Data processing agreement
Last updated: January 1, 2026
This data processing agreement ("DPA") forms part of the terms of service between Leads4Talent LLC ("processor" or "we") and the client ("controller" or "you").
1. Parties & definitions
Processor: Leads4Talent LLC, 7901 4th Street N, Suite 16801, St. Petersburg, Florida 33702, United States, email: support@leads4talent.com
Controller: The client subscribing to Leads4Talent services.
Definitions:
- Personal data: Any information relating to an identified or identifiable individual collected through your job campaigns.
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
- Data subject: The individual whose personal data is processed (e.g., job applicants).
Applicable laws: This DPA is intended to comply with applicable data protection laws worldwide, including Regulation (EU) 2016/679 (GDPR) and the UK GDPR, where applicable.
2. Scope of processing
What we process: We process personal data solely to provide our job campaign services as described in the terms of service.
Categories of data subjects:
- Job applicants
- Prospective candidates
- Anyone submitting information through your job funnels
Categories of personal data:
- Contact information (name, email, phone number)
- Location/city
- Work history and experience
- Qualification quiz responses
- Any other information you choose to collect through your campaigns
Purpose of processing:
- Operating your job campaign funnels
- Delivering applicant data to you via the applicant dashboard or ATS
- Providing campaign management and optimization services
- Supporting your recruiting and hiring activities
Duration of processing: We process data for the duration of your active subscription plus 30 days after cancellation (archive period).
3. Roles & responsibilities
You (controller):
- Determine what personal data to collect and how to use it.
- Ensure you have legal basis to collect and process the data.
- Handle all applicant data in compliance with applicable privacy laws.
- Respond to data subject requests (access, deletion, etc.).
We (processor):
- Process personal data only on your documented instructions.
- Implement appropriate security measures.
- Assist you in meeting your legal obligations.
- Do not use personal data for any purpose other than providing our services.
- Do not sell applicant personal data or use it for our own marketing purposes.
4. Processing instructions
Your instructions: By using our services, you instruct us to:
- Collect personal data via your job campaign funnels.
- Store the data in the applicant dashboard.
- Deliver the data to you or your designated ATS.
- Process the data as needed to operate and optimize your campaigns.
Unlawful instructions: If we believe your instructions violate applicable data protection laws, we will notify you promptly.
Anonymized data: We may anonymize personal data (removing all identifiable information) and use such anonymized data for analytics and service improvement.
5. Security measures
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures may include encryption, access controls, security monitoring, employee confidentiality obligations, and vendor security assessments.
We continuously review and update our security practices to maintain an appropriate level of protection based on the nature and risks of the processing.
While we use commercially reasonable measures to protect personal data, we do not guarantee its absolute security.
6. Subprocessors
Authorization: You authorize us to engage the following subprocessors to assist in providing our services:
| Subprocessor | Service | Server location |
|---|---|---|
| Brevo (Sendinblue) | Email/SMS services | France (EU) |
| Celonis SE (Make) | Automation | Germany (EU) |
| Cloudflare, Inc. | Hosting | Global |
| Google Ireland Ltd. | Storage & email | Ireland (EU) |
| Google LLC | Advertising (when used) | Global |
| Katiba Technology GmbH | Hosting | Germany (EU) |
| Meta Platforms, Inc. | Advertising (when used) | Global |
| Perspective Software GmbH | Hosting | Germany (EU) |
| Pinterest, Inc. | Advertising (when used) | Global |
| Restly, Inc. (Zite) | Hosting & automation | Global |
| Snap Inc. | Advertising (when used) | Global |
| TikTok Inc. | Advertising (when used) | Global |
| Twilio Inc. | SMS services | US |
| X Corp. | Advertising (when used) | Global |
| Zapier Inc. | Automation | US |
Subprocessor requirements: All subprocessors are contractually required to:
- Process personal data only as instructed.
- Implement appropriate security measures.
- Maintain confidentiality.
- Comply with applicable data protection laws.
Changes to subprocessors: We will notify you at least 14 days before adding or replacing any subprocessor. You may object on reasonable data protection grounds. We will work in good faith to address any legitimate concerns. If we cannot resolve a legitimate data protection objection, you may terminate the agreement in accordance with the terms of service.
Subprocessors vs. personnel: Our employees and any freelance contractors we may engage work under our direct control and instructions, and are considered our personnel, not subprocessors. All such personnel are contractually bound to confidentiality and data protection obligations consistent with this DPA. The subprocessor provisions of this DPA apply only to third-party service providers listed above.
7. Data subject rights
Your obligations: As controller, you are responsible for responding to data subject requests (access, correction, deletion, etc.).
Our assistance: We will assist you by:
- Providing access to personal data in the applicant dashboard.
- Enabling data export via CSV.
- Deleting data upon your request.
- Responding promptly to your reasonable assistance requests.
If a data subject contacts us directly, we will forward their request to you promptly.
8. Data breach notification
Our obligations: If we become aware of a personal data breach, we will notify you without undue delay and provide available details of the breach, affected data, and mitigation steps taken or proposed.
Your obligations: You are responsible for determining whether to notify data subjects or regulators, as required by applicable law.
9. Data retention & deletion
During subscription: We retain personal data for as long as your subscription is active and as needed to provide the services, support ongoing recruiting, maintain applicant records, comply with legal obligations, or as otherwise legally permitted.
When a campaign ends but your subscription remains active: If a campaign is ended, swapped, or set offline while your subscription remains active, applicant data for that campaign may remain accessible in the dashboard for up to 30 days. After that, the campaign may be archived to keep the workspace clean.
After subscription cancellation: If your subscription ends, dashboard access ends when the subscription ends. Applicant data may be retained internally for up to 30 days after cancellation for archive, export, deletion, or legal purposes. Upon request, we can provide a CSV export before deletion.
After the 30-day retention period: All applicant data is permanently deleted from our systems unless we are required by law to retain it longer. We will notify you if this applies.
10. International data transfers
Cross-border transfers: Our services involve international data transfers (e.g., US-based company, EU-hosted servers, global subprocessors). Applicant data is stored primarily in the European Union through our subprocessors, with limited processing and transfers outside the EU as described in section 6.
Transfer mechanisms: Where required by applicable law, we rely on appropriate transfer mechanisms such as standard contractual clauses (SCCs), adequacy decisions, or other legally recognized safeguards.
Your acknowledgment: By using our services, you acknowledge that these international transfers may occur under the mechanisms described.
11. Compliance & documentation
Your rights: You may request documentation demonstrating our compliance with this DPA, including access to relevant security certifications, policies, and third-party audit reports where available.
Our cooperation: We will provide reasonable documentation and cooperate with you to enable you to verify compliance with this DPA and applicable data protection laws. We will also cooperate with supervisory authorities as legally required.
12. Liability
Our liability: We are liable for damages caused by our breach of this DPA, subject to the limitations in the terms of service.
Shared liability: Where both parties are responsible for a data protection violation, liability is allocated based on proportional responsibility.
13. Term & termination
Duration: This DPA remains in effect for as long as we process personal data on your behalf.
Termination:
- This DPA terminates automatically when your subscription ends.
- You may terminate immediately if we materially breach this DPA and fail to cure within a reasonable opportunity after written notice.
- Upon termination, we will delete or return all personal data as described in section 9.
14. Modifications
We may update this DPA to reflect changes in law or our practices. We will notify you of material changes via email at least 30 days before they take effect.
15. Governing law
This DPA is governed by the laws of the state of Florida, consistent with the terms of service.
Acceptance
This DPA is incorporated into and forms part of the terms of service. By accepting the terms of service, you accept this DPA.