
Data Processing Addendum

Effective: 2026-05-26
Version: 2026-05-26.v3

Material change from v2: This DPA is now organised into two parts — Section A (Single-Tier Processing) governs the default Customer↔Provider relationship and is unchanged in substance from v2. Section B (Three-Tier Sub-Processing) is new and applies in addition to Section A whenever the Customer operates the Service in reseller mode (billing_mode = 'reseller') and acts as a Processor for its own End-Clients, with the Provider acting as Sub-Processor in the chain. Customers on v2 must re-accept on the next acceptance prompt.

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", "you", "Controller") and Lead Friendly LLC ("Provider", "we", "us", "Processor") set out in the Terms of Service (the "Agreement"). It governs the processing of personal data by Lead Friendly LLC on Customer's behalf in connection with the Service. Capitalized terms not defined here have the meaning given in the Agreement.


SECTION A — Single-Tier Processing (DEFAULT)

Section A governs the default Customer↔Provider relationship and applies to every Customer regardless of billing mode. Three-tier reseller scenarios additionally trigger Section B below.

1. Roles and scope

1.1 For personal data submitted by Customer or generated through Customer's use of the Service ("Customer Data"), Customer is the controller and Lead Friendly LLC is the processor.

1.2 Where Lead Friendly LLC processes personal data of its own account holders, billing contacts, or website visitors, Lead Friendly LLC is the controller for that data, governed by our Privacy Policy and not this DPA.

1.3 The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects covered by this DPA are described in Annex A.

1.4 Reseller mode. Where Customer operates the Service as a reseller (Customer's billing_mode is reseller), Customer may itself act as a Processor for the data of its End-Clients, in which case Lead Friendly LLC acts as a Sub-Processor in the chain. Section B of this DPA (where engaged) supplements this Section A and governs the three-tier relationship. Section A governs the default single-tier relationship.

2. Customer obligations

2.1 Customer warrants that it has a valid lawful basis for the processing it directs Lead Friendly LLC to perform, that it has obtained any consents required (including TCPA prior express written consent for marketing calls or messages), and that its instructions to Lead Friendly LLC do not require Lead Friendly LLC to violate applicable law.

2.2 Customer is solely responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.

3. Provider obligations

3.1 Documented instructions. Lead Friendly LLC will process Customer Data only on Customer's documented instructions, including with respect to international transfers, except where required by applicable law.

3.2 Confidentiality. Lead Friendly LLC will ensure personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.

3.3 Security. Lead Friendly LLC will implement and maintain the technical and organizational measures described in Annex B to protect Customer Data.

3.4 Cooperation with data subject requests. Taking into account the nature of the processing, Lead Friendly LLC will assist Customer with appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to data subject requests under applicable data protection law (access, rectification, erasure, restriction, portability, objection).

3.5 Assistance with assessments. Lead Friendly LLC will provide reasonable assistance to Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required.

4. Subprocessors

4.1 Customer authorizes Lead Friendly LLC to engage subprocessors to provide infrastructure, telephony, voice processing, identity verification, payment processing, email delivery, and similar services. The current list of subprocessors is published at /legal/subprocessors and is incorporated into this DPA by reference.

4.2 Lead Friendly LLC will impose data-protection terms on each subprocessor that are no less protective than those set out in this DPA, and will remain liable for the acts and omissions of its subprocessors to the same extent Lead Friendly LLC would be liable if performing the services directly.

4.3 Lead Friendly LLC will provide at least 30 days' prior notice of the addition or replacement of a subprocessor by updating the subprocessor list and (at Customer's option) by email to the primary account contact. Customer may object to a new subprocessor on reasonable data-protection grounds within that 30-day window. If the parties cannot resolve the objection, Customer's exclusive remedy is to terminate the affected portion of the Service for convenience.

5. Personal data breach

5.1 Lead Friendly LLC will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any actual or reasonably suspected personal data breach affecting Customer Data.

5.2 The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

5.3 Lead Friendly LLC will cooperate in good faith with Customer's reasonable requests for information necessary for Customer's own breach-notification obligations.

6. International transfers

6.1 Lead Friendly LLC's primary infrastructure is hosted in the United States. Customer Data may be transferred to or accessed from the United States in connection with provision of the Service.

6.2 Where Customer Data subject to the GDPR or UK GDPR is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties agree that the transfer is governed by the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor), which are incorporated into this DPA by reference, with Lead Friendly LLC as data importer and Customer as data exporter. Where the UK GDPR applies, the UK Addendum to the SCCs issued by the Information Commissioner's Office applies.

6.3 Annex C describes the technical and organizational supplementary measures Lead Friendly LLC relies on for transfers under Section 6.2.

7. Audits

7.1 Lead Friendly LLC will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Lead Friendly LLC will respond to Customer's reasonable requests for documentation within 30 days.

7.2 To the extent that Customer's audit rights cannot be reasonably satisfied through documentation, Lead Friendly LLC will cooperate with one (1) audit per twelve-month period conducted by Customer or its independent third-party auditor (subject to confidentiality), at Customer's expense, on no less than 30 days' prior written notice and during normal business hours, in a manner that does not unreasonably interfere with Lead Friendly LLC's operations or compromise other customers' data.

8. Return and deletion

8.1 At Customer's choice, Lead Friendly LLC will delete or return all Customer Data after the end of the provision of services, unless storage is required by applicable law.

8.2 Customer may export Customer Data via the Service's data-export tooling at any time during the term.

8.3 Following termination, Lead Friendly LLC retains the operational copy of general Customer Content for 30 days to support reactivation and export, after which it is deleted or de-identified, except for the categories in Section 8.4 that Lead Friendly LLC is required or permitted to retain for a longer period.

8.4 The following categories are retained beyond the period in Section 8.3 because retention is required or permitted by applicable law (including tax, anti-fraud, and telecommunications record-keeping obligations) or is necessary for the establishment, exercise, or defense of legal claims (including payment-dispute and chargeback defense):

  • Identity-verification (KYC) records — up to 7 years after account closure.
  • Telephone-consent records (the prior-express-written-consent ledger) — up to 7 years.
  • Call and message metadata and compliance audit logs — up to 3 years.
  • Records evidencing acceptance of the Agreement and policies — retained for as long as they may be needed as evidence of the contractual relationship.

On expiry of each period above, the relevant data is deleted or de-identified. Backups follow a rolling 90-day retention cycle and are overwritten in the ordinary course; backup data is not restored into production except for disaster recovery. These periods are maintained in Lead Friendly LLC's internal data-retention policy and may be updated to reflect changes in legal requirements.

9. Liability

9.1 The liability of each party under or in connection with this DPA is subject to the limitations of liability set out in the Agreement.

10. Term

10.1 This DPA takes effect on the date Customer accepts the Agreement and continues until the Agreement terminates or expires, except for provisions that by their nature should survive (including Sections 5, 8, and 9).

11. Order of precedence

11.1 In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict for matters relating to the processing of Customer Data. The Standard Contractual Clauses, where they apply under Section 6.2, prevail over this DPA to the extent of any conflict.


Annex A — Description of processing

  • Subject matter: processing of Customer Data in connection with the Lead Friendly LLC hosted CRM, AI voice-agent, and telephony platform.
  • Duration: the term of the Agreement, plus any post-termination retention period under Section 8.
  • Nature and purpose: storage, retrieval, transmission, modification, deletion, AI processing (speech-to-text, language model, text-to-speech), recording and transcription, telephony interconnect, billing, identity verification, automated workflow execution, customer support.
  • Types of personal data: identifiers (names, email addresses, phone numbers), authentication credentials, business contact details, call recordings and transcripts, message content, IP addresses, device identifiers, billing information (processed by payment subprocessor), identity-verification artifacts (processed by identity-verification subprocessor).
  • Categories of data subjects: Customer's authorized users; Customer's contacts, leads, and end-customers; participants on calls placed or received via the Service.

Annex B — Technical and organizational measures

  • Encryption. TLS 1.2+ in transit; AES-256 at rest for the operational database, object storage, and backups. Sensitive identity-verification and telephone-consent fields receive an additional layer of application-level AES-256-GCM encryption under separately managed keys.
  • Access control. Role-based access to the production environment limited to a minimum number of authorized engineering and operations personnel. Multi-factor authentication required for all production access. Periodic access reviews.
  • Tenant isolation. Row-level security on tenant-scoped tables; per-organization scoping enforced in all RPC functions that mutate Customer Data; strict separation between Customer Data and Lead Friendly LLC internal data.
  • Audit logging. Application-level audit logs for security-relevant events (authentication, KYC transitions, billing changes, impersonation, compliance overrides). Server-side access to encrypted identity-verification fields is separately logged with automated alerting on anomalous access patterns. Database-level logs are retained per the underlying provider's standard policy.
  • Change management. Code changes are reviewed and merged via pull request; infrastructure-as-code where practical; production deployments via the platform's audited release pipeline.
  • Vulnerability management. Dependencies scanned for known vulnerabilities; patches applied on a risk-prioritized schedule.
  • Incident response. Documented incident-response process covering identification, containment, eradication, recovery, and post-incident review. 24/7 on-call rotation.
  • Backups. Encrypted, geographically replicated, retained per Section 8.3.
  • Personnel. Security awareness training on hire and annually thereafter; confidentiality obligations in employment and contractor agreements.
  • Subprocessor due diligence. Subprocessors are reviewed for appropriate security and privacy posture before engagement.

SECTION B — Three-Tier Sub-Processing (RESELLER MODE)

Section B applies in addition to Section A only when the Customer's billing_mode is reseller. In that case, the data-flow has three distinct levels — the Customer's End-Clients (level 1), the Customer acting as a Processor on End-Client instructions (level 2), and Lead Friendly LLC acting as Sub-Processor (level 3). The terms below configure the GDPR Article 28(2)–(4) authorisations and obligations specific to that chain. Where Section A and Section B conflict, Section B prevails for level-2 and level-3 obligations; Section A prevails otherwise.

B1. Roles in the three-tier chain

B1.1 With respect to End-Client personal data that the Customer processes on documented instructions of its End-Clients ("Tier-2 Data"), the End-Client is the Controller, the Customer is the Processor, and Lead Friendly LLC is the Sub-Processor.

B1.2 With respect to data the Customer processes for its own purposes (its own users, its own billing contacts, its own marketing leads) the Customer remains Controller and Lead Friendly LLC is the Processor under Section A.

B1.3 With respect to payment and transaction data for Reseller-Mode charges processed by Lead Friendly LLC as merchant of record, Lead Friendly LLC is the Controller (see Reseller Agreement § 3.1). Section B does not apply to that data.

B2. Article 28 authorisations

B2.1 General written authorisation for Sub-Processors (GDPR Art. 28(2)(b)). The Customer hereby grants Lead Friendly LLC a general written authorisation, in the Customer's capacity as Processor for End-Clients, to engage the Sub-Processors listed at /legal/subprocessors for the purposes described therein. The Customer warrants it has obtained equivalent authorisation from each of its End-Clients (in their capacity as Controller) per GDPR Article 28(4).

B2.2 Flow-down to End-Clients (GDPR Art. 28(4)). The Customer will impose data-protection terms on each End-Client engagement that are no less protective than this DPA and that authorise Lead Friendly LLC as a Sub-Processor on the same terms applicable in this DPA, including international-transfer arrangements (Section 6) and security measures (Annex B).

B2.3 30-day Sub-Processor change notice (GDPR Art. 28(2)(a)). Lead Friendly LLC's 30-day prior-notice obligation in Section 4.3 of Section A flows down: the Customer will provide its End-Clients with at least 30 days' notice of any new Lead Friendly LLC-engaged Sub-Processor and will pass an End-Client's reasoned objection to Lead Friendly LLC within that window. If the parties cannot resolve the End-Client objection, the Customer's exclusive remedy is to terminate the affected portion of the Service for convenience.

B3. Sub-Processor obligations in the chain

B3.1 Lead Friendly LLC, as Sub-Processor for Tier-2 Data, will:

(a) process Tier-2 Data only on the Customer's documented instructions, which include the instructions the Customer in turn receives from its End-Clients;

(b) impose data-protection terms on each of its own Sub-Processors that are no less protective than this DPA;

(c) provide reasonable assistance — in the form of documentation, summary reports, or, where strictly necessary, supervised inspection — to enable the Customer to demonstrate Article 28(1) compliance to its End-Clients (subject to the audit cadence in Section 7);

(d) on the Customer's request, support End-Client data-subject requests for access, rectification, erasure, restriction, portability, and objection routed through the Customer (Section 3.4);

(e) notify the Customer of any actual or reasonably suspected personal data breach affecting Tier-2 Data within the 72-hour window in Section 5, with sufficient information for the Customer to in turn notify its End-Client(s).

B3.2 Lead Friendly LLC will not engage with End-Clients directly for purposes of Tier-2 Data processing except (i) at the Customer's documented request, (ii) where required by applicable law, or (iii) in accordance with the Sub-account continuity policy in Reseller Agreement Section 7.6.

B4. Customer obligations as Processor

B4.1 The Customer warrants it has a valid Article 28(3) processing agreement with each End-Client and that its instructions to Lead Friendly LLC reflect those agreements and are themselves lawful.

B4.2 The Customer is responsible for maintaining the End-Client–facing record of processing activities, sub-processor list, and incident-notification surface required by GDPR Articles 30, 28(2), and 33–34 at the End-Client level.

B4.3 The Customer will not instruct Lead Friendly LLC to process Tier-2 Data in any manner that Lead Friendly LLC, acting reasonably, considers unlawful, and Lead Friendly LLC may refuse such an instruction in writing.

B5. International transfers in the chain

B5.1 Where Tier-2 Data subject to GDPR or UK GDPR is transferred from the EEA, the United Kingdom, or Switzerland to a country lacking an adequacy decision, the parties additionally rely on the European Commission's Standard Contractual Clauses Module Three (processor-to-sub-processor), which are incorporated by reference, with Lead Friendly LLC as data importer and the Customer as data exporter acting on behalf of its End-Clients as Controllers. Where the UK GDPR applies, the UK Addendum to the SCCs applies.

B5.2 The supplementary technical and organisational measures in Annex C apply to Tier-2 Data on the same terms as Tier-1 Data.

B6. Audit rights in the chain

B6.1 An End-Client's audit rights are exercised through the Customer; Lead Friendly LLC will not be subject to direct End-Client audits.

B6.2 The Customer may aggregate End-Client audit requests and exercise them under Section 7 of Section A on the End-Clients' behalf, subject to the same cadence, expense, and operational limits.

B7. Conflict between Sections

B7.1 If a conflict arises between Section A and Section B with respect to the same processing activity, Section B governs for that activity. The Standard Contractual Clauses (any Module) prevail over both Sections where they apply.


Annex C — Supplementary measures for international transfers

  • TLS 1.2+ for all transfers between regions.
  • AES-256 at rest in the U.S. region.
  • Logged access to production data; engineers do not access Customer Data except for legitimate operational purposes (incident response, customer-authorized debugging) and access is auditable.
  • Lead Friendly LLC will use commercially reasonable efforts to challenge any binding requests from public authorities for Customer Data that conflict with the laws of the data exporter's country, and will inform the data exporter of any such request unless legally prohibited from doing so.

Acceptance

Customer accepts this DPA by clicking the acceptance control in the Lead Friendly LLC account settings or by entering into a separate written agreement that incorporates this DPA by reference.

For questions about this DPA, contact: privacy@leadfriendly.com.

© 2026 Lead Friendly LLC. All rights reserved. Lead Friendly LLC, PO Box 88413, Tukwila, WA 98138