1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data.
"Processor" means Genuinelink B.V., which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Subject" means the natural person to whom personal data relates.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Supervisory Authority" means the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
2. Scope and Purpose
This Data Processing Agreement ("DPA") governs the processing of personal data by Genuinelink B.V. ("Processor") on behalf of the Controller in connection with the provision of LinkedIn outreach services.
2.1 Subject Matter
The Processor provides a Software-as-a-Service platform for LinkedIn outreach campaigns, including:
- AI-generated personalized messaging
- Campaign management and analytics
- Lead management and tracking
- Team and client management features
2.2 Duration
This DPA remains in effect for the duration of the service agreement and until all personal data is returned or deleted.
2.3 Nature and Purpose of Processing
- Data Collection: Gathering personal data from LinkedIn profiles and user inputs
- Data Storage: Secure storage of personal data in encrypted databases
- Data Analysis: Processing data for AI model training and campaign optimization
- Data Transmission: Sharing data with authorized third-party integrations
- Data Deletion: Secure deletion of data upon request or contract termination
3. Categories of Data Subjects
The personal data processed relates to the following categories of data subjects:
- LinkedIn users whose profiles are accessed for outreach purposes
- Controller's employees and authorized users
- Controller's clients and their employees
- Lead contacts and prospects
4. Types of Personal Data Processed
4.1 LinkedIn Profile Data
- Name, professional title, company information
- Profile photos and public information
- Connection data and network information
- Message history and communication data
4.2 User Account Data
- Contact information (name, email, phone)
- Authentication credentials
- Usage patterns and preferences
- Payment and billing information
4.3 Campaign Data
- Lead lists and contact information
- Message content and templates
- Campaign performance metrics
- Analytics and reporting data
4.4 Technical Data
- IP addresses and device information
- Log files and system data
- Cookies and tracking data
- Error reports and diagnostics
5. Processor Obligations
5.1 Processing Instructions
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Not process personal data for any purpose other than those specified in this DPA
- Immediately inform the Controller if processing instructions violate GDPR
5.2 Confidentiality
The Processor shall:
- Ensure persons authorized to process personal data are bound by confidentiality obligations
- Maintain confidentiality of personal data and processing activities
- Not disclose personal data to third parties without Controller's authorization
5.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure:
- Confidentiality: Protection against unauthorized access
- Integrity: Protection against unauthorized alteration
- Availability: Protection against accidental loss or destruction
- Resilience: Regular testing and evaluation of security measures
5.4 Specific Security Measures
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Network Security: Firewalls, intrusion detection, and monitoring
- Physical Security: Secure data centers with restricted access
- Staff Training: Regular privacy and security training for all personnel
- Incident Response: Procedures for detecting, reporting, and responding to security breaches
5.5 Sub-Processing
The Processor may engage sub-processors with Controller's prior written consent. The Processor shall:
- Public Sub-Processor List: Maintain a current list of sub-processors at [SUB_PROCESSOR_LIST_URL]
- Change Notifications: Notify Controller of new sub-processors via email at least 30 days in advance
- Objection Rights: Controller may object to new sub-processors within 30 days of notification
- Remedies: If Controller objects and Processor cannot provide reasonable alternative, Controller may terminate affected services
- Sub-Processor Agreements: Ensure all sub-processors are bound by the same data protection obligations
- Liability: Processor remains fully liable for sub-processor compliance
- Audit Rights: Controller may audit sub-processor compliance through Processor
5.6 Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject rights:
- Access: Providing data subjects with copies of their personal data
- Rectification: Correcting inaccurate or incomplete data
- Erasure: Deleting personal data upon request
- Restriction: Limiting processing in certain circumstances
- Portability: Providing data in structured, machine-readable format
- Objection: Handling objections to processing
5.7 Data Protection Impact Assessments
The Processor shall assist the Controller in conducting DPIAs when required, including:
- Providing information about processing activities
- Assessing risks to data subjects
- Recommending mitigation measures
5.8 Breach Notification
The Processor shall:
- Notify the Controller of any personal data breach without undue delay
- Provide detailed information about the breach
- Assist in breach notification to supervisory authorities and data subjects
- Document all breaches and remedial actions taken
5.9 Law Enforcement and Government Access
The Processor shall:
- Immediate Notice: Notify Controller immediately of any law enforcement or government requests for personal data (unless prohibited by law)
- Narrow Disclosure: Provide only the minimum data necessary to comply with valid requests
- Legal Challenge: Contest requests that appear overbroad, invalid, or contrary to data protection law
- Transparency: Provide regular reports on government requests and responses
- Gag Order Handling: Challenge gag orders when legally permissible
5.10 Data Protection Officer
The Processor has appointed a Data Protection Officer who can be contacted at [email protected].
6. Controller Obligations
6.1 Lawfulness of Processing
The Controller shall ensure that:
- Processing has a lawful basis under GDPR Article 6
- Data subjects have been informed about processing activities
- Necessary consents have been obtained where required
6.2 Data Quality
The Controller shall ensure that:
- Personal data is accurate and up-to-date
- Data is adequate, relevant, and limited to what is necessary
- Data is kept for no longer than necessary
6.3 Instructions
The Controller shall provide clear, documented instructions for processing personal data.
6.4 Cooperation
The Controller shall cooperate with the Processor in:
- Responding to data subject requests
- Conducting DPIAs
- Investigating security breaches
- Ensuring compliance with applicable laws
7. International Transfers
7.1 Adequacy Decisions
Personal data may be transferred to countries with adequate data protection as determined by the European Commission.
7.2 Appropriate Safeguards
For transfers to countries without adequacy decisions, the Processor shall use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules
- Certification schemes
- Codes of conduct
7.3 Specific Safeguards
- Data Processing Agreements with all sub-processors
- Regular security assessments and audits
- Data localization where required by applicable law
8. Data Retention and Deletion
8.1 Retention Periods
Personal data shall be retained only for the period necessary to fulfill the purposes outlined in this DPA:
- Account Data: While account is active + 2 years
- Campaign Data: 3 years for analytics purposes
- Log Data: 1 year for security purposes
- Backup Data: 30 days after primary deletion
8.2 Deletion Procedures
Upon expiration of retention periods or Controller's request:
- Personal data shall be securely deleted using industry-standard methods
- Deletion shall be verified and documented
- Backup copies shall be deleted within 30 days
- Deletion certificates may be provided upon request
9. Audits and Compliance
9.1 Audit Rights
The Controller has the right to:
- Audit the Processor's compliance with this DPA
- Request information about security measures
- Inspect processing facilities (with reasonable notice)
- Review security certifications and reports
9.2 Audit Procedures
- Audits shall be conducted during business hours
- Processor shall provide necessary assistance and documentation
- Audit results shall be confidential and not disclosed to third parties
- Costs of audits shall be borne by the Controller
9.3 Compliance Monitoring
The Processor shall:
- Regularly monitor compliance with this DPA
- Conduct internal audits and assessments
- Maintain records of processing activities
- Report compliance status to the Controller
10. Liability and Indemnification
10.1 Processor Liability
The Processor shall be liable for:
- Damage caused by processing that infringes GDPR
- Damage caused by processing outside Controller's instructions
- Damage caused by Processor's failure to comply with this DPA
10.2 Limitation of Liability
The Processor's total liability shall not exceed the total amount paid by the Controller in the 12 months preceding the claim.
10.3 Indemnification
The Controller shall indemnify the Processor against claims arising from:
- Controller's violation of applicable data protection laws
- Controller's failure to obtain necessary consents
- Controller's instructions that violate GDPR
11. Termination
11.1 Termination Events
This DPA may be terminated:
- Upon expiration of the service agreement
- By either party with 30 days' written notice
- Immediately upon material breach by either party
11.2 Post-Termination Obligations
Upon termination:
- All personal data shall be returned or deleted
- Confidentiality obligations shall continue
- Audit rights shall continue for 2 years
- This DPA shall remain in effect for ongoing obligations
12. Governing Law and Disputes
12.1 Governing Law
This DPA is governed by the laws of the Netherlands and GDPR.
12.2 Dispute Resolution
Disputes shall be resolved through:
- Good faith negotiations
- Mediation if negotiations fail
- Binding arbitration under Netherlands Arbitration Institute rules
12.3 Supervisory Authority
Both parties acknowledge the jurisdiction of the Dutch Data Protection Authority.
13. General Provisions
13.1 Entire Agreement
This DPA, together with the service agreement, constitutes the entire agreement between the parties.
13.2 Severability
If any provision is found unenforceable, the remaining provisions shall remain in effect.
13.3 Amendments
This DPA may only be amended by written agreement signed by both parties.
13.4 Notices
All notices shall be sent to:
- Processor: [email protected]
- Controller: [CONTROLLER EMAIL]
14. Contact Information
Genuinelink B.V. (Netherlands). Contact us at [email protected].
Annex A: EU Standard Contractual Clauses (SCCs) 2021
A.1 Module Selection
This DPA incorporates the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
- Module 2 (Controller to Processor): For transfers from Controller to Processor
- Module 3 (Processor to Sub-processor): For transfers from Processor to Sub-processors
A.2 Annex I: Parties and Data
Data Exporter: [CONTROLLER_NAME]
Data Importer: Genuinelink B.V.
Data Categories: As specified in Section 4 of this DPA
Data Subjects: As specified in Section 3 of this DPA
Special Categories: None
Processing Operations: As specified in Section 2 of this DPA
A.3 Annex II: Technical and Organizational Measures
Security Measures: As specified in Section 5.4 of this DPA
Access Controls: Role-based access with multi-factor authentication
Encryption: TLS 1.3 in transit, AES-256 at rest
Monitoring: 24/7 security monitoring and incident response
Training: Regular privacy and security training for all personnel
A.4 Annex III: List of Sub-processors
Current Sub-processors: Available at [SUB_PROCESSOR_LIST_URL]
Change Notifications: 30 days advance notice via email
Objection Rights: 30 days to object to new sub-processors
A.5 UK Addendum (if applicable)
For transfers from the UK, the UK Addendum to the EU SCCs applies as published by the ICO.
This Data Processing Agreement is effective as of June 11, 2025 and was last updated on March 11, 2026.