Data Processing Agreement
Version: 1.0.2 Effective Date: 7 June 2026 Document ID: BEOLTA-DPA-v1.0.2
Changelog:
- 7 June 2026 (v1.0.2) — UK go-live readiness: named the UK GDPR in the recitals and definitions; broadened the "Restricted Transfer" definition to cover UK- and Switzerland-origin transfers; added a "UK Addendum" definition (§1.11) and an Article 13.6 governing UK and Swiss transfers (UK Addendum to the EU SCCs + transfer risk assessment, ICO as supervisory authority, UK–US Data Bridge as a supplementary layer); added a UK note to Annex II. Brings the published DPA into line with the negotiated DPA template; no change to subprocessors or processing.
- 19 May 2026 (v1.0.1) — Removed PredictLeads (4see, Inc.) as a subprocessor; service retired.
- 1 May 2026 (v1.0.0) — Initial issue.
Parties
Data Processor: Editale OÜ Registry code: 17430609 Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 7-557, 10117, Estonia Trading as: Beolta (platform at app.beolta.com) Legal contact: legal@beolta.com
(hereinafter "Processor" or "Beolta")
Data Controller: The legal entity or natural person who has accepted Beolta's Terms of Service and is registered as a user of the Beolta platform.
(hereinafter "Controller")
The Processor and the Controller are each referred to herein as a "Party" and collectively as the "Parties".
Recitals
WHEREAS, the Controller uses the Beolta platform, an AI-powered sales intelligence service operated by the Processor, and in the course of providing such services the Processor processes personal data on behalf of the Controller;
WHEREAS, the processing of personal data described herein is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR"), as well as any applicable national implementing legislation, and — where and to the extent the Controller is established in the United Kingdom or the processing is otherwise subject to it — the GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (the "UK GDPR");
WHEREAS, Article 28(3) GDPR requires that processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller;
NOW, THEREFORE, the Parties agree as follows:
Article 1 — Definitions
1.1 Terms used but not defined herein shall have the meanings ascribed to them in the GDPR.
1.2 "Agreement" means this Data Processing Agreement, including all annexes and schedules attached hereto.
1.3 "Main Agreement" means the Beolta Terms of Service accepted by the Controller, which governs the commercial relationship between the Parties.
1.4 "Services" means the Beolta platform and all related features provided by the Processor to the Controller as described in the Main Agreement.
1.5 "Sub-processor" means any processor engaged by the Processor who agrees to receive personal data from the Processor exclusively intended for processing activities to be carried out on behalf of the Controller.
1.6 "Data Subject" means an identified or identifiable natural person to whom the personal data relates.
1.7 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.8 "Restricted Transfer" means a transfer of personal data from within the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that is not subject to an adequacy decision pursuant to Article 45 GDPR or the equivalent adequacy regulations under the UK GDPR or Swiss law, as applicable.
1.9 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Article 46(2)(c) GDPR, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced or superseded from time to time.
1.10 "TOMs" means the technical and organisational measures implemented by the Processor as described in Annex III to this Agreement.
1.11 "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (version B1.0), as may be amended, replaced or superseded from time to time.
Article 2 — Subject Matter, Duration, Nature, and Purpose of Processing
2.1 Subject Matter. The Processor shall process personal data on behalf of the Controller solely to the extent necessary to provide the Services as described in the Main Agreement and this Agreement.
2.2 Duration. The Processor shall process personal data for the duration of the Main Agreement. Upon termination or expiry of the Main Agreement, the Processor shall comply with the obligations set out in Article 10 of this Agreement regarding deletion and return of personal data.
2.3 Nature of Processing. The Processor carries out the following processing operations: collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure and destruction of personal data, all as necessary to deliver the Services.
2.4 Purpose of Processing. The Processor processes personal data for the following purposes:
(a) Operating and delivering the Beolta platform, including user authentication, account management, and session handling;
(b) Identifying, scoring, and presenting prospective buyer leads ("Buyers") that match the Controller's stated domain expertise, industry verticals, and service capabilities;
(c) Generating AI-powered sales intelligence briefs and outreach recommendations regarding Buyer prospects;
(d) Processing usage data and API interaction logs for platform performance, billing, and abuse prevention;
(e) Recording Terms of Service acceptance and consent records for compliance purposes;
(f) Delivering platform notifications, transactional emails, and digest reports;
(g) Providing customer support and responding to Controller enquiries.
Article 3 — Types of Personal Data and Categories of Data Subjects
3.1 Categories of Data Subjects and Types of Personal Data Processed.
The Processor processes personal data relating to the following categories of data subjects:
| Category of Data Subjects | Types of Personal Data |
|---|---|
| Controller's Users (employees, contractors, or authorised representatives of the Controller who access the Beolta platform) | Full name; work email address; job title; hashed password credential; IP address; browser and device metadata; session tokens; platform activity logs; account preferences |
| Controller's Organisational Profile Data | Company name; registered address; company description; technology stack; domain verticals; case studies; team size and composition; service capabilities |
| Buyer Prospects (decision-makers at companies identified as potential Buyers, sourced from public sources and/or third-party data providers) | Full name; job title; work email address; LinkedIn profile URL; company name; company size; industry sector; geographic location; inferred buying signals (e.g., job postings, technology adoption signals) |
| All Data Subjects | ToS acceptance record (timestamp, IP address, version accepted); API usage logs; audit trail entries |
3.2 Sensitive Data. The Parties do not anticipate that the processing will involve special categories of personal data within the meaning of Article 9 GDPR or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR. The Controller shall not submit any such data to the Services without the express prior written consent of the Processor.
3.3 Buyer Prospect Data — Lawful Basis Responsibility. With respect to Buyer prospect data, the Controller acknowledges that: (a) such data is sourced by the Processor from public sources and/or licensed third-party data providers; (b) the Processor acts as data controller in respect of its own data collection and sourcing activities; and (c) where the Controller uses such data for outreach or sales activities in its own right, the Controller is independently responsible for identifying and relying upon an appropriate lawful basis under Article 6 GDPR, and for complying with transparency obligations under Articles 13–14 GDPR.
Article 4 — Controller's Obligations and Rights
4.1 Lawful Instructions. The Controller shall ensure that its instructions to the Processor are lawful and that the processing of personal data under this Agreement complies with applicable data protection law, including that an appropriate lawful basis under Article 6 GDPR exists for all processing.
4.2 Accuracy of Data. The Controller is responsible for the accuracy, quality, and legality of any personal data it submits to the Services, and for the means by which it acquired such personal data.
4.3 Data Subject Requests. The Controller is the primary point of contact for data subjects whose rights are exercised in relation to personal data processed under this Agreement. The Controller shall promptly communicate to the Processor any data subject request that requires action by the Processor.
4.4 Data Protection Impact Assessments. Where required under Article 35 GDPR, the Controller shall conduct data protection impact assessments (DPIAs) in relation to its use of the Services. The Processor shall provide reasonable assistance to the Controller for this purpose, including providing the information set out in this Agreement and the TOMs in Annex III.
4.5 Notification of Controller Obligations. The Controller shall promptly notify the Processor of any applicable legal requirement, supervisory authority directive, or court order that affects or may affect the Processor's processing activities under this Agreement.
4.6 Configuration and Access Controls. The Controller is responsible for implementing and maintaining appropriate access controls and permissions for its own users within the platform, including prompt deactivation of access for departed personnel.
Article 5 — Processor's Core Obligations
5.1 Processing on Instructions Only. Pursuant to Article 28(3)(a) GDPR, the Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5.2 Instruction Scope. The Controller's instructions are set out in the Main Agreement, this Agreement, and any subsequent written instructions given in accordance with this Agreement. This Agreement itself constitutes documented instructions for the purposes of Article 28(3)(a) GDPR with respect to the processing described herein.
5.3 Notification of Unlawful Instructions. If the Processor considers that an instruction from the Controller infringes the GDPR or other applicable Union or Member State data protection law, the Processor shall immediately inform the Controller. The Processor may suspend performance of the relevant instruction pending clarification from the Controller.
5.4 No Independent Purposes. The Processor shall not process personal data for any purpose other than as set out in this Agreement without the prior written consent of the Controller, except where required by applicable law.
Article 6 — Confidentiality
6.1 Confidentiality Obligation. Pursuant to Article 28(3)(b) GDPR, the Processor shall ensure that persons authorised to process personal data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.2 Access Limitation. The Processor shall ensure that access to personal data is limited to those personnel who require such access to perform the Services, and that such access is on a need-to-know basis.
6.3 Personnel Obligations. The Processor shall ensure that all personnel authorised to process personal data are: (a) informed of the confidential nature of the personal data; (b) trained on applicable data protection requirements; and (c) bound by written confidentiality obligations that survive termination of their engagement.
6.4 Survival. The confidentiality obligations in this Article 6 shall survive the termination or expiry of this Agreement.
Article 7 — Security of Processing
7.1 Security Obligation. Pursuant to Article 28(3)(c) GDPR and Article 32 GDPR, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons.
7.2 Minimum Security Measures. Without limiting the generality of clause 7.1, the Processor shall maintain at least the technical and organisational security measures described in Annex III to this Agreement.
7.3 Security Updates. The Processor shall regularly review and, where necessary, update the TOMs to address new or changed risks to the security of personal data.
7.4 Security Assistance. The Processor shall assist the Controller, insofar as possible and taking into account the nature of the processing, in ensuring compliance with the Controller's obligations under Article 32 GDPR by providing the information set out in Annex III.
Article 8 — Sub-processors
8.1 General Authorisation. The Controller provides general written authorisation to the Processor to engage sub-processors, subject to the conditions set out in this Article 8. The current list of sub-processors is set out in Annex II to this Agreement.
8.2 Sub-processor Obligations. Pursuant to Article 28(2) and 28(4) GDPR, where the Processor engages a sub-processor, the Processor shall:
(a) impose on the sub-processor the same data protection obligations as those set out in this Agreement, in particular by way of a binding contract;
(b) ensure that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of the GDPR;
(c) remain fully liable to the Controller for the performance of the sub-processor's obligations to the extent that the sub-processor fails to fulfil its data protection obligations.
8.3 Notification of Changes. The Processor shall notify the Controller of any intended additions to or replacements of the sub-processors listed in Annex II by updating Annex II and providing written notice to the Controller via email to the address registered on the Controller's account, or via an in-platform notification, at least thirty (30) calendar days prior to any such change taking effect.
8.4 Objection Right. The Controller may object to a new or replacement sub-processor by notifying the Processor in writing within fourteen (14) calendar days of receiving notification under clause 8.3, providing the specific data protection grounds for its objection. The Processor shall, at its discretion: (a) use reasonable commercial efforts to resolve the Controller's objection; or (b) if no resolution can be reached, permit the Controller to terminate the Main Agreement upon thirty (30) days' written notice, without penalty, solely with respect to the affected Services. If the Controller does not object within the fourteen (14) day period, the Controller is deemed to have accepted the new or replacement sub-processor.
8.5 Existing Sub-processors. The Controller acknowledges and approves the sub-processors listed in Annex II as at the Effective Date of this Agreement.
Article 9 — Assistance with Data Subject Rights
9.1 Obligation to Assist. Pursuant to Article 28(3)(e) GDPR, the Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligations to respond to requests for exercising data subjects' rights under Chapter III GDPR, including:
(a) the right of access (Article 15 GDPR); (b) the right to rectification (Article 16 GDPR); (c) the right to erasure ("right to be forgotten") (Article 17 GDPR); (d) the right to restriction of processing (Article 18 GDPR); (e) the right to data portability (Article 20 GDPR); (f) the right to object (Article 21 GDPR).
9.2 Procedure. Upon receiving a data subject request that cannot be handled directly by the Controller through platform tools, the Controller shall submit a written request to legal@beolta.com. The Processor shall respond within five (5) business days with information regarding the relevant personal data and the action required to fulfil the data subject's request.
9.3 Direct Requests. If the Processor receives a data subject request directly relating to personal data processed on behalf of the Controller, the Processor shall promptly notify the Controller and shall not respond to the data subject directly unless instructed by the Controller or required by applicable law.
9.4 Regulatory Assistance. The Processor shall assist the Controller with any enquiry, investigation, or audit initiated by a supervisory authority in relation to the processing of personal data under this Agreement, to the extent such assistance is reasonably required.
Article 10 — Deletion and Return of Personal Data
10.1 End of Services. Pursuant to Article 28(3)(g) GDPR, upon termination or expiry of the Main Agreement for any reason, the Processor shall, at the Controller's election as communicated in writing within thirty (30) calendar days of termination:
(a) Return: export the Controller's personal data in a structured, commonly used, machine-readable format (CSV or JSON) and make it available for download via the platform or a secure transfer mechanism; and/or
(b) Delete: securely delete or destroy all personal data processed on behalf of the Controller from the Processor's systems and those of its sub-processors, including all copies, backups, and cached versions.
10.2 Retention Post-Termination. Where the Controller does not make an election within the thirty (30) day period referred to in clause 10.1, the Processor shall delete all Controller personal data within sixty (60) calendar days of termination or expiry of the Main Agreement, subject to clause 10.3.
10.3 Legal Retention Obligations. Notwithstanding clauses 10.1 and 10.2, the Processor may retain personal data to the extent and for the period required by applicable Union or Member State law. In such cases, the Processor shall continue to be bound by the confidentiality and security obligations of this Agreement with respect to such retained data, and shall not process such data for any other purpose.
10.4 Certification of Deletion. Upon request from the Controller, the Processor shall provide written confirmation that deletion of personal data has been completed in accordance with this Article 10.
Article 11 — Audit Rights and Information
11.1 Information Obligation. Pursuant to Article 28(3)(h) GDPR, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
11.2 Information Provision. The Processor shall, upon written request from the Controller, provide information demonstrating compliance with this Agreement, including:
(a) a description of the TOMs implemented pursuant to Article 7; (b) the current list of sub-processors and their data processing agreements; (c) records of processing activities maintained pursuant to Article 30 GDPR; (d) evidence of relevant certifications or third-party audit reports (e.g., SOC 2 Type II, ISO 27001), where available.
11.3 Audit Procedure. Where the Controller requires an on-site or remote audit beyond the documentary information provided under clause 11.2, the Controller shall:
(a) provide at least thirty (30) calendar days' prior written notice; (b) conduct (or commission) the audit during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations; (c) execute or cause the auditor to execute a confidentiality agreement with the Processor prior to the audit; (d) bear the costs of the audit, unless the audit reveals a material breach of this Agreement attributable to the Processor, in which case the Processor shall bear its own reasonable costs.
11.4 Frequency. The Controller is entitled to conduct one (1) audit per twelve (12) month period, unless a specific audit is required in response to a documented supervisory authority investigation, a confirmed Personal Data Breach, or a material compliance concern supported by reasonable evidence.
11.5 Third-Party Certifications. The Processor may satisfy the information obligations under this Article 11, in whole or in part, by providing current third-party audit reports, certifications, or attestations covering the relevant systems and controls, where the Controller considers such reports adequate.
Article 12 — Personal Data Breach Notification
12.1 Processor Notification Obligation. Pursuant to Article 28(3)(f) GDPR, the Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting personal data processed under this Agreement.
12.2 Content of Notification. The initial notification shall include, to the extent then known:
(a) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned; (b) the name and contact details of the Processor's data protection point of contact from whom more information can be obtained; (c) a description of the likely consequences of the Personal Data Breach; (d) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
12.3 Phased Notification. Where all information required under clause 12.2 is not available at the time of the initial notification, the Processor shall provide the information in phases without undue further delay as it becomes available.
12.4 Controller's Reporting Obligation. The Controller is responsible for assessing whether the Personal Data Breach requires notification to the competent supervisory authority pursuant to Article 33 GDPR and/or to affected data subjects pursuant to Article 34 GDPR. The Processor shall provide the Controller with all reasonable assistance required to make such assessment and to prepare any required notifications.
12.5 Internal Incident Records. The Processor shall maintain an internal record of all Personal Data Breaches affecting personal data processed under this Agreement, including those not required to be notified to the Controller, and shall make such record available to the Controller upon request.
12.6 No Admission. A notification made pursuant to this Article 12 shall not be construed as an admission of fault or liability by the Processor.
Article 13 — International Data Transfers
13.1 EEA-Based Processing. The Processor's primary data infrastructure is located within the European Economic Area. The Processor uses Supabase (database and authentication services) deployed in the EU region, and the Processor maintains its registered office in Estonia, an EU Member State.
13.2 Restricted Transfers by Sub-processors. Certain sub-processors listed in Annex II are established in countries outside the EEA that do not benefit from an adequacy decision under Article 45 GDPR, including the United States of America. Such Restricted Transfers are subject to appropriate safeguards pursuant to Article 46 GDPR, as further described in Annex II.
13.3 Standard Contractual Clauses. Where a Restricted Transfer occurs through a sub-processor's services, the Processor shall ensure that such transfer is governed by: (a) the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914); or (b) another appropriate safeguard mechanism pursuant to Article 46 GDPR; or (c) a derogation pursuant to Article 49 GDPR where applicable. The Processor shall maintain and provide to the Controller, upon request, copies of the relevant SCCs or equivalent transfer mechanisms with each sub-processor engaging in Restricted Transfers.
13.4 Transfer Impact Assessment. The Processor has assessed the data protection laws and practices of the third countries to which personal data is transferred through sub-processors and considers that the Standard Contractual Clauses and supplementary measures, where applicable, provide sufficient safeguards for the rights and freedoms of data subjects.
13.5 Controller-Initiated Transfers. Where the Controller instructs the Processor to transfer personal data to a recipient in a third country, the Controller warrants that an appropriate transfer mechanism is in place and shall be solely responsible for ensuring compliance with applicable transfer restrictions.
13.6 UK and Swiss Transfers. Where personal data subject to the UK GDPR is the subject of a Restricted Transfer, the transfer shall be governed by the UK Addendum to the EU SCCs (completed with the parties' and the relevant sub-processor's details), supported by a transfer risk assessment conducted in accordance with guidance of the Information Commissioner's Office ("ICO"), which is the competent supervisory authority for such data. Where a sub-processor is certified under the UK Extension to the EU–US Data Privacy Framework ("UK–US Data Bridge"), the Processor may additionally rely on that adequacy mechanism while it remains in force, but not as the sole safeguard. Where personal data subject to Swiss law is the subject of a Restricted Transfer, the SCCs apply as adapted for transfers governed by the Swiss Federal Act on Data Protection (FADP). Transfers of UK personal data to the EEA require no additional safeguard, the United Kingdom having recognised the EEA as adequate.
Article 14 — Liability
14.1 Allocation of Liability. Each Party shall be liable for the damage caused by processing that infringes the GDPR where it has acted outside of or contrary to lawful instructions given by the other Party, in accordance with Article 82 GDPR.
14.2 Processor Liability. The Processor shall be liable for damage caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.
14.3 Exemption from Liability. A Party shall be exempt from liability under Article 82(3) GDPR if it proves that it is not in any way responsible for the event giving rise to the damage.
14.4 Cap on Liability. To the maximum extent permitted by applicable law, the Processor's total aggregate liability under or in connection with this Agreement shall not exceed the greater of: (a) the total fees paid or payable by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim; or (b) EUR 5,000. This limitation shall not apply to: (i) liability for death or personal injury caused by negligence; (ii) liability for fraud or fraudulent misrepresentation; (iii) any liability that cannot be excluded or limited by applicable law.
14.5 Joint Liability. Where both Parties are responsible for the same damage in accordance with Article 82(4) GDPR, each Party shall be held liable for the entire damage, with the right of reimbursement from the other Party for the part of the damage attributable to that other Party.
14.6 Indemnification. The Controller shall indemnify and hold harmless the Processor against any claims, damages, fines, penalties, or expenses arising from the Controller's breach of applicable data protection law, including processing without a lawful basis, failure to comply with data subject rights obligations, or unlawful instructions given to the Processor.
Article 15 — General Provisions
15.1 Relationship to Main Agreement. This Agreement is incorporated into and forms part of the Main Agreement. In the event of any conflict between this Agreement and the Main Agreement with respect to the processing of personal data, this Agreement shall prevail.
15.2 Order of Precedence. In the event of any conflict or inconsistency between the body of this Agreement and any Annex, the body of this Agreement shall prevail unless the Annex expressly states that it overrides a specific provision.
15.3 Amendments. This Agreement may only be amended by a written instrument signed (including electronically) by authorised representatives of both Parties, except that the Processor may update Annex II (Sub-processor List) and Annex III (TOMs) in accordance with the procedures set out in Articles 8 and 7 respectively.
15.4 Severability. If any provision of this Agreement is found by a competent authority to be invalid, unlawful, or unenforceable, such provision shall be deemed modified to the minimum extent necessary to make it valid, lawful, and enforceable, and the remaining provisions shall continue in full force and effect.
15.5 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the Republic of Estonia, without reference to its conflict of law principles, provided that the provisions of the GDPR shall apply to the extent required by law.
15.6 Jurisdiction. Any dispute arising out of or in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts of the Republic of Estonia, subject to any mandatory jurisdiction rules applicable under applicable law.
15.7 Entire Agreement. This Agreement, together with the Main Agreement and all annexes hereto, constitutes the entire agreement between the Parties with respect to the processing of personal data and supersedes all prior and contemporaneous agreements, representations, and understandings of the Parties relating to such subject matter.
15.8 Waiver. The failure of either Party to enforce any provision of this Agreement shall not constitute a waiver of that Party's right to enforce such provision in the future.
15.9 No Third-Party Beneficiaries. This Agreement does not create any rights enforceable by any third party other than as may be required under applicable law with respect to data subjects' rights.
15.10 Execution. This Agreement is entered into by the Controller upon acceptance of the Main Agreement and by the Processor through its authorised representative. The Controller's acceptance of the Main Agreement constitutes acceptance of this Agreement as an incorporated document.
Annex I — Details of Processing
I.1 Subject Matter
The processing covers the operation of the Beolta AI-powered sales intelligence platform, including all features described in the Main Agreement.
I.2 Duration
From the date the Controller accepts the Main Agreement until termination or expiry of the Main Agreement and completion of the obligations under Article 10 of this Agreement.
I.3 Nature of Processing
Collection, storage, organisation, structuring, retrieval, consultation, use, algorithmic and AI-assisted analysis, disclosure by transmission to sub-processors, alignment and combination of datasets, restriction, erasure, and destruction of personal data.
I.4 Purpose of Processing
- User account authentication, management, and access control
- Buyer prospect matching and lead scoring using AI/ML algorithms
- Generation of sales intelligence briefs and outreach recommendations
- Platform analytics, usage monitoring, and billing
- Compliance record-keeping (ToS acceptance, consent logs, audit trails)
- Email delivery (transactional, notifications, digests)
- Error monitoring and platform reliability
I.5 Categories of Data Subjects
- Controller's Users (platform account holders and their authorised users)
- Buyer Prospects (decision-maker contacts sourced from public and third-party data)
- Incidentally captured individuals (e.g., persons named in case studies uploaded by the Controller)
I.6 Types of Personal Data
As set out in Article 3.1 of this Agreement.
I.7 Processor's Contact for Data Protection Matters
Editale OÜ Attn: Data Protection Narva mnt 7-557, 10117 Tallinn, Estonia Email: legal@beolta.com
Annex II — Authorised Sub-processors
The following sub-processors are authorised as at the Effective Date of this Agreement. The Processor will notify the Controller of changes in accordance with Article 8.3. This list is also published as the Subprocessor List and in §6.1 of the Privacy Policy.
| Subprocessor | Role | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | All Personal Data stored in the Services (account data, usage logs, ToS acceptance records, contractor profiles, buyer-side contact data) | EU (Frankfurt, AWS eu-central-1) | Intra-EEA — no transfer outside EEA |
| Railway Corp. | Web application hosting (app.beolta.com, SSR) | HTTP request metadata, session data, application logs | US / EU | SCCs (EC Decision 2021/914) Module 3 |
| Amazon Web Services, Inc. (AWS Amplify) | Static-site hosting (beolta.com landing) | Web server access logs | EU (eu-west-1) default; CDN edges global | SCCs Module 3 for any non-EEA edge cache; otherwise intra-EEA |
| Stripe, Inc. | Payment processing and billing | Billing name and address; tokenised payment-method details; invoice records | US / EU | SCCs; PCI DSS Level 1 certified; EU–US Data Privacy Framework where applicable |
| Anthropic, PBC | AI model inference (research briefs, outreach drafts) | Prospect and company context included in prompts (no registered-user PII transmitted) | US | SCCs; EU–US Data Privacy Framework where applicable; API terms preclude training on customer data; prompts not retained beyond standard short-term operational logs |
| OpenAI, LLC | AI model inference (fallback / supplementary) | Prospect and company context included in prompts (no registered-user PII transmitted) | US | SCCs; EU–US Data Privacy Framework where applicable; API terms preclude training on customer data; prompts not retained beyond standard short-term operational logs |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracking | Stack traces; limited session context (user ID, email on error) | US | SCCs; EU–US Data Privacy Framework where applicable; data-minimisation configured |
| Trigger.dev Ltd | Background job processing (signal pipeline, retention, email digest) | Job payloads (may contain user IDs and prospect data while in flight) | EU / US | SCCs; EU–US Data Privacy Framework where applicable |
| Resend, Inc. | Transactional email delivery | Recipient email address; email content | US | SCCs; EU–US Data Privacy Framework where applicable |
| Unipile SAS | LinkedIn outreach API (connection requests, InMail, direct messages to buyer-side decision-makers) | Buyer-side decision-maker LinkedIn profile identifiers (LinkedIn URN / profile URL, display name) and the content of outreach messages sent to them; sender LinkedIn account identifiers | EU (France) | Intra-EEA — no transfer outside EEA |
| Enrich Labs FZ L.L.C. (InboxKit) | Cold-outreach mailbox provisioning and email-warmup infrastructure | Sender mailbox identity data (mailbox display names, usernames, mailbox email addresses on sender-controlled domains) and warmup peer-traffic recipient addresses; SMTP/IMAP credentials for provisioned mailboxes | UAE (Dubai); data processed in US / EU / UAE per InboxKit Privacy Policy; provisioned mailboxes on US-region Google Workspace / Microsoft 365 | Standard Contractual Clauses (EC Decision 2021/914) per InboxKit's published Privacy Policy; engaged via acceptance of InboxKit's online terms (click-wrap), no separately negotiated DPA |
| Apollo.io, Inc. | B2B contact and company data enrichment (buyer-side contact sourcing) | Business contact data of buyer-side decision-makers (name, business email, business phone, business title, employer, public LinkedIn URL) | US | SCCs; Apollo operates under its own GDPR / CCPA compliance regime |
| People Data Labs, Inc. | B2B contact and company data enrichment (corroborating coverage) | Business contact data of buyer-side decision-makers (same categories as Apollo; overlapping coverage for cross-verification) | US | SCCs; PDL operates under its own GDPR / CCPA compliance regime |
| Hunter Web Services, Inc. | Business-email enrichment (email-finder, domain-search, email-verifier); fallback to Apollo in the decision-maker email cascade | Sent: buyer-side decision-maker first name + last name + employer company domain. Received and stored: business email address, deliverability / confidence score, and domain-level email patterns | US / EU | SCCs |
| TheirStack, S.L. | Public job-posting and technology-signal aggregation | Public job postings; company-level data; hiring-manager names only where publicly listed | EU (Spain) | Intra-EEA — no transfer outside EEA |
| BuiltWith Pty Ltd | Public technology-stack scanner | Per-domain technology signals; no personal data | US / AU | SCCs |
| Apify Technologies s.r.o. | Operator of scrapers against public marketplaces (Clutch, DesignRush, TechBehemoths) | Public agency / contractor directory listings; public decision-maker profile snippets | US / EU | SCCs |
Public registries and open directories referenced in the Processor's data-source disclosures (SEC EDGAR (US public securities register), SAM.gov (US federal procurement register; company/agency-level data only, no personal data beyond named points-of-contact in public filings), GitHub topics, the Clutch / DesignRush / TechBehemoths public agency directories accessed via Apify-operated scrapers) are not sub-processors in the Article 28 GDPR sense; they are public sources from which the Processor collects conspicuously published business information.
Notes on Restricted Transfers:
All Restricted Transfers to sub-processors located in the United States or other third countries without an EU adequacy decision are made subject to Standard Contractual Clauses adopted pursuant to Commission Implementing Decision (EU) 2021/914 (Module 2: Controller-to-Processor, or Module 3: Processor-to-Processor, as applicable). The Processor maintains executed SCCs with each relevant sub-processor and shall provide copies to the Controller upon written request.
For personal data subject to the UK GDPR, each such Restricted Transfer is additionally governed by the UK Addendum to those SCCs (per Article 13.6), backed by a transfer risk assessment; where the sub-processor is certified under the UK–US Data Privacy Framework extension ("UK–US Data Bridge"), the Processor may also rely on that adequacy mechanism while in force. Sub-processors located within the EEA (e.g. Supabase, Unipile, TheirStack) involve no Restricted Transfer of UK personal data, the United Kingdom recognising the EEA as adequate.
The Processor continuously monitors adequacy decisions, transfer mechanism validity, and sub-processor compliance. Where a transfer mechanism is invalidated or otherwise ceases to be available, the Processor shall promptly implement alternative appropriate safeguards and notify the Controller.
Annex III — Technical and Organisational Security Measures
The following technical and organisational measures are implemented by the Processor pursuant to Article 7 and Article 32 GDPR. These measures represent the minimum standard maintained as at the Effective Date; the Processor reviews and updates them regularly.
III.1 Pseudonymisation and Encryption
- All personal data stored in the Supabase database is encrypted at rest using AES-256 encryption.
- All data in transit between clients and platform servers is encrypted using TLS 1.2 or higher (TLS 1.3 preferred).
- User passwords are never stored in plaintext; authentication is managed via Supabase Auth using industry-standard hashing (bcrypt/Argon2).
- API keys and secrets are stored using environment-level secret management and are never hardcoded in source code repositories.
- Sensitive fields (e.g., billing identifiers) are stored using tokenisation via Stripe; the Processor does not store raw payment card data.
III.2 Ability to Ensure Ongoing Confidentiality, Integrity, Availability, and Resilience
- Access control: Role-based access control (RBAC) is implemented at the application layer. Row-Level Security (RLS) is enabled in Supabase to enforce data isolation between Controllers at the database level.
- Least privilege: Personnel access to production systems is limited to those who require it and is reviewed periodically.
- Multi-factor authentication (MFA): MFA is required for all Processor personnel accessing production infrastructure and administrative systems.
- Monitoring: Application error monitoring (Sentry) and platform health monitoring are in place. Anomalous access patterns trigger automated alerts.
- Logging: Access logs and audit trails are maintained for material administrative actions on personal data.
III.3 Ability to Restore Availability and Access in a Timely Manner
- Supabase provides automated daily database backups with point-in-time recovery capability.
- Backup retention is a minimum of seven (7) days for standard backups.
- Application hosting (Railway) provides automated container restarts, region-level redundancy, and continuous health checks for the Beolta web service.
- Recovery time objectives (RTO) and recovery point objectives (RPO) are reviewed as part of the Processor's incident response planning.
III.4 Process for Regularly Testing, Assessing, and Evaluating Security Measures
- The Processor conducts periodic internal security reviews of platform architecture and data flows.
- Dependency and vulnerability scanning is integrated into the CI/CD pipeline (automated tooling identifies known CVEs in third-party packages).
- The Processor engages or plans to engage external penetration testing on at least an annual basis.
- Security configurations of sub-processors are reviewed in accordance with each sub-processor's published compliance programmes and certifications (e.g., SOC 2 Type II).
- This Annex III is reviewed at least annually and upon any material change to the processing activities or platform architecture.
III.5 Physical Security
- The Processor's personnel work remotely. Physical security of personal computing devices used to access production systems is governed by the Processor's internal security policies, including:
- Full-disk encryption on all devices accessing production systems;
- Screen lock policies;
- Remote-wipe capability for lost or stolen devices.
- Physical server infrastructure is managed entirely by sub-processors (Supabase, Railway, AWS), each of which maintains appropriate physical security controls at their data centre facilities (ISO 27001 / SOC 2 certified data centres).
III.6 Personnel Measures
- All personnel with access to personal data receive data protection training upon onboarding and at least annually thereafter.
- All personnel and contractors are bound by written confidentiality obligations.
- The Processor maintains an internal data protection policy and an acceptable use policy.
III.7 Data Minimisation and Retention
- The Processor collects only personal data that is necessary for the specified purpose (data minimisation principle, Article 5(1)(c) GDPR).
- Retention periods are defined for each category of personal data and are enforced through automated deletion routines where technically feasible.
- Personal data that is no longer necessary for the purposes for which it was collected is securely deleted in accordance with the Processor's data retention schedule.
III.8 Incident Response
- The Processor maintains an internal Personal Data Breach response procedure that includes:
- Detection and containment procedures;
- Internal escalation and notification workflows;
- Documentation and post-incident review;
- Notification to the Controller within 72 hours as required by Article 33 GDPR and Article 12 of this Agreement.
Annex IV — Record of Processing Activities (Processor's Article 30(2) Record)
Pursuant to Article 30(2) GDPR, the Processor maintains the following record of processing activities carried out on behalf of Controllers:
| Field | Details |
|---|---|
| Name and contact of Processor | Editale OÜ, Narva mnt 7-557, 10117 Tallinn, Estonia; legal@beolta.com |
| Name and contact of each Controller | As per account registration records in the platform |
| Categories of processing carried out on behalf of Controllers | As set out in Annex I |
| Transfers to third countries | As set out in Annex II |
| General description of TOMs | As set out in Annex III |
This record is maintained by the Processor and is made available to the supervisory authority upon request pursuant to Article 30(4) GDPR.
Signature and Acceptance
This Agreement is entered into between the Parties as follows:
On behalf of the Processor:
Editale OÜ Registry code: 17430609 Narva mnt 7-557, 10117 Tallinn, Estonia legal@beolta.com
Represented by its duly authorised representative.
On behalf of the Controller:
By accepting the Beolta Terms of Service, the Controller confirms that:
- It has read, understood, and agrees to be bound by the terms of this Data Processing Agreement;
- The individual accepting has authority to bind the Controller;
- The acceptance constitutes a valid and binding legal agreement between the Controller and Editale OÜ.
The Controller's acceptance is recorded electronically, including the timestamp and IP address of acceptance, as part of the ToS acceptance record maintained by the Processor.
This Data Processing Agreement is governed by the laws of the Republic of Estonia and the General Data Protection Regulation (EU) 2016/679.
Document reference: BEOLTA-DPA-v1.0.2 Version: 1.0.2 Effective date: 7 June 2026 Issued by: Editale OÜ, legal@beolta.com