Data Processing Agreement
Last updated: June 9, 2026
Document version: 1.1 · Effective: June 10, 2026
Prospectr Marketing Inc (DBA Prospectr Digital), a Minnesota corporation founded in 2006. Address: 3508 W 22nd St, Minneapolis, MN 55416, USA. Phone: (612) 293-0179. Email: info@prospectrdigital.com.
This Data Processing Agreement (this “DPA”) forms part of the Master Subscription Agreement, Order Form, Terms of Service, or other agreement (the “Principal Agreement”) between Prospectr Marketing Inc (DBA Prospectr Digital), a Minnesota corporation (“Processor,” “Prospectr”), and the Customer identified in the Principal Agreement (“Controller,” “Customer”), where Prospectr processes Personal Data on Customer’s behalf in connection with the Services.
If there is a conflict between this DPA and the Principal Agreement, this DPA controls only as to the processing of Personal Data.
1. Definitions
- Customer Personal Data — Personal Data Customer entrusts to Prospectr through the Services, including Inputs and Outputs to the extent they contain Personal Data.
- Data Protection Laws — including GDPR, UK GDPR, CCPA/CPRA, and other applicable U.S. state and international privacy laws.
- SCCs — the Standard Contractual Clauses adopted by EU Commission Implementing Decision 2021/914, supplemented by the UK Addendum where applicable.
- Sub-processor — any third party engaged by Prospectr that processes Customer Personal Data.
2. Roles and scope
- Customer is the data controller (“business” under CCPA/CPRA) of Customer Personal Data.
- Prospectr is the data processor (“service provider” under CCPA/CPRA) for Customer Personal Data.
- Prospectr is the controller of business-contact data about Customer’s authorized users collected directly by Prospectr to operate the relationship — governed by the Privacy Policy, not this DPA.
- Subject matter, duration, nature, purpose, data types, and Data Subject categories are described in Annex I.
3. Customer’s instructions; lawful basis
Prospectr will process Customer Personal Data only on Customer’s documented instructions (the Principal Agreement, the Documentation, Customer’s configuration of the Services, and written instructions to Prospectr support). Prospectr will not sell or “share” (CCPA/CPRA) Customer Personal Data, retain it outside the direct business relationship, or combine it with Personal Data from other sources except as strictly required to provide the Services or comply with law.
If law requires processing Customer has not instructed, Prospectr will inform Customer of the requirement before processing, unless prohibited by that law. Customer is responsible for establishing and documenting the lawful basis for the processing it instructs.
4. Sub-processors
Customer authorizes Prospectr to engage the Sub-processors listed in Annex II (also published in the Privacy Policy §4.2). The current list includes: Amazon Web Services, Anthropic, OpenAI, Google, Microsoft Azure, Stripe, Cloudflare, AWS SES / Resend (transactional email), Documenso (e-signature), Mailgun (where applicable), ElevenLabs (where applicable), GoHighLevel (where applicable), and Bright Data (where applicable).
Prospectr will give Customer at least thirty (30) days’ prior written notice of any new Sub-processor or change. Customer may object on reasonable data-protection grounds. If the objection cannot be resolved, Customer may terminate the affected Service for convenience with a pro-rata refund of prepaid, unused fees as Customer’s sole remedy.
Prospectr will impose data-protection obligations on each Sub-processor no less protective than this DPA and remains liable to Customer for Sub-processor failures.
5. Security measures
Prospectr will implement and maintain the technical and organizational measures in Annex III (as set out in this Section 5), which include at minimum:
- Encryption — TLS 1.2+ in transit; AES-256 at rest in primary stores and backups, with keys in AWS KMS.
- Access control — RBAC, least-privilege IAM, mandatory MFA on Prospectr personnel accounts that touch Customer Personal Data.
- Network security — VPC isolation, security groups, WAF, segmentation of production from non-production.
- Vulnerability management — automated dependency scanning, regular patching, annual penetration test.
- Change management — code review, CI/CD with required checks, deployment audit log.
- Logging and monitoring — administrative-action audit log, centralized aggregation, alerting on suspicious events.
- Personnel — written confidentiality, background checks for personnel handling Customer Personal Data, periodic training.
- Vendor management — written DPAs with all Sub-processors that touch Customer Personal Data.
- BC/DR — backups to a separate region (us-west-2), documented restore procedures, periodic restore testing.
6. Personal-data breach notification
Prospectr will notify Customer without undue delay and, in any event, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will describe (to the extent then known) the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed. Initial information may be preliminary; Prospectr will supplement as more information becomes available.
Customer is responsible for notifying supervisory authorities and Data Subjects as required by law. Prospectr will cooperate reasonably to support those notifications.
7. Data Subject rights
Prospectr will assist Customer in fulfilling Data Subject requests through the Services console. If Customer asks Prospectr for assistance, Prospectr will acknowledge within five (5) business days and fulfil within thirty (30) days, except where applicable law allows a longer period.
If Prospectr receives a Data Subject request directly relating to Customer’s processing, Prospectr will promptly forward the request to Customer and not respond except to confirm receipt and direct the Data Subject to Customer, unless Customer instructs otherwise or law requires Prospectr to respond.
8. Audit rights
On Customer’s written request, no more than once per twelve (12) months and subject to confidentiality, Prospectr will provide its then-current SOC 2 Type II report (once available; see Privacy Policy §14) and a written summary of the security measures in Annex III. This is Customer’s primary audit mechanism.
Customer may conduct an on-site audit only (a) where required by Data Protection Law and the SOC 2 report and available documentation are demonstrably insufficient, or (b) following a confirmed material Personal Data Breach affecting Customer’s data. On-site audits are scheduled at least 30 days in advance, conducted during business hours, by a mutually agreed independent auditor under NDA, at Customer’s expense, and limited to no more than once per 12 months absent regulatory requirement.
9. Restricted Transfers
To the extent a Restricted Transfer of Customer Personal Data occurs, the parties incorporate the EU SCCs Module Two (controller-to-processor) by reference with: Clause 7 (docking) included; Clause 9 Option 2 (general written authorization, 30-day notice); Clause 11 redress body not elected; Clause 17 governing law of Ireland; Clause 18 forum, courts of Ireland.
For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated. For Swiss transfers, the EU SCCs apply as if FADP-adapted.
10. Return or deletion of data on termination
- Sovereign: Customer Personal Data remains in Customer’s own cloud account. Prospectr will revoke access credentials and destroy any temporary copies it holds within sixty (60) days.
- Steward: Customer may, for sixty (60) days after termination, export Customer Personal Data through documented endpoints. After that window, Prospectr will delete from primary systems within 30 days, and from backups per the rotation cycle.
- On Customer’s written request, Prospectr will provide written confirmation of deletion.
- Prospectr may retain Customer Personal Data for the period required by applicable law (tax, AML), and will continue to apply the security and confidentiality measures of this DPA to retained data.
11. Liability
The liability provisions of the Principal Agreement apply to this DPA. Where the SCCs require a higher standard of liability, that standard applies for the activities the SCCs cover.
12. Term and termination
This DPA takes effect on the Effective Date and remains in effect for the duration of the Principal Agreement. The obligations in Sections 5 (Security), 6 (Breach), 8 (Audit), 10 (Return or deletion), and 11 (Liability) survive termination.
13. General
This DPA is governed by Minnesota law (Hennepin County venue), except for the SCCs, which follow Section 9. This DPA supersedes any prior data-processing addendum between the parties for the same Services. Notices to Prospectr go to privacy@prospectrdigital.com.
Annex I — Description of Processing
A. Categories of Data Subjects. Customer’s customers, leads, prospects, employees, contractors, vendors, end-users, and other persons whose Personal Data Customer processes through the Services.
B. Categories of Personal Data. Identifiers (names, business/personal email, phone, postal addresses), professional information (employer, role, title), commercial information (purchase/engagement history), communications content, and other Personal Data Customer provides. Customer is responsible for not providing “Sensitive Personal Data” except as permitted under AUP §1.4.
C. Nature and Purpose. Storage, retrieval, analysis, classification, summarization, generation, transformation, transmission, and any other operation necessary to deliver the configured Services.
D. Duration. The duration of the Principal Agreement, plus the retention windows in Section 10 and the legal-retention period.
Annex II — Sub-processor list
The current sub-processor list is published in the Privacy Policy §4.2.
Annex III — Technical and Organizational Measures
The measures Prospectr maintains are set out in Section 5 of this DPA. A detailed control matrix is available on request under NDA via the Customer Trust Center.
Execution
The parties may execute this DPA as a standalone document by signing in the space provided in the markdown source. Where this DPA is incorporated by click-through acceptance of the Principal Agreement, that click-through acceptance constitutes signature for purposes of the E-SIGN Act and UETA.
Download the full DPA markdown (for separate execution): request a counter-signed copy.