Data Processing Addendum

Last updated: July 2026

This document is a general template provided for convenience. It is not legal advice and should be reviewed and adapted by qualified counsel for your jurisdiction before you rely on it.

This Data Processing Addendum (“DPA”) forms part of, and is governed by, the Terms of Service between LeadQuasar (“LeadQuasar”) and the customer (“Customer”). It applies where LeadQuasar processes personal data on the Customer’s behalf in connection with the Service and is subject to applicable data-protection law, including the GDPR and UK GDPR.

1. Definitions

  • Controller — the entity that determines the purposes and means of processing personal data. For personal data the Customer submits or manages through the Service (for example, its own outreach lists and account data), the Customer is the Controller.
  • Processor — the entity that processes personal data on behalf of the Controller. LeadQuasar acts as Processor for such data.
  • Sub-processor — a third party engaged by the Processor to process personal data on the Controller’s behalf.
  • Personal data, processing, and data subject have the meanings given in the GDPR.

2. Scope and roles

This DPA applies to LeadQuasar’s processing of Customer personal data as a Processor. Each party will comply with its obligations under applicable data-protection law. Where LeadQuasar determines the purposes and means of processing (for example, for the compilation of its own B2B database or for billing and security), LeadQuasar acts as an independent Controller and its Privacy Policy applies.

3. Processing details

  • Subject matter: provision of the Service.
  • Duration: the term of the Terms, plus any retention period described below.
  • Nature and purpose: hosting, storing, and processing Customer data to deliver lead management, list building, outreach, AI features, and export.
  • Types of data: business-contact details, account data, and usage data.
  • Data subjects: the Customer’s users and the business contacts the Customer processes through the Service.

LeadQuasar will process Customer personal data only on the Customer’s documented instructions, including as set out in the Terms and this DPA, unless required by law.

4. Sub-processors

The Customer authorizes LeadQuasar to engage sub-processors to support the Service. Current sub-processors include:

  • Stripe — payment processing.
  • Resend / SMTP email providers — email delivery.
  • OpenAI — AI features.
  • Vercel — hosting, analytics, and performance monitoring.
  • Database host — managed database infrastructure for stored data.

LeadQuasar imposes data-protection obligations on each sub-processor consistent with this DPA and remains responsible for their performance. We will give reasonable notice of any intended addition or replacement of a sub-processor so the Customer may object on reasonable data-protection grounds.

5. Security measures

LeadQuasar implements appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls and authentication, hashed credentials, network security, logging, and use of reputable infrastructure providers. These measures are designed to ensure a level of security appropriate to the risk.

6. Data subject requests

Taking into account the nature of the processing, LeadQuasar will provide reasonable assistance to enable the Customer to respond to requests from data subjects exercising their rights (access, correction, deletion, restriction, portability, or objection). Where LeadQuasar receives such a request directly, it will, where lawful, direct the data subject to the relevant Controller or to support@leadquasar.com.

7. Breach notification

LeadQuasar will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer personal data, and will provide information reasonably available to assist the Customer in meeting its own notification obligations.

8. International transfers

Where processing involves transferring personal data outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, which are incorporated by reference where applicable.

9. Audit

LeadQuasar will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an authorized auditor, subject to reasonable confidentiality, notice, and frequency limitations.

10. Deletion or return on termination

Upon termination of the Service and at the Customer’s choice, LeadQuasar will delete or return Customer personal data, and delete existing copies, unless retention is required by law. Certain records, such as suppression lists, may be retained to honor removal requests.

11. Contact

For any matter relating to this DPA, contact us at support@leadquasar.com or via our contact page.