
Data Processing Agreement

Effective March 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Subduxion B.V. ("Subduxion", "Processor"), a private limited liability company incorporated under the laws of the Netherlands (KVK 94892083), with its registered office at High Tech Campus 5, 5656 AE Eindhoven, The Netherlands, and the entity agreeing to these terms ("Customer", "Controller").

This DPA sets out the terms under which Subduxion processes Personal Data on behalf of the Customer in connection with the Blake platform (the "Services"), in compliance with Regulation (EU) 2016/679 (the "GDPR"), the Dutch Uitvoeringswet Algemene Verordening Gegevensbescherming ("UAVG"), and any other applicable data protection legislation (collectively, "Data Protection Law").

1. Scope and Roles

1.1 Controller and Processor

The Customer acts as the Controller within the meaning of Article 4(7) GDPR with respect to Customer Data processed through the Services. Subduxion acts as the Processor within the meaning of Article 4(8) GDPR, processing Customer Data on behalf of the Customer in accordance with the Customer's documented instructions.

1.2 Subduxion as Controller

Subduxion also acts as an independent Controller for certain processing activities necessary for the operation and improvement of the Services, including: (a) fraud prevention and security monitoring; (b) compliance with legal obligations (including anti-money laundering and sanctions screening); (c) billing and account management; (d) product analytics using aggregated and anonymised data; and (e) service improvement using anonymised and aggregated data. Subduxion's processing as Controller is governed by the Privacy Policy.

1.3 Precedence

In the event of a conflict between the Agreement and this DPA with respect to data protection matters, this DPA shall prevail. In the event of a conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses shall prevail.

2. Processing Details

2.1 Subject Matter and Purpose

Subduxion processes Customer Data for the purpose of providing the Services, which include AI-powered lead prospecting, CRM data enrichment, outreach generation, pipeline analytics, and related sales development functionality, as described in the Agreement and applicable service documentation.

2.2 Categories of Data Subjects

Customer Data may include Personal Data relating to the following categories of Data Subjects:

  • Customer's employees, contractors, and other authorised users of the Services.
  • Customer's prospects, leads, contacts, and business relations.
  • Representatives of Customer's clients, suppliers, and partners.
  • Any other natural persons whose Personal Data is submitted by Customer through the Services.

2.3 Types of Personal Data

The Personal Data processed may include, depending on the Customer's use of the Services:

  • Identification Data: names, job titles, professional roles, company names, photographs.
  • Contact Data: email addresses, telephone numbers, business addresses, LinkedIn profile URLs.
  • Professional Data: employment history, industry sector, company size, seniority level.
  • Communication Data: email content, call transcripts, notes, interaction histories.
  • Behavioural Data: email opens, link clicks, response patterns, engagement scores.
  • CRM Data: deal stages, pipeline values, lead scores, tags, custom fields.
  • Technical Data: IP addresses, device identifiers, browser information (limited to Service functionality).

2.4 Sensitive Data

The Services are not designed to process special categories of Personal Data as defined in Article 9 GDPR. Customer shall not submit sensitive data to the Services unless explicitly agreed in writing with Subduxion, including appropriate additional safeguards.

2.5 Duration

The processing shall continue for the duration of the Agreement. Upon termination, processing shall cease subject to the data return and deletion provisions of Section 7.

3. Processor Obligations

3.1 Instructions

Subduxion shall process Customer Data only on documented instructions from the Customer, unless processing is required by European Union or Member State law to which Subduxion is subject (Article 28(3)(a) GDPR). In such case, Subduxion shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

If Subduxion reasonably believes that an instruction from the Customer infringes Data Protection Law, Subduxion shall promptly inform the Customer and shall be entitled to suspend the relevant processing until the Customer modifies or confirms the instruction.

3.2 Confidentiality

Subduxion shall ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR). Access to Customer Data shall be limited to personnel who require such access for the performance of the Services on a need-to-know basis.

3.3 Security Measures

Subduxion shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons (Article 32 GDPR). Such measures include, without limitation:

  • Encryption: TLS 1.2 or higher for data in transit; AES-256 for data at rest.
  • Access Control: role-based access controls with principle of least privilege, multi-factor authentication for administrative access.
  • Network Security: network segmentation, intrusion detection, firewall protection, DDoS mitigation.
  • Application Security: secure development lifecycle, code reviews, dependency scanning, regular penetration testing.
  • Monitoring: centralised logging, anomaly detection, real-time security event monitoring.
  • Data Segregation: logical separation of Customer Data between customers.
  • Backup and Recovery: automated backups, point-in-time recovery, geo-redundant storage.
  • Personnel Security: background checks for employees with access to production systems, mandatory annual security awareness training.
  • Physical Security: Services are hosted in SOC 2 Type II-certified data centre facilities with 24/7 monitoring, biometric access controls, and environmental protection systems.

3.4 Data Subject Requests

Taking into account the nature of the processing, Subduxion shall assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subjects' rights under Chapter III GDPR (Articles 15-22).

If Subduxion receives a request directly from a Data Subject regarding Customer Data, Subduxion shall promptly inform the Customer and shall not respond to the Data Subject directly unless instructed to do so by the Customer or required by applicable law.

3.5 Data Protection Impact Assessments

Taking into account the nature of processing and the information available to Subduxion, Subduxion shall provide reasonable assistance to the Customer in ensuring compliance with the Customer's obligations under Articles 35 and 36 GDPR (data protection impact assessments and prior consultation with supervisory authorities). Subduxion may charge a reasonable fee for such assistance to the extent it exceeds standard support.

3.6 Data Breach Notification

Subduxion shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach (as defined in Article 4(12) GDPR) affecting Customer Data (a "Data Incident"). Such notification shall include, to the extent available:

  • A description of the nature of the Data Incident, including the categories and approximate number of Data Subjects and records concerned.
  • The name and contact details of the point of contact at Subduxion.
  • A description of the likely consequences of the Data Incident.
  • A description of the measures taken or proposed to address the Data Incident, including measures to mitigate its possible adverse effects.

Subduxion shall cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of the Data Incident. Subduxion's obligation to report or respond to a Data Incident shall not be construed as an acknowledgement of fault or liability.

4. Sub-processors

4.1 General Authorisation

The Customer provides general written authorisation for Subduxion to engage Sub-processors for the processing of Customer Data, subject to the requirements of this Section 4. A current list of Sub-processors is available upon request at privacy@subduxion.com and will be maintained at a URL communicated to the Customer.

4.2 Sub-processor Obligations

Subduxion shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA; and (b) remain fully liable to the Customer for the performance of each Sub-processor's obligations (Article 28(4) GDPR).

4.3 Changes to Sub-processors

Subduxion shall notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor. The Customer may object to a new Sub-processor on reasonable grounds related to data protection by notifying Subduxion in writing within 14 days of receiving such notice. If the Customer objects and Subduxion cannot reasonably accommodate the objection, either party may terminate the affected Services upon 30 days' written notice.

4.4 Current Sub-processors

The following categories of Sub-processors are engaged as of the effective date of this DPA:

Category | Purpose | Location
Cloud Infrastructure | Hosting, compute, and storage | EU / US
Database Services | Data storage and retrieval | EU / US
AI Model Providers | Natural language processing, embeddings | EU / US
Email Delivery | Transactional and outreach email delivery | EU / US
Payment Processing | Subscription billing and invoicing | EU / US
Analytics | Product usage analytics (anonymised) | EU / US

5. International Data Transfers

5.1 Data Location

All Customer Data is stored and processed within the European Economic Area (EEA). Subduxion's primary database, file storage, and application servers are located in data centres within the EU. Subduxion does not transfer Customer Data to countries outside the EEA for storage or processing purposes.

5.2 Limited Infrastructure Processing

Certain sub-processors may process technical metadata (such as IP addresses, error tracking data, and routing information) outside the EEA for edge routing, error monitoring, and performance optimisation. These sub-processors are certified under the EU-US Data Privacy Framework (DPF) pursuant to Commission Implementing Decision (EU) 2023/1795. No Customer Data, personal content, or business data is processed through these services.

5.3 Safeguards

To the extent that any sub-processor processes technical metadata outside the EEA, Subduxion ensures that such processing is subject to appropriate safeguards, including: (a) Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914; and (b) supplementary technical, contractual, and organisational measures in accordance with EDPB Recommendations 01/2020, including encryption in transit, data minimisation, and access controls.

6. Audit Rights

6.1 Audit

Subduxion shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (Article 28(3)(h) GDPR), subject to the following:

  • Audits shall be conducted no more than once per 12-month period, unless a Data Incident has occurred or a supervisory authority requires an additional audit.
  • The Customer shall provide at least 30 days' prior written notice of any audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Subduxion's operations.
  • The Customer's auditor shall be bound by confidentiality obligations no less protective than those in the Agreement.
  • Subduxion may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or completed industry-standard questionnaires (e.g., SIG, CAIQ), to the extent these adequately address the Customer's audit objectives.

6.2 Costs

Each party shall bear its own costs in connection with audits. However, if an audit reveals a material breach of this DPA, Subduxion shall bear the reasonable costs of the audit.

7. Data Return and Deletion

7.1 Return

Upon termination or expiry of the Agreement, Subduxion shall, at the Customer's election, return all Customer Data in a structured, commonly used, and machine-readable format, or securely delete all copies of Customer Data in its possession or control, including from backup systems, within 90 days of termination. The Customer may request data export at any time during the 30-day period following termination.

7.2 Retention Exceptions

Subduxion may retain Customer Data to the extent and for the period required by applicable law (including Dutch fiscal retention obligations), regulation, or court order. In such cases, Subduxion shall: (a) limit processing to the purposes required by law; (b) maintain the confidentiality and security of the retained data; and (c) delete the data upon expiry of the applicable retention period.

7.3 Certification

Upon the Customer's request, Subduxion shall provide written certification that it has complied with the deletion obligations of this Section 7.

8. CCPA Compliance

To the extent that Subduxion processes Customer Data that is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), Subduxion certifies that it:

  • Shall not sell or share (as those terms are defined in the CCPA) Customer Data.
  • Shall not retain, use, or disclose Customer Data for any purpose other than the business purposes specified in this DPA and the Agreement.
  • Shall not retain, use, or disclose Customer Data outside of the direct business relationship with the Customer.
  • Shall not combine Customer Data received from the Customer with Personal Data received from other sources, except as permitted by the CCPA for the business purposes described in this DPA.

9. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement, except that this DPA shall not limit either party's liability for breaches of Data Protection Law to the extent that such limitation would be prohibited by mandatory law. Nothing in this DPA shall limit a Data Subject's rights under Data Protection Law, including the right to claim compensation under Article 82 GDPR.

10. Definitions

Capitalised terms not defined in this DPA have the meanings given to them in the Agreement. In addition:

  • "Customer Data" means Personal Data that the Customer uploads, submits, or otherwise makes available through the Services.
  • "Data Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.
  • "Data Protection Law" means all applicable data protection and privacy legislation, including GDPR, UAVG, UK GDPR, ePrivacy Directive, CCPA, and any applicable national implementing legislation.
  • "EEA" means the European Economic Area (EU Member States plus Iceland, Liechtenstein, and Norway).
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.
  • "Sub-processor" means any third party engaged by Subduxion to process Customer Data on behalf of the Customer.
  • "Supervisory Authority" means the independent public authority responsible for monitoring the application of Data Protection Law, including the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
  • "UK GDPR" means the GDPR as retained in United Kingdom law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

11. Contact

For any questions or requests relating to this DPA, please contact:

Subduxion B.V.
Attn: Data Protection
High Tech Campus 5
5656 AE Eindhoven
The Netherlands
Email: privacy@subduxion.com
