Data Processing Addendum
Last Updated: January 23, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between:
- Customer (the entity entering into the Terms of Service or other agreement for the Services) ("Customer" or "Controller"), and
- Poolside Ventures S.L. (company number B05370846) ("DataMerge" or "Processor").
This DPA applies to Processing of Customer Personal Data by DataMerge on behalf of Customer in connection with the Services.
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement and/or the GDPR.
"Agreement" means the Terms of Service, order form, or other agreement governing Customer's use of the Services.
"Customer Personal Data" means any Personal Data that DataMerge Processes on behalf of Customer in connection with the Services, including:
- Personal Data contained in Customer Data submitted to the Services; and
- Personal Data contained in enrichment results and other outputs generated within Customer's account/tenant as a result of Customer's configuration and use of the Services,
in each case to the extent such information constitutes Personal Data.
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (where applicable) the GDPR, UK GDPR, and the CCPA/CPRA.
"GDPR" means Regulation (EU) 2016/679.
"Personal Data Breach" has the meaning given in the GDPR.
"Process" / "Processing" has the meaning given in the GDPR.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for transfers of Personal Data to third countries (as updated or replaced from time to time).
"Sub-processor" means any Processor engaged by DataMerge to Process Customer Personal Data on behalf of Customer in connection with the Services.
2. Roles of the Parties
2.1 Controller and Processor. Customer is the Controller of Customer Personal Data. DataMerge is the Processor of Customer Personal Data.
2.2 Customer instructions. Customer instructs DataMerge to Process Customer Personal Data to provide the Services in accordance with the Agreement, this DPA, the Documentation, and Customer's use and configuration of the Services.
3. Details of Processing (GDPR Art. 28(3))
The Processing details are described in Annex 1.
4. DataMerge (Processor) Obligations
4.1 Processing on instructions. DataMerge will Process Customer Personal Data only on documented instructions from Customer unless required to do otherwise by applicable law.
4.2 Confidentiality. DataMerge will ensure that persons authorized to Process Customer Personal Data are under an appropriate obligation of confidentiality.
4.3 Security. DataMerge will implement appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2, and may update these measures as needed provided they do not materially decrease overall security.
4.4 Assistance with data subject rights. Taking into account the nature of the Processing, DataMerge will provide reasonable assistance to enable Customer to respond to requests from data subjects exercising their rights under Data Protection Laws, to the extent Customer cannot do so independently through the Services.
4.5 Assistance with compliance. DataMerge will provide reasonable assistance to Customer with Customer's obligations relating to:
- security of Processing,
- Personal Data Breach notifications,
- data protection impact assessments, and
- prior consultation with supervisory authorities,
in each case to the extent applicable to the Services and the information available to DataMerge.
4.6 Breach notification. DataMerge will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably necessary to enable Customer to meet its breach notification obligations.
4.7 No independent use / no sale. DataMerge will not sell Customer Personal Data and will not Process Customer Personal Data for its own independent purposes outside providing, securing, and improving the Services as permitted by the Agreement and this DPA.
5. Customer (Controller) Obligations
Customer is responsible for:
- ensuring it has a lawful basis to Process Customer Personal Data and to instruct DataMerge to Process it;
- providing required notices to data subjects;
- handling opt-outs, objections, and do-not-contact preferences relating to Customer's downstream use of data outside the Services; and
- ensuring it does not provide special category data to the Services unless expressly agreed in writing.
6. Sub-processors
6.1 General authorization. Customer provides general authorization for DataMerge to appoint Sub-processors.
6.2 Sub-processor obligations. DataMerge will:
- enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those in this DPA;
- remain responsible for the performance of its Sub-processors; and
- ensure Sub-processors Process Customer Personal Data only as necessary to provide their services.
6.3 Notice of changes. DataMerge will make available an up-to-date list of Sub-processors and will notify Customer of material changes to that list where feasible (e.g., via email or in-product notice). Customer may object on reasonable data protection grounds within a reasonable period. If the Parties cannot resolve the objection, Customer may terminate the impacted portion of the Services.
6.4 Enrichment sub-processors. Customer acknowledges and agrees that DataMerge may engage one or more enrichment workflow providers as Sub-processors to support enrichment workflows and to return enrichment results in response to Customer-initiated queries submitted through the Services. Sub-processors are listed in Annex 3.
7. International Transfers
7.1 General. Where Customer Personal Data is transferred outside the EEA/UK/Switzerland, DataMerge will ensure an appropriate transfer mechanism is in place (e.g., SCCs) unless an adequacy decision applies.
7.2 SCCs (where required). Where SCCs apply, the Parties agree to incorporate the SCCs by reference and complete them in good faith as necessary for the relevant transfer scenario.
8. Audits and Information
8.1 Information. DataMerge will make available information reasonably necessary to demonstrate compliance with this DPA.
8.2 Audits. Customer may conduct an audit (or have an independent auditor conduct an audit) of DataMerge's compliance with this DPA no more than once per year, unless required due to a Personal Data Breach or supervisory authority request, subject to reasonable confidentiality, scope, and security restrictions and advance notice.
9. Return and Deletion
9.1 At termination. Upon termination or expiration of the Agreement, DataMerge will, in accordance with Customer's instruction and the capabilities of the Services:
- enable return/export of Customer Personal Data; and/or
- delete Customer Personal Data within a commercially reasonable period,
unless retention is required by law or for legitimate purposes such as security logging, fraud prevention, or dispute resolution (in which case it will remain protected and be deleted when no longer required).
10. Liability
Liability is governed by the Agreement, to the extent permitted by applicable law.
11. Order of Precedence
If there is a conflict between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA will prevail.
Annex 1 — Processing Details
Subject matter: Provision of the Services (enrichment workflows, API functionality, storage within Customer's account/tenant, exports, support, and security).
Duration: For the term of the Agreement and until deletion/return as described in Section 9.
Nature and purpose of Processing: To Process Customer Personal Data on behalf of Customer in order to provide the Services as configured and used by Customer, including submitting customer-initiated enrichment queries to Sub-processors.
Categories of data subjects: Business contacts, leads, prospects, Customer personnel (users/admins), and other individuals whose Personal Data Customer Processes via the Services.
Types of Personal Data: Professional contact information (e.g., name, role, employer, business email, business phone/mobile, profile URLs), company affiliation, identifiers, and other fields submitted by Customer or returned as enrichment outputs within Customer's account/tenant.
Special categories: Not intended to be processed.
Annex 2 — Security Measures
- encryption in transit (TLS/HTTPS);
- access controls and least-privilege permissions;
- multi-factor authentication for administrative access where available;
- logging and monitoring of systems;
- vulnerability management and secure development practices;
- encrypted backups and recovery procedures;
- incident response processes and personnel training.
Annex 3 — Sub-processors
The following Sub-processor is used as of the DPA effective date:
| Sub-processor | Location | Service Provided | Processing Purpose |
|---|---|---|---|
| FullEnrich Corp | United States | Enrichment workflow provider | Return enrichment results in response to Customer-initiated queries submitted through the Services |
| Google Cloud (Google Cloud EMEA Limited) | Belgium / EU | Cloud infrastructure and hosting | Hosting, storage, compute, backups, and related infrastructure services necessary to provide, secure, and support the Services (including processing of Customer Personal Data as applicable) |
