Data Processing Agreement

GDPR-Compliant Data Processing Terms for Clients and Partners

GDPR Article 28 Compliant Standard Contractual Clauses Data Protection

Effective Date: January 15, 2025 | Version: 2.1

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ForexBrokerLead and its Clients, in accordance with Article 28 of the GDPR.

1. Parties and Definitions

1.1 Parties: This DPA is between:

  • Data Controller: The Client (as defined in the main agreement)
  • Data Processor: ForexBrokerLead

1.2 Definitions: For purposes of this DPA:

  • "GDPR" means Regulation (EU) 2016/679
  • "Data Subject" means an identified or identifiable natural person
  • "Personal Data" means any information relating to a Data Subject
  • "Processing" means any operation performed on Personal Data
  • "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data

2. Processing Details

2.1 Subject Matter: The subject matter of the data processing under this DPA is the Personal Data provided by the Data Controller to the Data Processor for the purposes of providing lead generation services.

2.2 Duration: The processing will continue for the duration of the main service agreement, unless otherwise terminated in accordance with this DPA.

2.3 Nature and Purpose: The Data Processor will process Personal Data for the purpose of providing verified lead generation services to the Data Controller, including but not limited to:

  • Lead verification and validation
  • Data enrichment and analysis
  • Delivery of leads to the Data Controller
  • Quality assurance and improvement

2.4 Types of Personal Data: The processing involves the following categories of data:

  • Contact information (name, email, phone number)
  • Demographic information
  • Professional information
  • Financial information (where relevant and lawful)
  • Online identifiers and technical data

2.5 Categories of Data Subjects: The processed data may concern the following categories of data subjects:

  • Potential customers and leads
  • Website visitors
  • Business contacts

3. Processor Obligations

3.1 Processing Instructions: The Data Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by applicable law.

3.2 Confidentiality: The Data Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures: The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data
  • Measures to ensure confidentiality, integrity, and resilience
  • Measures to restore availability following incidents
  • Regular testing of security measures

3.4 Data Protection Impact Assessment: The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments.

4. Sub-processing

4.1 Authorization: The Data Controller provides general authorization for the Data Processor to engage sub-processors, provided that the Data Processor:

  • Enters into a written agreement with the sub-processor containing data protection obligations no less protective than those in this DPA
  • Remains liable for the actions of its sub-processors
  • Informs the Data Controller of any intended changes concerning sub-processors

4.2 Current Sub-processors: The Data Processor uses the following sub-processors:

Sub-processor Service Provided Location Data Processed
Amazon Web Services Cloud Infrastructure EU/US Technical data, backups
Google Cloud Platform Analytics & Storage EU/US Anonymized analytics data
Telegram API Communication Platform Global Contact information, messages

4.3 Objection Right: The Data Controller may object to the appointment of new sub-processors on reasonable grounds relating to data protection.

5. Data Subject Rights

5.1 Assistance: The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising Data Subject rights.

5.2 Request Handling: If the Data Processor receives a request from a Data Subject concerning their Personal Data, the Data Processor will direct the Data Subject to the Data Controller, unless otherwise instructed by the Data Controller.

6. Personal Data Breaches

6.1 Notification: The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data Breach.

6.2 Cooperation: The Data Processor shall cooperate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

6.3 Documentation: The Data Processor shall maintain a record of all Personal Data Breaches, comprising the facts relating to the breach, its effects, and the remedial action taken.

7. Data Transfers

7.1 International Transfers: The Data Processor may transfer Personal Data outside the European Economic Area (EEA) only if appropriate safeguards are implemented, such as:

  • An adequacy decision by the European Commission
  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Approved codes of conduct or certification mechanisms

7.2 Safeguards: Where Personal Data is transferred outside the EEA, the Data Processor shall implement appropriate safeguards as required by GDPR Chapter V.

8. Audit Rights

8.1 Audit Cooperation: The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

8.2 Audit Conditions: Audits shall be conducted:

  • With reasonable advance notice (at least 30 days)
  • During normal business hours
  • No more than once per year (unless a Personal Data Breach has occurred)
  • Subject to appropriate confidentiality obligations

9. Return and Deletion of Data

9.1 Return or Deletion: At the choice of the Data Controller, the Data Processor shall delete or return all Personal Data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.

9.2 Deletion Timeline: Deletion shall occur within 30 days of termination of the agreement, unless otherwise required by law.

10. Liability and Indemnification

10.1 Liability: Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set out in the main agreement.

10.2 Indemnification: The Data Processor shall indemnify and hold harmless the Data Controller from and against any claims, losses, or expenses arising from the Data Processor's breach of this DPA.

11. Governing Law and Jurisdiction

11.1 Governing Law: This DPA shall be governed by and construed in accordance with the laws specified in the main agreement.

11.2 Jurisdiction: Any dispute arising from this DPA shall be subject to the jurisdiction clauses in the main agreement.

ANNEX 1: DETAILS OF PROCESSING

Category Details
Controller The Client as defined in the main service agreement
Processor ForexBrokerLead
Data Subjects Prospective customers, website visitors, business contacts
Categories of Data Contact details, demographic information, professional information, online identifiers
Special Categories None (unless explicitly agreed in writing)
Processing Operations Collection, storage, analysis, verification, transfer, deletion
Purpose Provision of verified lead generation services
Retention Period As specified in the main agreement or until deletion request
Data Transfers May involve transfers outside EEA with appropriate safeguards

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

2.1 Physical Access Control: Measures to prevent unauthorized persons from gaining access to data processing systems.

2.2 System Access Control: Measures to prevent data processing systems from being used without authorization.

2.3 Data Access Control: Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access.

2.4 Transmission Control: Measures to ensure that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.

2.5 Input Control: Measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into, modified, or removed from data processing systems.

2.6 Availability Control: Measures to ensure that Personal Data are protected against accidental destruction or loss.

ACCEPTANCE AND EXECUTION

This Data Processing Agreement is incorporated by reference into the main service agreement between the parties. By using ForexBrokerLead's services, the Data Controller accepts the terms of this DPA.

FOR THE DATA CONTROLLER:

Name: _________________________

Title: _________________________

Date: _________________________

FOR THE DATA PROCESSOR (ForexBrokerLead):

Name: Robert Johnson

Title: CEO

Date: January 15, 2025

DPA Execution

This DPA is automatically incorporated into our Terms of Service. For a signed copy or custom DPA terms, please contact our legal department at legal@forexbrokerlead.com.

Related Legal Documents

Terms of Service

Complete terms governing our services and client relationships

View Terms
Privacy Policy

How we collect, use, and protect your personal information

View Policy
Legal Information

Comprehensive legal and compliance information

View Information