Data Processing Agreement

iTYZER Ltd — For Agency Plan Clients — UK GDPR Article 28 Compliant

This DPA is incorporated into the LeadTYZER Terms of Service for Agency plan subscribers. By subscribing to the Agency plan, you agree to this DPA in addition to the Terms of Service.

1. Parties

Controller: the Agency client (identified in their LeadTYZER account). Processor: iTYZER Ltd, Company No. 16817299, England and Wales.

2. Subject Matter

iTYZER Ltd processes B2B professional contact data on behalf of the Agency client for the purpose of lead delivery through the LeadTYZER platform. The categories of data subjects are business professionals. The categories of personal data are professional contact information only.

3. Processor Obligations

iTYZER Ltd will: process data only on documented instructions from the Controller; ensure authorised persons are subject to confidentiality obligations; implement appropriate technical and organisational security measures; assist the Controller with data subject rights requests within the timeframe required by applicable law; delete or return all personal data after the service ends; provide all information necessary to demonstrate compliance with Article 28 GDPR.

4. Sub-Processors

Current sub-processors: Supabase Inc (database, EU-West Ireland), Vercel Inc (hosting, EU-West Ireland), Stripe Inc (payment processing, EU), Anthropic PBC (AI processing, USA — SCCs in place). Any new sub-processors will be notified 30 days in advance.

5. Security

We implement: row-level security on all database tables; API key hashing (SHA-256); TLS 1.3 in transit; AES-256 at rest; access logging on all sensitive operations; regular security reviews.

6. Contact

DPA queries: privacy@leadtyzer.com. For a signed copy of this DPA, email legal@leadtyzer.com.