Data Processing Addendum

1. Scope and Parties

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Terms of Service between you (“Customer” or “Controller”) and Great Marketing AI Inc., doing business as Lead Distro AI (“Processor,” “we”), and applies to the Processor's processing of Personal Data on behalf of the Customer in connection with the Service.

This DPA reflects the parties' obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “Data Protection Laws”).

2. Roles of the Parties

For Personal Data submitted to the Service, the Customer is the Controller (or Business under CCPA/CPRA) and Lead Distro AI is the Processor (or Service Provider under CCPA/CPRA). We process Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries.

3. Subject Matter, Nature, and Purpose of Processing

• Subject matter: provision of lead distribution, AI scoring, AI calling, ad spend syncing, and analytics services
• Duration: the term of the Customer's subscription, plus a 30-day grace period after termination
• Nature and purpose: ingest, store, score, route, deliver, and report on lead records and related data
• Categories of data subjects: end consumers whose lead records the Customer submits, plus the Customer's own users and integration partners
• Categories of Personal Data: name, phone number, email, mailing address, IP address, attribution metadata, custom form fields configured by the Customer, and any other data the Customer chooses to submit
• Special categories: not intentionally collected. Customers must not submit special categories of data (health, biometric, racial, political, etc.) without prior written agreement

4. Processor Obligations

We will:

• Process Personal Data only on documented instructions from the Customer
• Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational measures (see Section 7) to protect Personal Data
• Engage Sub-processors only in accordance with Section 5
• Assist the Customer with data subject access, correction, deletion, and portability requests
• Assist the Customer with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities
• Notify the Customer without undue delay (within 72 hours) after becoming aware of a Personal Data breach
• At the Customer's choice, return or delete all Personal Data after the end of the provision of services
• Make available all information necessary to demonstrate compliance with this DPA and allow for audits at reasonable intervals

5. Sub-processors

The Customer authorizes us to engage the Sub-processors listed below for the purposes described. We remain liable for the acts and omissions of our Sub-processors. We will notify the Customer of any addition or replacement of Sub-processors at least 30 days in advance, and the Customer may object on reasonable grounds related to data protection.

6. International Transfers

For transfers of Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, the parties incorporate the EU Standard Contractual Clauses (SCCs) Module Two (Controller-to-Processor) by reference, with the Customer as data exporter and Great Marketing AI Inc. as data importer. The UK International Data Transfer Addendum applies to UK transfers.

7. Security Measures

We implement and maintain the following technical and organizational measures:

• Encryption in transit: TLS 1.2+ for all connections
• Encryption at rest: AES-256 for database and file storage; OAuth tokens encrypted with application-layer envelope encryption
• Access controls: role-based access, principle of least privilege, multi-factor authentication for all employee accounts
• Tenant isolation: all customer data is scoped by organization ID at the application layer; row-level security enabled at the database layer
• Audit logging: append-only audit logs for security-sensitive events (sign-in, impersonation, data exports)
• Secrets management: environment-based secrets, no credentials in source control
• Vulnerability management: automated dependency scanning, prompt remediation of known CVEs
• Backup and recovery: daily encrypted database backups with point-in-time recovery
• Incident response: documented runbook and 72-hour breach notification SLA

8. Data Subject Rights

We will assist the Customer in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection. Customers may submit requests on behalf of their data subjects to support@leaddistro.ai. We will respond within 30 days unless an extension is permitted by law.

9. Return and Deletion

On termination of the Customer's subscription, we will delete or return all Personal Data within 30 days, unless we are legally required to retain it. Backups are purged on the standard backup rotation cycle (90 days). The Customer may request a final data export at any time during the subscription term and during the 30-day grace period.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits any rights or remedies of data subjects under applicable Data Protection Laws.

11. Contact

• Email: support@leaddistro.ai
• Great Marketing AI Inc. (dba Lead Distro AI)
• 8605 Santa Monica Blvd #779486
• West Hollywood, CA 90069