Enrichley Data Processing Addendum
Effective: 9 June 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Enrichley LLC (“Enrichley”) and the customer (“Customer”) for use of Enrichley’s services (the “Agreement”). It governs the processing of personal data in connection with the services.
1. Definitions
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Supervisory Authority” have the meanings in the GDPR. “Customer Personal Data” means personal data that Enrichley processes on behalf of Customer under the Agreement (e.g., records Customer uploads or connects, and enrichment/validation results returned to Customer). “Applicable Data Protection Law” means all privacy and data-protection laws applicable to a party, including the GDPR, UK GDPR, and U.S. state privacy laws (e.g., CCPA/CPRA).
2. Roles of the parties
- Customer Personal Data — Enrichley as Processor. With respect to Customer Personal Data, Customer is the Controller and Enrichley is the Processor (a “service provider” under CCPA). Enrichley processes Customer Personal Data only on Customer’s documented instructions, including to provide the services (such as storing Customer’s data for Customer’s use, and matching/appending information to Customer’s records and returning the results to Customer). Enrichley does not “sell” or “share” (as defined by CCPA/CPRA) Customer Personal Data, does not disclose it to other customers or third parties except sub-processors engaged to provide the services, and does not combine it with personal data from other sources for its own purposes or incorporate it into Enrichley’s contact database.
- Live enrichment data — Enrichley as intermediary. Enrichley does not maintain its own database of contacts. When Customer requests an enrichment, Enrichley retrieves business data from third-party data partners and public sources in real time and returns the result to Customer. Those data partners are the source and controller of the underlying data; Customer acts as an independent controller of the results it receives and is responsible for its own compliance with Applicable Data Protection Law.
3. Customer instructions and obligations
Customer instructs Enrichley to process Customer Personal Data as described in the Agreement and this DPA. Customer represents that it has all necessary rights, lawful bases, and notices/consents to provide Customer Personal Data to Enrichley and to instruct the processing, and that its use of the services and of any data obtained complies with Applicable Data Protection Law (including any required notices to, and choices for, data subjects). Customer will not provide special-category or other sensitive data except as expressly permitted by the Agreement, the Data Use Policy (/data-use), and the Acceptable Use Policy (/acceptable-use).
4. Confidentiality and security
Enrichley will ensure persons authorized to process Customer Personal Data are bound by confidentiality, and will implement appropriate technical and organizational measures as described in Annex II.
5. Sub-processors
Customer provides general authorization for Enrichley to engage sub-processors to process Customer Personal Data. Enrichley’s current sub-processors are listed at enrichley.com/subprocessors. Enrichley will impose data-protection obligations on each sub-processor substantially similar to those in this DPA and remains responsible for their performance. Enrichley will provide a mechanism for Customer to be notified of new sub-processors with at least 30 days’ advance notice; if Customer reasonably objects on data-protection grounds and the parties cannot resolve the objection, Customer may terminate the affected service.
6. Personal data breach
Enrichley will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer’s own obligations.
7. Assistance to Customer
Taking into account the nature of processing, Enrichley will provide reasonable assistance to Customer for: (a) responding to data-subject requests; (b) security of processing; (c) breach notification; and (d) data protection impact assessments and prior consultation.
8. Data-subject requests
If Enrichley receives a request from a data subject regarding Customer Personal Data, Enrichley will, where legally permitted, refer the request to Customer and assist Customer in responding.
9. International transfers
To the extent Enrichley processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (Module Two, Controller-to-Processor) are incorporated by reference and completed as set out in Annex III, together with the UK International Data Transfer Addendum and the Swiss amendments where applicable. The SCC annexes and the appointment of an EU/UK representative will be put in place before Enrichley processes EU/UK personal data.
10. Deletion and return
Upon termination of the Agreement, Enrichley will, at Customer’s choice, delete or return Customer Personal Data within 30 days, except where retention is required by law.
11. Audits
Enrichley will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits.
12. Liability, precedence, governing law
This DPA is subject to the limitations of liability in the Agreement. In case of conflict, this DPA prevails over the Agreement with respect to processing of Customer Personal Data. This DPA is governed by the law of the State of California (matching Enrichley’s Terms of Service), without prejudice to the SCCs’ own governing-law terms.
Annex I — Details of processing
- Subject matter / nature & purpose: providing Enrichley’s data services (email verification, contact and company enrichment, and related offerings) to Customer, including storing Customer’s data for Customer’s use and matching/appending information.
- Duration: the term of the Agreement, plus the deletion/return period (Section 10).
- Categories of data subjects: Customer’s business contacts and prospects.
- Types of Personal Data: business contact identifiers — name, business email, employer/company, job title, professional profile URLs, and general location. Not intended to include special-category data or phone numbers (not currently processed).
Annex II — Technical and organizational security measures
Enrichley’s measures (see also enrichley.com/security): encryption of data in transit (HTTPS) and at rest (AES-256); role-based access controls and least privilege; authentication via Clerk; secrets management; logging and error/performance monitoring (Sentry); and vendor (sub-processor) risk management. Enrichley does not currently hold SOC 2 or ISO 27001 certification and makes no such claim.
Annex III — SCC elections
The SCC annexes, the UK Addendum tables, and the Swiss amendments will be put in place before Enrichley begins processing EU/UK personal data.