Data Processing Agreement

Last updated: 2026-05-13

This Data Processing Agreement (“DPA”) forms part of the contract between the Customer (“Controller”) and SalesIQ (“Processor”) when the Customer uses SalesIQ Cloud to process personal data subject to GDPR, the Swiss FADP, or equivalent regulations. By using SalesIQ Cloud, the Customer accepts this DPA. A signed copy is available on request via the contact channel listed at the bottom of this page.

1. Definitions

Terms not defined here have the meaning given in Article 4 GDPR. “Personal Data” means data the Customer uploads or generates in SalesIQ Cloud that identifies a natural person (typically prospect contact data and CRM records).

2. Subject matter, duration, nature, and purpose

Subject matter: Provision of the SalesIQ Cloud B2B sales intelligence platform.
Duration: The term of the underlying subscription, plus the retention period defined in the Privacy Policy.
Nature and purpose:Hosting, processing, and storing the Controller's Personal Data; sending the Controller's outreach messages via the Controller's own connected email/LinkedIn accounts; AI-assisted message generation and prospect discovery.
Categories of data subjects:The Controller's prospects, leads, contacts, and team members.
Categories of Personal Data: contact details (name, email, phone, LinkedIn URL, job title), company information, notes and messages exchanged.

3. Processor obligations

The Processor will:

Process Personal Data only on documented instructions from the Controller.
Ensure persons authorized to process Personal Data are bound by confidentiality.
Implement appropriate technical and organizational measures (Annex II below) to protect Personal Data.
Assist the Controller in responding to data subject requests, breach notifications, and DPIAs.
Notify the Controller of a Personal Data breach without undue delay (within 72 hours of becoming aware).
Delete or return all Personal Data at the end of the contract, subject to legal retention requirements.
Make available to the Controller all information necessary to demonstrate compliance.

4. Sub-processors

The Controller authorizes the Processor to use the sub-processors listed in the Privacy Policy. The Processor will notify the Controller of any intended addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds.

5. International transfers

Some sub-processors are located outside the EEA / Switzerland. Where required, transfers are governed by the EU Standard Contractual Clauses (Module 2 or 3 as applicable) and the Swiss FADP equivalent. The Processor performs a transfer impact assessment for each non-adequacy country.

6. Audit rights

The Controller may audit compliance no more than once per year with 30 days' notice, during business hours, at the Controller's expense. The Processor may satisfy audit requests by providing a recent SOC 2 or equivalent report.

7. Liability

Each party's liability under this DPA is subject to the limitations set out in the underlying Terms of Service.

Annex I — Description of processing

As described in sections 2 and the Privacy Policy. The Controller determines the purposes for which Personal Data is uploaded; the Processor acts only on the Controller's configured instructions through the Software.

Annex II — Technical and organizational measures

Encryption: AES-256-GCM for OAuth tokens at rest; TLS 1.2+ for data in transit.
Access control: SSO + 2FA available for staff; least-privilege access to production systems.
Tenant isolation: Per-workspace logical isolation enforced at the database and application layer.
Backups: Daily encrypted backups, 30-day retention.
Vulnerability management: Automated dependency scanning (Dependabot), static code analysis (CodeQL), responsible disclosure program.
Monitoring: Error tracking with PII scrubbing; usage and audit logs.
Incident response: Documented procedure with 72-hour breach notification SLA.
Personnel: Background checks for staff with production access; annual security training.

Contact

SalesIQ — Canton of Vaud, Switzerland
DPA contact: info@salesiq.ch

Data Processing Agreement

Last updated: 2026-05-13

2. Subject matter, duration, nature, and purpose

Subject matter: Provision of the SalesIQ Cloud B2B sales intelligence platform.

Duration: The term of the underlying subscription, plus the retention period defined in the Privacy Policy.

Nature and purpose:Hosting, processing, and storing the Controller's Personal Data; sending the Controller's outreach messages via the Controller's own connected email/LinkedIn accounts; AI-assisted message generation and prospect discovery.

Categories of data subjects:The Controller's prospects, leads, contacts, and team members.

Categories of Personal Data: contact details (name, email, phone, LinkedIn URL, job title), company information, notes and messages exchanged.

3. Processor obligations

The Processor will:

Process Personal Data only on documented instructions from the Controller.

Ensure persons authorized to process Personal Data are bound by confidentiality.

Implement appropriate technical and organizational measures (Annex II below) to protect Personal Data.

Assist the Controller in responding to data subject requests, breach notifications, and DPIAs.

Notify the Controller of a Personal Data breach without undue delay (within 72 hours of becoming aware).

Delete or return all Personal Data at the end of the contract, subject to legal retention requirements.

Make available to the Controller all information necessary to demonstrate compliance.

Annex II — Technical and organizational measures

Encryption: AES-256-GCM for OAuth tokens at rest; TLS 1.2+ for data in transit.

Access control: SSO + 2FA available for staff; least-privilege access to production systems.

Tenant isolation: Per-workspace logical isolation enforced at the database and application layer.

Backups: Daily encrypted backups, 30-day retention.

Vulnerability management: Automated dependency scanning (Dependabot), static code analysis (CodeQL), responsible disclosure program.

Monitoring: Error tracking with PII scrubbing; usage and audit logs.

Incident response: Documented procedure with 72-hour breach notification SLA.

Personnel: Background checks for staff with production access; annual security training.