Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service between WholeDatabase ("we", "us") and the customer ("Customer", "you") and forms an integral part of the service agreement.

This DPA applies whenever WholeDatabase processes personal data on behalf of customers in the course of providing our B2B lead intelligence services. It establishes the obligations and rights of both parties with respect to the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data processing matters.

The following terms have specific meanings when used in this DPA:

• Controller — The entity that determines the purposes and means of processing personal data. Depending on context, this may be WholeDatabase or the Customer.
• Processor — The entity that processes personal data on behalf of the Controller. When providing data to customers, WholeDatabase acts as a Processor.
• Data Subject — An identified or identifiable natural person whose personal data is being processed.
• Personal Data — Any information relating to a Data Subject, including business contact information such as names, email addresses, phone numbers, and job titles.
• Processing — Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
• Sub-Processor — A third party engaged by WholeDatabase to process personal data on behalf of the Customer.

WholeDatabase operates in dual capacities depending on the context of data processing:

This section describes the nature, purpose, and scope of data processing activities under this DPA.

WholeDatabase recognizes and supports the rights of data subjects under applicable data protection laws, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

WholeDatabase will assist customers in responding to data subject requests by providing appropriate technical and organizational measures. This includes facilitating requests for access, correction, deletion, or restriction of personal data.

Where WholeDatabase receives a data subject request directly that relates to data processed on behalf of a customer, we will promptly notify the customer and await their instructions before responding, unless legally required to respond directly.

WholeDatabase will respond to legitimate data subject requests within 30 days and will not charge additional fees for reasonable assistance with such requests.

WholeDatabase engages certain third-party sub-processors to support the delivery of our services. All sub-processors are bound by data protection obligations equivalent to those set out in this DPA.

WholeDatabase will notify customers of any intended changes to sub-processors, giving customers the opportunity to object. A current list of sub-processors is available upon request.

WholeDatabase implements and maintains appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

• Encryption — All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Database backups are also encrypted.
• Access controls — Role-based access control (RBAC) ensures that only authorized personnel can access personal data. Multi-factor authentication is required for all administrative access.
• Incident response — A documented incident response plan is maintained and tested regularly, with defined escalation procedures and communication protocols.
• Regular testing — Security measures are regularly tested through vulnerability assessments, penetration testing, and security audits to ensure ongoing effectiveness.
• Employee training — All staff with access to personal data receive regular data protection and security awareness training.
• Physical security — Data is hosted in facilities with enterprise-grade physical security controls, including 24/7 monitoring and restricted access.

In the event of a personal data breach, WholeDatabase will take the following steps to ensure timely notification and appropriate response:

• Notification timeline — WholeDatabase will notify affected customers within 48 hours of becoming aware of a confirmed personal data breach.
• Breach details — Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
• Cooperation — WholeDatabase will cooperate fully with customers in investigating the breach, mitigating its effects, and complying with any regulatory notification requirements.
• Documentation — All data breaches will be documented, including the facts, effects, and remedial actions taken, regardless of whether notification to supervisory authorities is required.

WholeDatabase may transfer personal data internationally in the course of providing its services. We ensure that all international transfers of personal data are conducted with adequate safeguards in place.

• Where personal data is transferred outside the European Economic Area (EEA), WholeDatabase relies on Standard Contractual Clauses (SCCs) approved by the European Commission as the primary transfer mechanism.
• WholeDatabase conducts transfer impact assessments to evaluate the level of data protection in the recipient country and implements supplementary measures where necessary.
• Data transfers to countries recognized by the European Commission as providing an adequate level of data protection are conducted on the basis of such adequacy decisions.
• Customers may request a copy of the applicable SCCs or details of transfer safeguards at any time by contacting our data protection team.

WholeDatabase recognizes the importance of transparency and accountability in data processing. Customers have the right to verify WholeDatabase's compliance with the obligations set out in this DPA.

• Customers may request documentation demonstrating WholeDatabase's compliance with this DPA and applicable data protection laws.
• WholeDatabase supports annual audits, which may be conducted by the Customer or an independent third-party auditor appointed by the Customer, subject to reasonable advance notice and confidentiality obligations.
• WholeDatabase will provide reasonable cooperation and access to relevant information, systems, and facilities necessary for conducting the audit.
• Where multiple customers request audits, WholeDatabase may offer a consolidated audit report prepared by an independent auditor to minimize operational disruption.

Audit requests should be submitted in writing at least 30 days in advance. WholeDatabase will bear its own costs for supporting routine annual audits.

This DPA takes effect upon the Customer's acceptance of the Terms of Service and remains in force for the duration of the service agreement between WholeDatabase and the Customer.

• This DPA will automatically terminate upon expiration or termination of the underlying service agreement.
• Upon termination, WholeDatabase will cease processing personal data on behalf of the Customer and will delete or return all personal data within 30 days, unless retention is required by applicable law.
• The Customer may request a copy of their data in a commonly used, machine-readable format prior to deletion.
• Obligations relating to confidentiality, data protection, and liability shall survive the termination of this DPA.

If you have any questions about this Data Processing Agreement, wish to exercise your rights, or need to report a data protection concern, please reach out to our data protection team.

For audit requests, sub-processor inquiries, or DPA-related matters, please include "DPA Inquiry" in your subject line to ensure prompt routing to the appropriate team.