Data Processing Addendum

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by SwiftLeadz on behalf of the Customer.
• "Processing" has the meaning given under applicable data protection law (GDPR Article 4(2), or equivalent).
• "Data Subject" means the individual whose Personal Data is being processed.
• "Applicable Data Protection Law" means GDPR, CCPA/CPRA, and any other applicable data protection legislation.
• "Controller" means the Customer, who determines the purposes and means of processing.
• "Processor" means SwiftLeadz, who processes Personal Data on behalf of the Controller.

2. Scope and Roles

The parties acknowledge that with respect to Personal Data submitted by the Customer to SwiftLeadz (including lead records, contact information, and SMS message content):

• The Customer is the Controller and is responsible for the lawfulness of the processing, including obtaining necessary consents
• SwiftLeadz is the Processor and processes Personal Data only on documented instructions from the Customer

3. Processing Instructions

SwiftLeadz shall process Personal Data only on documented instructions from the Customer, including those set forth in the Terms of Service and this DPA. SwiftLeadz shall promptly inform the Customer if it believes any instruction infringes applicable data protection law.

Customer instructions include: storing lead data, routing leads to team members, sending and receiving SMS messages on behalf of the Customer, generating analytics reports, and providing access to authorized Customer users.

4. Confidentiality

SwiftLeadz shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under appropriate statutory obligations of confidentiality.

5. Security Measures

SwiftLeadz implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and role-based permissions
• Regular security reviews and vulnerability assessments
• Incident response and breach notification procedures
• Data isolation between customers via Row-Level Security

See our Security & Data Protection page for full details.

6. Subprocessors

The Customer provides general authorization for SwiftLeadz to engage subprocessors listed in our Subprocessor List. SwiftLeadz shall ensure each subprocessor is bound by data protection obligations at least as protective as this DPA.

SwiftLeadz shall notify the Customer of any material changes to the subprocessor list with at least 10 days' notice. The Customer may object to a new subprocessor within 10 days; if the parties cannot resolve the objection, the Customer may terminate the relevant services.

7. Data Subject Rights

SwiftLeadz shall, to the extent legally permitted, promptly notify the Customer of any Data Subject requests received by SwiftLeadz. SwiftLeadz shall assist the Customer in fulfilling its obligations to respond to Data Subject requests, including:

• Right of access — SwiftLeadz provides tools for the Customer to export data
• Right to rectification — Customers can update data via the platform
• Right to erasure — Customers can delete lead records and contact privacy@swiftleadz.com for full deletion
• Right to restriction — Customers can use suppression lists to stop processing
• Right to data portability — Data export functionality is available

8. Data Breach Notification

SwiftLeadz shall notify the Customer without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Customer data. The notification shall include:

• Nature of the breach, including categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

Report security incidents to: security@swiftleadz.com

9. Data Protection Impact Assessments

SwiftLeadz shall provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) where required by applicable law, taking into account the nature of processing and information available to SwiftLeadz.

10. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or United Kingdom, the parties rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Module Two: Controller to Processor), which are incorporated into this DPA by reference.

For UK transfers, the UK International Data Transfer Addendum (IDTA) to the EU SCCs applies.

11. Deletion of Data

Upon termination of the Terms of Service, SwiftLeadz shall, at the Customer's choice, delete or return all Personal Data and delete existing copies, unless storage is required by applicable law. Customers may request data export prior to termination via support@swiftleadz.com.

SwiftLeadz will complete deletion within 90 days of account termination. Opt-out/suppression records may be retained longer as required by law.

12. Audits

SwiftLeadz shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits and inspections conducted by the Customer or an auditor mandated by the Customer, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations.

SwiftLeadz may satisfy audit requests by providing SOC 2 reports, security questionnaire responses, or third-party audit certifications in lieu of direct inspections.

13. Executing a Custom DPA

Enterprise customers requiring a signed DPA may request one by contacting legal@swiftleadz.com. Signed DPAs are available for customers on Growth and Team plans.

This published DPA is effective for all customers as part of the Terms of Service. A signed DPA may modify specific provisions for enterprise arrangements.