Legal · Article 28 GDPR

Data Processing Agreement

The standing data-processing terms between SignalSprint Ltd (as Processor) and you (as Controller) when you use SignalSprint Speed To Lead or SignalEngine. This template is published as the default agreement that applies under the Subscription Agreement; a signed copy is available on request at the address at the foot of the page.

Version 1.0 · Effective 2026-05-14

01

Parties

This Data Processing Agreement (DPA) forms part of, and is incorporated into, the SignalSprint Subscription Agreement between SignalSprint Ltd, trading as SignalSprint and SignalEngine (the Processor), and the customer entity that has executed an order or signed up for a paid SignalSprint or SignalEngine subscription (the Controller).

Where the Controller acts as a processor on behalf of its own end customer, this DPA shall apply to the Controller's processor role; the Controller represents that it has the necessary authority to enter into this DPA on behalf of the underlying controller.

02

Subject matter and duration

Subject matter: the processing of Personal Data by the Processor solely to provide the SignalSprint and SignalEngine services to the Controller in accordance with the Subscription Agreement.

Duration: this DPA applies for as long as the Processor processes Personal Data on behalf of the Controller. Sections concerning confidentiality, return or deletion of Personal Data, and liability survive termination.

03

Nature and purpose of processing

The Processor processes Personal Data only to operate the contracted services, which include: discovery of prospect contact data from publicly available sources; enrichment of prospect records (technographics, firmographics, contact information, dossier composition); generation and quality review of outbound messages; transmission of outbound messages across configured channels; ingestion and threading of inbound replies; storage of interaction logs, signals, and performance metrics; analytics and reporting accessible to the Controller within the product.

04

Types of Personal Data

Categories of Personal Data processed include: business contact information (full name, business email address, business telephone number, job title, employer name, employer domain, business postal address); professional profile information (LinkedIn URL, Twitter handle, public profile content); company-level data that may indirectly identify individuals (such as hiring signals tied to a named role); communication content (subject lines, message bodies, replies, click and open events); behavioural metadata (timestamps, engagement signals, lead temperature scoring).

The Processor does not knowingly process special categories of personal data (as defined in Article 9 GDPR). The Controller agrees not to instruct the Processor to do so without a separate written agreement.

05

Categories of data subjects

Prospects, leads, and other business contacts that the Controller imports, or that the Processor discovers from public business sources on the Controller's instructions, for the purpose of business-to-business outreach.

End users of the Controller's account: employees, contractors, and agents authorised by the Controller to access the services.

06

Controller obligations and instructions

The Controller is responsible for: establishing a lawful basis for processing Personal Data of prospects under applicable data protection law (typically legitimate interest for business-to-business outreach under GDPR Article 6(1)(f)); providing required transparency notices to data subjects when required; honouring data subject rights requests received directly by the Controller.

The Processor will process Personal Data only on the documented instructions of the Controller, which include the standing instructions reflected in the Controller's account configuration (target niches, target geographies, channel mix, message templates) and any further instructions given in writing.

If the Processor believes an instruction violates applicable law, the Processor will notify the Controller and is not obliged to act on the instruction until the matter is resolved.

07

Confidentiality

The Processor ensures that personnel authorised to process Personal Data are bound by an obligation of confidentiality (either contractual or statutory) and have received appropriate training on data protection requirements.

08

Security of processing

The Processor implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, including, at minimum:

Encryption: TLS 1.2 or higher for data in transit. AES-256 or equivalent for data at rest in the primary database (Convex).

Access control: role-based access enforced via Clerk authentication; principle of least privilege for engineering access to production systems; multi-factor authentication required for staff with production access; audit log of administrative actions retained for at least 90 days.

Network: production systems behind firewall and reverse proxy; dedicated per-customer compute on Hetzner with isolation between instances; no shared production database tenancy at the row level across customers.

Integrity: continuous monitoring of error rates and unauthorised access attempts; cron-based health and security checks; quality gate that reviews every outbound message before send.

Resilience: nightly backups of customer data with point-in-time recovery available through the Convex platform; documented incident response procedure.

Vulnerability management: dependency scanning on continuous integration; documented patching cadence for production hosts.

These TOMs may be updated from time to time provided the level of security is not materially reduced.

09

Sub-processors

The Controller authorises the Processor to engage the sub-processors listed below to process Personal Data in connection with the services. The current list is also maintained on this page and will be updated when changes occur.

The Processor will provide at least 14 days' written notice (via email and an update to this page) of any addition or replacement of a sub-processor. The Controller may object on reasonable data protection grounds; if the parties cannot agree on a resolution, the Controller may terminate the affected service with a pro-rata refund of any prepaid fees attributable to the period after termination.

The Processor remains liable to the Controller for the performance of its sub-processors' obligations.

10

International transfers

Personal Data is primarily processed within the European Economic Area (Convex in Ireland, Hetzner in Germany). Where Personal Data is transferred to a sub-processor outside the EEA, the Processor relies on the European Commission's Standard Contractual Clauses (Decision 2021/914) or another lawful transfer mechanism. The transfer basis for each sub-processor is set out in the sub-processor list.

The Processor will provide a copy of the relevant transfer safeguards on request.

11

Data subject rights

The Controller is responsible for responding to data subject requests under GDPR Articles 12 to 22. The Processor will assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to such requests, taking into account the nature of the processing.

In practice: the Controller can locate, export, correct, or delete an individual prospect's data using the in-product CRM. For requests that cannot be fulfilled through the in-product tooling, the Controller may email the contact address below and the Processor will respond within five business days.

12

Personal data breaches

The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's Personal Data. The notice will include the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

13

Data Protection Impact Assessments

On request, the Processor will provide reasonable assistance to the Controller with any Data Protection Impact Assessment (Article 35) or prior consultation with a supervisory authority (Article 36) relating to the processing carried out under this DPA. The Processor may charge a reasonable fee for assistance that exceeds standard support, agreed in advance.

14

Audit rights

The Controller may, on at least 30 days' written notice and not more than once in any twelve-month period (unless required by a supervisory authority or after a confirmed breach), request information reasonably necessary to demonstrate the Processor's compliance with this DPA. The Processor will respond within 30 days and may, at its election, satisfy this obligation by providing a current security questionnaire or independent audit summary in lieu of an on-site audit.

15

Return or deletion of Personal Data

On termination of the Subscription Agreement, or on the Controller's written request, the Processor will delete or return all Personal Data processed on behalf of the Controller, including by destroying existing copies, unless law requires storage. Deletion follows the self-service Danger Zone in the dashboard: a 7-day grace window during which the Controller may cancel the deletion, after which a daily cron cascades the delete across all related tables (prospects, messages, actions, dossiers, stats, campaigns).

On request, the Processor will provide written confirmation of completed deletion.

16

Liability

Liability under this DPA is subject to the limitations of liability set out in the Subscription Agreement.

17

Order of precedence and governing law

In case of conflict between this DPA and the Subscription Agreement, this DPA prevails on matters of data protection. This DPA is governed by the same law as the Subscription Agreement.

18

Contact

For data protection queries, signed-copy requests, or audit information, contact [email protected].

Sub-processors

Current as of the effective date above. Changes are notified at least 14 days in advance, by email and by update to this page.

Sub-processor | Purpose | Region | Transfer basis
Convex | Database and backend platform (prospects, messages, dossiers) | eu-west-1, Ireland | Within EEA
Clerk | Authentication and session management | United States | Standard Contractual Clauses (Module 2)
Resend | Outbound email delivery | United States | Standard Contractual Clauses (Module 2)
Hetzner Online GmbH | Engine compute (per-customer container hosting) | Nürnberg, Germany | Within EEA
Stripe | Payments and subscription billing | Ireland and United States | Standard Contractual Clauses (Module 2) for US transfers
Cloudflare | CDN, DDoS protection, edge routing | Global edge; primary processing in EEA | Standard Contractual Clauses for non-EEA edge nodes
Anthropic, Google (Gemini), OpenRouter | LLM inference for drafting, enrichment, quality gate | United States and EEA depending on model | Standard Contractual Clauses (Module 2) and zero-retention API mode where available
Serper, Firecrawl | Web search and scraping for prospect discovery | United States | Standard Contractual Clauses (Module 2)

Signed copy

Need a counter-signed version for your records?

Email your legal contact and the entity name you want on the agreement. We countersign and return within two business days.