Data Processing Agreement
Last updated: 27 March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Lead IP GmbH ("Processor", "LeadLex") and the organization using the LeadLex Services ("Controller", "Customer") and governs the processing of personal data by LeadLex on behalf of the Customer pursuant to Art. 28 GDPR.
This DPA applies when LeadLex processes personal data on behalf of the Customer as a data processor. For data that LeadLex processes as a data controller (e.g., account registration data, billing information), the Privacy Policy applies.
2. Definitions
Terms used in this DPA have the meanings given to them in the GDPR (Regulation (EU) 2016/679), the Terms of Service, and this DPA. "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings set out in Art. 4 GDPR.
3. Subject Matter and Duration
3.1. Subject matter: LeadLex processes personal data on behalf of the Customer to provide the LeadLex platform Services, including CRM management, AI-assisted analysis (Lexi), email and calendar synchronization, and integration with third-party services.
3.2. Duration: Processing begins when the Customer starts using the Services and continues until the Customer's account is terminated and all Customer Data is deleted in accordance with Section 11.
3.3. Nature and purpose: Automated and manual processing of personal data to provide, maintain, and improve the Services as described in the Terms of Service.
4. Types of Personal Data
The following categories of personal data may be processed, depending on the Customer's use of the Services:
- Contact information (name, email, phone number, job title, company)
- Business relationship data (deals, matters, engagement history)
- Communication content (emails, calendar events, meeting notes) — only where the Customer activates the relevant integration
- Professional profile data (LinkedIn profiles, professional history)
- AI interaction data (queries to Lexi and generated responses)
5. Categories of Data Subjects
- Customer's employees and authorized users
- Customer's clients and prospective clients
- Customer's business contacts and referral sources
- Other individuals whose data the Customer uploads to or processes through the Services
6. Obligations of the Processor
LeadLex shall:
6.1. Process personal data only on documented instructions from the Customer, unless required by EU or Member State law. If such a legal requirement applies, LeadLex shall inform the Customer before processing (unless prohibited by law).
6.2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2.
6.4. Respect the conditions for engaging sub-processors as described in Section 8.
6.5. Taking into account the nature of the processing, assist the Customer through appropriate technical and organizational measures for the fulfillment of the Customer's obligation to respond to Data Subject requests (Art. 15–22 GDPR).
6.6. Assist the Customer in ensuring compliance with obligations under Art. 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to LeadLex.
6.7. At the Customer's choice, delete or return all personal data after the end of the provision of Services and delete existing copies, unless EU or Member State law requires storage (see Section 11).
6.8. Make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor (see Section 10).
7. Obligations of the Controller
The Customer shall:
7.1. Ensure that it has a valid legal basis for the processing of personal data through the Services and that all necessary consents have been obtained or other legal bases apply.
7.2. Provide documented processing instructions to LeadLex.
7.3. Be responsible for the accuracy, quality, and legality of Customer Data and the means by which the Customer acquired the data.
8. Sub-Processors
8.1. The Customer grants LeadLex general written authorization to engage sub-processors. The current list of sub-processors is set out in Annex 3.
8.2. LeadLex shall notify the Customer of any intended changes to its sub-processors by email at least 14 days before the new sub-processor begins processing personal data. The Customer may object to a new sub-processor within 14 days of receiving notice. If the Customer objects on reasonable data protection grounds and LeadLex cannot reasonably accommodate the objection, either party may terminate the affected Services.
8.3. LeadLex shall impose contractual obligations on each sub-processor that are no less protective than those in this DPA.
9. International Transfers
9.1. Personal data may be transferred to sub-processors located outside the EEA. Where such transfers occur, LeadLex ensures an adequate level of protection through:
- EU-US Data Privacy Framework (DPF) certification of the sub-processor
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Supplementary measures including encryption and access controls
9.2. The transfer mechanisms applicable to each sub-processor are set out in Annex 3.
10. Audits
10.1. LeadLex shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
10.2. The Customer (or a mandated independent third-party auditor bound by confidentiality) may conduct an audit of LeadLex's processing activities no more than once per calendar year, with at least 30 days' prior written notice and during normal business hours. The audit shall not unreasonably disrupt LeadLex's operations.
10.3. Where LeadLex has obtained relevant third-party certifications or audit reports (e.g., SOC 2 Type 2 via its infrastructure provider), these may be provided to the Customer in lieu of an on-site audit, at LeadLex's discretion.
11. Data Deletion and Return
11.1. Upon termination of the Services, the Customer may request export of all Customer Data within 30 days.
11.2. After the 30-day export period (or upon the Customer's earlier written instruction), LeadLex shall delete all Customer Data within 30 days, except where EU or Member State law requires continued storage.
11.3. LeadLex shall provide written confirmation of deletion upon request.
12. Data Breach Notification
12.1. LeadLex shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Data.
12.2. The notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact person for further information.
12.3. LeadLex shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
13. Availability
A signed copy of this DPA is included with all Pro and Enterprise plans. Customers on the Starter plan may request a signed DPA by contacting privacy@leadlex.com.
14. Contact
Data processing inquiries: privacy@leadlex.com
Lead IP GmbH, Trogerstraße 50, 81675 Munich, Germany
Annex 1: Details of Processing
| Element | Description |
|---------|-------------|
| Subject matter | Provision of CRM, AI assistant, and integration services |
| Duration | Term of the service agreement |
| Nature of processing | Collection, storage, organization, retrieval, consultation, use, disclosure by transmission, erasure |
| Purpose | Providing, maintaining, and improving the LeadLex platform |
| Categories of data subjects | Customer employees, clients, prospects, business contacts |
| Types of personal data | Contact details, business data, communications, professional profiles, AI interaction logs |
Annex 2: Technical and Organizational Measures (TOMs)
LeadLex implements the following measures pursuant to Art. 32 GDPR:
Encryption:
- Data in transit: TLS 1.3
- Data at rest: AES-256 encryption
- BYOK (Bring Your Own Key) encryption available on Enterprise plans
Access control:
- Role-based access control (RBAC)
- SSO via SAML 2.0 (Pro and Enterprise plans)
- Multi-factor authentication supported
- Principle of least privilege enforced
Infrastructure security:
- EU-hosted primary database (Supabase, Frankfurt region)
- Complete tenant isolation — no cross-tenant data access
- Regular vulnerability scanning and security patching
- Semi-annual penetration testing
Organizational measures:
- Confidentiality agreements for all personnel
- Data protection training for staff with access to personal data
- Incident response plan with defined roles and escalation procedures
- Access to customer data only with written customer approval for support purposes
AI-specific measures:
- AI provider (Anthropic) processes data in real time with no retention beyond the session
- Customer data is never used to train or fine-tune AI models
- Strict data boundaries between AI processing and model training pipelines
Logging and monitoring:
- Full audit logging of user and system actions
- Configurable data retention policies
- Real-time anomaly detection
Annex 3: Sub-Processor List
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|--------------|---------|----------|-------------------|
| Vercel Inc. | Website and application hosting, CDN | USA | EU-US Data Privacy Framework |
| Supabase Inc. | Database, authentication, storage | EU (Frankfurt, Germany) | Data processed within EU |
| Anthropic PBC | AI processing (Claude — powers Lexi) | USA | Standard Contractual Clauses |
| Google LLC | Gmail and Google Calendar sync | USA | EU-US Data Privacy Framework |
| Microsoft Corp. | Outlook, Calendar, Teams, LinkedIn sync | USA | EU-US Data Privacy Framework |
| HubSpot Inc. | CRM synchronization | USA | EU-US Data Privacy Framework |
| Slack Technologies (Salesforce) | Messaging integration | USA | EU-US Data Privacy Framework |
This list is current as of the date stated at the top of this DPA. Changes are communicated per Section 8.2.