Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between Estel Tech ("Processor") and the Customer ("Controller") (collectively, the "Parties"). This DPA is incorporated into the Estel Terms of Service and applies to the processing of Personal Data by Estel on behalf of the Customer.

1. Definitions

• "Buyer Data" means the personal data of third-party business professionals (leads) processed via the Platform.
• "Data Protection Laws" means the GDPR (EU 2016/679), the UK GDPR, and any applicable national B2B privacy laws.
• "Orchestration" means the technical process of querying Third-Party Services using Controller's credentials.

2. Scope and Role

Roles: The Customer is the Data Controller of Buyer Data. Estel is the Data Processor.

Subject Matter: The processing of B2B contact information to facilitate sales outreach.

Duration: The term of the Customer's subscription to the Platform.

3. Obligations of the Processor (Estel)

Estel shall:

• Processing Instructions: Process Buyer Data only on documented instructions from the Controller (e.g., executing a search or clicking "Reveal Contact").
• Confidentiality: Ensure that all staff authorized to process Buyer Data are subject to strict confidentiality obligations.
• Security Measures: Implement technical and organizational measures to protect data, including Fernet (AES-128) encryption for OAuth tokens and TLS 1.2+ for all data transfers.
• Sub-processing: Only engage sub-processors (listed in Section 5) who provide equivalent data protection guarantees.

4. Data Subject Rights

Since Estel processes Buyer Data in a transient manner (stored in chat history), Estel shall assist the Controller in fulfilling Data Subject requests (access, deletion, etc.) by:

• Providing tools within the Platform to delete specific chat histories.
• Permanently erasing all Buyer Data and OAuth tokens upon account termination.

5. Authorized Sub-processors

The Controller provides general authorization for Estel to engage the following sub-processors:

• Amazon Web Services (EU): Cloud infrastructure.
• OpenAI / Anthropic / Alphabet: AI generation via Zero-Retention/Non-Training APIs.
• Firebase: Authentication services.
• Apollo.io, Inc.: Data enrichment via Controller's credentials.

6. Personal Data Breach Notification

Estel shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Buyer Data processed by Estel.

7. International Transfers

For transfers to sub-processors in the USA, Estel ensures compliance via:

• Standard Contractual Clauses (SCCs).
• Verification that sub-processors are certified under the EU-U.S. Data Privacy Framework (DPF) where applicable.

8. Deletion and Return of Data

Upon termination of the Services, Estel shall:

• Delete all encrypted OAuth tokens immediately.
• Delete all Buyer Data within the Controller's chat history within 30 days.
• Retain only de-identified, one-way HMAC-SHA256 hashes of professional titles/companies for system optimization (which do not constitute Personal Data).

Annex 1: Details of Processing

Categories of Data Subjects: Business professionals, prospects, and decision-makers.

Types of Personal Data: Names, professional titles, company names, LinkedIn URLs, professional email addresses, and professional phone numbers.

Nature of Processing: Retrieval, organization, storage (transient), and AI-assisted outreach generation.

Annex 2: Technical and Organizational Measures (TOMs)

• Encryption: All sensitive credentials (API keys/Tokens) are encrypted at the application layer using Fernet encryption.
• Access Control: Strict "least-privileged" access for Estel employees; no employee access to buyer contact data unless required for specific support debugging.
• Audit Logs: Maintenance of logs for all administrative access.
• Isolation: Multi-tenant architecture ensuring no data leakage between different User accounts.