LeadsEngine Ltd GDPR Addendum to Terms Of Use


This General Data Protection Regulation Addendum (" GDPR Addendum") is incorporated by reference into the Terms of Use Agreement. This GDPR Addendum is entered into by and between the Customer (“Data Controller”) and LeadsEngine Ltd (“ Data Processor”).

2. This GDPR Addendum is supplemental to this Terms Of Use Agreement and sets out the terms that apply when Personal Data (as defined below) is processed by Data Processor under the Terms Of Use Agreement. The purpose of the GDPR Addendum is to ensure such processing is conducted in accordance with applicable laws, including the Data Protection Law (defined below), and with due respect for the rights and freedoms of individuals whose personal data are processed.

3. The Data Processor provides the  Services (as defined in the above Terms Of Use Agreement) and the Data Controller uses the LeadsEngine Ltd Services for the purposes specified in the Terms Of Use Agreement. With respect to the Terms Of Use Agreement the Data Processor processes Personal Data on behalf of, and as instructed by, the Data Controller.

4. This GDPR Addendum details the Parties' rights and obligations related to the scope of the processing of Personal Data. This GDPR Addendum shall apply to all activity within the scope of and related to the Terms Of Use Agreement, and in whose context the Data Processor’s employees or subcontractors may come into contact with Data Controller’s Personal Data.

Section 1

Data Protection Law : means (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.

Section 2

Subject of addendum (Data Processing)

1. The scope, extent, duration and nature of the collection, processing and use of Personal Data as well as the types of Personal Data (as defined in the Data Protection Law “Personal Data”) and categories of data subjects are set out in Schedule 1 attached hereto and both the Data Controller and Data Processor shall comply with all applicable requirements of the Data Protection Law.

2. The Data Controller selected the Data Processor as a service provider by exercising its duties of diligence under the Data Protection Law. It is the intent of the Parties that the Terms Of Use Agreement includes a written mandate within the meaning of the Data Protection Law and govern the Parties’ rights and obligations in the context of data processing.

3. To the extent this addendum employs the term “(data) process(ing) (of data),” it refers, in a general way, to the collection, processing and use of Personal Data, including but not limited to obtaining, storing, altering, transmitting, blocking, deleting, using, anonymising, pseudonymising, encrypting or otherwise using data within the meaning of the Data Protection Law.

4. Direction means the written instruction issued by the Data Controller to the Data Processor, and directing the latter to perform a specific action with regard to Personal Data (e.g. processing, anonymisation, blocking, deletion, disclosure).

Section 3 

Data Controller’s Rights and Obligations

1. The Data Controller is responsible (within the meaning of the Data Protection Law) for the Data Processor’s processing of data. Other than where Data Processor is the only party with a direct relationship with the individuals whose Personal Data is being processed hereunder (“ Data Subjects”), Data Controller shall ensure it has all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to the Data Processor for the duration and purposes of the Terms Of Use Agreement.

2. The Data Controller is entitled to issue supplementary directions at any time regarding the purpose, manner and extent of the processing

3. The Data Controller shall ensure that Data Subjects’ rights are observed and should third parties take legal action against the Data Processor on the grounds of data processing, the Data Controller will indemnify the Data Processor in respect of any such claim.

4. Prior to the commencement of data processing and in regular intervals thereafter, the Data Controller shall assure itself that the Data Processor has implemented technical and organisational measures to protect the Personal Data.

5. The Data Controller will promptly notify the Data Processor if and when it detects errors or irregularities in connection with the Data Processor’s processing of Personal Data.

Section 4 

Data Processor’s Rights and Obligations

1. Without prejudice to the generality of Section 1(1), the Data Processor shall, in relation to any Personal Data processed in connection with the performance by the Data Processor of its obligations under the Terms Of Use Agreement:

a. process that Personal Data only on the written instructions of the Data Controller unless the Data Processor is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Data Processor to process Personal Data ( Applicable Laws). Where the Data Processor is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller;

b. ensure that it has in place the appropriate technical and organisational measures which have been reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

c. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

d. not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:

(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer;

(ii) the Data Subject has enforceable rights and effective legal remedies;

(iii) the Data Processor complies with its obligations under the Data Protection Law by providing an adequate level of protection to any Personal Data that is transferred; and

(iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.

e. at the Data Controller’s cost, assist the Data Controller: (i) in responding to any request from a Data Subject; (ii) in responding to requests, investigations or audits by a Data Protection Law supervisory authority or regulator (a “DPA”); and (iii) in complying with any request by Data Controller with respect to ensuring compliance with Data Controller’s obligations under the Data Protection Law with respect to security, breach notifications, impact assessments and consultations with DPAs, provided that Data Processor shall notify Data Controller without undue delay should it receive any such request or query from a Data Subject or DPA;

f. notify the Data Controller without undue delay on becoming aware of a Personal Data breach;

g. at the written direction of the Data Controller, delete or return Personal Data and copies thereof to the Data Controller on termination of the Terms Of Use Agreement unless required by Data Protection Law to store the Personal Data; and

h. maintain complete and accurate records and information to demonstrate its compliance with this Section 4, and allow for audits by the Data Controller or the Data Controller’s designated auditor.

Section 5


The Data Controller consents to the Data Processor appointing those parties listed in Schedule 2 as third-party processors of Personal Data under this addendum. The Data Processor confirms that it has entered or (as the case may be) will enter with the third-party processors into a written agreement incorporating terms which are substantially similar to those set out in this clause addendum. As between the Data Controller and the Data Processor, the Data Processor shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Section 5. The Data Processor will notify the Data Controller in writing, via an appropriate medium, where any new third party sub-processors are used and will give the Data Controller the opportunity to object to the engagement of the new third party sub-processors within 30 days after being notified. The objection must be based on reasonable grounds (e.g. if the Data Controller proves that significant risks for the protection of its Personal Data exist at the third party sub-processor). If the Data Processor and Data Controller are unable to resolve such objection, either party may terminate the Terms Of Use Agreement by providing written notice to the other party

Section 6

Audit Rights:

1. The Data Processor is obliged to assure compliance with the technical and organisational measures and will allow Data Controller or an independent auditor appointed by Data Controller to conduct audits (including inspections) to verify Data Processor’s compliance with the respective technical and organisational measures.

2. The Data Processor may refuse, at its own discretion and taking into account the Data Controller's statutory duties, to disclose certain information that is sensitive with respect to the Data Processor's business or if the Data Processor violated statutory or contractual obligations by disclosing the information. In particular, the Data Controller is not granted access to information on the Data Processor's other business partners, on costs, on quality audit and contract management reports, as well as on any and all other non-public information of the Data Processor not directly necessary in view of statutory audit rights.

Section 7

Term of Addendum:

Except where this addendum expressly stipulates any surviving obligation, the term of this addendum shall follow the term of the Terms Of Use Agreement.

Section 8 


1. This addendum shall constitute a binding part of the Terms Of Use Agreement. Unless the foregoing has not been regulated otherwise, the terms of the Terms Of Use Agreement shall apply to this addendum accordingly.

2. Ancillary agreements must be made in writing. The foregoing shall also apply to the waiver of this mandatory written form.

In the event that individual provisions of this addendum are ineffective, the remaining provisions of the addendum and the Terms Of Use Agreement hereof continue in full force and effect.



Subject Matter: Any data supplied to the system by the owner or contractors
Processing Duration: As long as the instance requires
Nature and Purpose of Processing: Cleaning, deduplication, validation, enhancing, forwarding, storing
Categories of Data: Any data supplied to the system such as names, emails, phone numbers, etc
Data Subjects: Leads supplied in to the system



OVH.co.uk - Server & Data Hosting
Amazon S3 - Data Storage
Amazon Cloudfront - Content Delivery Network
Amazon SES - Transactional Email Services
SendGrid.net - Marketing Email Services
LetsEncrypt - SSL Services