Data Processing Agreement
Effective: March 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between you ("Controller", "Customer") and Connecto ("Processor") and supplements the Terms of Service.
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller to provide the Connecto platform, including LinkedIn outreach automation, AI message generation, and campaign analytics.
3. Categories of Data Subjects
- Customer employees/representatives (account holders)
- LinkedIn users targeted by Customer campaigns ("Leads")
4. Types of Personal Data
- Account data: name, email, LinkedIn profile URL, CV text
- Lead data: name, headline, company, LinkedIn URL, location (publicly available on LinkedIn)
- Usage data: campaign configuration, message templates, analytics
5. Processing Duration
Processing continues for the duration of the Service Agreement. Upon termination, personal data is deleted within 30 days, except where retention is required by law.
6. Processor Obligations
- Process data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data at the end of the service
- Make available all information necessary to demonstrate compliance
7. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, Auth | EU (Frankfurt) | Within EU |
| Unipile | LinkedIn API | EU | Within EU |
| OpenAI | AI message generation | USA | SCCs + DPA |
| Stripe | Payments | USA / EU | PCI DSS + SCCs |
| Resend | Transactional email | USA | SCCs |
| Vercel | Hosting & CDN | Global Edge | SCCs |
| PostHog | Product analytics | EU | Within EU |
| Sentry | Error tracking | USA | SCCs |
| Inngest | Background jobs & queue | Cloud | SCCs |
| Cloudflare | CDN, DNS, DDoS protection | Global Edge | SCCs + DPA |
| iubenda | Cookie consent, privacy policy hosting | EU (Italy) | Within EU |
8. International Transfers
Where personal data is transferred outside the EEA, the Processor ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
9. Security Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row-Level Security (RLS) on all database tables
- Role-based access control
- Regular security audits and penetration testing
- Automated backup and disaster recovery
- LinkedIn credentials never stored (Unipile hosted auth)
10. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach, providing all information required under Art. 33 GDPR.
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations.
12. Contact
For DPA-related inquiries: info@connectodigital.com