Processor: Midbound, Inc.
Address: 1111B S Governors Ave, STE 21790, Dover, DE 19904
Contact: [email protected]

1. Preamble and Incorporation

This Data Processing Addendum (“DPA”) is incorporated by reference into the Master Services Agreement, or other written agreement (“Agreement”) between Midbound, Inc. (“Processor”) and the customer (“Controller”). This document is maintained publicly to define the data protection obligations of the Processor.

2. Definitions

  • Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with the Processor.
  • Controller: The entity that determines the purposes and means of Processing Personal Data (the Customer).
  • Data Protection Laws: All applicable privacy and data protection laws, including the EU GDPR (Regulation 2016/679), UK GDPR, and CCPA.
  • Data Subject: A natural person who can be identified directly or indirectly.
  • Personal Data: Any information relating to a Data Subject processed under this DPA.
  • Processing: Any operation or set of operations performed on Personal Data, including collection, storage, use, sharing, and deletion.
  • Sub-processor: Any third party engaged by the Processor to process Personal Data on its behalf.

3. Data Processing Terms

3.1 Scope and Purpose

  • Subject Matter: Processing of Personal Data as necessary to deliver the Processor’s services.
  • Duration: The term of the Agreement between Controller and Processor.
  • Purpose: As defined in the Agreement and Annex A.
  • Categories of Data and Data Subjects: As set out in Annex A.

3.2 Instructions from Controller

The Processor will only process Personal Data in accordance with the Controller’s documented instructions unless legally required to do otherwise.

4. Processor Responsibilities

4.1 Confidentiality

All employees and authorized personnel who process Personal Data are subject to binding confidentiality obligations.

4.2 Security

The Processor maintains appropriate technical and organizational measures as described in Annex B to protect Personal Data from unauthorized or unlawful Processing and from accidental loss, destruction, or damage.

4.3 No Use for Model Training or Resale

The Processor does not use Personal Data to train AI or machine learning models and will not sell, rent, or share Personal Data with any third party for advertising, profiling, or model training.

4.4 Sub-processors

Sub-processors are listed in Annex C. The Processor will:

  • Notify the Controller at least 30 days prior to adding or replacing a Sub-processor.
  • Allow the Controller to object on reasonable grounds.
  • If the objection cannot be resolved, permit the Controller to suspend the affected services.
  • Bind each Sub-processor to data protection obligations no less protective than those in this DPA.

4.5 Data Subject Rights and CCPA Opt-Out

The Processor will assist the Controller in fulfilling Data Subject rights, including access, rectification, erasure, restriction, and portability, in compliance with Data Protection Laws. The Processor will honor lawful CCPA opt-out requests as instructed by the Controller.

4.6 Responsibility for Personnel

The Processor remains fully responsible for the actions and omissions of its employees, agents, and contractors.

5. Data Breach Notification

The Processor will notify the Controller without undue delay and no later than 48 hours after becoming aware of a Personal Data breach. The notice will include:

  • A description of the breach.
  • The categories and approximate number of affected Data Subjects.
  • The likely consequences.
  • Measures taken or proposed to address the breach.

6. International Transfers

Transfers of Personal Data outside the EEA, UK, or Switzerland will occur only under:

  • An adequacy decision.
  • Standard Contractual Clauses (SCCs).
  • Another lawful transfer mechanism.

7. Audits and Compliance

The Processor will provide information reasonably required to demonstrate compliance with this DPA. The Controller may conduct one audit per 12-month period with 30 days’ prior written notice. Audits must not unreasonably interfere with the Processor’s operations and must remain confidential. The Controller bears its own costs and will reimburse the Processor for reasonable expenses incurred.

8. Records

The Processor maintains records of Processing activities and will make them available to the Controller upon request as required by law.

9. Data Retention and Deletion

Upon termination of services, Personal Data will be either deleted or returned to the Controller upon written request unless retention is legally required. The Processor will certify deletion upon request. The Controller retains full ownership of its Submitted Data and all Output Data derived from it.

10. Liability and Modification Notice

Liability under this DPA is subject to the limitations set out in the Agreement. The Processor will indemnify, defend, and hold the Controller harmless against losses or regulatory fines arising from the Processor’s or its Sub-processors’ breach of this DPA or violations of applicable privacy laws. The Processor will provide at least 30 days’ advance notice of any material modifications to this DPA.

11. Governing Law

This DPA is governed by the law specified in the Agreement. If no law is specified, the laws of the State of Delaware apply.

12. AI-Powered Features Disclaimer

The Processor may use AI-driven models to provide enriched or inferred business intelligence. These features are probabilistic and provided as-is without warranties of accuracy or fitness for purpose. The Controller is responsible for its use of AI-generated insights.

Clarification of AI Use: The Processor’s AI systems are limited to semantic matching of job titles, roles, and similar business signals. No Personal Data is used for AI training. AI outputs do not infer sensitive characteristics.

13. AI Governance and Ethics

The Processor’s AI models:

  • Are trained only on non-personal business context data.
  • Do not use customer data or Personal Data.
  • Are subject to periodic performance and fairness reviews.
  • Do not engage in autonomous decision-making.
  • Do not process Personal Data for profiling or behavioral inference.

14. Support

The Processor provides a priority support channel for inquiries or issues related to Processing activities. All tickets are tracked and resolved promptly.


Annex A – Details of Processing

Data Subjects

  • Visitors to Controller websites or applications
  • Controller customers, employees, and agents

Categories of Personal Data

  • Identifiers such as name, email, phone, and IP address
  • Behavioral data including page views, UTM parameters, and session activity
  • Device and browser information
  • CRM-linked metadata

Processing Activities

  • Collection, storage, analysis, enrichment, filtering, export, deletion
  • Identity resolution and lead qualification based on consented signals
  • Secure delivery to Controller systems through integrations

Annex B – Security Measures

  • Role-based access controls and least privilege principles.
  • Encryption in transit (TLS 1.2 or higher).
  • Encryption at rest (AES-256).
  • 2-Factor Identification (based on TOTP protocol).
  • Continuous monitoring and audit logging.
  • Encrypted, geo-redundant backups and disaster recovery.
  • Employee background checks and confidentiality training.
  • Consent-based tracking with opt-out capabilities.
  • Logical data segregation and account isolation.
  • SOC 2 readiness underway.

Annex C – Sub-processors

| Sub-processor | Purpose | Country |
| --- | --- | --- |
| Sentry | Error Analytics | USA |
| Google Analytics | Web analytics | USA |
| MailerSend / Instantly | Email marketing | USA |
| Cloudflare | Hosting security & Infrastructure | USA |
| Clickhouse | Database services | USA |
| Google Cloud Platform | Cloud infrastructure | USA |
| Midbound | Data sourcing & enrichment | USA |
| Attio | CRM | USA |
| Nango | Integrations | USA |
| Slack | Internal notifications | USA |
| Google Sheets | Data export & integrations | USA |

Last updated: July 17, 2025