Data Processing Agreement

Preamble

This Personal Data Processing Agreement (hereinafter “DPA”) is entered into between Pronto and the Client, as defined in the General Terms and Conditions of Use and Sale.

All capitalized terms used in this DPA have the meanings given to them in the General Terms and Conditions of Use and Sale, unless otherwise defined herein.

This DPA applies to the Processing of Personal Data carried out by Pronto on behalf of the Client, in the context of the Client's use of the software accessible from Pronto's website (https://prontohq.com and https://app.prontohq.com) and the Pronto API.

1 – Purpose

The purpose of this DPA is to ensure the compliance of Personal Data Processing carried out by Pronto on behalf of the Client with paragraphs 3 and 4 of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (hereinafter “GDPR”).

It is understood that Pronto acts on behalf of the Client and pursuant to the Client's documented instructions. The Client acts either on its own behalf and for its own purposes as a Data Controller or on behalf of and for the purposes of its own clients as a Data Processor.

2 – Description of Processing Activities

The Processing activities carried out by Pronto on behalf of the Client have the following characteristics:

• Categories of Data Subjects:The Client's prospects or the Client's customers' prospects, who are business professionals.
• Categories of Personal Data Processed: Identity and contact data of prospects (e.g., names and email addresses). This may potentially include data related to professional activities, such as roles or company information.
• Nature of Processing: Enrichment of data provided by the Client, including temporary storage of such data.
• Purposes for Which Personal Data Are Processed: Data enrichment performed so that the Client or the Client's Customers can carry out commercial prospecting operations.
• Duration of Processing: Data is stored by default for 3 months, followed by automatic deletion.

Pronto Processes Personal Data solely for these stated purposes.

3 – Instructions

Pronto Processes Personal Data only on documented instructions from the Client, unless it is required to do otherwise by Union or French law. In such cases, Pronto shall inform the Client of that legal requirement before Processing, unless the law prohibits such disclosure on important grounds of public interest.

Pronto shall inform the Client if, in its opinion, an instruction given by the Client infringes the GDPR or any other applicable data protection regulations.

4 – Processing Security

Pronto implements the technical and organizational measures specified in Appendix 1 to ensure the security of Personal Data. These measures include protection against any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

When assessing the appropriate level of security, Pronto takes into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects.

Pronto grants its personnel access to Personal Data only to the extent strictly necessary for the execution, management, and monitoring of the Processing. Pronto ensures that such personnel are committed to confidentiality.

5 – Documentation and Compliance

Pronto makes available to the Client all information necessary to demonstrate compliance with the obligations set forth in this DPA.

At the Client's request, and where there are indications of non-compliance, Pronto also allows for audits of Processing activities covered by this DPA. Such audits may be conducted by the Client or by an independent auditor mandated by the Client. The Client shall give Pronto at least thirty (30) days' written notice prior to any audit.

Pronto makes available to the competent supervisory authority, upon request, the information set out in this article, including any audit results.

6 – Use of Sub-processors

Pronto has the Client's general authorization regarding the use of sub-processors, based on a list agreed upon between the Parties (see Appendix). Pronto specifically informs the Client by any means of any planned changes to this list (e.g., the addition or replacement of sub-processors) at least eight (8) days in advance, thus allowing the Client to object to such changes before the sub-processor(s) is/are engaged.

When Pronto engages a sub-processor to carry out specific Processing activities, it ensures that the sub-processor has data protection obligations similar to those imposed on Pronto under this DPA.

Pronto remains fully liable to the Client for the performance of the sub-processor's obligations under the contract concluded with the sub-processor.

7 – International Transfers

Any transfer of data to a third country or international organization by Pronto is carried out only on the basis of documented instructions from the Client or to meet a specific requirement under Union or French law, and in accordance with Chapter V of the GDPR.

The Client agrees that if Pronto engages a sub-processor pursuant to Article 6 above, and the Processing involves a transfer of Personal Data (as defined by Chapter V of the GDPR), Pronto and the sub-processor may rely on any valid data transfer mechanism recognized under EU law, including standard contractual clauses adopted by the European Commission.

8 – Assistance to the Client

Pronto shall promptly inform the Client when it receives a request from a Data Subject seeking to exercise their rights. Pronto assists the Client, taking into account the nature of the Processing, in responding to Data Subject requests. Pronto shall comply with the Client's instructions in this regard.

However, where an opt-out request is made directly via Pronto's website (for instance, via a “Do not sell my information” or equivalent module), the request is deemed to be addressed to Pronto. In this case, Pronto will honor the Data Subject's request without further notice to the Client.

Pronto also assists the Client in ensuring compliance with the following obligations under the GDPR, taking into account the nature of the Processing and the information available to Pronto:

• The obligation to conduct a data protection impact assessment (DPIA) when required;
• The obligation to consult the competent supervisory authority prior to Processing when a DPIA indicates a high risk;
• The obligations set forth in Article 32 of the GDPR (Security of Processing).

9 – Notification of Personal Data Breaches

In the event of a Personal Data Breach involving Personal Data Processed by Pronto on the Client's behalf, Pronto shall inform the Client without undue delay once it becomes aware of such a Breach.

This notification shall include (where available):

1. A description of the nature of the Breach (including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned);
2. The contact details of a point of contact where more information can be obtained;
3. The likely consequences of the Breach and the measures taken or proposed to be taken to address it, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all the information at the same time, the initial notification shall contain the information then available, and further information shall be provided without undue delay as it becomes available.

10 – Data Fate

Upon the termination of the General Terms and Conditions of Use and Sale or this DPA (collectively, the “Contract”), Pronto shall delete all Personal Data Processed on behalf of the Client, unless Union or French law requires longer retention.

11 – Termination

Pronto reserves the right to modify these Terms and Conditions at any time. Such modifications will be effective immediately upon posting the modified terms on the Website. Continued use of the Services after any such changes shall constitute the Customer's consent to such changes.

Appendix 1 – Technical and Organizational Security Measures

To ensure data security in accordance with Article 32 of the GDPR, Pronto implements the following technical and organizational measures. These measures are designed to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage.

1. Personal Data Pseudonymization and Encryption

Pronto uses robust encryption methods (e.g., bcrypt for passwords) to ensure the security of credentials. Pseudonymization techniques (e.g., anonymized logging with user identifiers) may be employed to further protect Data Subjects' privacy.

2. Measures to Ensure Ongoing Confidentiality, Integrity, Availability, and Resilience

Pronto relies on secured databases within a controlled environment (e.g., virtual private cloud), preventing unauthorized access and enhancing the availability and integrity of data.

3. Regular Testing, Assessment, and Evaluation

Pronto regularly conducts unit tests, integration tests, and evaluations of its technical measures to ensure they remain effective in protecting Personal Data.

4. User Identification and Authorization

Pronto enforces secure identification and authorization mechanisms, including session cookies (e.g., JWT signed with HMAC using SHA256). Role-based access control (RBAC) is applied to manage and restrict privileges.

5. Data Protection During Transmission

All data transfers occur over encrypted channels (HTTPS/SSL tunnels), ensuring confidentiality and integrity in transit.

6. Data Protection During Storage

Data at rest is protected with AES encryption, a widely recognized standard providing a high level of security.

7. Physical Security of Hosting Locations

Pronto's hosting provider (e.g., compliant with SOC 2, ISO 27001 standards) has stringent physical access controls and security measures in place to protect its data centers.

8. Event Logging

Comprehensive event logs are maintained, including IP addresses, user IDs, actions, and roles. Logs are encrypted at rest and retained for a minimum of one year, enabling robust monitoring and compliance support.

9. Data Minimization

Pronto adheres to the principle of data minimization, documenting each data element's purpose in a data registry.

10. Limited Data Retention

Data retention policies are enforced; each dataset is assigned a creation and expiration date. This approach is balanced against any legitimate interests and/or legal requirements for data retention.

11. Technical and Organizational Measures for Sub-processors

Pronto obligates any sub-processor to implement similar or equivalent security measures. These include encryption of Personal Data, ensuring confidentiality, integrity, availability, and resilience of Processing systems, and complying with data minimization and retention policies.

Appendix 2: List of Sub-processors

Main Sub-processors

Additional Providers for Data Enrichment and Validation

Below is a list of providers used for professional email enrichment, phone number lookup, email deliverability checks, or obtaining LinkedIn URLs. Each provider may have different processing locations or legal bases; Pronto ensures that any transfers outside the EU are subject to a valid transfer mechanism: