Data Processing Agreement
Effective Date: Upon execution by both parties or digital acceptance via the SIE Data Broker Dashboard
Parties:
- Data Controller ("Broker"): The entity accessing SIE Data signals for redistribution or downstream use
- Data Processor ("SIE Data" or "Processor"): SIE Data, Inc., operating at siedata.dev
---
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, transmission, erasure, or destruction.
- Data Subject: The individual to whom the Personal Data relates.
- Sub-processor: A third party engaged by SIE Data to process Personal Data on the Broker's behalf.
- Applicable Data Protection Law: GDPR, CCPA/CPRA, and any other applicable privacy regulation in the jurisdictions where the data originates or is processed.
- Intent Signals: Behavioral, transactional, or self-declared data points that indicate market interest or purchase intent. Intent Signals are NOT consumer reports under FCRA.
---
2. Data Processing Scope
2.1 Subject Matter and Purpose
SIE Data processes Intent Signals and associated metadata to deliver structured data feeds to the Broker. Processing is limited to:
- Aggregation and normalization of zero-party and behavioral data
- Enrichment with publicly available business information
- Scoring and classification of intent signals
- Delivery via API, S3, SFTP, or webhook as configured by the Broker
2.2 Categories of Data
- Business contact information (name, title, company, business email, business phone)
- Behavioral intent indicators (topic interest, content engagement, technology signals)
- Firmographic data (company size, industry, revenue range, location)
- Transactional public records (permits, licenses, filings)
2.3 Excluded Data
SIE Data does NOT process and will never include:
- Credit scores, FICO scores, or any credit bureau data
- Bankruptcy records, payment history, or collections data
- Employment history, rental history, or criminal records
- Any data classified as FCRA-regulated
- Social Security numbers, driver's license numbers, or government ID numbers
- Health or medical information
- Data about children under 16
---
3. Obligations of Data Controller (Broker)
The Broker shall:
1. Lawful Basis: Ensure a valid legal basis exists for all downstream processing of data received from SIE Data, including any necessary consents from Data Subjects.
2. Purpose Limitation: Use data exclusively for the purposes described in the applicable service agreement (marketing, advertising, audience segmentation, and business intelligence).
3. FCRA Compliance: NOT use any SIE Data signals for eligibility determinations including credit, employment, insurance, housing, or any purpose regulated under the Fair Credit Reporting Act.
4. Transparency: Maintain a public privacy policy disclosing the use of third-party data providers for marketing purposes.
5. Data Subject Requests: Promptly forward any Data Subject access, deletion, or opt-out requests to SIE Data within 48 hours of receipt.
6. Security: Implement appropriate technical and organizational measures to protect data received from SIE Data, including encryption in transit and at rest.
7. Breach Notification: Notify SIE Data within 24 hours of discovering any security breach affecting data received under this agreement.
8. Downstream Transfers: Ensure any further transfer of data to third parties is governed by equivalent data protection terms.
---
4. Obligations of Data Processor (SIE Data)
SIE Data shall:
1. Processing Instructions: Process Personal Data only on the documented instructions of the Broker, unless required by law.
2. Confidentiality: Ensure all personnel processing Personal Data are bound by confidentiality obligations.
3. Security Measures: Implement and maintain the security measures described in Section 6.
4. Sub-processor Management: Not engage additional Sub-processors without prior written notice to the Broker (see Section 5).
5. Data Subject Assistance: Assist the Broker in responding to Data Subject rights requests.
6. Audit Support: Make available to the Broker all information necessary to demonstrate compliance with this agreement.
7. Data Return/Deletion: Upon termination, delete or return all Personal Data to the Broker at the Broker's choice, within 30 days.
8. FCRA Firewall: Maintain technical controls (the FCRA Firewall) that prevent FCRA-regulated data from being included in any data feed or API response.
---
5. Sub-processors
5.1 Authorized Sub-processors
SIE Data currently uses the following categories of Sub-processors:
- Cloud Infrastructure: Hosting, database, and compute services (Supabase, AWS, Vercel, Railway)
- Data Enrichment: Business data enrichment providers (Hunter, Lusha, Prospeo)
- Caching: In-memory data caching (Upstash Redis)
- Communication: Transactional email delivery (Zoho Mail)
5.2 Sub-processor Changes
SIE Data will notify the Broker at least 14 days before engaging a new Sub-processor. The Broker may object to a new Sub-processor within 10 days of notification. If the objection cannot be resolved, either party may terminate the affected data processing.
5.3 Sub-processor Obligations
All Sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this agreement.
---
6. Security Measures
SIE Data implements the following technical and organizational measures:
6.1 Encryption
- AES-256-GCM encryption for PII at rest
- TLS 1.2+ for all data in transit
- HMAC-SHA256 for API key authentication and webhook signatures
6.2 Access Control
- Role-based access control (RBAC) with least-privilege principle
- JWT-based authentication with 30-minute access tokens
- IP whitelisting available for API keys
- Multi-factor authentication for administrative access
6.3 Infrastructure
- SOC 2 Type II compliant cloud infrastructure providers
- Automated vulnerability scanning and dependency auditing
- Regular penetration testing
- Encrypted database backups with point-in-time recovery
6.4 Monitoring
- Real-time audit logging of all data access and modifications
- Tamper-evident audit chains with cryptographic verification
- Automated alerting for anomalous access patterns
- DNC and suppression list synchronization
---
7. Data Subject Rights
7.1 Supported Rights
SIE Data supports the following Data Subject rights:
- Access: Data Subjects may request a copy of their data
- Deletion: Data Subjects may request erasure of their data
- Opt-Out: Data Subjects may opt out of data sales/sharing
- Correction: Data Subjects may request correction of inaccurate data
7.2 Response Timeline
SIE Data will respond to verified Data Subject requests within:
- 30 days for GDPR requests
- 45 days for CCPA/CPRA requests (with one 45-day extension if needed)
7.3 Suppression Lists
Opt-out requests are added to a global suppression list that is checked before every data delivery. Suppression is permanent unless the Data Subject explicitly re-consents.
---
8. International Transfers
8.1 Transfer Mechanisms
If Personal Data is transferred outside the originating jurisdiction, SIE Data will ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for EU-to-non-EU transfers
- Data Processing Addendums compliant with applicable law
- Encryption of data in transit and at rest during transfer
8.2 Data Residency
Primary data processing occurs in the United States. The Broker will be notified if data processing locations change.
---
9. Term and Termination
9.1 Term
This agreement remains in effect for the duration of the Broker's service agreement with SIE Data.
9.2 Termination
Either party may terminate this agreement:
- Upon 30 days written notice
- Immediately if the other party materially breaches this agreement and fails to cure within 15 days
- Immediately if required by a supervisory authority
9.3 Post-Termination
Upon termination, SIE Data will:
1. Cease all processing of the Broker's data within 24 hours
2. Delete or return all Personal Data within 30 days
3. Provide written confirmation of deletion upon request
4. Continue to maintain the confidentiality of any retained audit logs
---
10. Liability
10.1 Processor Liability
SIE Data is liable for damages caused by processing that violates this agreement or applicable data protection law. Liability is limited to direct damages and capped at the total fees paid by the Broker in the 12 months preceding the claim.
10.2 Controller Liability
The Broker is liable for damages arising from its instructions to SIE Data that violate applicable data protection law, or from the Broker's failure to fulfill its obligations under Section 3.
10.3 Indemnification
Each party shall indemnify the other against regulatory fines, penalties, and third-party claims arising from the indemnifying party's breach of this agreement.
10.4 Limitation
Neither party excludes or limits liability for:
- Willful misconduct or gross negligence
- Breach of confidentiality obligations
- Obligations that cannot be limited under applicable law
---
11. General Provisions
11.1 Governing Law
This agreement is governed by the laws of the State of Delaware, without regard to conflict of law principles.
11.2 Amendments
Amendments to this agreement must be in writing and signed by both parties. SIE Data may update its security measures (Section 6) provided the overall level of protection is not reduced.
11.3 Severability
If any provision is found invalid, the remaining provisions continue in full force and effect.
11.4 Entire Agreement
This DPA, together with the Broker service agreement, constitutes the complete agreement between the parties regarding data processing.
---
*SIE Data, Inc. | siedata.dev | Data Processing Agreement v1.0 | March 31, 2026*