Data Processing Agreement
Last updated: April 15, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the NudgeLink team (“Processor”) and the customer (“Controller”). It applies to the processing of Personal Data under applicable data protection laws, including GDPR and CCPA.
1. Subject matter and duration
The subject matter is the processing of Personal Data necessary to provide the Services. This DPA remains in effect for the duration of the Controller's subscription to the Services.
2. Nature and purpose
Processor processes Personal Data for the purpose of operating the NudgeLink outreach platform on behalf of the Controller. This includes: fetching LinkedIn profile data, scoring lead relevance, generating outreach messages, and managing campaign state.
3. Categories of data subjects and personal data
- Controller's end users — employees of the Controller who use the Services. Data includes: name, email, authentication credentials.
- Leads — individuals targeted by the Controller via the Services. Data includes: public LinkedIn profile data (name, role, company, public posts and activity).
4. Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller;
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, and annual security audits;
- Assist the Controller in responding to data subject requests and in meeting GDPR obligations (Articles 32–36);
- Notify the Controller of any Personal Data breach within 48 hours of discovery.
5. Sub-processors
Processor uses the following sub-processors to deliver the Services:
- Amazon Web Services — infrastructure hosting (US)
- Stripe — payment processing (US)
- Anthropic — AI message generation (US)
- Unipile — LinkedIn API integration (FR)
- Sentry — error monitoring (US)
Processor provides 30 days' notice of new sub-processors. Controllers may object in writing; if an objection cannot be resolved, the Controller may terminate the subscription.
6. International transfers
Where Personal Data is transferred outside the EEA or UK, Processor relies on Standard Contractual Clauses approved by the European Commission (2021/914) and, for UK data, the UK IDTA addendum.
7. Audit
Controller may request an audit of Processor's compliance with this DPA once per year, upon 30 days' written notice. Processor may satisfy audit requests by providing SOC 2 Type II reports or equivalent.
8. Return and deletion of data
Upon termination of the Services, Processor will delete or return all Personal Data within 30 days, unless retention is required by law.
9. Liability
Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
10. Contact
For DPA execution or questions, email dpa@nudgelink.co.