← Back to home

Data Processing Agreement (DPA)

Version 1.0 — Last updated: 13 May 2026

⚠️ Closed-beta starter draft. This DPA is a reasonable starting point for controller-to-processor B2B SaaS arrangements. It should be reviewed by qualified legal counsel and customised for individual customer agreements before being signed.

Parties

  • Controller: The Totalinfo Ltd customer entity that has signed up to the service.
  • Processor: Totalinfo Ltd, Belfast, Northern Ireland.

This DPA forms part of the Terms of Service between the Controller and the Processor and applies whenever the Processor processes personal data on the Controller's behalf.

1. Subject matter and purpose

The Processor processes personal data on the Controller's instructions solely for the purpose of providing the Lead Generation platform (lead sourcing, enrichment, qualification, draft email generation, outreach delivery).

2. Categories of data subject

  • Employees and authorised users of the Controller (account holders).
  • Decision-makers and representatives of companies the Controller targets for outreach (named officers, contact-form-public emails, etc.).

3. Categories of personal data

  • Names, work email addresses, work phone numbers, job titles, employer names.
  • LinkedIn URLs where publicly listed.
  • Engagement metrics (whether/when an outreach email was opened).

We do not process special-category data (Article 9 GDPR) and the Controller agrees not to upload such data into the platform.

4. Duration

For the duration of the Controller's subscription to the service plus any retention period documented in Section 10 of the Privacy Policy.

5. Processor obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller (which are deemed given by the Controller's use of the platform).
  2. Ensure persons authorised to process data are bound by confidentiality.
  3. Implement appropriate technical and organisational measures (see Security Overview).
  4. Engage sub-processors only with the Controller's general authorisation (the list at /sub-processors is deemed authorised; we notify of additions/changes via email with 30 days' opt-out).
  5. Assist the Controller in fulfilling data subject rights requests.
  6. Notify the Controller of personal data breaches within 72 hours of becoming aware.
  7. Delete or return all personal data on termination of the subscription, subject to legal retention requirements.
  8. Make available to the Controller information necessary to demonstrate compliance, and allow for audits subject to reasonable advance notice and confidentiality.

6. Sub-processors

See the live list at /sub-processors. The Controller's general authorisation is given for all sub-processors listed there at the time of signup. The Processor will give 30 days' notice (via in-app banner + the Controller's account email) before adding a new sub-processor. The Controller may object in writing; if the objection cannot be resolved the Controller may terminate the affected service.

7. International transfers

Where personal data is transferred outside the UK or EEA, the Processor relies on:

  • The UK / EU adequacy decisions where available.
  • Standard Contractual Clauses (SCCs) — UK addendum where the recipient is outside the UK adequacy list.

8. Liability

The liability provisions in the Terms of Service Section 10 apply to this DPA, save that nothing in the cap limits liability for breaches of Article 28 GDPR or for damages payable to data subjects.

9. Governing law

Laws of Northern Ireland, with submission to the courts of Northern Ireland.

10. Order of precedence

In the event of conflict, this DPA prevails over the Terms of Service on personal-data matters only.

Contact

DPA-related queries: richard@ipr.guru