Data Processing Agreement

Effective: June 11, 2025

Last updated: March 11, 2026

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data.

"Processor" means Genuinelink B.V., which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject" means the natural person to whom personal data relates.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Supervisory Authority" means the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

2. Scope and Purpose

This Data Processing Agreement ("DPA") governs the processing of personal data by Genuinelink B.V. ("Processor") on behalf of the Controller in connection with the provision of LinkedIn outreach services.

2.1 Subject Matter

The Processor provides a Software-as-a-Service platform for LinkedIn outreach campaigns, including:

  • AI-generated personalized messaging
  • Campaign management and analytics
  • Lead management and tracking
  • Team and client management features

2.2 Duration

This DPA remains in effect for the duration of the service agreement and until all personal data is returned or deleted.

2.3 Nature and Purpose of Processing

  • Data Collection: Gathering personal data from LinkedIn profiles and user inputs
  • Data Storage: Secure storage of personal data in encrypted databases
  • Data Analysis: Processing data for AI model training and campaign optimization
  • Data Transmission: Sharing data with authorized third-party integrations
  • Data Deletion: Secure deletion of data upon request or contract termination

3. Categories of Data Subjects

The personal data processed relates to the following categories of data subjects:

  • LinkedIn users whose profiles are accessed for outreach purposes
  • Controller's employees and authorized users
  • Controller's clients and their employees
  • Lead contacts and prospects

4. Types of Personal Data Processed

4.1 LinkedIn Profile Data

  • Name, professional title, company information
  • Profile photos and public information
  • Connection data and network information
  • Message history and communication data

4.2 User Account Data

  • Contact information (name, email, phone)
  • Authentication credentials
  • Usage patterns and preferences
  • Payment and billing information

4.3 Campaign Data

  • Lead lists and contact information
  • Message content and templates
  • Campaign performance metrics
  • Analytics and reporting data

4.4 Technical Data

  • IP addresses and device information
  • Log files and system data
  • Cookies and tracking data
  • Error reports and diagnostics

5. Processor Obligations

5.1 Processing Instructions

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Not process personal data for any purpose other than those specified in this DPA
  • Immediately inform the Controller if processing instructions violate GDPR

5.2 Confidentiality

The Processor shall:

  • Ensure persons authorized to process personal data are bound by confidentiality obligations
  • Maintain confidentiality of personal data and processing activities
  • Not disclose personal data to third parties without Controller's authorization

5.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure:

  • Confidentiality: Protection against unauthorized access
  • Integrity: Protection against unauthorized alteration
  • Availability: Protection against accidental loss or destruction
  • Resilience: Regular testing and evaluation of security measures

5.4 Specific Security Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and monitoring
  • Physical Security: Secure data centers with restricted access
  • Staff Training: Regular privacy and security training for all personnel
  • Incident Response: Procedures for detecting, reporting, and responding to security breaches

5.5 Sub-Processing

The Processor may engage sub-processors with Controller's prior written consent. The Processor shall:

  • Public Sub-Processor List: Maintain a current list of sub-processors at [SUB_PROCESSOR_LIST_URL]
  • Change Notifications: Notify Controller of new sub-processors via email at least 30 days in advance
  • Objection Rights: Controller may object to new sub-processors within 30 days of notification
  • Remedies: If Controller objects and Processor cannot provide reasonable alternative, Controller may terminate affected services
  • Sub-Processor Agreements: Ensure all sub-processors are bound by the same data protection obligations
  • Liability: Processor remains fully liable for sub-processor compliance
  • Audit Rights: Controller may audit sub-processor compliance through Processor

5.6 Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights:

  • Access: Providing data subjects with copies of their personal data
  • Rectification: Correcting inaccurate or incomplete data
  • Erasure: Deleting personal data upon request
  • Restriction: Limiting processing in certain circumstances
  • Portability: Providing data in structured, machine-readable format
  • Objection: Handling objections to processing

5.7 Data Protection Impact Assessments

The Processor shall assist the Controller in conducting DPIAs when required, including:

  • Providing information about processing activities
  • Assessing risks to data subjects
  • Recommending mitigation measures

5.8 Breach Notification

The Processor shall:

  • Notify the Controller of any personal data breach without undue delay
  • Provide detailed information about the breach
  • Assist in breach notification to supervisory authorities and data subjects
  • Document all breaches and remedial actions taken

5.9 Law Enforcement and Government Access

The Processor shall:

  • Immediate Notice: Notify Controller immediately of any law enforcement or government requests for personal data (unless prohibited by law)
  • Narrow Disclosure: Provide only the minimum data necessary to comply with valid requests
  • Legal Challenge: Contest requests that appear overbroad, invalid, or contrary to data protection law
  • Transparency: Provide regular reports on government requests and responses
  • Gag Order Handling: Challenge gag orders when legally permissible

5.10 Data Protection Officer

The Processor has appointed a Data Protection Officer who can be contacted at [email protected].

6. Controller Obligations

6.1 Lawfulness of Processing

The Controller shall ensure that:

  • Processing has a lawful basis under GDPR Article 6
  • Data subjects have been informed about processing activities
  • Necessary consents have been obtained where required

6.2 Data Quality

The Controller shall ensure that:

  • Personal data is accurate and up-to-date
  • Data is adequate, relevant, and limited to what is necessary
  • Data is kept for no longer than necessary

6.3 Instructions

The Controller shall provide clear, documented instructions for processing personal data.

6.4 Cooperation

The Controller shall cooperate with the Processor in:

  • Responding to data subject requests
  • Conducting DPIAs
  • Investigating security breaches
  • Ensuring compliance with applicable laws

7. International Transfers

7.1 Adequacy Decisions

Personal data may be transferred to countries with adequate data protection as determined by the European Commission.

7.2 Appropriate Safeguards

For transfers to countries without adequacy decisions, the Processor shall use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules
  • Certification schemes
  • Codes of conduct

7.3 Specific Safeguards

  • Data Processing Agreements with all sub-processors
  • Regular security assessments and audits
  • Data localization where required by applicable law

8. Data Retention and Deletion

8.1 Retention Periods

Personal data shall be retained only for the period necessary to fulfill the purposes outlined in this DPA:

  • Account Data: While account is active + 2 years
  • Campaign Data: 3 years for analytics purposes
  • Log Data: 1 year for security purposes
  • Backup Data: 30 days after primary deletion

8.2 Deletion Procedures

Upon expiration of retention periods or Controller's request:

  • Personal data shall be securely deleted using industry-standard methods
  • Deletion shall be verified and documented
  • Backup copies shall be deleted within 30 days
  • Deletion certificates may be provided upon request

9. Audits and Compliance

9.1 Audit Rights

The Controller has the right to:

  • Audit the Processor's compliance with this DPA
  • Request information about security measures
  • Inspect processing facilities (with reasonable notice)
  • Review security certifications and reports

9.2 Audit Procedures

  • Audits shall be conducted during business hours
  • Processor shall provide necessary assistance and documentation
  • Audit results shall be confidential and not disclosed to third parties
  • Costs of audits shall be borne by the Controller

9.3 Compliance Monitoring

The Processor shall:

  • Regularly monitor compliance with this DPA
  • Conduct internal audits and assessments
  • Maintain records of processing activities
  • Report compliance status to the Controller

10. Liability and Indemnification

10.1 Processor Liability

The Processor shall be liable for:

  • Damage caused by processing that infringes GDPR
  • Damage caused by processing outside Controller's instructions
  • Damage caused by Processor's failure to comply with this DPA

10.2 Limitation of Liability

The Processor's total liability shall not exceed the total amount paid by the Controller in the 12 months preceding the claim.

10.3 Indemnification

The Controller shall indemnify the Processor against claims arising from:

  • Controller's violation of applicable data protection laws
  • Controller's failure to obtain necessary consents
  • Controller's instructions that violate GDPR

11. Termination

11.1 Termination Events

This DPA may be terminated:

  • Upon expiration of the service agreement
  • By either party with 30 days' written notice
  • Immediately upon material breach by either party

11.2 Post-Termination Obligations

Upon termination:

  • All personal data shall be returned or deleted
  • Confidentiality obligations shall continue
  • Audit rights shall continue for 2 years
  • This DPA shall remain in effect for ongoing obligations

12. Governing Law and Disputes

12.1 Governing Law

This DPA is governed by the laws of the Netherlands and GDPR.

12.2 Dispute Resolution

Disputes shall be resolved through:

  • Good faith negotiations
  • Mediation if negotiations fail
  • Binding arbitration under Netherlands Arbitration Institute rules

12.3 Supervisory Authority

Both parties acknowledge the jurisdiction of the Dutch Data Protection Authority.

13. General Provisions

13.1 Entire Agreement

This DPA, together with the service agreement, constitutes the entire agreement between the parties.

13.2 Severability

If any provision is found unenforceable, the remaining provisions shall remain in effect.

13.3 Amendments

This DPA may only be amended by written agreement signed by both parties.

13.4 Notices

All notices shall be sent to:

14. Contact Information

Genuinelink B.V. (Netherlands). Contact us at [email protected].

Annex A: EU Standard Contractual Clauses (SCCs) 2021

A.1 Module Selection

This DPA incorporates the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:

  • Module 2 (Controller to Processor): For transfers from Controller to Processor
  • Module 3 (Processor to Sub-processor): For transfers from Processor to Sub-processors

A.2 Annex I: Parties and Data

Data Exporter: [CONTROLLER_NAME]
Data Importer: Genuinelink B.V.
Data Categories: As specified in Section 4 of this DPA
Data Subjects: As specified in Section 3 of this DPA
Special Categories: None
Processing Operations: As specified in Section 2 of this DPA

A.3 Annex II: Technical and Organizational Measures

Security Measures: As specified in Section 5.4 of this DPA
Access Controls: Role-based access with multi-factor authentication
Encryption: TLS 1.3 in transit, AES-256 at rest
Monitoring: 24/7 security monitoring and incident response
Training: Regular privacy and security training for all personnel

A.4 Annex III: List of Sub-processors

Current Sub-processors: Available at [SUB_PROCESSOR_LIST_URL]
Change Notifications: 30 days advance notice via email
Objection Rights: 30 days to object to new sub-processors

A.5 UK Addendum (if applicable)

For transfers from the UK, the UK Addendum to the EU SCCs applies as published by the ICO.


This Data Processing Agreement is effective as of June 11, 2025 and was last updated on March 11, 2026.