Enterprise-grade data protection.

📋 Note: This DPA is automatically incorporated into all paid SocialEnrich subscriptions. For a countersigned copy or custom DPA terms, email legal@socialenrich.net.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by SocialEnrich on behalf of the Controller.
• "Processing" means any operation performed on Personal Data, including collection, storage, enrichment, retrieval, transmission, and deletion.
• "Sub-processor" means any third party appointed by SocialEnrich to process Personal Data on behalf of the Controller.
• "Data Protection Laws" means GDPR (EU), CCPA (California), PDPA (Vietnam), and any other applicable data protection legislation.
• "Standard Contractual Clauses" (SCCs) means the clauses adopted by the European Commission for international data transfers.

2. Scope & Purpose of Processing

2.1 Subject Matter

SocialEnrich processes Personal Data to provide social data enrichment services as described in the Terms of Service and subscription agreement.

2.2 Categories of Data Subjects

• Business contacts and leads submitted by the Controller for enrichment
• Employees and representatives of the Controller's target accounts
• Publicly available social media profile holders

2.3 Types of Personal Data

• Contact information (names, email addresses, phone numbers)
• Professional information (job titles, company names, LinkedIn profiles)
• Social profile data (publicly available social media information)
• Behavioral and intent signals (aggregated, non-directly identifying)

2.4 Duration

Processing continues for the duration of the service agreement plus 30 days for data deletion, unless a longer retention period is required by law.

3. Obligations of the Processor

SocialEnrich, as the Processor, shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 5)
• Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
• Make available all information necessary to demonstrate compliance and allow for audits
• Notify the Controller of any data breach without undue delay (within 72 hours)
• Delete or return all Personal Data upon termination of the service agreement
• Not engage sub-processors without prior written authorization from the Controller

4. Obligations of the Controller

The Controller shall:

• Ensure a valid legal basis exists for the processing of Personal Data submitted to SocialEnrich
• Provide clear, documented instructions for data processing
• Comply with all applicable Data Protection Laws in its use of enriched data
• Inform SocialEnrich promptly of any data subject requests requiring Processor assistance
• Ensure data submitted for enrichment does not include sensitive/special category data unless explicitly agreed

5. Security Measures

SocialEnrich implements the following technical and organizational measures:

6. Sub-processors

The Controller authorizes the use of the following sub-processors:

We will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object in writing within 14 days of notification.

7. International Data Transfers

Where Personal Data is transferred outside the EEA, we ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) as adopted by the European Commission Decision 2021/914
• Adequacy Decisions — Where the destination country has been granted an adequacy decision
• Supplementary Measures — Additional technical measures including encryption and pseudonymization where required by the Schrems II ruling

8. Data Breach Notification

• SocialEnrich will notify the Controller of any confirmed Personal Data breach within 72 hours of becoming aware.
• Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to mitigate.
• SocialEnrich will cooperate fully with the Controller's investigation and regulatory notifications.
• Breach notifications will be sent to the email address registered on the Controller's account and via the platform dashboard.

9. Audits & Compliance

• SocialEnrich will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
• The Controller may conduct audits, including inspections, no more than once per year with 30 days' written notice.
• Audit costs are borne by the Controller unless the audit reveals a material breach by SocialEnrich.
• SocialEnrich will provide SOC 2 Type II audit reports upon request under NDA (target: Year 1).

10. Data Retention & Deletion

• Upon termination of the service agreement, SocialEnrich will delete all Personal Data within 30 days.
• The Controller may request a data export in machine-readable format (JSON/CSV) before deletion.
• Backup copies will be purged within 90 days of the deletion request.
• SocialEnrich will provide written confirmation of deletion upon request.

11. Contact & Governing Law

This DPA is governed by the same laws as the underlying service agreement. For GDPR-related matters, the laws of the European Union apply.

Data Protection Contact:
SocialEnrich — Legal & Compliance
Email: legal@socialenrich.net
DPO: dpo@socialenrich.net
Trust Center: socialenrich.net/trust