Data Processing Agreement
Schedule to the Service Agreement between [Client name] (Controller) and Oliver Lythe Sales (Processor)
1 Introduction and Scope
This Data Processing Agreement (the "DPA") is entered into as of the date of signature between:
- [Client name], of [registered address], [country] (the "Controller", "you"); and
- Oliver Lythe, trading as Oliver Lythe Sales, a registered Individual Entrepreneur with Small Business Status, based in Tbilisi, Georgia, contactable at [email protected] (the "Processor", "we", "us").
Each a "party" and together the "parties".
This DPA forms an integral schedule to, and is governed by, the Service Agreement between the parties for done-for-you LinkedIn outbound and B2B appointment-setting services (the "Service Agreement", and the services provided under it, the "Services"). It sets out the terms on which the Processor processes personal data on behalf of the Controller in connection with the Services.
Where this DPA and the Service Agreement conflict on the subject of the processing of personal data, this DPA prevails. In all other respects the Service Agreement continues in full force. Capitalised terms not defined here have the meaning given in the Service Agreement.
2 Definitions
In this DPA:
- "Data Protection Law" means all applicable laws and regulations relating to the processing and protection of personal data, including, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR together with the Data Protection Act 2018, in each case as amended or replaced from time to time.
- "personal data", "processing", "controller", "processor", "data subject", "personal data breach" and "supervisory authority" have the meanings given in the GDPR.
- "Controller Personal Data" means the personal data described in the Schedule that the Processor processes on behalf of the Controller under the Services.
- "Sub-processor" means any third party engaged by the Processor to process Controller Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), and/or the UK International Data Transfer Agreement or Addendum, as applicable to a given transfer.
3 Roles of the Parties
The parties acknowledge and agree that, for the purposes of Data Protection Law and in relation to the processing of Controller Personal Data under the Services:
- The Controller is the controller. The Controller determines the purposes and means of the processing, and is responsible for the lawfulness of its instructions and of the personal data it provides or directs the Processor to source, including having a valid lawful basis for the B2B outreach conducted on its behalf.
- The Processor is a processor. The Processor processes Controller Personal Data only on the Controller's documented instructions to deliver the Services, and does not determine the purposes of the processing.
The Controller warrants that it has all necessary rights, permissions and lawful bases to provide the Controller Personal Data to the Processor and to instruct the processing described in this DPA, including operation of the Controller's own LinkedIn account by the Processor with the Controller's authorisation.
4 Subject-Matter, Duration, Nature and Purpose of Processing
- Subject-matter: the processing of Controller Personal Data as necessary to provide the Services.
- Duration: the term of the Service Agreement, plus any period thereafter during which the Processor retains Controller Personal Data pending its return or deletion under Section 13.
- Nature of processing: collection, sourcing and enrichment of B2B prospect data, storage, organisation, use within outreach and inbox management, drafting of messaging, transmission of messages via the Controller's authorised LinkedIn account, and recording of pipeline and meeting outcomes.
- Purpose: to run LinkedIn outbound outreach and book qualified sales meetings on the Controller's behalf, and to administer, report on and support that Service.
Further detail is set out in the Schedule to this DPA.
5 Types of Personal Data and Categories of Data Subjects
Types of personal data:
- Business contact details of B2B prospects: name, job role or title, employer, public LinkedIn profile, and business email address where sourced.
- The Controller's own users: name, role, business contact details and account information necessary to configure and operate the seat.
Categories of data subjects:
- The Controller's targeted B2B prospects (the intended audience of the outreach); and
- The Controller's own personnel and authorised users.
No special-category personal data (as defined in Article 9 GDPR) and no data relating to criminal convictions or offences is processed under the Services. The Controller shall not instruct or provide such data for processing.
Payment and billing data processed via Wise for the purpose of invoicing the Controller is processed by the Processor as an independent controller in its own right and falls outside the scope of this DPA.
6 Processor Obligations
The Processor shall:
- Documented instructions: process Controller Personal Data only on the Controller's documented instructions, including as set out in this DPA and the Service Agreement, unless required to do otherwise by law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest. The Controller's documented instructions include the international transfers of Controller Personal Data described in Section 8 and the engagement of the Sub-processors listed in Part C of the Schedule.
- Unlawful instructions: promptly inform the Controller if, in its opinion, an instruction infringes Data Protection Law. The Processor is not obliged to carry out an instruction it reasonably considers unlawful.
- Confidentiality: ensure that any person authorised to process Controller Personal Data (which, given the Processor is an individual entrepreneur, is principally the Processor personally, together with any authorised personnel) is bound by an appropriate obligation of confidentiality and processes the data only as instructed.
- Security: implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. The measures currently in place are described in Part B of the Schedule.
- Assistance: taking into account the nature of the processing and the information available to it, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to: (a) respond to data-subject requests under Section 10; (b) address personal data breaches under Section 11; (c) carry out data protection impact assessments (DPIAs) and any prior consultation with a supervisory authority under Articles 35 and 36 GDPR.
- Records: maintain records of processing carried out on behalf of the Controller to the extent required by Data Protection Law, and make them available to the Controller on reasonable request.
7 Sub-processors
The Controller grants the Processor general authorisation to engage Sub-processors to process Controller Personal Data for the purpose of delivering the Services. The Sub-processors currently engaged are listed in Part C of the Schedule:
- HeyReach (LinkedIn automation, message sending, unified inbox, and provision of a dedicated static residential proxy per connected account);
- Prospeo (prospect data sourcing and enrichment);
- HubSpot (pipeline and reporting);
- Anthropic (AI drafting assistance for messaging);
- Cloudflare (hosting and edge key-value storage for the client portal and the documents served from a private link); and
- Google (Gmail delivery for correspondence sent on your behalf, and encrypted offsite storage of the Processor's backups).
The Processor shall:
- impose on each Sub-processor, by written contract, data protection obligations that are, in substance, no less protective than those set out in this DPA, in particular appropriate security measures, it being acknowledged that such obligations may be satisfied by each Sub-processor's standard data processing terms which the Processor accepts;
- remain fully liable to the Controller for the performance of each Sub-processor's obligations; and
- give the Controller prior notice of any intended addition or replacement of a Sub-processor, so as to give the Controller the opportunity to object on reasonable, data-protection-related grounds within a reasonable period (and in any event within 14 days of notice). If the Controller objects on reasonable grounds and the parties cannot agree a resolution, the Controller may, as its sole remedy, terminate the affected part of the Services in accordance with the Service Agreement.
LinkedIn (Microsoft) operates the underlying platform under its own terms and, in respect of that platform, acts as an independent controller and the Controller's own platform provider rather than as a Sub-processor engaged by the Processor.
No client confidential data is used to train any third-party AI model, and all AI-drafted output is reviewed by the Processor before use.
8 International Transfers
The Processor is based in Georgia, and the Sub-processors may process Controller Personal Data outside the Controller's own region, including outside the European Economic Area or the United Kingdom. Georgia does not currently benefit from an EU or UK adequacy decision, so an appropriate transfer safeguard applies as set out below.
Where Controller Personal Data is transferred to a country not benefiting from an adequacy decision applicable to the Controller, the Processor shall ensure that the transfer is subject to appropriate safeguards within the meaning of Data Protection Law, such as the Standard Contractual Clauses (and, for UK data, the UK International Data Transfer Agreement or Addendum), or another lawful transfer mechanism.
Where the Controller is established in the European Economic Area or the United Kingdom, the transfer of Controller Personal Data to the Processor and its Sub-processors is made subject to the SCCs as operationalised in Part D of the Schedule. In summary: the EU SCCs apply on a controller-to-processor basis (Module Two), and the UK International Data Transfer Addendum applies to UK data; the Controller is the data exporter and Oliver Lythe Sales is the data importer; the optional docking clause (Clause 7) applies; Schedule Part A completes Annex I to the SCCs (parties, description of the transfer and competent supervisory authority), Schedule Part B completes Annex II (technical and organisational measures), and Schedule Part C completes Annex III (sub-processors).
Where the SCCs apply between the parties, they are incorporated into this DPA by reference and completed by the details in the Schedule, and in the event of conflict the SCCs prevail on the subject of the transfer. The Processor shall, on request, provide the Controller with reasonable information about the safeguards relied upon.
9 The Controller's Instructions and Obligations
- The Controller shall issue all instructions lawfully and shall ensure it has provided all notices to, and obtained any consents or established any other lawful basis in respect of, data subjects as required by Data Protection Law for the processing contemplated by the Services.
- The Controller is responsible for the accuracy, quality and legality of the Controller Personal Data and of the target-audience criteria it provides.
- The Controller shall not provide or instruct the processing of any special-category personal data or any data of individuals located in jurisdictions where the intended outreach would be unlawful.
10 Data-Subject Rights Assistance
Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller, by appropriate technical and organisational measures and insofar as possible, to enable the Controller to respond to requests from data subjects exercising their rights under Data Protection Law, including rights of access, rectification, erasure, restriction, portability and objection.
If the Processor receives a request directly from a data subject in respect of Controller Personal Data, it shall not respond to the request itself (except to confirm receipt or as legally required) and shall, without undue delay, forward the request to the Controller so the Controller can handle it. The Processor may charge the Controller its reasonable costs for assistance that goes beyond what is required by Data Protection Law or that is disproportionate in volume.
11 Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data.
The notification shall, to the extent then known and insofar as reasonably available to the Processor, describe: the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. Where the information cannot be provided at once, it may be provided in phases without further undue delay.
The Processor shall cooperate with the Controller and take reasonable steps as directed by the Controller to assist in the investigation, mitigation and remediation of the breach. Notification of a breach is not, and shall not be construed as, an acknowledgement by the Processor of fault or liability.
12 Audit and Information Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
Such audits are subject to reasonable conditions: they shall be conducted on reasonable prior written notice (not less than 30 days save where a supervisory authority or a live breach requires sooner), no more than once in any 12-month period save for cause or where required by a supervisory authority, during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations, and subject to confidentiality. The Controller shall bear its own and the Processor's reasonable costs of any audit that goes beyond the provision of information. The Processor may satisfy audit requests, where appropriate, by providing existing documentation and responses to a reasonable information request rather than an on-site inspection.
13 Return or Deletion of Data on Termination
On termination or expiry of the Services, and at the Controller's choice, the Processor shall return the Controller Personal Data to the Controller and/or delete it, together with existing copies, unless retention is required by law to which the Processor is subject.
The Controller may specify its choice in writing within 30 days of termination. Absent instruction within that period, the Processor may delete the Controller Personal Data in the ordinary course. The Processor shall confirm deletion in writing on request. The Processor may retain Controller Personal Data to the limited extent, and for the limited period, required by applicable law, in which case the terms of this DPA continue to apply to that retained data. Data held within Sub-processor platforms will be deleted in accordance with the deletion functionality and standard retention practices of those platforms.
14 Liability, Term and General
- Term: this DPA takes effect on the date of signature and continues for as long as the Processor processes Controller Personal Data on behalf of the Controller.
- Liability: each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement.
- Governing law: this DPA is governed by the laws of Georgia, save that, where the Standard Contractual Clauses apply, those Clauses are governed by the law of the EU member state designated in Part D of the Schedule (or, absent designation, the Republic of Ireland), to the extent required for their validity. Disputes shall be resolved first amicably and then as provided in the Service Agreement, without prejudice to any mandatory rights of data subjects or the powers of a competent supervisory authority under Data Protection Law.
- Severability and survival: if any provision of this DPA is held invalid, the remainder continues in effect. Provisions that by their nature should survive termination (including Sections 6 (confidentiality), 8, 11, 13 and 14) survive.
Dated: the date of signature
15 Schedule to the DPA
Part A. Details of Processing
- Controller (data exporter): [Client name], [registered address], [country]. Contact: [contact name], [contact email].
- Processor (data importer): Oliver Lythe, trading as Oliver Lythe Sales, Tbilisi, Georgia. Contact: [email protected].
- Subject-matter: processing of B2B business contact data and Controller user data to deliver done-for-you LinkedIn outbound and appointment-setting under the agreed plan (the agreed number of seat(s), up to 2 ICPs per seat).
- Duration: the term of the Service Agreement plus any wind-down or retention period under Section 13.
- Nature and purpose: sourcing and enrichment of prospect data, message drafting, running LinkedIn outreach (a connection request and individually written messages) via the Controller's authorised LinkedIn account, unified-inbox management, and pipeline and meeting tracking.
- Types of personal data: B2B prospect name, role, employer, public LinkedIn profile, business email where sourced; the Controller's own users' names, roles and business contact details. No special-category data.
- Categories of data subjects: the Controller's targeted B2B prospects; the Controller's own personnel and authorised users.
- Frequency: continuous for the duration of the Services.
- Competent supervisory authority (where the SCCs apply): the supervisory authority of the EEA member state, or the UK Information Commissioner's Office for UK data, of the place in which the Controller (data exporter) is established, being [country] where applicable.
Part B. Technical and Organisational Security Measures
- Access control and authentication: access to accounts and platforms restricted to the Processor and any authorised personnel, protected by strong, unique credentials and, where available, multi-factor authentication.
- Least privilege: access granted only to the data and systems necessary to deliver the Services; no LinkedIn passwords are requested or stored, the Controller's account being connected via the official HeyReach browser extension.
- Dedicated proxies: each connected LinkedIn account is assigned a dedicated static residential proxy that is not shared between accounts, and the inbox-privacy configuration is enabled so that only campaign conversations are worked and the Controller's private messages stay private.
- Encryption in transit: data is transmitted over encrypted connections (TLS/HTTPS) to and between the platforms used.
- Reputable vendors: processing is carried out using established, security-conscious platforms (see Part C), relying on their own security controls and data-centre protections.
- Confidentiality: personnel are bound by confidentiality obligations; client confidential data is not used to train third-party AI models and AI output is reviewed before use.
- Data minimisation and retention: only business contact data necessary for the Services is processed, and data is returned or deleted in accordance with Section 13.
Part C. Approved Sub-processors (SCC Annex III)
- HeyReach:LinkedIn automation, message sending, unified inbox, and dedicated static residential proxy per connected account.
- Prospeo:prospect data sourcing and enrichment.
- HubSpot:pipeline and reporting.
- Anthropic (Claude):AI drafting assistance for messaging; no client confidential data used for third-party model training.
- Cloudflare:hosting and edge key-value storage for the client portal and the documents served to you from a private link.
- Google:email delivery via Gmail for correspondence sent on your behalf, and encrypted offsite storage of the Processor's backups.
The current list may be updated in accordance with Section 7 (Sub-processors). For the avoidance of doubt, LinkedIn (Microsoft) is not a Sub-processor engaged by the Processor but the platform provider under the Controller's own account relationship, and Wise (payment processing of the Controller's billing-contact data) falls outside the scope of this DPA per Section 5.
Part D. Operationalisation of the Standard Contractual Clauses
This Part applies where the Controller is established in the European Economic Area or the United Kingdom, or where Data Protection Law otherwise requires a transfer mechanism for Controller Personal Data.
- Clauses applied: the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor). For transfers subject to UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (issued under section 119A of the Data Protection Act 2018) applies, with the EU SCCs completed as set out below.
- Parties: the Controller is the data exporter; Oliver Lythe, trading as Oliver Lythe Sales, is the data importer. Contact details are in Part A.
- Docking clause (Clause 7): applies.
- Sub-processor authorisation (Clause 9): Option 2, general written authorisation, applies. The list of Sub-processors is in Part C, and the notice period for changes is as set out in Section 7.
- Redress, transparency and local law (Clauses 14 and 15): the parties confirm the transparency, onward-transfer and local-law assessment obligations in the SCCs, and the data importer shall notify the data exporter of, and where lawful resist, any third-party or governmental access request affecting Controller Personal Data as provided in Clause 15.
- Governing law (Clause 17) and forum (Clause 18): the SCCs are governed by the law of the Republic of Ireland unless another EU member state is designated here: __________________. Disputes arising from the SCCs shall be resolved before the courts of that member state.
- Annex mapping: Annex I (A: List of Parties; B: Description of Transfer; C: Competent Supervisory Authority) is completed by Part A of this Schedule. Annex II (technical and organisational measures) is completed by Part B. Annex III (list of sub-processors) is completed by Part C.
- UK Addendum tables: where the UK Addendum applies, the information required by its Tables 1 to 3 is taken from Parts A to C of this Schedule, and the Approved Addendum takes effect on the date of signature.
Terms of Service · Privacy Policy · Data Processing Agreement · Mutual NDA · Onboarding · Connect your LinkedIn