# Data Processing Addendum (DPA) — Template

> **This is a template, not legal advice.** Have it reviewed by qualified
> counsel in each jurisdiction before signing it with a customer. The
> structure below covers the elements GDPR Art. 28 / CCPA / UK DPA require,
> in the order most enterprise procurement teams expect.

This Data Processing Addendum ("DPA") supplements the Master Services
Agreement or applicable Order Form between **GeoLayer, Inc.** ("GeoLayer",
"Processor") and the customer signing below ("Customer", "Controller"),
together the "Parties".

## 1. Definitions

Capitalized terms not defined here have the meaning given in GDPR
(Regulation (EU) 2016/679), the UK GDPR, the CCPA (Cal. Civ. Code
§1798.100), and other applicable data protection law (collectively,
"Data Protection Laws").

- **"Personal Data"** has the meaning given in the Data Protection Laws.
- **"Sub-processor"** means a third-party data processor engaged by
  GeoLayer that processes Customer Personal Data.

## 2. Scope and Roles

The Customer is the Controller and GeoLayer is the Processor with respect
to the Personal Data processed under the Service. The subject matter,
nature, purpose, and duration of processing are described in **Annex A**.

## 3. Customer Instructions

GeoLayer will only process Personal Data on documented instructions from
the Customer, including with regard to international transfers, except
where required by applicable law (in which case GeoLayer will inform the
Customer of that legal requirement before processing unless prohibited by
law).

## 4. Confidentiality

GeoLayer ensures that personnel authorized to process Personal Data are
under a duty of confidentiality.

## 5. Security Measures

GeoLayer implements the technical and organizational measures described
in **Annex B**, designed to ensure a level of security appropriate to the
risk.

## 6. Sub-processors

GeoLayer's current Sub-processors are listed in **Annex C**. GeoLayer will
inform the Customer of any intended changes via the Sub-processor list at
https://geolayer.io/legal/subprocessors with at least 30 days' notice.

## 7. Data Subject Rights

GeoLayer assists the Customer, through appropriate technical and
organizational measures and insofar as possible, in fulfilling the
Customer's obligations to respond to data subject requests under the Data
Protection Laws (access, rectification, erasure, restriction, portability,
objection). The `/v1/suppression` endpoint is the primary self-serve
mechanism for fulfilling such requests.

## 8. Personal Data Breach Notification

GeoLayer will notify the Customer without undue delay after becoming aware
of a Personal Data Breach, and in any event within 72 hours.

## 9. Data Protection Impact Assessments

GeoLayer assists the Customer in carrying out data protection impact
assessments and prior consultations with supervisory authorities, taking
into account the nature of processing and information available.

## 10. Deletion or Return of Data

Upon termination of the Service, GeoLayer will, at the Customer's choice,
delete or return all Personal Data, and delete existing copies, unless
applicable law requires storage. Default behavior is deletion within 30
days of termination.

## 11. Audits

GeoLayer makes available to the Customer all information necessary to
demonstrate compliance with this DPA, and allows for and contributes to
audits, including inspections, conducted by the Customer or another
auditor mandated by the Customer, no more than once per year and at the
Customer's expense.

## 12. International Transfers

To the extent processing involves the transfer of Personal Data outside
the EEA / UK / Switzerland to a country not deemed adequate, the Parties
will rely on the Standard Contractual Clauses incorporated by reference
herein.

## 13. Liability and Term

This DPA is effective on the latest date of signature and continues for
the term of the underlying agreement. Liability under this DPA is subject
to the limitation of liability provisions in the underlying agreement.

---

## Annex A — Description of Processing

| Item | Description |
|---|---|
| **Categories of data subjects** | Customer's end-users (typically B2B sales targets), Customer's employees |
| **Categories of Personal Data** | Business email addresses, phone numbers, names, job titles, employer name, public business address, public website URL |
| **Special categories** | None processed under the Service |
| **Nature of processing** | Storage, deduplication, deliverability verification, export to Customer-controlled destinations (CSV, HubSpot, Zapier) |
| **Purpose** | Providing the Service per the underlying agreement |
| **Duration** | For the term of the underlying agreement, plus any retention period required by law |

## Annex B — Technical and Organizational Measures

1. **Encryption in transit:** TLS 1.2+ for all customer-facing endpoints and all
   third-party API calls.
2. **Encryption at rest:** Database storage encrypted via Neon (AES-256). OAuth
   tokens encrypted with AES-256-GCM at the application layer (`utils/crypto.js`).
3. **Access controls:** API access requires a per-account token; admin access
   gated by JWT with brute-force lockout (5 failures / 15 min).
4. **Audit logging:** Every credit spend or grant is recorded in `credit_ledger`,
   every webhook delivery attempt in `webhook_logs`, and every CRM sync in
   `integration_sync_log`.
5. **Vulnerability management:** Sentry-instrumented error capture; quarterly
   dependency upgrades.
6. **Personnel:** Background checks for engineering staff; confidentiality
   agreements for all personnel handling Customer data.
7. **Backup and recovery:** Postgres point-in-time recovery via Neon; RPO 5
   minutes, RTO 4 hours.

## Annex C — Sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (Postgres hosting) | Primary database | US |
| Netlify | Hosting & serverless functions | US |
| Outseta | Customer authentication & billing | US |
| Stripe (via Outseta) | Payment processing | US |
| Cloudflare R2 (if enabled) | Asset storage | US |
| OpenAI | AI content generation | US |
| Public-data ingestion provider | Public business listing data (B2B only) | — |
| NeverBounce / ZeroBounce | Email deliverability verification | US |
| HubSpot (Customer-elected) | CRM sync | US/EU |
| Sentry (if enabled) | Error monitoring | US |

---

**Customer:**

Name: _______________________  Title: _______________________

Signature: ___________________  Date: ________________________

**GeoLayer, Inc.:**

Name: _______________________  Title: _______________________

Signature: ___________________  Date: ________________________
