This Data Processing Agreement ("DPA") forms part of the Terms and Conditions of Use and Sale between Quantile Corp ("Processor", "we", "us", or "our") and the Client ("Controller"). This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.
1. Definitions
Personal Data means any information relating to an identified or identifiable natural person processed under this Agreement.
Processing means any operation performed on Personal Data, including collection, enrichment, storage, and deletion.
Data Subject means the identified or identifiable natural person to whom the Personal Data relates.
Subprocessor means any third party engaged by Processor to process Personal Data.
Data Protection Laws means all applicable laws relating to data protection and privacy including the GDPR, UK GDPR, and CCPA.
Security Incident means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Purpose
This DPA applies to the Processing of Personal Data by Quantile in providing lead generation and enrichment services. The Processing includes:
Collection and verification of business contact information
Enrichment of lead data through verified providers
Delivery of processed data to the Controller
Temporary storage for quality assurance (up to 30 days)
Processing for analytics and service improvement
3. Duration and Data Retention
This DPA is effective for the duration of our lead generation services to the Controller. We implement the following retention periods:
Processed lead data: Up to 30 days after delivery
Order details: As required by law for financial records
Support communications: Duration of the business relationship
Technical logs: Up to 90 days for security purposes
4. Nature of Processing
Categories of Data Subjects:
Business professionals
Company employees
Corporate decision-makers
Types of Personal Data:
Professional contact information (business email, name, title)
Professional social media profiles
Company affiliation and role
Business-related experience and background
Processing Operations:
Collection from public and licensed sources
Verification and enrichment
Organization and structuring
Storage and deletion
Transfer to Controller
5. Obligations of the Processor
Quantile commits to:
Process Personal Data only on documented instructions from the Controller
Ensure confidentiality of processing
Implement appropriate technical and organizational security measures
Assist the Controller in responding to Data Subject requests
Notify the Controller of any Personal Data breaches without undue delay
Maintain records of processing activities
Support the Controller in conducting impact assessments
Delete or return Personal Data at the end of processing
6. Subprocessing
The Controller authorizes Quantile to engage Subprocessors for data processing. Our subprocessing arrangements include:
Enrow - Professional Email & Email Deliverability
Icypeas - Professional Email & Email Deliverability
Hunter - Professional Email & Email Deliverability
Anymailfinder - Professional Email & Email Deliverability
Dropcontact - Professional Email & Email Deliverability
Snov - Professional Email & Email Deliverability
Prospeo - Email, Phone, LinkedIn Data
Apollo - Email, Phone, LinkedIn Data
PeopleDataLabs - Email, Phone, LinkedIn Data
ContactOut - Email, Phone, LinkedIn Data
LeadMagic - Email, Phone, LinkedIn Data
Pipl (US Only) - Email, Phone, LinkedIn Data
Hetzner - Infrastructure and hosting
Anthropic and OpenAI - AI services
PostHog - Analytics
Notion Labs, Inc. - Operations
Google LLC - Business operations
Crisp SAS - Customer support
We will inform the Controller of any intended changes concerning Subprocessors, giving the Controller the opportunity to object to such changes.
7. Security Measures
We implement appropriate technical and organizational measures including:
Encryption of data in transit (TLS) and at rest (AES-256)
Multi-factor authentication for system access
Regular security patches and updates
Network segmentation and firewalls
Intrusion detection and prevention systems
Regular security scanning and testing
Regular employee security training
Access control and authorization procedures
Data protection impact assessments
Incident response procedures
Regular compliance audits
Confidentiality agreements
8. Data Subject Rights
We will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object to processing
9. International Transfers
Any transfer of Personal Data to countries outside the EEA will be done in compliance with Chapter V of the GDPR. We ensure appropriate safeguards through:
Standard Contractual Clauses (SCCs)
Binding Corporate Rules (where applicable)
Adequacy decisions
Additional technical and organizational measures
10. Security Incidents
In the event of a Security Incident, we will:
Notify the Controller without undue delay
Provide detailed information about the incident
Implement measures to mitigate impacts
Document and investigate the incident
Support the Controller's notification obligations
11. Audit Rights
The Controller has the right to audit our data processing activities. We will:
Provide necessary information to demonstrate compliance
Allow for and contribute to audits and inspections
Provide access to processing facilities
Make available our data protection officer
12. Liability
Each party shall be liable for damages caused by their processing activities that infringe applicable data protection laws. Subprocessors shall be liable to the Controller for the performance of their data protection obligations.
13. Termination
Upon termination of processing services:
All Personal Data will be deleted or returned as specified by the Controller
Copies will be deleted unless legally required to retain
Subprocessors will be instructed to delete data
Confirmation of deletion will be provided upon request
14. Contact
For any questions about this DPA or our data processing activities, please contact us at:
Email: support@quantileleads.com
Address: 166 Geary Street, 15th Floor, San Francisco California 94108, United States
This Data Processing Agreement was last updated on 1/8/2025.