This Data Processing Agreement ("DPA") is entered into between:
This DPA supplements the iLeadX Terms of Service and Privacy Policy and governs the processing of Personal Data by iLeadX on behalf of the Controller in connection with the Platform. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.
This DPA is designed to comply with the requirements of Article 28 of the General Data Protection Regulation (GDPR) and equivalent provisions in other applicable data protection laws, including the CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and NDPR (Nigeria).
This DPA applies to all processing of Personal Data by iLeadX in the course of providing the Platform to the Controller under the Enterprise plan or a separately executed subscription agreement.
This DPA shall remain in effect for the duration of the Controller's subscription to the Platform. Upon termination or expiration of the subscription, this DPA shall automatically terminate, subject to Section 10 (Data Retention & Deletion).
iLeadX processes Personal Data to provide the lead-generation, enrichment, AI scoring, and data export services described in the Terms of Service.
| Category | Examples |
|---|---|
| Business Contact Information | Business email addresses, business phone numbers, job titles, company names |
| Public Professional Profiles | LinkedIn profiles, professional social media accounts |
| Business Metadata | Company address, industry, ratings, reviews, technology stack |
| User Account Data | Controller employee names, email addresses, login credentials (hashed) |
| AI-Generated Insights | Lead scores, urgency assessments, pitch angles, pain point analyses |
iLeadX agrees to:
The Controller authorizes iLeadX to engage the following Sub-Processors for the purposes described below:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Paystack | Payment processing | Transaction data, email | Nigeria |
| Stripe | Payment processing (alternative) | Transaction data, email | United States |
| NowPayments | Cryptocurrency payment processing | Transaction data, wallet addresses | Estonia |
| Google (OAuth) | User authentication | Email, name, profile picture | United States |
| Google Sheets API | Lead export (user-initiated) | Lead Data selected for export | United States |
| Ollama (Local) | AI scoring and enrichment | Lead Data for analysis | Self-hosted (Controller's region) |
| SMTP Service | Transactional emails | Email address, email content | Configured by Controller |
iLeadX shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 14 days in advance. The Controller may object to such changes within 7 days of notification. If the Controller objects and iLeadX cannot accommodate the objection, the Controller may terminate the subscription without penalty.
iLeadX shall impose on all Sub-Processors data protection obligations substantially similar to those set forth in this DPA. iLeadX shall remain fully liable to the Controller for the performance of any Sub-Processor's obligations.
iLeadX shall implement and maintain the following technical and organizational measures to protect Personal Data:
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transmitted between the Platform and Users |
| Password Hashing | Argon2 algorithm with per-password salting |
| Authentication | JWT-based access tokens with refresh token rotation |
| Two-Factor Authentication | TOTP-based 2FA (mandatory for admin accounts, optional for users) |
| Access Controls | Role-based access (user, admin, super_admin) with least-privilege principle |
| Audit Logging | Comprehensive logging of administrative actions with immutable records |
| Rate Limiting | API rate limiting to prevent abuse and brute-force attacks |
| Session Management | Per-device session tracking with IP logging and remote revocation |
iLeadX shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including:
If iLeadX receives a Data Subject request directly, it shall promptly forward the request to the Controller and shall not respond to the request except at the Controller's documented instruction.
iLeadX shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting Personal Data.
The notification shall, to the extent reasonably available:
iLeadX shall cooperate with the Controller and take such reasonable steps as the Controller directs to assist in the investigation, mitigation, and remediation of any Data Breach.
Personal Data shall be retained for the duration of the Controller's subscription to the Platform, unless earlier deletion is requested by the Controller.
Within 30 days of termination or expiration of the subscription, iLeadX shall, at the Controller's election:
Thereafter, iLeadX shall delete all existing copies of Personal Data, except where retention is required by applicable law. iLeadX shall certify the completion of deletion to the Controller in writing upon request.
Shared business data (company names, addresses, ratings) that has been stripped of Controller-specific enrichment data may be retained in anonymized form for Platform improvement purposes.
iLeadX shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
The Controller may, no more than once per calendar year and upon 30 days' written notice, conduct an on-site audit of iLeadX's data processing facilities during normal business hours. The Controller shall bear all costs of such audit. The Controller shall use a mutually agreed-upon independent third-party auditor for any on-site audit.
In lieu of an on-site audit, iLeadX may provide the Controller with a summary of a recent third-party audit report or certification (such as a SOC 2 Type II report, once available) demonstrating compliance with this DPA.
Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions to a country not deemed to provide an adequate level of protection, iLeadX shall ensure appropriate safeguards are in place, including:
Enterprise Controllers may request specific data residency accommodations. iLeadX will make commercially reasonable efforts to accommodate such requests, subject to technical feasibility and mutual agreement.
Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for: (a) breach of its confidentiality obligations; (b) intentional misconduct or gross negligence; or (c) any liability that cannot be limited or excluded under applicable law.
This DPA shall be governed by the laws specified in the Terms of Service. For data processing activities subject to GDPR, the laws of the relevant EU Member State shall also apply to the extent required by GDPR.
This DPA is incorporated by reference into the Terms of Service and becomes effective upon the Controller's subscription to the iLeadX Enterprise plan or execution of a separate Order Form referencing this DPA. No separate signature is required for this DPA to take effect.
For the Processor (iLeadX):
iLeadX — a subsidiary of Wako Digital Hub Ltd
Email: [email protected]
Subject: "DPA — Enterprise Agreement"
For the Controller:
As set forth in the applicable Enterprise Order Form or subscription agreement.
© 2026 iLeadX — a subsidiary of Wako Digital Hub Ltd. All rights reserved.