Data Processing Agreement (DPA)
In accordance with Article 28 of the GDPR (EU 2016/679)
Between the Undersigned:
The Data Controller (The Client)
- Company Name: _______________
- Address: _______________
- Registration Number: _______________
- Represented by: _______________
- Email: _______________
The Data Processor (Leadsia)
- Company Name: Leadsia — Tony Yonke
- Contact: tonyvaldezyonke4@gmail.com
- Website: https://leadsia.io
- Hosting: Hetzner Online GmbH, Germany (EU)
1. Purpose
The purpose of this agreement is to define the conditions under which Leadsia agrees to carry out, on behalf of the Client, the personal data processing operations defined below, in accordance with Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (GDPR). It supplements and specifies the terms of the main service agreement concluded between the Parties.
2. Description of Processing
2.1 Nature and Purpose of Processing
Leadsia deploys on behalf of the Client a conversational AI agent that:
- Receives incoming messages from the Client's prospects and customers via multiple channels (email, web chat, WhatsApp, LinkedIn, Meta Lead Ads).
- Generates automated responses and/or suggestions for the human operator using large language models (LLMs).
- Qualifies prospects (scoring) and updates the Client's CRM.
- Sends responses via the configured channels after automatic or human approval depending on the configuration.
2.2 Categories of Processed Data
- Identification Data: first name, last name, email, phone number, company.
- Conversation Data: text or audio messages exchanged between the prospect and the AI agent.
- Technical Data: IP, user-agent, channel identifiers (WhatsApp ID, LinkedIn ID, etc.).
- Business Metadata: lead status, score, interaction history, internal notes.
2.3 Categories of Data Subjects
- Prospects and customers of the Client (individuals contacting or contacted via the connected channels).
- Internal users of the Client (employees with a Leadsia account).
2.4 Duration of Processing
Processing continues for the entire duration of the main service agreement and ceases upon termination. Leadsia undertakes to delete the data within 30 days after termination, unless there is a legal obligation to retain it.
3. Obligations of Leadsia
3.1 Compliance with the GDPR
Leadsia undertakes to:
- Process the data only on documented instructions from the Client.
- Guarantee the confidentiality of persons authorized to process the data (confidentiality agreement signed by employees).
- Implement appropriate technical and organizational measures (see Annex 1).
- Assist the Client in responding to data subjects' rights requests (access, rectification, erasure, portability).
- Notify the Client of any personal data breach within 72 hours of becoming aware of it (Art. 33 GDPR).
- Cooperate with the supervisory authority (the CNIL or the other competent data protection authority) in the event of an inquiry.
3.2 Record of Processing Activities
Leadsia maintains a record of processing activities in accordance with Article 30 of the GDPR, available on written request from the Client.
3.3 Audits and Reviews
The Client may, at its own expense and subject to 30 days' notice, conduct a compliance audit (either itself or via an appointed third party, excluding direct competitors of Leadsia), limited to once a year except in the event of a major security incident.
4. Sub-processors
Leadsia uses the sub-processors listed in Annex 2. The Client authorizes these sub-processors by signing this agreement. Any change in sub-processors will be notified to the Client with 30 days' notice. The Client may object on legitimate grounds; in the event of unresolved disagreement, the main contract may be terminated without penalty.
5. Rights of Data Subjects
Leadsia provides the Client with technical tools to respond to requests from data subjects exercising their rights:
- Access and Portability: JSON export downloadable from the dashboard.
- Erasure: dedicated button in the dashboard (physical purge after 30 days).
- Rectification: direct editing in the dashboard or via the API.
- Objection: consent toggles in the dashboard.
Leadsia undertakes to notify the Client of any request received directly from a data subject within 5 business days.
6. Data Transfers Outside the EU
6.1 Main Hosting
Data is hosted on Hetzner Online GmbH servers located exclusively in Germany (EU).
6.2 Occasional Transfers — LLM Calls
Certain requests to LLMs may involve transfers to:
- Moonshot AI (Kimi K2.5) — China. Only anonymized data (identification data replaced by generic identifiers) is transmitted.
- Groq — United States (DPF or standard contractual clauses).
The Client may, upon written request, require an exclusive switch to a European LLM (Mistral, or Claude via an EU proxy); a pricing amendment may apply.
6.3 Safeguards
For all transfers outside the EU, Leadsia applies:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Systematic anonymization of sensitive identification data before transmission.
- Encryption in transit (TLS 1.3).
Annex 1 — Technical and Organizational Measures (TOM)
Access Control: Strong authentication (bcrypt-hashed passwords, signed JWTs, HttpOnly cookies). Strict role-based permissions. Tenant isolation (mandatory filtering by organization).
Encryption: In transit via TLS 1.3. At rest via AES-GCM for third-party credentials.
Backups: Daily, encrypted, with a 14-day rolling retention period.
Logging: Structured JSON application logs kept for 90 days. No plain-text personal data is recorded in logs.
Network Isolation: VPS servers are reachable for administration via Tailscale only; the only inbound port open to the public internet is HTTPS (443).
Annex 2 — List of Sub-processors
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany (EU) | DPA, ISO 27001 |
| Moonshot AI | Main LLM | China | SCCs + anonymization |
| Groq | Whisper transcription + fallback LLM | United States | DPF / SCCs |
| Stripe | Invoicing & billing | Ireland (EU) | Stripe DPA |