Data Processing Agreement (DPA)

Under GDPR Article 28

Last updated: 2026-05-17 | Processor: Compuute AB (org.nr 559374-5606)

Parties

Controller: The entity that has registered an API key and uses the Lead Enrichment API (the "Customer").
Processor: Compuute AB, org.nr 559374-5606, Stockholm, Sweden.

1. Definitions

"Personal Data" — any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
"Processing" — any operation performed on Personal Data (GDPR Art. 4(2)).
"Data Subject" — the identified or identifiable natural person to whom the Personal Data relates.
"Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Breach" — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"SCCs" — Standard Contractual Clauses adopted by the European Commission for international data transfers.

2. Scope and Purpose

This DPA applies to all Processing of Personal Data that the Processor carries out on behalf of the Controller in connection with the Lead Enrichment API.

Nature of processing: Automated retrieval, AI-powered enrichment, scoring, storage, and delivery of B2B lead data via REST API.

Categories of data subjects: Founders, executives, and other publicly visible representatives of B2B companies.

Types of Personal Data: Names, professional titles, company information, firmographics, technographics, AI-generated lead scores and buying signals — all derived from publicly available sources.

3. Processor Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller (defined by API usage).
Ensure authorized persons are bound by confidentiality obligations.
Implement all security measures required under GDPR Article 32 (see Section 6).
Assist the Controller with Data Subject requests (see Section 5).
Assist the Controller with obligations under GDPR Articles 32–36.
At the Controller's choice, delete or return all Personal Data upon termination.
Make available information necessary to demonstrate compliance and allow audits.
Immediately inform the Controller if an instruction infringes the GDPR.

4. Sub-processors

The Controller provides general written authorization for the Processor to engage the following Sub-processors:

Sub-processor	Purpose	Location	Transfer Mechanism
Anthropic	AI-powered lead enrichment	USA	SCCs
Supabase	Database storage	EU (AWS eu-west-1)	N/A (EU)
Railway	API hosting and compute	USA	SCCs
Stripe	Payment processing	USA	SCCs
Upstash	Rate limiting and caching	EU (eu-west-1)	N/A (EU)

The Processor shall inform the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object within 14 days on reasonable data protection grounds.

The Processor remains fully liable for each Sub-processor's obligations.

5. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).

If the Processor receives a request directly from a Data Subject, it shall forward it to the Controller promptly and not respond without the Controller's instruction.

Submit requests to daniel@compuute.se. The Processor shall respond within 10 business days.

6. Security Measures

Technical measures:

API key credentials hashed using SHA-256
All data in transit encrypted via TLS 1.2+
Database encryption at rest (Supabase managed)
Redis cache encryption in transit (Upstash TLS)
Rate limiting (100 requests/hour per key)
Access logging of all API requests

Organizational measures:

Production access limited to authorized personnel
Sub-processors selected for GDPR compliance
Data minimization: only publicly available B2B data collected
Pseudonymization where applicable

7. Data Breach Notification

The Processor shall notify the Controller of a Data Breach without undue delay and within 72 hours of becoming aware of it.

Notification shall include: nature of the breach, categories and approximate number of affected records, likely consequences, and measures taken or proposed to mitigate effects.

Notifications will be sent to the email address associated with the Controller's API key.

8. Audit Rights

The Controller or an independent auditor may audit the Processor's compliance, subject to:

At least 30 days written notice
Conducted during normal business hours
Auditor bound by confidentiality
Limited to once per calendar year (unless a breach has occurred)

Costs borne by the Controller, unless audit reveals material non-compliance by the Processor.

9. Data Return and Deletion

Lead data is refreshed on a 30-day cycle. Data older than 90 days is archived and purged.
Upon termination or request, the Processor shall return (JSON format) or delete all Personal Data within 30 days.
The Processor may retain data required by law (e.g., Swedish Bookkeeping Act — 7 years for transaction records).

10. International Data Transfers

Transfers to Sub-processors outside the EEA (USA) are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission under GDPR Chapter V.

11. Duration and Termination

This DPA enters into force when the Controller accepts the Terms of Service. It remains in effect while the Processor processes Personal Data on the Controller's behalf.

Sections 7, 8, 9, and 12 survive termination.

12. Governing Law

This DPA is governed by Swedish law. Disputes shall be resolved by Stockholm District Court (Stockholms tingsratt).

13. Amendments

The Processor may update this DPA to reflect changes in law or Sub-processor arrangements, with at least 14 days notice. Continued use constitutes acceptance.

Contact

daniel@compuute.se | Compuute AB, Stockholm, Sweden