This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between KodeKind S.R.L. ("Processor", "SRLeads", "we", "us") and the Organization using the Service ("Controller", "you", "your").
This DPA applies to the extent that SRLeads processes Personal Data on behalf of the Controller in the course of providing the Service, as required by Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
Terms not defined here have the meaning given in the GDPR or the Agreement.
- "Personal Data" means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller through the Service.
- "Data Subject" means the identified or identifiable person to whom the Personal Data relates (e.g., leads managed by the Controller).
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope & Roles
2.1 Controller and Processor
The Controller determines the purposes and means of processing Personal Data (lead data, contact information, communication records). The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions.
2.2 Processing Activities
The Processor processes Personal Data for the following activities:
| Activity | Categories of Data Subjects | Types of Personal Data | Purpose |
|---|
| Lead management | Business contacts (leads) | Name, email, phone, social links, notes, activity records | Store and manage leads in Kanban boards |
| SMS delivery | Leads with phone numbers | Phone number, message body (nulled after delivery) | Deliver SMS via Android relay on Controller's behalf |
| Email delivery | Leads with email addresses | Email address, email content | Deliver transactional emails on Controller's behalf |
| Consent management | Leads who receive communications | Consent states, interaction events, IP addresses | Track and enforce communication consent |
| Webhook delivery | Leads affected by transitions | Lead data included in event payloads | Deliver outbound webhooks to Controller's endpoints |
| Quick action execution | Leads targeted by actions | Lead context data in HTTP requests | Execute HTTP calls to Controller's configured URLs |
| Auto-add leads | Companies matching filter criteria | Company data (public), filter criteria | Automatically create leads from matching companies |
2.3 Duration
This DPA applies for the duration of the Agreement. Upon termination, the Processor will handle Personal Data in accordance with Section 10 of this DPA.
2.4 Data Location
Personal Data is primarily stored and processed within the European Union. Data is not transferred outside the European Economic Area except through the approved Sub-processors listed in Section 6.1, subject to the safeguards described in Section 9.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law — in which case, the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such information).
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 5.
- Engage Sub-processors only in accordance with Section 6.
- Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under GDPR Chapter III.
- Assist the Controller in ensuring compliance with the obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments), taking into account the nature of processing and the information available to the Processor. In particular, the Processor will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (Art. 35 GDPR) and prior consultations with supervisory authorities (Art. 36 GDPR), to the extent the Processor's assistance is necessary and relevant given the nature of the processing.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
- Maintain records of processing activities carried out on behalf of the Controller in accordance with Art. 30(2) GDPR.
4. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data and for instructing the Processor to process Personal Data on its behalf.
- Obtain all necessary consents from Data Subjects before using the Service's communication features (SMS, email) to contact them, in compliance with Romanian Law 506/2004 and the ePrivacy Directive.
- Provide Data Subjects with all required privacy notices and information about how their data is processed.
- Respond to Data Subject requests in a timely manner, with the Processor's assistance as needed.
- Ensure that its instructions to the Processor comply with applicable data protection law.
- Notify the Processor without undue delay if it becomes aware of any Security Incident or Data Subject complaint related to the processing.
5. Security Measures
The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk of processing:
5.1 Access Control
- User authentication via email + password with bcrypt hashing (10 salt rounds).
- Optional multi-factor authentication (TOTP) with encrypted secrets (AES-256-GCM) and hashed recovery codes (SHA-256).
- Role-based access control (Owner, Member) with granular permissions.
- Session management with 24-hour expiry, httpOnly/secure/SameSite cookies.
- API key authentication with SHA-256 hashing and optional IP whitelisting.
- Rate limiting on authentication endpoints (10 attempts per 15-minute window).
5.2 Data Protection
- All data transmitted over HTTPS/TLS.
- SMS phone numbers and message bodies permanently deleted immediately upon delivery or failure.
- SMS error messages sanitized (phone numbers redacted, truncated).
- Immutable interaction log with database-level triggers preventing modification or deletion.
- Security headers (Helmet/secure headers) on all application services.
- CAPTCHA protection on account registration (Cloudflare Turnstile).
- API request logs automatically purged after 7 days.
5.3 Infrastructure
- Self-hosted MySQL database and Redis cache within the EU.
- Object storage via Cloudflare R2 (encrypted at rest by Cloudflare).
- Stripe PCI DSS Level 1 compliance for payment processing.
- Webhook payloads signed with HMAC-SHA256 (when secret is configured).
5.4 Organizational Measures
- Access to production systems limited to authorized personnel.
- Audit logging of significant operations with IP address and timestamp.
- Consent records versioned and stored with IP address and timestamp at signup.
6. Sub-Processors
6.1 Current Sub-Processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-Processor | Purpose | Data Processed | Location |
|---|
| Stripe, Inc. | Payment processing, subscription management | Organization name, email, payment method, invoice amounts, org_id and plan_slug metadata | United States / European Union |
| SmartBill SRL | Romanian fiscal invoice generation and PDF storage | Billing company name, tax ID (CUI), VAT number, full billing address, organization owner email, invoice amounts and line items | Romania |
| Resend, Inc. | Transactional and marketing email delivery | Recipient email address, first name, email subject and body content (may include amounts, links, OTP codes) | United States |
| Cloudflare, Inc. | CDN, DNS, R2 object storage, Turnstile CAPTCHA | All proxied HTTP traffic, organization logos (R2), CAPTCHA verification tokens and IP addresses | United States / European Union (global network) |
| Google LLC | Website analytics (Google Analytics 4) — only when user consents to analytics cookies | Page views, interactions, anonymized browser data | United States / European Union |
6.2 Android Relay
The SMS Android Relay is not a Sub-processor — it is the Controller's own paired device. The Processor facilitates the WebSocket connection between the Service and the Controller's device but does not operate the device. Phone numbers and message bodies are transmitted through the connection and permanently deleted from the Service immediately upon delivery or failure.
6.3 Changes to Sub-Processors
The Processor will notify the Controller at least 30 days before engaging a new Sub-processor or replacing an existing one. Notification will be sent via email to the Organization owner.
If the Controller objects to a new Sub-processor on reasonable data protection grounds within the 30-day notification period, the Processor will: (a) not engage the objected-to Sub-processor for processing the Controller's Personal Data; (b) make reasonable efforts to provide an alternative solution; (c) if no alternative is available and the Sub-processor is essential to the continued provision of the Service, either party may terminate the affected service component with 30 days' written notice, and the Controller will receive a pro-rata refund for any prepaid and unused period.
6.4 Sub-Processor Obligations
The Processor ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA, including through written agreements that comply with Article 28(4) GDPR. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).
- The Service provides self-service tools for Data Subjects where applicable: the opt-in/opt-out page allows leads to manage their SMS and email consent, view their consent status, and withdraw consent at any time.
- SMS keyword handling (STOP/START/HELP) automatically updates consent state when leads reply to SMS messages.
- The Controller can delete individual leads, which cascades to remove all associated notes, activities, history, relationships, and consent state.
- If the Processor receives a request directly from a Data Subject, it will promptly inform the Controller and will not respond to the request without the Controller's instructions, unless legally required to do so.
8. Security Incident Notification
- The Processor will notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA. This initial notification may be preliminary and incomplete.
- A detailed notification will follow within 48 hours of becoming aware of the incident, including to the extent available: (a) a description of the nature of the incident, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the incident; (c) the measures taken or proposed to address the incident and mitigate its effects; (d) the name and contact details of the Processor's point of contact.
- The Processor will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
- The Processor will preserve all relevant evidence and logs related to the Security Incident for a period of at least 12 months.
- The Processor's notification of a Security Incident shall not be construed as an acknowledgment of fault or liability.
9. International Data Transfers
Some Sub-processors are located in the United States. The Processor ensures that international transfers of Personal Data are protected by appropriate safeguards:
- Stripe: EU-U.S. Data Privacy Framework certified; Standard Contractual Clauses.
- Resend: Standard Contractual Clauses (SCCs).
- Cloudflare: EU-U.S. Data Privacy Framework certified; Standard Contractual Clauses; Binding Corporate Rules.
- Google: EU-U.S. Data Privacy Framework certified; Standard Contractual Clauses.
The Processor monitors developments in international data transfer law, conducts Transfer Impact Assessments for US-based Sub-processors, and maintains Standard Contractual Clauses as a supplementary transfer mechanism. The Controller may request copies of the relevant transfer mechanism documentation by contacting [email protected].
10. Data Return & Deletion
10.1 During the Agreement
The Controller may export lead data and personal data at any time through the Service's built-in export features (data export in profile settings, API access).
10.2 Upon Termination
Upon termination of the Agreement, the Processor will:
- Continue to make the Controller's data available for export for a minimum of 30 days after termination.
- Upon the Controller's request, delete all Personal Data processed on the Controller's behalf, except where retention is required by EU or Member State law.
- Certify in writing that all Personal Data has been deleted, upon the Controller's request.
10.3 Data Retained by Law
The following data is retained after termination as required by law or legitimate compliance interests:
- Fiscal invoices (10 years, Romanian fiscal law — Law 82/1991).
- Interaction log entries (immutable compliance records).
- Audit log entries (immutable security records).
11. Audits
- The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
- The Controller (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct audits of the Processor's data processing activities, upon reasonable notice (minimum 30 days) and during normal business hours.
- Audits shall be conducted no more than once per year, unless required by a supervisory authority or following a Security Incident.
- The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2), or evidence of compliance with applicable standards.
- The Controller shall bear the costs of any audit it initiates, unless the audit reveals material non-compliance by the Processor.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability for: (a) obligations that cannot be limited under applicable law; (b) intentional misconduct or gross negligence; or (c) liability arising from data protection obligations under GDPR, including fines imposed by supervisory authorities.
13. General Provisions
- Governing law. This DPA is governed by the laws of Romania, consistent with the Agreement.
- Conflict. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
- Amendments. This DPA may be amended by the Processor to reflect changes in law, regulatory guidance, or Sub-processor arrangements, with 30 days' notice to the Controller.
- Severability. If any provision of this DPA is found unenforceable, the remaining provisions shall continue in full force.
For questions about this DPA or to exercise rights under it, contact:
KodeKind S.R.L.
Privacy inquiries: [email protected]
General inquiries: [email protected]
For our full privacy practices, see our Privacy Policy.