Data Processing Agreement

Last updated: 2026-05-06 · Forms part of our Terms of Service and applies to every customer using a paid plan or any plan involving processing of customer-controlled data.

Plain-English summary. When you (the customer) save leads or upload data into Prospera, you remain the data controller for that data. We are a data processor acting on your instructions. This agreement sets out the terms of that arrangement, satisfying UK GDPR Article 28's mandatory contract clauses. Acceptance of our Terms of Service constitutes acceptance of this DPA — no separate signature is required.

1. Definitions

Capitalised terms have the same meaning as in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. "Customer Personal Data" means personal data processed by Prospera on behalf of the Customer through use of the Service. "Sub-processor" means any third party engaged by Prospera to process Customer Personal Data on the Customer's behalf.

2. Roles and scope

The Customer is the Controller of Customer Personal Data. Prospera is the Processor.

This DPA applies to all processing of Customer Personal Data carried out by Prospera in connection with the provision of the Service. The subject-matter, duration, nature, purpose and categories are set out in Annex A below.

3. Customer instructions

Prospera will process Customer Personal Data only in accordance with the documented instructions of the Customer. Use of the Service constitutes documented instructions to process Customer Personal Data for the purpose of providing the Service. Any out-of-scope processing requested by the Customer requires a separate written instruction.

If Prospera believes a Customer instruction infringes UK GDPR or other applicable data-protection law, Prospera will inform the Customer.

4. Confidentiality of personnel

Prospera will ensure that anyone authorised to process Customer Personal Data is bound by a duty of confidentiality (contractual or statutory).

5. Security measures (Article 32)

Prospera implements appropriate technical and organisational measures to protect Customer Personal Data, including:

Encryption of data in transit (TLS) and at rest;
Per-tenant logical isolation enforced at the application layer;
Role-based access control with least-privilege defaults;
Multi-factor authentication for administrative access where supported;
Daily encrypted backups, retained for at least 7 days;
Logging and monitoring of administrative actions;
Regular security testing and timely patching of dependencies;
Vendor due-diligence and contractual flow-down to sub-processors.

A more-detailed Compliance Pack (technical and organisational measures, security questionnaire, penetration-test summary if available) is provided on request to enterprise customers.

6. Sub-processors

The Customer authorises Prospera to engage the sub-processors listed at our Sub-processors page. Prospera will:

Impose data-protection obligations on each sub-processor at least as protective as this DPA;
Remain liable to the Customer for the acts and omissions of each sub-processor;
Notify the Customer at least 14 days before adding or replacing a sub-processor (unless an emergency security change is required);
Allow the Customer to object on reasonable, documented grounds. Where Prospera and Customer cannot agree an alternative, the Customer may terminate the affected portion of the Service without penalty.

7. International transfers

To the extent that Customer Personal Data is transferred outside the UK, Prospera will ensure an appropriate transfer mechanism is in place — UK adequacy (EU/EEA), the UK-US Data Bridge, or the UK International Data Transfer Addendum to the Standard Contractual Clauses. The current locations are listed on the Sub-processors page.

8. Data-subject rights

Prospera provides the Customer with reasonable assistance — through the Service's existing functionality or by other means — to respond to requests from data subjects exercising their UK GDPR rights (access, rectification, erasure, restriction, portability, objection, automated decision-making).

If Prospera receives a data-subject request directly that relates to Customer Personal Data, Prospera will forward the request to the Customer without delay (unless prohibited by law).

9. Personal data breach notification

Prospera will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of any personal-data breach affecting Customer Personal Data. The notification will include the information required by UK GDPR Article 33(3) to the extent then known.

10. Audit and inspection

Prospera will make available all information necessary to demonstrate compliance with this DPA. Where the Customer reasonably requires an audit, Prospera will:

First provide its most recent Compliance Pack and any third-party assurance reports (e.g. SOC 2, ISO 27001) it holds;
Cooperate with reasonable, good-faith follow-up enquiries;
Allow on-site audit only where mandated by an applicable supervisory authority and on at least 30 days' written notice (audit cost borne by the Customer unless the audit reveals a material breach of this DPA).

11. Return or deletion of data

On termination of the Service, Prospera will, at the Customer's option, delete or return Customer Personal Data within 90 days, unless retention is required by applicable law (in which case the data will be securely held and deleted as soon as the retention obligation ends). Prospera's standard retention practice is described in the Privacy Notice — retention section.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in our Terms of Service, except that nothing in this DPA limits liability that cannot lawfully be limited.

13. Governing law & jurisdiction

This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the English courts.

Annex A — Processing details

Subject matter	Provision of the Prospera B2B prospecting platform.
Duration	For the term of the Customer's subscription, plus the retention periods set out in the Privacy Notice.
Nature and purpose of processing	Storage, organisation, retrieval, enrichment, AI-summarisation, export and (where the Customer chooses) onward transmission of UK B2B lead data, in support of the Customer's prospecting and business-development activities.
Categories of data subjects	Directors, officers, persons-with-significant-control and named employees of UK companies the Customer chooses to research; plus the Customer's own end-users with access to the Customer's tenant.
Categories of personal data	Identity (name, role, dates of appointment), business contact details (email, phone, LinkedIn URL), company-of-employment data, contextual signals (filings, accreditations), Customer-tenant user credentials. No special categories of personal data (Article 9) are intended to be processed.
Frequency	Continuous, while the Service is in use.
Sub-processors	As listed on the Sub-processors page.

Annex B — Technical and organisational measures (summary)

See Section 5 (Security measures). The full Compliance Pack is available to enterprise customers on request.

Annex C — Cross-border transfers

Where any Customer Personal Data is transferred outside the UK, the transfer is made under one of:

An adequacy decision applicable to the destination country;
The UK-US Data Bridge (Data Privacy Framework) for certified US recipients;
The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

The applicable mechanism for each sub-processor is identified on the Sub-processors page.