Data Processing Agreement (DPA)
GDPR Art. 28 · UK GDPR · KVKK Art. 12 Compliant | Effective Date: May 6, 2026 | Version: 1.0
IMPORTANT: This DPA is incorporated into and forms part of the Terms of Service. Electronic acceptance is valid and enforceable under the U.S. E-SIGN Act, EU eIDAS Regulation, GDPR Article 28(9), Turkish Code of Obligations Article 14, Turkish Electronic Commerce Law No. 6563, and KVKK Article 12.
1. Parties and Definitions
1.1. Parties
- Data Controller / Business ("Customer"): The User of the Platform that runs lead generation campaigns and collects personal data from End Users.
- Data Processor / Service Provider ("Leadder"): CZ Partners Reklam Teknoloji Eğitim Danışmanlık Ltd Şti, Mersis No: 0216154593500001, Tax ID: 2161545935, registered office at Esentepe Mah. Büyükdere Cad. Levent 199 No: 199 İç Kapı No: 6 Şişli/İstanbul, Türkiye.
1.2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person (GDPR Article 4(1), UK GDPR, KVKK Article 3(1)(d)).
- Customer Data: All Personal Data processed by Leadder on behalf of Customer through the Platform, including lead form responses, conversion event data, custom audience members, and end user identifiers.
- Processing: Any operation performed on Personal Data as defined under applicable laws.
- Personal Data Breach: Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Sub-processor: Any third party engaged by Leadder to Process Customer Data.
- Applicable Data Protection Laws: GDPR, UK GDPR, Data Protection Act 2018 (UK), CCPA/CPRA, Virginia CDPA, Colorado PA, Connecticut DPA, Texas DPSA, Utah CPA, KVKK (Türkiye Law No. 6698), and other applicable data protection laws.
- Standard Contractual Clauses (SCC): European Commission's SCCs (Decision 2021/914), Modules 2 and 3, supplemented by UK Addendum where applicable.
2. Subject Matter and Roles
2.1. Processing Relationship
- Customer is the Data Controller / Business — solely responsible for ensuring lawful collection, use, and disclosure.
- Leadder is the Data Processor / Service Provider — processes data only on Customer's documented instructions.
2.2. Scope of Processing
- Subject Matter: Personal Data processed in connection with advertising campaigns, lead collection, conversion tracking, and growth optimization.
- Duration: Term of Customer's use plus post-termination period set forth in Section 7.
- Nature and Purpose: Operations necessary to provide the Services — data retrieval, storage, organization, display, export, deletion.
- Categories of Data Subjects: (i) End Users who respond to advertisements (leads); (ii) website/app visitors who trigger conversion events; (iii) members of custom or lookalike audiences.
- Categories of Personal Data: Names, email addresses, phone numbers, postal addresses, IP addresses, device identifiers, hashed identifiers (SHA-256), conversion event data, and other lead form fields.
- Sensitive / Special Category Data: Leadder does not invite Customer to process sensitive data. Customer agrees not to upload such data.
3. Customer Obligations
As Data Controller / Business, Customer agrees to:
- Maintain a valid lawful basis for collecting Personal Data from End Users
- Provide End Users with required notices under GDPR Arts. 13–14, CCPA, and KVKK Art. 10
- Comply with marketing consent laws (TCPA, CAN-SPAM, CASL, PECR/ePrivacy, İYS, etc.)
- Publish and maintain a current privacy policy
- Register with applicable data protection authorities (e.g., VERBİS in Türkiye)
- Respond to Data Subject rights requests in a timely manner
- Notify supervisory authorities and Data Subjects of breaches as required
- Ensure all instructions to Leadder are lawful
Customer is solely liable for administrative fines, lawsuits, damages, or third-party claims arising from breach of these obligations.
4. Leadder's Obligations as Processor
4.1. Compliance with Instructions
Leadder processes Customer Data only on Customer's documented instructions. Leadder will not process Customer Data for its own commercial purposes and will not sell Customer Data.
4.2. Confidentiality
All personnel authorized to Process Customer Data are subject to written confidentiality obligations. Obligations survive termination.
4.3. Security Measures
Appropriate technical and organizational measures per GDPR Article 32, UK GDPR, and KVKK Article 12:
- TLS 1.2+ encryption for data in transit (HTTPS)
- AES-256 encryption for data at rest
- SHA-256 hashing for sensitive identifiers (phone, email)
- Bcrypt/Argon2 password hashing
- Vault/KMS encryption for OAuth tokens
- RBAC and principle of least privilege
- MFA capability
- Regular backups and disaster recovery
- Penetration testing and vulnerability scans
- Access and change logs with anomaly detection
4.4. Assistance with Data Subject Requests
If a Data Subject contacts Leadder directly, Leadder will refer them to Customer. Technical assistance provided within 30 days for fulfillment of rights requests.
4.5. Assistance with DPIAs
Reasonable assistance for Data Protection Impact Assessments under GDPR Article 35.
4.6. Personal Data Breach Notification
Upon becoming aware of a breach:
- Notify Customer without undue delay, and in any event within 24 hours
- Provide all information required under GDPR Article 33(3)
- Provide reasonable assistance in notifying supervisory authorities and Data Subjects
- Investigate, contain, and implement corrective measures
Customer is solely responsible for notifying its own supervisory authorities and affected Data Subjects.
4.7. Audit Rights
- SOC 2 Type II or ISO 27001 audit reports made available annually once obtained; until such reports are available, an internal security attestation is provided upon request.
- With at least 30 days' prior written notice, one on-site audit per year by an independent auditor.
- Audit costs borne by Customer; if a material breach is identified, Leadder bears costs.
5. Sub-Processors
5.1. General Authorization
Customer hereby grants Leadder general authorization to engage Sub-processors. The current list is published at leadder.co/sub-processors.
5.2. New Sub-processors
At least 30 days' notice before adding or replacing a Sub-processor. Customer may object on reasonable, data protection-based grounds; if no resolution, Customer may terminate the affected Service.
5.3. Leadder's Liability for Sub-processors
Written agreements with each Sub-processor imposing equivalent data protection obligations. Leadder remains responsible for Sub-processors' acts and omissions.
6. International Data Transfers
6.1. Transfer Mechanisms
- EU/EEA: EU Standard Contractual Clauses (Decision 2021/914), Modules 2 and 3. For transfers to the U.S., EU-U.S. Data Privacy Framework (DPF) for DPF-certified recipients.
- UK: EU SCCs supplemented by the UK Addendum issued by the Information Commissioner's Office, or the UK International Data Transfer Agreement (IDTA).
- Türkiye: Standard Contracts issued by the Turkish Personal Data Protection Authority under KVKK Article 9 (as amended), signed and notified to the Authority within 5 business days of execution.
- Other Jurisdictions: Transfer mechanisms appropriate under applicable local laws.
6.2. Transfer Impact Assessment
Conducted for transfers to the United States and other third countries pursuant to the Schrems II ruling. Supplementary measures include encryption, hashing, and access controls.
7. Return and Deletion of Data
Upon termination, at Customer's election:
- Return all Customer Data in structured, machine-readable format (CSV/JSON), or
- Delete or anonymize all Customer Data within 30 days
If Customer makes no election, Customer Data is deleted automatically 30 days after termination. Backup copies are deleted on the next backup rotation cycle (no later than 90 days).
Legal retention exceptions: Tax records (VUK, 10 years), traffic logs (Türkiye Law No. 5651, 2 years), statute of limitations (TBK Art. 146, 10 years). Data retained under these exceptions is kept in access-restricted storage and is not used for any other purpose.
8. Liability
Subject to the Terms of Service Section 9 liability cap (the greater of fees paid in the prior 12 months or USD 100). The limitation does NOT apply to: gross negligence or willful misconduct; indemnification obligations; statutory consumer protection rights.
9. Indemnification
Customer agrees to indemnify and hold Leadder harmless from administrative fines, regulatory penalties, Data Subject damages, third-party lawsuits, court costs, and attorneys' fees arising from Customer's: failure to comply with notice obligations; failure to obtain valid consent; violations of marketing consent laws; failure to respond to Data Subject rights requests; use of collected data outside declared purposes.
10. Conflict of Terms
In case of conflict between this DPA and the Terms of Service regarding Processing of Personal Data, this DPA prevails. In case of conflict between this DPA and the EU SCCs or UK Addendum, the SCCs/UK Addendum prevail.
11. Term and Termination
Remains in effect for the term of the Terms of Service. The following Sections survive: Section 4.2 (Confidentiality), Section 7 (Return and Deletion of Data), Section 8 (Liability), Section 9 (Indemnification), Section 13 (Governing Law).
12. Amendments
Material changes communicated at least 30 days in advance; continued use constitutes acceptance.
13. Governing Law and Jurisdiction
Governed by the laws of the Republic of Türkiye. Disputes before Istanbul (Çağlayan) Courts and Enforcement Offices, except that Data Subjects retain the right to bring proceedings in their local courts under GDPR Article 79.
14. Acceptance
Accepted electronically at signup. Enterprise customers may request a separately signed PDF version via DocuSign or equivalent.
Annex A — Technical and Organizational Measures
A.1. Access Control: RBAC; principle of least privilege; MFA mandatory for administrator accounts; access for departing employees revoked within 24 hours.
A.2. Encryption and Hashing: In transit: TLS 1.2+ (HTTPS); At rest: AES-256; Field-level: SHA-256 hashing of sensitive identifiers (phone, email). Hashing is one-way pseudonymization, not encryption; because such identifiers have low entropy, the hashed values remain Personal Data (see Section 2.2) and are protected as such. Passwords: bcrypt or argon2 (salted, slow hashes); OAuth tokens: encrypted via vault/KMS.
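The following is an added illustration, not Leadder's code, of the two properties the hashed-identifier measure in A.2 depends on: identifiers must be normalized before hashing or the same person yields different hashes, and a SHA-256 of a phone number or e-mail can be recovered by hashing candidate values, which is why the DPA treats hashed identifiers as Personal Data. The normalization rule (trim and lowercase for e-mail, E.164-style digits for phone with a default country code of 90 for Türkiye) is an assumption for this example; the DPA does not specify one.

```python
import hashlib
import re


def normalize_email(email: str) -> str:
    """Trim whitespace and lowercase. Without this, 'Ada@Example.com '
    and 'ada@example.com' hash to different values and never match."""
    return email.strip().lower()


def normalize_phone(phone: str, default_country_code: str = "90") -> str:
    """Reduce a phone number to E.164-style digits with a leading '+'.
    Assumption for this example: unprefixed domestic numbers belong to
    the default country code ('90', Türkiye). A production system would
    use a full E.164 library; this covers only the common input forms."""
    stripped = phone.strip()
    digits = re.sub(r"\D", "", stripped)
    if stripped.startswith("+"):
        return "+" + digits
    if stripped.startswith("00"):            # international dialling prefix
        return "+" + digits[2:]
    if digits.startswith("0"):               # domestic trunk prefix, e.g. 0532...
        digits = digits[1:]
    return "+" + default_country_code + digits


def hash_identifier(value: str, kind: str) -> str:
    """SHA-256 (hex) of the normalized identifier; 'kind' is 'email' or 'phone'."""
    if kind == "email":
        normalized = normalize_email(value)
    elif kind == "phone":
        normalized = normalize_phone(value)
    else:
        raise ValueError(f"unknown identifier kind: {kind}")
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def dictionary_reverse(target_hash: str, candidates, kind: str):
    """Recover the plaintext behind a hash by hashing each candidate value.
    A national mobile number space is on the order of 10^9 to 10^10 values,
    so an exhaustive dictionary is feasible: the hash is pseudonymous, not
    anonymous, and stays Personal Data."""
    for candidate in candidates:
        if hash_identifier(candidate, kind) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values; not real users.
    assert hash_identifier("  Ada@Example.COM ", "email") == hash_identifier("ada@example.com", "email")
    assert normalize_phone("0532 123 45 67") == normalize_phone("+90 532 123 45 67")

    target = hash_identifier("0532 123 45 67", "phone")
    # Constructed candidate block: the last four digits of a known prefix.
    candidates = (f"+90532123{n:04d}" for n in range(10_000))
    print("recovered:", dictionary_reverse(target, candidates, "phone"))
```

The reversal loop runs over a deliberately small constructed block of 10,000 numbers; the point scales to whole number ranges, which is why hashed identifiers are listed under Categories of Personal Data in Section 2.2 and why the at-rest encryption and access controls in A.1 and A.2 still apply to them.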
A.3. Network Security: Vercel + Cloudflare DDoS protection; Web Application Firewall (WAF); Rate limiting and bot protection.
A.4. Monitoring and Logging: All access and changes logged; anomaly detection and alerting; Sentry error tracking; logs retained minimum 12 months.
A.5. Backup and Disaster Recovery: Daily automated backups (Supabase Point-in-Time Recovery); RTO: 4 hours; RPO: 24 hours; Backups encrypted at rest.
A.6. Personnel Security: Written confidentiality agreements with all employees; onboarding and recurring security training; annual data protection training.
A.7. Incident Response: Documented breach response plan; 24-hour notification commitment to Customers; root cause analysis and corrective measures.
A.8. Sub-processor Management: GDPR-compliant DPAs with all Sub-processors; annual reviews.
A.9. Physical Security: Data centers (Supabase, Vercel) SOC 2 / ISO 27001 certified.
A.10. Regular Testing: Annual penetration testing; continuous vulnerability scanning (Snyk, Dependabot); annual DPIAs for high-risk processing.
Annex B — List of Sub-Processors
Current list published at leadder.co/sub-processors.
Leadder will notify Customer at least 30 days before adding or replacing a Sub-processor (DPA Section 5.2).