Data Processing Agreement (DPA — GDPR Art. 28)
Last updated: 30 May 2026
This Data Processing Agreement (the "DPA") governs the processing by [DENOMINATION] ("CloseHunt") of personal data on behalf of its business customer (the "Customer") in connection with the use of the CloseHunt platform, in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR"). For the prospect and contact data that the Customer uploads, targets, or instructs CloseHunt to engage through the platform, the Customer acts as the DATA CONTROLLER and CloseHunt acts as the PROCESSOR processing solely on documented instructions. This DPA supplements and forms an integral part of CloseHunt's Terms of Use (CGU) and Terms of Sale (CGV); it incorporates the Acceptable Use Policy (AUP). In the event of conflict regarding the protection of personal data, this DPA prevails.
1. Subject-matter, definitions and contractual interplay
The purpose of this DPA is to set out the conditions under which CloseHunt processes personal data, as processor, on behalf of the Customer, the controller, in connection with the provision of the CloseHunt platform services (the "Services"). It implements the requirements of Article 28(3) of the GDPR.
The terms "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach", "supervisory authority" and "documented instructions" have the meanings given to them in the GDPR. "Prospect Data" means the personal data described in Annex 1, processed by CloseHunt on behalf of the Customer. "Account Data" means data relating to the Customer's account, billing, authentication, usage and security of the Customer's users, for which CloseHunt acts as a separate controller (see section 3).
This DPA supplements and is incorporated into the Terms of Use (CGU) and the Terms of Sale (CGV). The Acceptable Use Policy (AUP) is incorporated by reference and operationalises the lawfulness obligations borne by the Customer in its capacity as controller. In the event of a conflict relating to the processing of personal data on behalf of the Customer, this DPA prevails over the CGU and the CGV; for any other matter, the order of priority set out in the CGV applies. This DPA is governed by French law; any dispute falls within the jurisdiction of the Commercial Court (Tribunal de commerce) of [VILLE_SIEGE], the parties being business professionals (jurisdiction-attribution clause).
2. Duration and nature & purpose of processing
This DPA takes effect on the date the Customer accepts the CGU/CGV and remains in force for the entire duration of the provision of the Services involving the processing of Prospect Data, and thereafter until the return or deletion of the data in accordance with section 13.
The nature and purpose of the processing are multichannel outbound sales prospecting and automated replies to inbound messages, performed autonomously by artificial-intelligence agents configured by the Customer, across eight channels (email, LinkedIn, WhatsApp, Telegram, Instagram, Messenger, SMS and voice calls), on behalf of and in accordance with the Customer's instructions. CloseHunt provides configuration and automation tooling: it does not select recipients, does not define the Customer's commercial strategy, and does not determine the purposes or essential means of the outreach. The detailed processing operations are set out in Annex 1, which forms an integral part of this DPA.
CloseHunt does not use Prospect Data for any purpose of its own. In particular, CloseHunt does not reuse Prospect Data to train its models, does not resell it, and does not exploit it across customers (no cross-tenant use). Any reuse for its own purposes would make CloseHunt a controller for that operation, which this DPA expressly prohibits.
3. Roles of the parties
For the Prospect Data described in Annex 1, the Customer is the CONTROLLER within the meaning of Article 4(7) of the GDPR: it decides whom to contact, through which channels, with what message, at what frequency and on what legal basis; it bears the legitimate-interest assessment (LIA) where it relies on that basis, the information of data subjects (Article 14 of the GDPR), the substantive lawfulness of the outreach under the GDPR, the ePrivacy Directive and channel-platform rules, as well as primary responsibility for responding to data-subject requests and for notifying any breach to its supervisory authority.
For that same Prospect Data, CloseHunt is the PROCESSOR within the meaning of Article 4(8) of the GDPR: it acts solely on the Customer's documented instructions (section 4), implements the security measures (section 6), manages sub-processors (section 7), assists the Customer (sections 9 and 10) without substituting itself for the Customer, and returns or deletes the data at the end of the contract (section 13).
For Account Data, CloseHunt acts as a separate and independent controller, governed by its Privacy Policy and not by this DPA. The Customer may not claim any control over Account Data under this DPA. The aggregated and anonymised analytics produced by CloseHunt for the improvement and security of the Services, which do not allow re-identification of a data subject, do not constitute Prospect Data.
Where the Customer is established outside the European Union but targets individuals located in the Union, it remains a controller subject to the GDPR; it is responsible for appointing, where applicable, a representative within the meaning of Article 27 of the GDPR and a data protection officer within the meaning of Article 37. CloseHunt does not assume any of these functions on the Customer's behalf.
4. Processing on documented instructions and duty to alert
CloseHunt processes Prospect Data only on the basis of the Customer's documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which CloseHunt is subject; in such a case, CloseHunt informs the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The following constitute the entirety of the Customer's documented instructions within the meaning of Article 28(3)(a) of the GDPR: (i) this DPA and the CGU/CGV; (ii) the Customer's configuration of the platform (agents, sequences, segments, channels, sending and reply rules); and (iii) the actions performed by the Customer or its users within the platform. Any additional instruction must be agreed in writing and may give rise to charges if it exceeds the standard features.
In accordance with the final paragraph of Article 28(3) of the GDPR, CloseHunt immediately informs the Customer if, in its opinion, an instruction infringes the GDPR or other Union or national data-protection provisions. CloseHunt may suspend the execution of the relevant instruction until it is confirmed, amended or withdrawn by the Customer, without this constituting a breach. This right to alert does not impose on CloseHunt any obligation to provide legal advice or to verify the legal basis, the information of data subjects, or the lawfulness of the Customer's outreach, which remain the Customer's sole responsibility.
5. Confidentiality of personnel
CloseHunt ensures that persons authorised to process Prospect Data — employees, contractors and sub-processors — have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) of the GDPR.
CloseHunt restricts access to Prospect Data to those persons who need access for the performance of the Services (need-to-know and least-privilege principles). Confidentiality commitments survive the termination of those persons' duties or contract. CloseHunt ensures that such persons are made aware of their data-protection obligations.
6. Security measures (Art. 32)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of individuals, CloseHunt implements the appropriate technical and organisational measures required by Article 32 of the GDPR and described in Annex 1. These measures are deemed to constitute the security measures agreed between the parties.
CloseHunt may update its technical and organisational measures, provided that the level of protection of Prospect Data is not materially reduced. The Customer acknowledges that it is responsible for assessing whether these measures are appropriate to the risks specific to its processing, and for enabling and keeping enabled the protection features made available to it (in particular opt-out/STOP handling, suppression lists, and consent and opt-out logging).
- Encryption of personal data in transit (TLS) and at rest;
- Hosting and primary storage within the European Union (see Annex 1 and section 8);
- Role-based access control, strong authentication and least-privilege principle;
- Logical segregation of data between customers (multi-tenant isolation);
- Encrypted storage of Customer-supplied enrichment API keys and channel connection secrets;
- Logging, traceability and monitoring of accesses and operations;
- Backups and restoration procedures enabling the availability and access to data to be restored;
- Vulnerability management and regular testing of the effectiveness of the measures.
7. Sub-processing
The Customer grants general written authorisation for CloseHunt to engage sub-processors for the performance of the Services, in accordance with Article 28(2) and (4) of the GDPR. The list of categories of sub-processors currently engaged is set out in Annex 2; CloseHunt maintains an up-to-date version which it makes available to the Customer.
CloseHunt informs the Customer prior to any addition or replacement of a sub-processor, on reasonable notice (in principle thirty (30) days), by email and/or notification within the platform. The Customer may object to a change on reasonable and documented data-protection grounds, within the notice period. The parties shall use good-faith efforts to resolve the objection; failing a solution, the Customer may, as its sole and exclusive remedy, terminate without penalty the Service affected by the change.
CloseHunt imposes on each sub-processor, by contract, data-protection obligations substantially equivalent to those of this DPA (flow-down), in particular sufficient guarantees as to the implementation of appropriate technical and organisational measures. CloseHunt remains fully liable to the Customer for the performance by its sub-processors of their data-protection obligations.
Third-party enrichment providers configured by the Customer using its own API keys ("bring-your-own-key") are engaged on the Customer's account and on the Customer's instruction: they do not constitute CloseHunt sub-processors and fall under a contractual arrangement specific to the Customer. With respect to such providers, CloseHunt acts merely as a technical conduit routing data according to the Customer's configuration.
8. International transfers
Prospect Data is hosted and primarily stored within the European Union (cloud hosting / infrastructure — Scaleway SAS, France/EU). Where a sub-processor processes Prospect Data outside the European Economic Area — in particular for AI inference — such transfer is carried out on the basis, in order of priority, of: (i) a European Commission adequacy decision, including the EU-US Data Privacy Framework for certified importers; (ii) failing that, the standard contractual clauses adopted by Implementing Decision (EU) 2021/914, deemed incorporated by reference and pre-armed (Module 2, controller-to-processor where CloseHunt processes outside the EEA, and Module 3, processor-to-sub-processor), together with a Transfer Impact Assessment under Clause 14; (iii) exceptionally, a derogation provided for in Article 49 of the GDPR.
The parties agree that the standard contractual clauses apply automatically, without further formality, in the event of the expiry, withdrawal or invalidation of a certification under the data-protection framework or of an adequacy decision, their annexes then being completed by reference to Annexes 1 and 2 of this DPA. The Customer acts as data exporter and CloseHunt as importer or onward exporter depending on the flow concerned.
For data flows originating in the United Kingdom, the UK International Data Transfer Addendum (UK IDTA Addendum) is added to the standard contractual clauses; for data flows originating in Switzerland, the clauses are read in accordance with Swiss law (the FDPIC being the competent authority, references to the GDPR being understood as references to the revised Swiss Data Protection Act). These addenda apply only where the relevant transfer tool is relied upon.
9. Assistance with data-subject rights
In accordance with Article 28(3)(e) of the GDPR, CloseHunt assists the Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling its obligation to respond to requests for the exercise of data-subject rights (access, rectification, erasure, restriction, portability, objection — including the absolute right to object to direct marketing under Article 21(2) of the GDPR).
To that end, CloseHunt makes self-service features available to the Customer: data export (DSAR), rectification and erasure, implementation and enforcement of suppression lists, management and enforcement of opt-outs and STOP keywords, and logging of consents, opt-outs and events. A public opt-out page is available at https://closehunt.io/opt-out.
If a data subject addresses a request relating to Prospect Data directly to CloseHunt, CloseHunt forwards it to the Customer without undue delay and does not respond on its own initiative, save on the Customer's instruction or a legal obligation. The Customer remains solely responsible for the legal assessment of and the substantive response to each request. Assistance exceeding the standard features of the platform may give rise to charges, taking into account the nature of the processing and the information available to CloseHunt.
10. Assistance with security, breaches, DPIAs and prior consultation (Arts. 32 to 36)
In accordance with Article 28(3)(f) of the GDPR, and taking into account the nature of the processing and the information available to it, CloseHunt assists the Customer in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, namely the security of processing, the notification of breaches, the communication of breaches to data subjects, the data protection impact assessment (DPIA) and prior consultation of the supervisory authority.
CloseHunt notifies the Customer of any personal data breach affecting Prospect Data without undue delay after becoming aware of it, so as to enable the Customer to comply, where applicable, with its obligation to notify the supervisory authority within the seventy-two (72) hour period provided for in Article 33 of the GDPR. CloseHunt's notification contains the information reasonably available at that time (nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or envisaged) and is supplemented as further information becomes available.
It is expressly agreed that the Customer, in its capacity as controller, is solely responsible for notifying the breach to its supervisory authority (Article 33) and, where applicable, for communicating it to the data subjects (Article 34). A breach notification by CloseHunt does not entail any admission of fault or liability on its part. Any assistance exceeding the standard features and information may give rise to charges.
11. Records, audits and inspections
CloseHunt maintains the record of processing activities carried out on behalf of the Customer required by Article 30(2) of the GDPR. In accordance with Article 28(3)(h) of the GDPR, CloseHunt makes available to the Customer all information necessary to demonstrate compliance with the obligations of this section and of the GDPR.
The Customer may exercise its audit right primarily through the review of documentation, the description of technical and organisational measures, and the independent audit reports or certifications available to CloseHunt. Where those elements are insufficient to demonstrate compliance, the Customer (or an auditor mandated by it, bound by confidentiality and not a competitor of CloseHunt) may carry out an on-site audit, under the following conditions: reasonable prior written notice of at least thirty (30) days; no more than once per twelve (12) month period (unless required by a supervisory authority or following a breach justifying an additional audit); during business hours; subject to a confidentiality agreement; without disrupting CloseHunt's operations or compromising the security or confidentiality of other customers' data; and at the Customer's cost.
CloseHunt contributes to audits and inspections conducted by the Customer or the mandated auditor, within the limits set out in this section. These arrangements aim to reconcile the effectiveness of the audit right with the security of the multi-tenant environment and the protection of the trade secrets of CloseHunt and of its other customers.
12. Liability and interplay with the CGU/CGV
Each party is liable, vis-à-vis data subjects and supervisory authorities, for compliance with the obligations imposed on it by the GDPR by reason of its role, in accordance with Article 82 of the GDPR. CloseHunt, in its capacity as processor, is liable only for breaches of the GDPR obligations specifically applicable to processors or for failing to comply with the Customer's lawful instructions.
The Customer warrants that it has, for each data subject, a valid legal basis under Article 6 of the GDPR (generally legitimate interest within the meaning of Article 6(1)(f), supported by a documented assessment for B2B prospecting, or consent where required), that it complies with all applicable rules on prospecting, electronic communications (ePrivacy) and the terms of the channel platforms, channel by channel and country by country, that it has the right to upload and target each contact, that it informs data subjects in accordance with Article 14 of the GDPR, and that it honours opt-outs. These warranties are detailed in the Acceptable Use Policy (AUP) and the CGV.
The Customer indemnifies CloseHunt against any third-party claim, action by a supervisory authority, fine, or data-subject claim arising from the Customer's collection or sourcing of data, its targeting decisions, the absence of a legal basis or consent, non-compliance with anti-spam rules or channel rules, or any instruction of the Customer. CloseHunt's liability is otherwise limited and capped under the conditions set out in the CGV. Where CloseHunt is required to compensate a data subject for damage originating in a decision falling within the Customer's responsibility as controller, CloseHunt has a right of recourse to recover from the Customer the corresponding share of liability (Article 82(5) of the GDPR). No provision of this DPA is intended or has the effect of excluding any liability that the GDPR renders non-excludable vis-à-vis data subjects.
13. Fate of the data at the end of the contract
At the end of the provision of the Services, at the Customer's choice, CloseHunt deletes or returns all Prospect Data and deletes existing copies, in accordance with Article 28(3)(g) of the GDPR, unless Union or Member State law requires storage. In the latter case, CloseHunt isolates and protects the retained data and carries out no other processing of it.
The Customer has a self-service export feature enabling it to retrieve its data before the cessation of the Services. CloseHunt carries out the return or deletion within thirty (30) days following the cessation of the Services or the Customer's request (subject to the technical timeframes for purging backups). Failing an instruction from the Customer upon the expiry of that period, CloseHunt proceeds with deletion by default.
Suppression and opt-out records (suppression lists, opt-out logs) may be retained beyond that period, in a minimised form, for the sole purpose of enabling the Customer and CloseHunt to honour data subjects' objections and to demonstrate compliance therewith. Upon request, CloseHunt provides the Customer with a certificate of deletion or return.
14. Contact, final provisions and governing law
For any question relating to data protection under this DPA, the Customer may contact CloseHunt at [email protected] and [email protected]. Legal questions may be addressed to [email protected] and support requests to [email protected].
This DPA is governed by French law and supplemented by Annexes 1 and 2, which form an integral part of it. Any dispute between the parties, who are business professionals, relating to the formation, interpretation or performance of this DPA falls within the exclusive jurisdiction of the Commercial Court (Tribunal de commerce) of [VILLE_SIEGE], in accordance with the jurisdiction-attribution clause set out in the CGV. CloseHunt is published by [DENOMINATION], a [FORME_SOCIALE] with share capital of [CAPITAL_SOCIAL], whose registered office is located at [ADRESSE_SIEGE], registered with the Trade and Companies Register (RCS) of [RCS_VILLE] under number [SIREN], intra-EU VAT [TVA_INTRA], publication director [DIRECTEUR_PUBLICATION]. The host is Scaleway SAS, 8 rue de la Ville l'Évêque, 75008 Paris, France.
Annex 1 — Description of processing and security measures
This Annex contains the descriptive particulars required by Article 28(3) of the GDPR and the description of the technical and organisational measures referred to in section 6.
- Subject-matter of the processing: performance of the automated sales prospecting and inbound-reply Services provided by CloseHunt to the Customer.
- Nature and purpose: multichannel outbound sales prospecting and automated replies to inbound messages, performed by AI agents configured by the Customer, on behalf of the Customer, across eight channels (email, LinkedIn, WhatsApp, Telegram, Instagram, Messenger, SMS, voice calls).
- Duration of the processing: the duration of the provision of the Services involving the processing of Prospect Data, and thereafter until return or deletion in accordance with section 13.
- Categories of data subjects: business prospects, leads and contacts targeted by the Customer and persons replying to the messages ("repliers").
- Types of personal data: business identifiers and contact details (first name, last name, business email address, phone number, social-messaging handles and accounts), role and company, enrichment attributes, content of sent messages and received replies, opt-out/consent status and associated logs.
- Excluded data: no special-category data within the meaning of Article 9 of the GDPR, no data relating to criminal convictions or offences, and no data of minors may be processed; their uploading and targeting are prohibited by the AUP.
- Security measures (Art. 32): encryption in transit and at rest; hosting and primary storage within the European Union; role-based access control and least privilege; logical isolation between customers; encrypted storage of enrichment keys and channel secrets; logging and monitoring; backups and restoration; vulnerability management and regular testing.
- Obligations and rights of the controller: as set out in this DPA, in particular in sections 3, 4, 6, 12 and 13.
Annex 2 — Categories of sub-processors
CloseHunt engages the following categories of sub-processors for the processing of Prospect Data, under the Customer's general authorisation (section 7). CloseHunt maintains an up-to-date list of the corresponding entities and informs the Customer prior to any change, in accordance with section 7.
- Cloud hosting / infrastructure (Scaleway SAS, France/EU) — hosting and storage of data;
- AI inference (OpenAI, Anthropic) — generation and processing of messages by the AI agents;
- Payment (Stripe) — processing of payments and billing (relates primarily to Account Data);
- Email deliverability infrastructure — routing and deliverability of email messages;
- Social and instant-messaging infrastructure — routing of messages on social and instant-messaging channels;
- SMS gateway — routing of SMS messages;
- Voice-call infrastructure — routing and processing of voice calls.
- For the record, third-party enrichment providers configured by the Customer (keys supplied by the Customer) are not CloseHunt sub-processors but fall under an arrangement specific to the Customer (section 7).