This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service between New Lab, LLC (hereinafter - GetProspect) and the Users of the Service (as it is defined below). Users enter into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates (as defined below).
The parties agreed to the following:
1. Definitions:
Affiliate - means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity.
Authorized Affiliate - means any of Users' Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Terms of Service.
Controller - means the person that determines the purposes and means of the processing of Personal Data.
Data Subject – means the individual to whom Personal Data relates.
Database – means all or the part of the information (including Personal Data) that could be provided to the Users via the Website.
GDPR - means Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
Instructions – means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
Personal Data - any information relating to an identified or identifiable natural person; an identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach - any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Processing - any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor - means a person (physical or legal entity) that processes Personal Data on behalf of the Controller.
Services - means the common name for the services that New Lab, LLC provides for the Users, for instance, the access to the Database.
Subprocessor - any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Processor (including any Processor affiliate).
Transfer – means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to the third party or by enabling access to the Personal Data by other means.
Users of the Service (Users) – any person (physical or legal entity) that is registered at the Website and has access (limited or unlimited) to the Database.
Website – online source, located at the following address: https://getprospect.com.
2. Main points. GetProspect obligations
2.1. As defined and described in Privacy Policy and Terms of Service, GetProspect collects different business information about people. This information may include Personal Data. That is why GetProspect and its Users are under obligations stipulated by GDPR. GetProspect declares that information is collected in a legal way and from public sources.
2.2. GetProspect testifies that it will process Personal Data only for the purposes described in this DPA and Privacy Policy or as otherwise required by applicable law. GetProspect is not responsible for compliance with any data protection laws applicable to Users.
2.3. If GetProspect becomes aware that it cannot process Personal Data according to the Users’ instructions due to legal requirements, it will notify Users about such legal requirements and, if necessary, cease all processing until Users issues new Instructions.
2.4. GetProspect could not be liable for any failure to perform the services in case of circumstances described in art. 2.3.
2.5. GetProspect implements and maintains appropriate technical and organizational measures to protect Personal Data. For more details about such measures, please contact us.
2.6. GetProspect will notify Users in case of a Personal Data Breach. At Users’ request, GetProspect will promptly provide Users with such reasonable assistance as necessary to enable Users to notify the relevant Personal Data Breach to competent authorities and/or affected Data Subjects.
3. Users responsibilities
3.1. Within the scope of the Terms of Service and its use of the services, Users is responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions.
3.2. In particular but without prejudice to the generality of the foregoing, Users acknowledges and agrees that it will be solely responsible for: the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use for marketing purposes); ensuring that it has the right to transfer, or provide access to, the Personal Data; ensuring that its Instructions to GetProspect regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
3.3. Users should immediately inform GetProspect if it is not able to comply with its legal responsibilities under this DPA or applicable Data Protection Laws.
3.4. The parties agree that the Terms of Service (including this DPA), together with the use of the Services, constitute Users’ complete Instructions to GetProspect in relation to the Processing of Personal Data.
3.5. Users is solely responsible for independently determining whether the data security provided for the Services adequately meets its obligations under applicable Data Protection Laws. Users is also responsible for its secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including by securely backing up or encrypting any such Personal Data).
3.6. Parties acknowledge and agree that Users is a Controller during the processing of Personal Data and GetProspect is a Processor.
3.7. Users agrees that GetProspect may engage Sub-Processors to process Personal Data on Users’ behalf. Where GetProspect engages Sub-Processors, it will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA. GetProspect will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and any acts or omissions of such Sub-Processor that caused GetProspect to breach any of its obligations under this DPA. GetProspect will give Users the opportunity to object to a new Sub-Processor’s engagement on reasonable grounds relating to the protection of Personal Data within 30 days of notifying Users.
3.8. Parties shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data unless it first takes all such measures necessary to ensure that transfer is in compliance with applicable European Data Protection Laws.
4. Appropriate technical and organizational measures
4.1. The Data Processor must implement appropriate and reasonable technical and organizational measures to ensure a level of security that matches the risks of data processing for the processing of Personal Data which the Data Controller provides under this Data Processing Agreement, including reasonably ensuring a) Pseudonymization and encryption of Personal Data; b) continuous confidentiality, integrity, availability and robustness of the processing systems and services for which the Data Processor is responsible; c) timely recovery of the availability of and access to Personal Data in case of a physical or technical incident; d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure processing security; e) that Personal Data is not accidentally or unlawfully destroyed, lost or impaired and against any unauthorized disclosure, abuse or in any other way is processed in violation of any applicable law on Personal Data.
4.2. The Data Processor shall determine the appropriate level of technical and organizational measures. When determining this, the Data Processor must particularly consider the risks related to the processing, i.e. the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data that has been transmitted, stored, or processed in any other way.
4.3. Data Processor shall, upon prior written request from the Data Controller, and within reasonable time-limits provide the Data Controller with sufficient information to document that the above mentioned technical and organizational security measures have been taken.
5. General terms
5.1. The Data Controller and the Data Processor and, where applicable, their representatives shall cooperate, on request, with the supervisory authority in the performance of its tasks.
5.2. In no event shall the Data Processor be liable, whether in contract or tort or otherwise for any incidental, indirect, consequential or unforeseeable loss, damage or expense, loss of profits, loss of business, loss of opportunity, loss or corruption of data, however arising, including any claims for payments of fines.
5.3. All notices related to this Data Processing Agreement must be made to GetProspect at the following mail.
Appendix 1: pre-approved list of subcontractors
To provide a request, email us at [email protected].
Appendix 2: list of the technical and organizational security measures
Pseudonymisation and encryption of personal data
GetProspect’s databases with Personal Data are stored on encrypted disks.
Measures for user identification and authorization
Access control policies require that access to the GetProspect database be granted based on the user’s authorization and limited based on the "need-to-know" and "least-privilege" principles. Documentation of these requirements is recorded.
Measures for the protection of data during transmission
Customer data stored by GetProspect is encrypted in transit between the user’s software application and GetProspect using HTTPS.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
GetProspect and its subprocessors use a variety of tools and mechanisms to achieve high availability and resiliency.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
GetProspect has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers’ systems. GetProspect conducts a variety of regular internal and external audits that are inclusive of security operations.
Measures for ensuring physical security of locations at which personal data are processed
GetProspect’s databases are stored at DigitalOcean data centers that are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge controlled gates.
Date of last revision: December 23, 2021.