Data Processing Agreement.

Effective date: 1 May 2026 · Webcite Technology Systems Ltd

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Webcite Technology Systems Ltd ("Processor", "we", "us") and the Customer ("Controller", "you") and applies whenever we process Personal Data on your behalf in connection with the Service (Client Engine).

1 · Definitions

"UK GDPR" means Regulation (EU) 2016/679 as it forms part of UK law by virtue of the Data Protection Act 2018, together with that Act.

"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in UK GDPR.

"Customer Personal Data" means Personal Data processed by us on your behalf as part of providing the Service.

"Sub-processor" means any third party we engage to process Customer Personal Data.

2 · Roles

You are the Controller of Customer Personal Data. We are the Processor. Each party will comply with its obligations under applicable data protection law.

3 · Scope and purpose of processing

Item | Detail
Subject matter | Provision of the Client Engine SaaS platform
Duration | The term of the Service plus 30 days for return / deletion
Nature and purpose | Hosting, prospect identification, enrichment, signal detection, sequence generation and dispatch, analytics, support
Categories of Data Subject | Your end users (employees, contractors); your prospects (B2B contacts)
Categories of Personal Data | Names, work emails, job titles, employer names, LinkedIn URLs, phone numbers (where supplied), enrichment fields, signal data, engagement events
Special category data | None expected. You must not upload special category data without our prior written consent

4 · Our obligations as Processor

We will:

  1. Process Customer Personal Data only on your documented instructions, including those given through the Service interface, unless required to do otherwise by law (in which case we will tell you, unless prohibited)
  2. Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality
  3. Apply appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art and the nature of processing (see Annex A)
  4. Assist you, taking into account the nature of processing, with: responding to Data Subject rights requests; security; breach notification; data protection impact assessments; and prior consultation with the ICO
  5. At your choice, return or delete Customer Personal Data within 30 days after the end of the Service, except where retention is required by law
  6. Make available to you all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 9

5 · Sub-processors

You give us general authorisation to engage Sub-processors for the provision of the Service. Our current list of Sub-processors is published in our Privacy Policy at clientengine.webcite.ai/privacy.

We will:

  1. Impose contractual obligations on each Sub-processor that are no less protective than those in this DPA
  2. Remain liable for the acts and omissions of our Sub-processors
  3. Give you at least 14 days' notice of any new or replacement Sub-processor by updating the published list and, on request, by email

If you object to a new Sub-processor on reasonable data protection grounds, you may terminate the affected portion of the Service for convenience without further charge, with effect from the date the new Sub-processor is added.

6 · International transfers

Where we transfer Customer Personal Data outside the UK, we will rely on a valid transfer mechanism, including:

  1. UK adequacy regulations, where applicable
  2. The UK International Data Transfer Addendum to the EU Standard Contractual Clauses
  3. The EU Standard Contractual Clauses
  4. The UK extension to the EU-US Data Privacy Framework, where the recipient is certified

You authorise us to enter into transfer mechanisms with Sub-processors on your behalf where necessary.

7 · Data Subject rights

We will, by appropriate technical and organisational measures, assist you in fulfilling your obligations to respond to Data Subject requests under UK GDPR Articles 15 to 22. If we receive a request from one of your Data Subjects directly, we will pass it to you without undue delay and will not respond unless instructed to do so.

8 · Personal data breaches

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer Personal Data. Our notice will include, to the extent known:

  1. The nature of the breach, including categories and approximate numbers of Data Subjects and records concerned
  2. The likely consequences
  3. Measures taken or proposed to address the breach and mitigate its effects
  4. A contact point for further information

9 · Audits

You may, no more than once per twelve-month period and on at least 30 days' written notice, audit our compliance with this DPA. Audits will be conducted during business hours, in a manner that does not unreasonably disrupt our business, and subject to confidentiality obligations.

In place of an on-site audit, we may satisfy our obligations under this Section by providing recent third-party security or compliance reports (where available), responses to a reasonable security questionnaire, and other written evidence of compliance.

10 · Liability and indemnity

The liability provisions in the Terms of Service apply to this DPA. Where UK GDPR Article 82 imposes joint and several liability between Controller and Processor, each party is responsible for its share of liability based on its respective fault.

11 · Conflict

In the event of conflict between this DPA and the Terms of Service, this DPA takes precedence on matters concerning the processing of Personal Data.

12 · Governing law

This DPA is governed by the laws of England and Wales.

Annex A

Technical and organisational security measures

We apply at minimum the following measures:

Encryption. TLS 1.2 or higher in transit. Encryption at rest for the production database and storage volumes.

Access control. Role-based access control inside the Service. Multi-factor authentication on production infrastructure. Least-privilege principle for all administrative access.

Authentication. Passwords stored hashed using industry-standard algorithms. No plaintext password storage. Session management with secure cookies.

Network security. Production traffic restricted via firewall rules. Database not exposed to the public internet.

Logging and monitoring. Application and infrastructure logs retained. Audit trails for sensitive actions. Alerting on anomalous events.

Vulnerability management. Dependency scanning. Timely patching of known vulnerabilities.

Backups. Automated daily database backups with documented retention and tested restore procedures.

Personnel. Confidentiality obligations on all personnel with access to Customer Personal Data. Access provisioned on a need-to-know basis and revoked on role change or departure.

Sub-processor controls. Written contracts with all Sub-processors imposing equivalent obligations.

Incident response. Documented breach notification procedure with 72-hour Controller notification commitment.

Annex B

List of Sub-processors

The current list of Sub-processors is published and maintained at clientengine.webcite.ai/privacy. As of the effective date of this DPA, the list comprises:

Sub-processor | Purpose | Region
Anthropic, PBC | LLM inference | USA
OpenAI, LLC | LLM inference | USA
Moonshot AI (Kimi) | LLM inference | China / Singapore
Apollo.io | Prospect data and enrichment | USA
Exa Labs, Inc. | Web signal search | USA
ManyReach | Email sequencing infrastructure | USA
Resend | Transactional email | USA
Clerk, Inc. | User authentication | USA
Stripe Payments Europe Ltd | Payment processing | Ireland / USA
Railway Corp. | Application hosting | USA
Railway Postgres | Database hosting | USA

Anticipated future Sub-processors (notified in advance of activation):

Sub-processor | Purpose | Status
HeyReach | LinkedIn outreach | Planned (v2)
Pipedrive | CRM two-way sync | Planned (v2)

Signatures

This DPA is accepted by the Customer when the Customer accepts the Terms of Service or by acting through an authorised user on the Customer's behalf. No physical signature is required for this DPA to take effect.

For the avoidance of doubt:

Webcite Technology Systems Ltd
Workshed, 7 Carriage Works, London Street, Swindon, SN1 5FB
Email: info@webcite.ai
Company No. 16580236
ICO Reg. No. ZC045226