Data Processing Agreement
Last Updated: November 2, 2025
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller") and GrowthReactor.ai ("Processor," "we," "us," or "our").
This DPA governs the processing of Personal Data (as defined below) by GrowthReactor.ai on behalf of the Customer in connection with the provision of our AI-powered B2B tools and services ("Services").
This DPA is designed to meet the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by GrowthReactor.ai on behalf of the Customer.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Controller" means the Customer, who determines the purposes and means of Processing Personal Data.
- "Processor" means GrowthReactor.ai, who processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by GrowthReactor.ai to process Personal Data.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR and CCPA.
3. Roles and Responsibilities
3.1 Controller Responsibilities
As Controller, the Customer:
- Determines the purposes and means of Processing Personal Data
- Ensures it has a lawful basis for Processing under applicable Data Protection Laws
- Provides any necessary notices and obtains any required consents from Data Subjects
- Ensures that Personal Data provided to GrowthReactor.ai is accurate and lawfully collected
- Complies with all applicable Data Protection Laws
3.2 Processor Responsibilities
As Processor, GrowthReactor.ai:
- Processes Personal Data only on documented instructions from the Customer
- Ensures that persons authorized to process Personal Data are bound by confidentiality
- Implements appropriate technical and organizational security measures
- Engages Sub-processors only with the Customer's authorization
- Assists the Customer in responding to Data Subject requests
- Assists the Customer in ensuring compliance with Data Protection Laws
- Deletes or returns Personal Data upon termination, as instructed by the Customer
- Makes available information necessary to demonstrate compliance with this DPA
4. Details of Data Processing
4.1 Nature and Purpose of Processing
GrowthReactor.ai processes Personal Data for the following purposes:
- Providing AI-powered marketing and sales tools
- Generating content, analysis, and recommendations
- Managing user accounts and authentication
- Processing payments and maintaining billing records
- Providing customer support
- Improving and optimizing the Services
4.2 Types of Personal Data
The Personal Data processed may include:
- Contact information (name, email address, phone number)
- Account credentials and authentication data
- Company and business information
- Payment and billing information
- Usage data and analytics
- Content and data submitted through the Services
- Communications with customer support
4.3 Categories of Data Subjects
Data Subjects may include:
- Customer employees and authorized users
- Customer business contacts
- Individuals mentioned in content created or processed through the Services
4.4 Duration of Processing
Personal Data will be processed for the duration of the Services agreement and for any additional period required by law or as instructed by the Customer.
5. Security Measures
GrowthReactor.ai implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
5.1 Technical Measures
- Encryption of Personal Data in transit and at rest
- Regular security testing and vulnerability assessments
- Secure authentication mechanisms
- Access controls and authorization systems
- Network security and firewall protections
- Secure backup and recovery procedures
5.2 Organizational Measures
- Confidentiality obligations for personnel
- Security training for employees
- Incident response and breach notification procedures
- Regular security audits and assessments
- Vendor security management
- Data protection policies and procedures
5.3 Security Breach Notification
In the event of a Personal Data breach, GrowthReactor.ai will:
- Notify the Customer without undue delay upon becoming aware of the breach
- Provide reasonable information about the breach, including affected data and likely consequences
- Take reasonable steps to mitigate the breach and prevent future occurrences
- Cooperate with the Customer in any required breach notifications to authorities or Data Subjects
6. Sub-processors
6.1 Authorization
The Customer authorizes GrowthReactor.ai to engage Sub-processors to process Personal Data on the Customer's behalf. By accepting this DPA, the Customer provides general authorization for the engagement of Sub-processors.
6.2 Current Sub-processors
GrowthReactor.ai currently uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (PostgreSQL) | Database hosting | United States |
| Google Firebase | Authentication services | United States |
| Stripe | Payment processing | United States |
| OpenAI | AI processing | United States |
| Heroku | Application hosting | United States |
6.3 Sub-processor Obligations
GrowthReactor.ai ensures that:
- Sub-processors are bound by data protection obligations equivalent to those in this DPA
- Sub-processors implement appropriate security measures
- GrowthReactor.ai remains fully liable for Sub-processor performance
6.4 Changes to Sub-processors
GrowthReactor.ai will provide notice of any new Sub-processors at least 30 days before engagement. The Customer may object to a new Sub-processor on reasonable data protection grounds by notifying GrowthReactor.ai within 30 days.
7. Data Subject Rights
GrowthReactor.ai will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws.
GrowthReactor.ai will provide reasonable assistance to enable the Customer to respond to Data Subject requests, including:
- Right of access to Personal Data
- Right to rectification of inaccurate Personal Data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
8. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) or the Customer's jurisdiction.
For transfers from the EEA, GrowthReactor.ai ensures appropriate safeguards through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other legally approved transfer mechanisms
9. Data Retention and Deletion
9.1 Retention
GrowthReactor.ai will retain Personal Data only for as long as necessary to provide the Services or as required by law.
9.2 Return or Deletion
Upon termination of the Services or at the Customer's request, GrowthReactor.ai will:
- Return all Personal Data to the Customer in a commonly used format, or
- Securely delete all Personal Data, except where retention is required by law
- Ensure that Sub-processors also delete or return Personal Data
10. Audits and Compliance
GrowthReactor.ai will make available to the Customer information necessary to demonstrate compliance with this DPA and allow for audits by the Customer or an authorized third-party auditor, subject to:
- Reasonable advance notice (at least 30 days)
- Confidentiality obligations for the auditor
- Reasonable frequency (no more than once per year unless required by law)
- Reimbursement of reasonable costs incurred by GrowthReactor.ai
11. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service.
Each party will indemnify the other for losses arising from its breach of this DPA, subject to the terms of the main agreement.
12. Term and Termination
This DPA will commence on the date the Customer first uses the Services and will continue until termination of the Services agreement or earlier termination as permitted under the Terms of Service.
13. Contact Information
For questions about this DPA or to exercise your rights, please contact:
Data Protection Officer: dpo@growthreactor.com
Privacy Team: privacy@growthreactor.com
Website: https://growthreactor.com
Response Time: We aim to respond to all inquiries within 48 hours.