. ("Processor" or "SalesHunt"), with its registered office in the Netherlands.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

1.1. "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.

1.2. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

1.3. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

1.4. "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

1.5. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.6. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.

2. Scope and Purpose of Processing

2.1. The Processor shall process Personal Data only on behalf of the Controller and in accordance with the Controller's documented instructions, as set out in this DPA and the Agreement.

2.2. The details of Processing are as follows:

Element                     Description
Subject matter              Provision of the SalesHunt B2B sales intelligence platform
Duration                    For the term of the Agreement plus the period required to delete or return data
Nature and purpose          Storage, organization, retrieval, and analysis of Customer Data to provide contact discovery, enrichment, and outreach services
Types of Personal Data      Customer account data (names, email addresses, phone numbers); Customer-uploaded CRM data; usage data
Categories of Data Subjects Customer employees and authorized users; contacts in Customer-uploaded CRM data

2.3. Clarification on Discovered Contact Data. With respect to third-party business contact data discovered through the platform ("Discovered Contact Data"), SalesHunt acts as an independent controller, not as a processor. SalesHunt is responsible for the lawful collection and enrichment of this data. Once Customer accesses, exports, or integrates Discovered Contact Data into its own systems, Customer becomes an independent controller for its subsequent use of that data. This DPA governs the processing where SalesHunt acts as a processor on behalf of Customer.

3. Controller Obligations

3.1. The Controller warrants that:

  • It has a lawful basis for the processing of Personal Data instructed under this DPA
  • It has provided appropriate notices to Data Subjects as required by GDPR Art. 13/14
  • It shall comply with GDPR and applicable data protection laws in its use of the Service

3.2. The Controller is responsible for the accuracy and lawfulness of Personal Data provided to the Processor.

4. Processor Obligations

4.1. Instructions. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

4.2. Confidentiality. The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. Security Measures. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • (a) Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • (b) Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • (c) Role-based access control with principle of least privilege
  • (d) Multi-factor authentication for system access
  • (e) Regular security assessments and vulnerability scanning
  • (f) Automated backups with tested restoration procedures
  • (g) Logging and monitoring of access to Personal Data
  • (h) Incident response procedures

4.4. Data Subject Requests. The Processor shall promptly assist the Controller in responding to Data Subject requests to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection). The Processor shall notify the Controller without undue delay upon receiving a Data Subject request directly.

4.5. Assistance. The Processor shall assist the Controller in ensuring compliance with GDPR obligations relating to:

  • Security of processing (Art. 32)
  • Notification of Data Breaches (Art. 33 and 34)
  • Data protection impact assessments (Art. 35)
  • Prior consultation with supervisory authorities (Art. 36)

5. Subprocessors

5.1. The Controller provides general authorization for the Processor to engage Subprocessors, subject to the requirements of this Section.

5.2. Current Subprocessors. The current list of Subprocessors is set out in Annex B of this DPA.

5.3. Notification of Changes. The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Subprocessors, providing the name, location, and purpose of the Subprocessor.

5.4. Objection Right. The Controller may object to a new Subprocessor within 14 days of notification. If the Controller objects on reasonable grounds and the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service.

5.5. Subprocessor Agreements. The Processor shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA.

5.6. Liability. The Processor remains fully liable for the acts and omissions of its Subprocessors.

6. Data Breach Notification

6.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

6.2. The notification shall include, to the extent available:

  • (a) A description of the nature of the Data Breach, including categories and approximate number of Data Subjects and records concerned
  • (b) The name and contact details of the Processor's point of contact
  • (c) A description of the likely consequences of the Data Breach
  • (d) A description of the measures taken or proposed to address the Data Breach, including measures to mitigate possible adverse effects

6.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

6.4. The Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken.

7. International Data Transfers

7.1. The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") unless adequate safeguards are in place as required by GDPR Chapter V.

7.2. For transfers to Subprocessors outside the EEA, the Processor shall ensure that one of the following mechanisms is in place:

  • (a) An adequacy decision by the European Commission
  • (b) Standard Contractual Clauses (Module 3: processor-to-processor)
  • (c) Other approved transfer mechanism under GDPR Art. 46

7.3. The Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary.

8. Audit Rights

8.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Art. 28.

8.2. The Processor shall allow for and contribute to audits and inspections conducted by the Controller or a mandated third-party auditor, subject to the following conditions:

  • (a) The Controller shall provide at least 30 days' written notice
  • (b) Audits shall be conducted during normal business hours
  • (c) Audits shall not unreasonably disrupt the Processor's operations
  • (d) The auditor shall be bound by confidentiality obligations
  • (e) No more than one audit per 12-month period, unless required by a supervisory authority or in response to a Data Breach

8.3. As an alternative to on-site audits, the Processor may provide:

  • (a) SOC 2 Type II reports or equivalent certifications
  • (b) Results of independent third-party security assessments
  • (c) Completed security questionnaires

9. Data Return and Deletion

9.1. Upon termination of the Agreement, the Processor shall, at the Controller's choice:

  • (a) Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
  • (b) Delete all Personal Data and certify such deletion in writing

9.2. The Controller shall communicate its choice within 30 days of termination. If no instruction is received, the Processor shall delete all Personal Data within 60 days of termination.

9.3. The Processor may retain Personal Data to the extent required by EU or Member State law, in which case the Processor shall inform the Controller and ensure continued confidentiality.

10. Liability

10.1. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

10.2. Nothing in this DPA limits either party's liability for breaches of GDPR to the extent such limitation is not permitted under applicable law.

11. Term

11.1. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the completion of data return or deletion as described in Section 9.

11.2. Provisions that by their nature should survive termination (including confidentiality, data deletion, and audit rights for processing that occurred during the term) shall survive.

12. Governing Law and Contact

12.1. This DPA is governed by Dutch law. Any disputes arising from this DPA are subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.

12.2. For all matters relating to this DPA, the Processor may be contacted at: support@saleshunt.ai

Annex A — Technical and Organizational Security Measures

The Processor implements the following security measures:

Infrastructure Security

  • Cloud hosting on Google Cloud Platform (GCP) (EU region)
  • Network-level firewalls and DDoS protection
  • Infrastructure provisioning with version-controlled configuration

Access Control

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication (MFA) required for all employee access
  • Principle of least privilege enforced
  • Regular access reviews (quarterly)
  • Automated deprovisioning upon employee offboarding

Data Protection

  • Encryption in transit: TLS 1.2+ for all communications
  • Encryption at rest: AES-256 for databases and storage
  • Database row-level security policies
  • Automated daily backups with point-in-time recovery

Monitoring and Incident Response

  • Centralized logging and monitoring
  • Automated alerting for security anomalies
  • Documented incident response plan with defined roles and escalation procedures
  • Regular security training for all employees

Development Practices

  • Secure software development lifecycle (SDLC)
  • Code review requirements for all changes
  • Dependency vulnerability scanning
  • Staging environment testing before production deployment

Annex B — Subprocessor List

Subprocessor                  Purpose                                             Location                            Data Processed
Google Cloud Platform (GCP)   Cloud infrastructure, database, and authentication  EU                                  All service data
PostHog                       Product analytics                                   EU                                  Usage data (pseudonymized)
Resend                        Transactional and marketing email                   EU                                  Email addresses
Stripe                        Payment processing                                  EU                                  Billing data
Kaspr.io                      Contact data enrichment                             EU                                  Business contact data
Apollo.io                     Contact data enrichment                             US (EU-US Data Privacy Framework)   Business contact data

For transfers outside the EEA: Apollo.io (US) is certified under the EU-US Data Privacy Framework, an adequacy mechanism recognized by the European Commission.

Last updated: 1 March 2026

Annex C — Controller Instructions

The Controller instructs the Processor to process Personal Data for the following purposes:

  1. Providing and maintaining the Service as described in the Agreement
  2. Authenticating and managing Customer user accounts
  3. Processing and storing Customer Data uploaded to the Service
  4. Generating analytics and reports for the Controller
  5. Communicating with Controller's authorized users regarding the Service
  6. Providing technical support
  7. Ensuring Service security and preventing fraud

The Controller may issue additional documented instructions, provided they are consistent with the Agreement and applicable law.