DATA PROCESSING ADDENDUM

Last Updated: March 5, 2025

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service (the "Terms") between Primary Byte Ventures, LLC d/b/a Prospect AI ("Prospect AI," "we," "our," or "us") and the entity or person who has executed the Terms ("Customer," "you," or "your").

This DPA clarifies that Prospect AI acts as a 'service provider' and 'processor', as relevant, for the purposes of Applicable Data Protection Laws. This DPA shall only apply and bind the Parties if and to the extent that the Customer is classified as a 'controller' or 'business' or similar under Applicable Data Protection Laws.

To the extent that Prospect AI processes any Customer Personal Data on behalf of the Customer in connection with the provision of the Services, the Parties agree that Prospect AI shall do so on the terms of this DPA.

1. DEFINITIONS

Capitalized terms used within this DPA but not defined below have the meaning given in the Terms. In addition, the following words have the following meanings:

"Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the California Consumer Privacy Act ("CCPA"), the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other state or national data protection laws as may be applicable.

"Business Purpose" has the meaning given in Schedule 1.

"Customer Personal Data" means the Personal Data processed by Prospect AI on behalf of the Customer in connection with the provision of the Services.

"Data Subject" means an identified or identifiable natural person who is the subject of Personal Data.

"Personal Data" means any information relating to an identified or identifiable individual or device, or is otherwise "personal data", "personal information", "personally identifiable information" and similar terms, and such terms shall have the same meaning as defined by the Applicable Data Protection Laws.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.

"Services" means the services provided by Prospect AI to Customer as described in the Terms and any applicable Order Form.

"Standard Contractual Clauses (SCC)" means the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant EU Data Protection Laws.

"Sub-processor" means Prospect AI Affiliates and third-party processors appointed by Prospect AI to process Customer Personal Data.

The terms "controller", "processor", "data subject", "process", "sell", and "service provider" shall have the same meaning as set out in the Applicable Data Protection Laws.

2. RELATIONSHIP WITH TERMS

2.1 This DPA supplements and, to the extent of any inconsistency, supersedes the Terms with respect to any processing of Customer Personal Data.

2.2 By entering into the Terms, the Customer warrants that it is duly authorized to enter into this DPA.

3. PROCESSOR AND CONTROLLER RESPONSIBILITIES

3.1 The Parties acknowledge and agree that for the purposes of the Applicable Data Protection Laws, Prospect AI will act as a "service provider" or "processor" in the performance of its obligations pursuant to the Terms, and Customer will act as a "business" or "controller".

3.2 Each of the Parties represents and warrants that it understands the rules, restrictions, requirements, and definitions of the Applicable Data Protection Laws and agrees to adhere to the requirements of the Applicable Data Protection Laws in respect of the processing of Customer Personal Data under the Terms.

4. DETAILS OF DATA PROCESSING

4.1 The details of data processing (such as subject matter, nature, purpose of the processing, and categories of Personal Data) are described in the Terms and in Schedule 1 of this DPA.

4.2 Customer Personal Data will only be processed on behalf of and under the instructions of the Customer for the Business Purpose and in accordance with Applicable Data Protection Laws. The Terms and this DPA shall be the Customer's instructions for the processing of Customer Personal Data. The Customer may issue further written instructions in accordance with this DPA.

4.3 Prospect AI agrees that except as specifically permitted under Applicable Data Protection Laws: (a) it shall not process Customer Personal Data except for the specific Business Purpose, unless required by law or a government authority (in which case Prospect AI shall use reasonable efforts to notify Customer before such disclosure or as soon thereafter as reasonably possible); (b) it shall not process Customer Personal Data for any commercial purpose outside of the Business Purpose except to provide the Services; and (c) except for the Sub-processors listed in Schedule 2, it shall only transfer Customer Personal Data to a third-party as specifically directed by the Customer.

4.4 If the Customer's instructions will cause Prospect AI to process Customer Personal Data in violation of Applicable Data Protection Laws or outside the scope of the Terms or this DPA, Prospect AI shall promptly inform the Customer to that effect, unless prohibited by Applicable Data Protection Laws.

4.5 Prospect AI may store and process Customer Personal Data anywhere Prospect AI or its Sub-processors maintain facilities, subject to Section 7 of this DPA regarding cross-border transfers.

5. PROSPECT AI'S OBLIGATIONS

5.1 Prospect AI will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for Prospect AI to comply with its obligations to the Customer under the Terms and in accordance with the Customer's instructions. Prospect AI will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Applicable Data Protection Laws.

5.2 Prospect AI will promptly comply with any Customer request or instruction requiring Prospect AI to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorized processing.

5.3 Prospect AI will maintain the confidentiality of all Customer Personal Data and will not disclose Customer Personal Data to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator, or supervisory authority requires Prospect AI to process or disclose Customer Personal Data, Prospect AI must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

5.4 Prospect AI will reasonably assist the Customer with meeting the Customer's compliance obligations under Applicable Data Protection Laws, taking into account the nature of Prospect AI's processing and the information available to Prospect AI, including in relation to Data Subject rights, data protection impact assessments, and reporting to and consulting with supervisory authorities under the Applicable Data Protection Laws.

5. SECURITY

5.1 Prospect AI must at all times implement appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

5.2 Prospect AI must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: (a) the pseudonymization and encryption of Personal Data save with the exception of Personal Data contained in emails as such Personal Data in emails is secured through the use of encrypted passwords used by Prospect AI; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

5.3 The security measures implemented by Prospect AI include, but are not limited to: (a) Physical access controls including secured access to building premises; locked filing cabinets; visitors are accompanied at all times and there is limited access to areas where equipment is located on which data is stored; (b) System access controls including use of encryption and passwords; (c) Data access controls where access to data is restricted strictly to those staff members who have a need to access the data to perform their role; (d) Data backups where data is backed up and stored in secure cloud storage; (e) Data segregation through customer identification numbers and separate subdomains; the system is designed to ensure that data remains segregated at all times.

6. PERSONAL DATA BREACH

6.1 Prospect AI will without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.

6.2 Prospect AI will without undue delay notify the Customer if it becomes aware of: (a) any accidental, unauthorized or unlawful processing of the Personal Data; or (b) any Personal Data Breach.

6.3 Where Prospect AI becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide the Customer with the following information: (a) description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned; (b) the likely consequences; and (c) description of the measures taken or proposed measures to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.

6.4 Immediately following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Prospect AI will reasonably co-operate with the Customer in the Customer's handling of the matter, including: (a) assisting with any investigation; (b) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and (c) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach or unlawful Personal Data processing.

6.5 Prospect AI will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law.

6.6 Prospect AI agrees that the Customer has the sole right to determine: (a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.7 Prospect AI will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to a Personal Data Breach to the extent that Prospect AI directly and solely caused such a Personal Data Breach, including all costs of notice and any remedy as set out in Section 6.6.

7. CROSS-BORDER TRANSFERS OF PERSONAL DATA

7.1 Prospect AI (or any subcontractor) may transfer or otherwise process Personal Data outside the European Economic Area (EEA) with Customer's consent. This Agreement, when accepted by the Customer, constitutes Customer's written consent for Prospect AI to transfer and otherwise process Customer's Personal Data.

7.2 Where such consent is granted, Prospect AI may only process, or permit the processing, of Personal Data outside the EEA in accordance with the Standard Contractual Clauses (SCCs).

7.3 If any Personal Data transfer between the Customer and Prospect AI requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Prospect AI outside the EEA), the parties acknowledge that SCCs shall be deemed incorporated into this DPA by reference, and the parties agree to comply with such SCCs. The parties agree to take all other actions required to legitimize the transfer.

7.4 If the Customer consents to appointment by Prospect AI of a subcontractor located outside the EEA in compliance with the provisions of Section 9, then Prospect AI shall ensure appropriate safeguards are in place, such as executing Standard Contractual Clauses with the subcontractor. Prospect AI will make the executed SCCs available to the Customer on request.

7.5 Customer acknowledges and agrees that Prospect AI stores and processes data in the United States and may use AWS and other cloud services providers as sub-processors.

8. SUB-PROCESSORS

8.1 The Customer may reasonably request a list of third-party processors that process Customer Personal Data. Prospect AI shall make the list available to the Customer.

8.2 By entering into this DPA, the Customer provides its general written authorization to Prospect AI to appoint sub-processors subject always to: (a) Prospect AI giving the Customer 30 business days prior written notice of any intended changes concerning the addition or replacement of a sub-processor; (b) Each such notice shall include details of the processing activities to be undertaken by the replacement sub-processor and the identity and contact details of the sub-processor; (c) Provided Prospect AI has complied with its obligations under this DPA, it shall be permitted to engage such replacement sub-processor provided that the Customer does not object to the replacement within 14 days after Prospect AI supplies the Customer with details of the sub-processor.

8.3 Where the subcontractor fails to fulfill its obligations under such written agreement, Prospect AI remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.

8.4 The Parties consider Prospect AI to control any Personal Data controlled by or in the possession of its subcontractors. On the Customer's reasonable written request, and at Customer's cost, Prospect AI may audit a subcontractor's compliance with its obligations regarding the Customer's Personal Data and provide the Customer with the audit results. Such audit may be conducted by Prospect AI as it, in its sole discretion, deems best.

8.5 Current Sub-processors utilized by Prospect AI are listed in Schedule 2 of this DPA. By entering into this DPA, Customer expressly consents to Prospect AI's use of these Sub-processors.

9. COMPLAINTS, DATA SUBJECT REQUESTS AND THIRD-PARTY RIGHTS

9.1 Prospect AI must, at no additional cost, take such technical and organizational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with: (a) the rights of Data Subjects under the Applicable Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and (b) information or assessment notices served on the Customer by any supervisory authority under the Applicable Data Protection Laws.

9.2 Prospect AI must notify the Customer if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Applicable Data Protection Laws.

9.3 Prospect AI must notify the Customer within 7 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Applicable Data Protection Laws. Prospect AI will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

9.4 Prospect AI must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this DPA or as required by law.

11. DATA RETURN AND DESTRUCTION

11.1 At the Customer's request, Prospect AI will give the Customer a copy of or access to all or part of the Customer's Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2 After termination of the Terms for any reason or expiry of its term, at the written direction of the Customer, Prospect AI shall delete or return all the Customer Personal Data to the Customer, and delete existing copies, unless applicable law requires retention of the Personal Data. If Customer does not direct Prospect AI to delete or return the Customer Data, Prospect AI may retain the Customer Data for a period of up to 9 years or may delete the Customer Data earlier if Prospect AI determines that it is no longer required to retain the Customer Data.

11.3 If any law, regulation, or government or regulatory body requires Prospect AI to retain any documents or materials that Prospect AI would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

11.4 At Customer's request, Prospect AI will certify in writing that it has destroyed the Customer's Personal Data after it completes the destruction.

12. RECORDS

12.1 Prospect AI will keep detailed, accurate, and up-to-date written and electronic records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organizational security measures referred to in Section 6.1.

12.2 Prospect AI will ensure that the Records are sufficient to enable the Customer to verify Prospect AI's compliance with its obligations under this DPA, and Prospect AI will provide the Customer with copies of the Records upon request.

13. AUDIT

13.1 Prospect AI will provide reasonable assistance to the Customer and its third-party representatives to audit Prospect AI's compliance with its obligations under this DPA, on at least 30 days' notice, during the term of this DPA. Prospect AI will give the Customer and its third-party representatives all reasonably necessary assistance to conduct such audits.

13.2 The notice requirements in Section 13.1 will not apply if the Customer reasonably believes that a Security Incident occurred or is occurring, or Prospect AI is in breach of any of its obligations under this DPA or any Applicable Data Protection Laws.

13.3 If a Security Incident occurs or is occurring, or Prospect AI becomes aware of a breach of any of its obligations under this DPA or any Applicable Data Protection Laws, Prospect AI will: (a) within 28 days of the triggering event, conduct its own audit to determine the cause; (b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit; (c) provide the Customer with a copy of the written audit report; and (d) remedy any deficiencies identified by the audit within a reasonable period of time.

13.4 Prospect AI will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA.

13.5 On the Customer's written request, Prospect AI will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as Prospect AI's confidential information under this DPA and the Terms.

13.6 Prospect AI will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Prospect AI's management.

10. TERM AND TERMINATION

10.1 This DPA will remain in full force and effect so long as: (a) the Terms remain in effect, or (b) Prospect AI retains any Personal Data related to the Terms in its possession or control.

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms in order to protect Personal Data will remain in full force and effect.

10.3 Prospect AI's failure to comply with the terms of this DPA is a material breach of the Terms. In such event, the Customer may terminate any part of the Terms authorizing the processing of Personal Data on written notice to Prospect AI without further liability or obligation. If a change in any Applicable Data Protection Laws prevents either party from fulfilling all or part of its Terms obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Applicable Data Protection Laws within 28 days, they may terminate the Terms on written notice to the other party.

14. WARRANTIES

14.1 Prospect AI warrants and represents that: (a) its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Applicable Data Protection Laws relating to the Personal Data; (b) it and anyone operating on its behalf will process the Personal Data in compliance with the Applicable Data Protection Laws and other laws, enactments, regulations, orders, standards and other similar instruments; (c) it has no reason to believe that the Applicable Data Protection Laws prevent it from providing any of the contracted services under the Terms; and (d) considering the current technology environment and implementation costs, it will take appropriate and reasonable technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to: i. the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage; ii. the nature of the Personal Data protected; and iii. comply with all Applicable Data Protection Laws and its information and security policies, including the security measures required in Section 5.1.

14.2 The Customer warrants and represents that: (a) it has conducted a Transfer Impact Assessment on the transfer of Personal Data to Prospect AI and Prospect AI's processing of the Customer's Personal Data under this DPA complies with the Applicable Data Protection Laws; and (b) it shall promptly notify Prospect AI of any changes to Applicable Data Protection Laws or regulations that may adversely affect Prospect AI's performance of the Terms.

15. INDEMNIFICATION

15.1 Customer agrees to indemnify, keep indemnified and defend at its own expense Prospect AI against all costs, claims, damages or expenses incurred by Prospect AI or for which Prospect AI may become liable due to any failure by Customer or its employees, subcontractors or agents to comply with any of its obligations under this DPA or the Applicable Data Protection Laws.

15.2 Any limitation of liability set forth in the Terms will not apply to this DPA's indemnity or reimbursement obligations.

16. NOTICE

16.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to the addresses specified in the Terms.

16.2 Section 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution which shall be served at a party's registered office address or last known address.


SCHEDULE 1: DETAILS OF PROCESSING

Subject Matter of Processing: Processing of Customer Personal Data to provide the Services, including finding contact information, email verification, and integration with CRM tools as described in the Terms.

Duration of Processing: For the duration of the Terms, unless otherwise agreed upon in writing.

Nature and Purpose of Processing: To provide the Services to Customer, which includes:

  • Finding and providing contact information of individuals associated with websites or companies of interest to Customer
  • Verifying email addresses for validity
  • Providing links to social profiles
  • Integrating with Customer's CRM and outreach tools
  • Processing emails and CRM data for proper routing and delivery
  • Analyzing data to improve service performance and accuracy

Types of Personal Data Processed:

  • Names of individuals
  • Email addresses
  • Phone numbers
  • Job titles and professional roles
  • Company affiliations
  • Social media profiles and links
  • Other business contact information
  • Communication data from emails
  • Device identifiers, IP addresses, and technical data when using the Service

Categories of Data Subjects:

  • Representatives, employees, and contacts of Customer
  • Prospects and potential business contacts identified by the Service
  • Representatives and contacts of companies that are targets of Customer's sales or marketing efforts
  • Website visitors when using the Chrome Plugin

Business Purpose: To provide the Services under the Terms, including (a) providing contact information finding services, (b) email verification, (c) CRM integration, (d) enabling the Chrome Plugin functionality, and (e) providing analytics and reporting functionality to Customer.

SCHEDULE 2: SUB-PROCESSORS

As of the date of this DPA, Prospect AI uses the following Sub-processors in the provision of the Services:

  1. Amazon Web Services (AWS)
  2. Google Cloud Platform
  3. Microsoft Azure
  4. ActiveCampaign
  5. LinkedIn
  6. Meta (Facebook)
  7. Stripe
  8. Intercom
  9. HubSpot
  10. SendGrid

SCHEDULE 3: STANDARD CONTRACTUAL CLAUSES

The Customer (as "data exporter") and Processor or Subprocessor, as appropriate, operating outside the EEA, (as "data importer"), hereby execute and enter into the Standard Contractual Clauses, in particular the Module 2 (controller to processor) and (or) Module 3 (processor to processor), as relevant, incorporated herein by reference in respect of any transfer from Customer to that Processor or Subprocess