Data Processing Agreement

Last updated: August 26, 2025

INTRODUCTION

This Data Processing Agreement (“Agreement” or “DPA”) is entered into on the date of acceptance (“Effective Date”) by and between:

LeadCheck LLC – a limited liability company incorporated in Wyoming, with offices at 3050 Biscayne Blvd Ste 202, Miami, FL 33137, USA (“LeadCheck,” “Processor,” “Provider,” “we,” or “us”),

and

Customer – the entity or individual using the LeadCheck Services, whose details are provided during account registration (“Controller” or “you”).

The Controller and the Processor are collectively referred to as the “Parties,” and individually as a “Party.”

This Agreement forms part of the Terms & Conditions of Use governing Customer’s use of the LeadCheck Services. In the event of a conflict between this DPA and the Terms, this DPA shall control with respect to the processing of personal data.

DEFINITIONS

  • “Data Controller” or “Controller” – the entity that determines the purposes and means of personal data processing.
  • “Data Processor” or “Processor” – the entity that processes personal data on behalf of the Controller.
  • “Personal Data” – any information relating to an identified or identifiable natural person, as defined under GDPR, CCPA, or other applicable data protection laws.
  • “Special Categories of Personal Data” – sensitive data including, but not limited to, government identifiers, financial account numbers, racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, genetic/biometric data, or sexual orientation.
  • “Services” – the hosted SaaS services provided by LeadCheck, including lead validation, compliance checks, API access, and related tools.
  • “Sub-processor” – any third party engaged by LeadCheck to assist in processing Personal Data.
  • “Applicable Law” – all data protection and privacy laws, including GDPR (EU Regulation 2016/679), CCPA/CPRA, and other relevant U.S. or international laws.

BACKGROUND OF DATA PROCESSING

  • This Agreement applies exclusively to Personal Data processed by LeadCheck on behalf of the Controller in connection with the Services.
  • Pursuant to Article 28(3) of the GDPR, and other applicable laws, the Controller engages LeadCheck to process Personal Data, and LeadCheck accepts such processing subject to the terms herein.
  • Both Parties remain responsible for ensuring compliance with applicable data protection laws. Nothing in this Agreement relieves either Party of its direct obligations under the GDPR, CCPA/CPRA, or other laws.

NATURE AND PURPOSE OF PROCESSING

The Processor processes Personal Data solely for the following purposes:

  • Providing the Services under the Terms of Service.
  • Validating and verifying lead data provided by the Controller.
  • Ensuring compliance with applicable telemarketing, email, and privacy laws (e.g., TCPA, CAN-SPAM, GDPR, CCPA/CPRA).
  • Providing technical support, account management, and security monitoring.
  • Maintaining backup, disaster recovery, and fraud prevention measures.

Processing activities may include collection, storage, transmission, validation, deduplication, encryption, reporting, and deletion of Personal Data.

TYPES OF PERSONAL DATA & DATA SUBJECTS

Categories of Data Subjects may include:

  • Contacts in Controller’s uploaded lead lists.
  • Business representatives whose data is subject to compliance checks.
  • Controller’s authorized users and employees (account-level data).

Categories of Personal Data may include:

  • Contact data (name, phone number, email address, postal address).
  • Metadata (IP address, device identifiers, geolocation).
  • Business and company data submitted by the Controller.
  • Lead verification results.

The Controller agrees not to upload Special Categories of Personal Data unless expressly permitted in writing by LeadCheck.

DURATION OF PROCESSING

Processing shall continue for the duration of the Services under the Terms of Service, unless otherwise required by law. Upon termination, Personal Data shall be deleted or returned as described below.

OBLIGATIONS OF THE PROCESSOR

  1. Process Personal Data only on documented instructions from the Controller.
  2. Maintain confidentiality and restrict access to authorized personnel only.
  3. Implement appropriate technical and organizational security measures consistent with Article 32 GDPR and industry standards (encryption, firewalls, secure servers).
  4. Notify the Controller of any Personal Data breach without undue delay (within 72 hours where feasible).
  5. Assist the Controller in responding to data subject rights requests (access, correction, deletion, portability).
  6. Make available records necessary to demonstrate compliance and allow audits (subject to reasonable notice and costs).
  7. Return or delete Personal Data at the end of the engagement, unless retention is required by law.

OBLIGATIONS OF THE CONTROLLER

  1. Ensure all Personal Data provided to LeadCheck has a lawful basis for processing.
  2. Inform data subjects of processing activities, including disclosures to LeadCheck.
  3. Not upload unlawful or unauthorized data to the Services.
  4. Retain responsibility for compliance with all applicable laws regarding data subject rights.
  5. Provide written instructions for any processing beyond the default Service scope.

USE OF SUB-PROCESSORS

The Controller authorizes LeadCheck to engage Sub-processors for hosting, storage, analytics, customer support, and payment processing.

  • AWS/Google Cloud – hosting and storage
  • Stripe/PayPal – payments
  • Zendesk – customer support
  • Google Analytics – performance monitoring

LeadCheck will ensure Sub-processors are bound by written agreements providing at least the same level of protection as this DPA.

INTERNATIONAL TRANSFERS

Where Personal Data is transferred outside the EEA/UK/Switzerland, LeadCheck will ensure such transfers are lawful under GDPR, including reliance on: Data Privacy Framework certification; Standard Contractual Clauses (SCCs); or other recognized safeguards.

DATA BREACH NOTIFICATION

  1. Notify the Controller promptly (no later than 72 hours after discovery).
  2. Provide details of the breach, including scope, cause, and mitigation steps.
  3. Cooperate fully to support any required notifications to supervisory authorities or data subjects.

RETURN OR DELETION OF DATA

  • The Controller may request deletion or return of all Personal Data.
  • LeadCheck shall delete all data within 30 days unless legal obligations require longer retention.
  • Backup copies may persist for an additional 5 days before automatic overwrite.

SECURITY MEASURES

  • TLS encryption in transit and AES-256 encryption at rest.
  • Access controls and role-based authentication.
  • Regular penetration testing and vulnerability scans.
  • Logging and monitoring of system activity.
  • Employee confidentiality agreements and security training.

LIABILITY & INDEMNIFICATION

  • The Controller remains liable for ensuring the legality of data it submits.
  • LeadCheck shall not be liable for damages caused by Controller’s misuse of Personal Data or unlawful instructions.
  • Each Party shall indemnify the other against claims arising from its own failure to comply with applicable data protection laws.

GENERAL TERMS

  1. This Agreement is effective upon acceptance and remains in effect for the duration of the Services.
  2. Either Party may terminate this DPA with one week’s written notice, provided the Terms of Service remain in force.
  3. Amendments must be in writing and signed by both Parties.
  4. This Agreement is governed by the laws of Florida, United States, and disputes shall be resolved by binding arbitration in Miami, Florida, unless otherwise required by GDPR.

LeadCheck LLC
3050 Biscayne Blvd Ste 202
Miami, FL 33137
Email: support@leadcheck.co
